Working with SSL


How to find build number?

In the EventLog Analyzer web client, click the Help > About link in the top pane. The build number is shown below the build version. This is the build number of the currently installed EventLog Analyzer.
 

Configuring Secure Communication - SSL

The SSL protocol provides several features that enable secure transmission of web traffic. These features include data encryption, server authentication, and message integrity.

You can enable secure communication from web clients to the EventLog Analyzer server using SSL.

 

Note: The steps provided describe how to enable SSL functionality and generate certificates only. Depending on your network configuration and security needs, you may need to consult outside documentation. For advanced configuration concerns, please refer to the SSL resources at http://www.apache.org

 

Procedure for EventLog Analyzer version 8.0 (Build 8010) onwards

 

Use the existing keystore file to configure SSL

Use the existing SSL certificate

 

 

<Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="100" address="0.0.0.0" clientAuth="false" compressableMimeType="text/html,text/xml" compression="force" compressionMinSize="1024" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" keystoreFile="./conf/chap8.keystore" keystorePass="eventlog" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" noCompressionUserAgents="gozilla, traviata" port="8400" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS"/>

 

 

 

 

<Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="100" address="0.0.0.0" clientAuth="false" compressableMimeType="text/html,text/xml" compression="force" compressionMinSize="1024" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" keystoreFile="./conf/<your pfx file name>.pfx" keystoreType="pkcs12" keystorePass="your pfx file password here" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" noCompressionUserAgents="gozilla, traviata" port="8400" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS"/>

 

 

How to create a new keystore, generate a certificate signing request (CSR), and install SSL certificate for EventLog Analyzer

Follow the instructions given below for SSL Installation:

  1. Create a new keystore

  2. Generate a CSR from the new keystore

  3. How to install the SSL Certificate


Step 1: Create a new keystore

If you do not have a keystore file, follow the steps to create a new one.

  1. In the command prompt, go to the <EventLog Analyzer Home>/jre/bin directory and execute the following command:

"<EventLog Analyzer Home>/jre/bin/keytool" -genkey -alias <your_alias_name> or [Domain Name] -keyalg RSA -keystore chap8.keystore

 

 

Example: "<EventLog Analyzer Home>/jre/bin/keytool" -genkey -alias tomcat -keyalg RSA -keystore chap8.keystore

For example, if the installation folder is C:/ManageEngine/EventLog then the above command should be
"C:/ManageEngine/EventLog/jre/bin/keytool" -genkey -alias tomcat -keyalg RSA -keystore chap8.keystore

Note: The absolute path of keytool should be in double quotes
  2. When you execute the above command, it will ask for the keystore password. Enter the password. In our case, 'eventlog'.

  3. Enter the answers for the six questions:

    1. first and last name

    2. organizational unit

    3. organization

    4. city

    5. state

    6. country code

  4. For confirmation, type 'y' and press the 'Enter' key.

  5. Press the 'Enter' key again for the password for Tomcat. A keystore file named 'chap8.keystore' will be created in the <EventLog Analyzer Home>/server/conf location.

 

Step 2: Generate a CSR from the new keystore

  1. If you want to create the Certificate Signing Request (CSR) from your Keystore using the keytool, in the command prompt go to <EventLog Analyzer Home>/jre/bin and execute the following command

keytool -certreq -alias <your_alias_name> or [Domain Name] -file csr.txt -keystore chap8.keystore

(For example: keytool -certreq -alias tomcat -file csr.txt -keystore chap8.keystore)

  2. Type the keystore password that you assigned earlier and press the 'Enter' key.

  3. Your CSR file named csr.txt is now created in your current directory. Open the CSR with a text editor, and copy and paste the text (including the BEGIN and END tags) into the Certifying Authority (CA) web order form. Be careful to save the keystore file (chap8.keystore), as your certificates will be installed to it later.

Step 3: How to install the SSL Certificate

  1. Download your Certificate files from the email from CA to the directory where your keystore (chap8.keystore) was saved during the CSR creation process. The certificate must be installed to this exact keystore. If you try to install it to a different keystore, it will not work. The certificates you downloaded must be installed to your keystore in the correct order for your certificate to be trusted. If the certificates are not installed in the correct order, then the certificate will not authenticate properly.

  2. Install the Root Certificate file:

keytool -import -trustcacerts -alias root -file TrustedRoot.crt -keystore chap8.keystore

 
Note: Choose 'Yes' if you get prompted with a message that says "Certificate already exists in system-wide CA keystore under alias <entrustsslca> Do you still want to add it to your own keystore? [no]:" You will get a confirmation stating that the "Certificate was added to keystore".
  3. Install the intermediate certificates if any. (Follow the instructions provided by the CA)

  4. Install the Primary Certificate file:

keytool -import -trustcacerts -alias tomcat -file <your_domain_name>.crt -keystore chap8.keystore

This time you will get a different confirmation stating that the 'Certificate reply was installed in keystore'. If it asks if you want to trust the certificate, choose 'y' or 'yes'.
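
The check below is an added example, not part of the original documentation: it reads the output of keytool -list -v -keystore chap8.keystore and confirms that the tomcat alias still holds the private key and that the installed chain links in order, the two failure modes Step 3 warns about. The sample listing is constructed and trimmed, and accepting the older keyEntry label alongside PrivateKeyEntry is an assumption about older bundled JREs.

```python
# Constructed sample of `keytool -list -v -keystore chap8.keystore` output,
# trimmed to the fields this check reads (all names are placeholders).
SAMPLE_LISTING = """\
Alias name: root
Entry type: trustedCertEntry
Owner: CN=Example Root CA
Issuer: CN=Example Root CA

Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=eventlog.example.com
Issuer: CN=Example Root CA
Certificate[2]:
Owner: CN=Example Root CA
Issuer: CN=Example Root CA
"""

def parse_entries(listing):
    """Map each alias to its entry type and [owner, issuer] pairs in listed order."""
    entries, current = {}, None
    for line in listing.splitlines():
        key, _, value = (part.strip() for part in line.partition(":"))
        if key == "Alias name":
            current = entries.setdefault(value, {"type": None, "certs": []})
        elif current and key == "Entry type":
            current["type"] = value
        elif current and key == "Owner":
            current["certs"].append([value, None])
        elif current and key == "Issuer" and current["certs"]:
            current["certs"][-1][1] = value
    return entries

def check_server_entry(listing, alias="tomcat"):
    """Return 'ok' or the reason the alias cannot serve the CA-issued chain."""
    entry = parse_entries(listing).get(alias)
    if entry is None:
        return "alias not found"
    if entry["type"] not in ("PrivateKeyEntry", "keyEntry"):
        # A reply imported into a keystore without the key becomes a trusted cert.
        return "no private key: not the keystore that generated the CSR"
    certs = entry["certs"]
    if len(certs) == 1 and certs[0][0] == certs[0][1]:
        return "self-signed: CA reply not installed"
    # Each certificate must be issued by the next one in the chain.
    for (_, issuer), (owner, _) in zip(certs, certs[1:]):
        if issuer != owner:
            return "chain broken: issuer does not match next certificate"
    return "ok"
```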

 

Disable HTTP

When you have enabled SSL, HTTP will continue to be enabled on the web server port (default 8400). To disable HTTP, follow the steps below:

  1. Edit the server.xml file present in <EventLog Analyzer Home>/conf directory.

  2. Comment out the HTTP connection parameters, by placing the <!-- tag before, and the --> tag after the following lines:

<Connector port="8400" SSLEnabled="false" acceptCount="100" address="0.0.0.0" clientAuth="false" compressableMimeType="text/html,text/xml" compression="force" compressionMinSize="1024" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" noCompressionUserAgents="gozilla, traviata" protocol="HTTP/1.1" scheme="http" secure="false" URIEncoding="UTF-8"/>

 

Enable HTTPS (SSL)

<!--
<Connector port="8400" SSLEnabled="true" acceptCount="100" address="0.0.0.0" clientAuth="false" compressableMimeType="text/html,text/xml" compression="force" compressionMinSize="1024" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" keystoreFile="./conf/chap8.keystore" keystorePass="eventlog" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" noCompressionUserAgents="gozilla, traviata" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS" URIEncoding="UTF-8"/>
-->

 

Note: When creating the keystore file, you can choose any password, but ensure that the same password is configured in the server.xml file. The example configuration uses the password 'eventlog'.

 

Verify SSL Setup

  1. Restart the EventLog Analyzer server.

  2. Verify that the following message appears in the command window after the EventLog Analyzer application is started:

Server started.
Please connect your client at https://localdevice:8400

  3. Connect to the server from a web browser by typing https://<devicename>:8400 where <devicename> is the machine where the server is running.

 

Configure HTTPS Parameters for 64 bit/128 bit encryption

If you want to configure the HTTPS connection parameters for 64 bit/128 bit encryption, edit the server.xml file present in <EventLog Analyzer Home>/conf directory. Add the following parameter at the end of the SSL/TLS Connector tag:
 
SSLCipherSuite="SSL_RSA_WITH_3DES_EDE_CBC_SHA"
 

<!-- SSL/TLS Connector configuration using the admin devl guide keystore -->
<Connector port="8400" SSLEnabled="true" acceptCount="100" address="0.0.0.0" clientAuth="false" compressableMimeType="text/html,text/xml" compression="force" compressionMinSize="1024" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" keystoreFile="./conf/chap8.keystore" keystorePass="eventlog" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" noCompressionUserAgents="gozilla, traviata" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS" URIEncoding="UTF-8" SSLCipherSuite="SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>
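
An added example, not ManageEngine's own code: a small audit of server.xml that reports an active plain-HTTP connector, a keystorePass left at one of this guide's example passwords, and the 3DES suite, and that also catches a file made unparseable by a missing quote or space between attributes. It covers the older procedure's connectors as well, which omit the scheme attribute; the sample XML is constructed, and treating these items as findings is this example's own policy.

```python
import xml.etree.ElementTree as ET

# Example passwords printed in this guide; a deployed keystore should use neither.
DOC_PASSWORDS = {"eventlog", "rmi+ssl"}

# Constructed sample: HTTP connector commented out as the guide instructs, HTTPS
# connector still using the guide's example password and the 3DES suite.
SAMPLE = """<Server><Service name="sample">
<!-- <Connector port="8400" SSLEnabled="false" scheme="http" secure="false"/> -->
<Connector port="8400" SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="./conf/chap8.keystore" keystorePass="eventlog"
           sslProtocol="TLS" SSLCipherSuite="SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>
</Service></Server>"""


def audit_connectors(xml_text):
    """Return (port, finding) tuples for the active <Connector> elements."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A missing quote or a missing space between attributes ends up here.
        return [(None, f"server.xml is not well-formed: {exc}")]
    findings = []
    # ElementTree drops XML comments, so commented-out connectors are skipped.
    for conn in root.iter("Connector"):
        port = conn.get("port")
        # A connector without a scheme attribute serves plain HTTP.
        if conn.get("scheme", "http") != "https":
            findings.append((port, "plain HTTP connector is still active"))
            continue
        if conn.get("keystorePass") in DOC_PASSWORDS:
            findings.append((port, "keystorePass is a documented example password"))
        if "3DES" in conn.get("SSLCipherSuite", ""):
            findings.append((port, "3DES suite configured (64-bit block cipher)"))
    return findings


if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE):
        print(port, finding)
```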

 

 

 

Procedure for EventLog Analyzer version 8.0 (Build 8000) or earlier

 

Use the existing keystore file to configure SSL

 

Use the existing SSL certificate

 

 

<Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="100" address="0.0.0.0" clientAuth="false" compressableMimeType="text/html,text/xml" compression="force" compressionMinSize="1024" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" keystoreFile="./conf/chap8.keystore" keystorePass="rmi+ssl" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" noCompressionUserAgents="gozilla, traviata" port="8400" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS"/>

 

 

 

 

<Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="100" address="0.0.0.0" clientAuth="false" compressableMimeType="text/html,text/xml" compression="force" compressionMinSize="1024" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" keystoreFile="./conf/<your pfx file name>.pfx" keystoreType="pkcs12" keystorePass="your pfx file password here" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" noCompressionUserAgents="gozilla, traviata" port="8400" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS"/>

 

 

 

How to create a new keystore, generate a certificate signing request (CSR), and install SSL certificate for EventLog Analyzer

Follow the instructions given below for SSL Installation:

  1. Create a new keystore

  2. Generate a CSR from the new keystore

  3. How to install the SSL Certificate


Step 1: Create a new keystore

If you do not have a keystore file, follow the steps to create a new one.

  1. In the command prompt, go to <EventLog Analyzer Home>/server/default/conf and execute the following command:

"<EventLog Analyzer Home>/server/default/conf/keytool" -genkey -alias <your_alias_name> or [Domain Name] -keyalg RSA -keystore chap8.keystore

 

 

Example: "<EventLog Analyzer Home>/server/default/conf/keytool" -genkey -alias tomcat -keyalg RSA -keystore chap8.keystore

For example, if the installation folder is C:/ManageEngine/EventLog then the above command should be like "C:/ManageEngine/EventLog/server/default/conf/keytool" -genkey -alias tomcat -keyalg RSA -keystore chap8.keystore

Note: The absolute path of keytool should be in double quotes
  2. When you execute the above command, it will ask for the keystore password. Enter the password. In our case, 'eventlog'.

  3. Enter the answers for the six questions:

    1. first and last name

    2. organizational unit

    3. organization

    4. city

    5. state

    6. country code

  4. For confirmation, type 'y' and press the 'Enter' key.

  5. Press the 'Enter' key again for the password for Tomcat. A keystore file named 'chap8.keystore' will be created in the location <EventLog Analyzer Home>/server/default/conf.

 

Step 2: Generate a CSR from the new keystore

  1. If you want to create the Certificate Signing Request (CSR) from your keystore using the keytool, in the command prompt go to <EventLog Analyzer Home>/server/default/conf and execute the following command:

keytool -certreq -alias <your_alias_name> or [Domain Name] -file csr.txt -keystore chap8.keystore

(For example: keytool -certreq -alias tomcat -file csr.txt -keystore chap8.keystore)

  2. Type the keystore password that you assigned earlier and press the 'Enter' key.

  3. Your CSR file named csr.txt is now created in your current directory. Open the CSR with a text editor, and copy and paste the text (including the BEGIN and END tags) into the Certifying Authority (CA) web order form. Be careful to save the keystore file (chap8.keystore), as your certificates will be installed to it later.

Step 3: How to install the SSL Certificate

  1. Download your Certificate files from the email from CA to the directory where your keystore (chap8.keystore) was saved during the CSR creation process. The certificate must be installed to this exact keystore. If you try to install it to a different keystore, it will not work. The certificates you downloaded must be installed to your keystore in the correct order for your certificate to be trusted. If the certificates are not installed in the correct order, then the certificate will not authenticate properly.

  2. Install the Root Certificate file:

keytool -import -trustcacerts -alias root -file TrustedRoot.crt -keystore chap8.keystore

 
Note: Choose 'Yes' if you get prompted with a message that says "Certificate already exists in system-wide CA keystore under alias <entrustsslca> Do you still want to add it to your own keystore? [no]:" You will get a confirmation stating that the "Certificate was added to keystore".
  3. Install the intermediate certificates if any. (Follow the instructions provided by the CA)

  4. Install the Primary Certificate file:

keytool -import -trustcacerts -alias tomcat -file <your_domain_name>.crt -keystore chap8.keystore

This time you will get a different confirmation stating that the 'Certificate reply was installed in keystore'. If it asks if you want to trust the certificate, choose 'y' or 'yes'.

 

Disable HTTP

When you have enabled SSL, HTTP will continue to be enabled on the web server port (default 8080). To disable HTTP, follow the steps below:

  1. Edit the server.xml file present in <EventLog Analyzer Home>/server/default/deploy/jbossweb-tomcat50.sar directory.

  2. Comment out the HTTP connection parameters, by placing the <!-- tag before, and the --> tag after the following lines:

<Connector port="8080" address="${jboss.bind.address}"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true"/>

 

 

Enable HTTPS (SSL)

 

 

<!--
<Connector port="8443" address="${jboss.bind.address}"
maxThreads="100" minSpareThreads="5" maxSpareThreads="15"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
keystorePass="rmi+ssl" sslProtocol = "TLS" />
-->

 

Note: When creating the keystore file, you can choose any password, but ensure that the same password is configured in the server.xml file. The example configuration uses the password 'rmi+ssl'.

 

Verify SSL Setup

  1. Restart the EventLog Analyzer server.

  2. Verify that the following message appears in the command window after the EventLog Analyzer application is started:

Server started.
Please connect your client at https://localdevice:8500

  3. Connect to the server from a web browser by typing https://<devicename>:8500 where <devicename> is the machine where the server is running.

 

Configure HTTPS Configuration Parameters for 64 bit/128 bit encryption

If you want to configure the HTTPS connection parameters for 64 bit/128 bit encryption, edit the server.xml file present in <EventLog Analyzer Home>/server/default/deploy/jbossweb-tomcat50.sar directory. Add the following parameter at the end of the SSL/TLS Connector tag:
 
SSLCipherSuite="SSL_RSA_WITH_3DES_EDE_CBC_SHA"

 

<!-- SSL/TLS Connector configuration using the admin devl guide keystore -->
<Connector port="8443" address="${jboss.bind.address}"
maxThreads="100" minSpareThreads="5" maxSpareThreads="15"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
keystorePass="rmi+ssl" sslProtocol = "TLS"
SSLCipherSuite="SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>

 
