Big savings, Better ROI! Exclusive discounts on ManageEngine Products!* Boost your business *T&C apply
    Click here to shrink
    Click here to expand Click here to expand

    Steps to enable SSL

    The following steps will guide you through enabling SSL in ADAudit Plus.

    Step 1: Define the SSL port

    • Log in to ADAudit Plus with an account that has administrative privileges.
    • Navigate to Admin > General Settings > Connection.
    • Check the Enable SSL Port [https] box. The default port number 8444 is selected automatically.
    • Click Save changes.
    • Restart ADAudit Plus for the changes to take effect.

    Note: If you want to install an existing PFX or PKCS #12 certificate, skip to the PFX or PKCS #12 format section in Step 5.

    Steps for enabling SSL

    Step 2: Create the keystore

    A keystore is a password-protected file that contains the keys and certificates for the server to encrypt and decrypt data.

    • To create a certificate keystore file and generate encryption keys, run Command Prompt as an administrator, navigate to <product_installation_directory>\jre\bin, and execute the following command:

      keytool -genkey -alias tomcat -keyalg RSA -validity 1000 -keystore <domainName>.keystore

      Replace <domainName> with the name of your domain.

    • Type in your keystore password.
    • Provide information based on the following guidelines:
      What is your first and last name? Provide the machine name or the fully qualified domain name of the server hosting ADAudit Plus.
      What is the name of your organizational unit? Enter the department name that you want to appear in the certification.
      What is the name of your organization?/td> Provide the legal name of your organization.
      What is the name of your City or Locality? Enter the city name as provided in your organization’s registered address.
      What is the name of your State or Province? Enter the state or province as provided in your organization’s registered address.
      What is the two-letter country code for this unit? Provide the two-letter code of the country in which your organization is located.
      Enter key password for <tomcat> Enter the same password as the keystore password.
      Note: If you choose to enter a different password, note it down because the key password will be required later.

    Steps for enabling SSL

    Step 3: Generate the certificate signing request (CSR)

    To create a CSR with a subject alternative name (SAN), execute the following command in Command Prompt:

    keytool -certreq -alias tomcat -keyalg RSA -ext SAN=dns:server_name,dns:server_name.domain.com,dns:server_name.domain1.com -keystore <domainName>.keystore -file <domainName>.csr

    Replace <domainName> with the name of your domain and provide the appropriate SANs as shown in the image below:

    Steps for enabling SSL

    Step 4: Issue the SSL certificate

    In this step, you will connect to a certificate authority (CA), submit the CSR to the specific CA, and get the SSL certificate issued to you.

    A. Issue the SSL certificate using an external CA

    • To request a certificate from an external CA, submit the CSR to that CA. You can locate the CSR file in the <product_installation_directory>\jre\bin folder.
    • Unzip the certificates returned by your CA and put them in the <product_installation_directory>\jre\bin folder.

    Note: After the SSL certificate is issued by the external CA, proceed to Step 5 to install the certificate.

    B. Issue the SSL certificate using an internal CA

    An internal CA is a member server or domain controller in a specific domain that has been assigned the CA role.

    • Connect to the Microsoft Active Directory Certificate Services of your internal CA and click the Request a certificate link.

      Steps for enabling SSL

    • On the Request a Certificate page, click the advanced certificate request link.

      Steps for enabling SSL

    • On the Submit a Certificate Request or Renewal Request page, copy the content from your CSR file and paste it in the Saved Request field.
    • Select Web Server or the appropriate template for Tomcat under Certificate Template and click Submit.

      Steps for enabling SSL

    • The certificate will be issued when you click the Download certificate chain link. The downloaded certificate will be in the P7B file format.

      Steps for enabling SSL

    • Copy the P7B file to the <product_installation_directory>\jre\bin folder.

    Step 5: Import the certificate

    Follow the steps given below that correspond with the format in which you want to import the certificate.

    A. Privacy-enhanced mail (PEM) format

    To import the certificate into the keystore file in PEM format, open Command Prompt, navigate to <product_installation_directory>\jre\bin, and run the commands from the list below that applies to your CA.

    General commands

    • keytool -importcert -alias root -file <root.cert.pem> -keystore <your.domain.com>.keystore -trustcacerts
    • keytool -importcert -alias intermediate -file <intermediate.cert.pem> -keystore <your.domain.com>.keystore -trustcacerts
    • keytool -importcert -alias intermediat2 -file <intermediat2.cert.pem> -keystore <your.domain.com>.keystore -trustcacerts
    • keytool -importcert -alias tomcat -file <server.cert.pem> -keystore <your.domain.com>.keystore -trustcacerts

    Vendor-specific commands

    For GoDaddy certificates

    • keytool -import -alias root -keystore <domainName>.keystore -trustcacerts -file gd_bundle.crt
    • keytool -import -alias cross -keystore <domainName>.keystore -trustcacerts -file gd_cross.crt
    • keytool -import -alias intermed -keystore <domainName>.keystore -trustcacerts -file gd_intermed.crt
    • keytool -import -alias tomcat -keystore <domainName>.keystore -trustcacerts -file <domainName>.crt

    For Verisign certificates

    • keytool -import -alias intermediateCA -keystore <domainName>.keystore -trustcacerts -file <your intermediate certificate.cer>
    • keytool -import -alias tomcat -keystore <domainName>.keystore -trustcacerts -file <domainName>.cer

    For Comodo certificates

    • keytool -import -trustcacerts -alias root -file AddTrustExternalCARoot.crt -keystore <domainName>.keystore
    • keytool -import -trustcacerts -alias addtrust -file UTNAddTrustServerCA.crt -keystore <domainName>.keystore
    • keytool -import -trustcacerts -alias ComodoUTNServer -file ComodoUTNServerCA.crt -keystore <domainName>.keystore
    • keytool -import -trustcacerts -alias essentialSSL -file essentialSSLCA.crt -keystore <domainName>.keystore

    For Entrust certificates

    • keytool -import -alias Entrust_L1C -keystore <keystore-name.keystore> -trustcacerts -file entrust_root.cer
    • keytool -import -alias Entrust_2048_chain -keystore <keystore-name.keystore> - trustcacerts -file entrust_2048_ssl.cer
    • keytool -import -alias -keystore <keystore-name.keystore> -trustcacerts -file <domainName.cer>/li>

    For certificates purchased through the Thawte reseller channel

    • keytool -import -trustcacerts -alias thawteca -file <SSL_PrimaryCA.cer> -keystore <keystore-name.keystore>
    • keytool -import -trustcacerts -alias thawtecasec -file <SSL_SecondaryCA.cer> - keystore <keystore-name.keystore>
    • keytool -import -trustcacerts -alias tomcat -file <certificate-name.cer> -keystore <keystore-name.keystore>

    Once the certificate is installed, proceed to Step 6 to bind the certificate to ADAudit Plus.

    Note: If you are receiving the certificates from a CA that is not listed above, then contact your CA to get the commands required to add its certificates to the keystore.

    B. P7B or PKCS #7 format

    To import the certificate into the keystore file in P7B or PKCS #7 format, open Command Prompt, navigate to <product_installation_directory>\jre\bin, and execute the following command:

    keytool -import -trustcacerts -alias tomcat -file certnew.p7b -keystore <keystore_name>.keystore

    Once the certificate is installed, proceed to Step 6 to bind the certificate to ADAudit Plus.

    C. PFX or PKCS #12 format

    • Copy and save your PFX or PKCS #12 file in the <product_installation_directory>\conf folder.
    • Open the server.xml file present in the <product_installation_directory>\conf folder with a local text editor. Create a backup of the existing server.xml file just in case you wish to restore it.
    • Find the connector tag that contains <Connector ... SSLEnabled="true"... name="SSL".../>.
    • Within the connector tag, make the following changes:
      • Replace the value of keystoreFile with "./conf/<YOUR_CERT_FILE.pfx>".
      • Add keystoreType="PKCS12".
    • Save and close the server.xml file.
    • <Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="100" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA" clientAuth="false" connectionTimeout="20000" debug="0" disableUploadTimeout="true" enableLookups="false" keystoreFile="./conf/<YOUR_CERT_FILE.pfx>" keystorePass="*********" keystoreType="PKCS12"maxSpareThreads="75" maxThreads="150" minSpareThreads="25" name="SSL" port="8444" scheme="https" secure="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" sslProtocol="TLS"/>
    Note: After modifying the server.xml file, skip to the "Encrypt the keystore password" section in Step 6.

    Step 6: Bind the certificates to ADAudit Plus

    • Copy the <domainName>.keystore file from the <product_installation_directory>\jre\bin folder and paste it in the <product_installation_directory>\conf folder.
    • Open the server.xml file present in the <product_installation_directory>\conf folder with a local text editor. Create a backup of the existing server.xml file just in case you wish to restore it.
    • Find the connector tag that contains <Connector ... SSLEnabled="true"... name="SSL".../>.
    • Within the connector tag, replace the value of keystoreFile with "./conf/<Your_Domain_Name>.keystore".
    • <Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="100" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA" clientAuth="false" connectionTimeout="20000" debug="0" disableUploadTimeout="true" enableLookups="false" keystoreFile="./conf/<Your_Domain_Name>.keystore" keystorePass="*********" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" name="SSL" port="8444" scheme="https" secure="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" sslProtocol="TLS"/>
    • Save and close the server.xml file.

    Encrypt the keystore password

    • Log in to your ADAudit Plus web console and navigate to Admin > General Settings > Connection.
    • Select the General tab, check the Encrypt Keystore Password box, and enter the keystore password you used while generating the CSR for this certificate file.
    • Click Save changes.
    • Restart ADAudit Plus again for the changes to take effect.
    Note: If you want to modify the TLS versions and ciphers attribute, refer to our security hardening guide.

    Steps for enabling SSL

    Don't see what you're looking for?

    •  

      Visit our community

      Post your questions in the forum.

       
    •  

      Request additional resources

      Send us your requirements.

       
    •  

      Need implementation assistance?

      Try onboarding

       

    On this page

    Get download link