Click here to expand

    Working with HTTPS

    Configuring Secure Communication - HTTPS

    The HTTPS protocol provides several features that enable secure transmission of web traffic. These features include data encryption, server authentication, and message integrity. You can enable secure communication between the web clients and the EventLog Analyzer server using HTTPS.

    The steps given below describe the procedure to manually setup HTTPS. To configure HTTPS using the HTTPS configuration tool, refer to the connection settings page.

    Note: The steps provided describe how to enable HTTPS functionality and generate certificates only. Depending on your network configuration and security needs, you may need to consult outside documentation. For advanced configuration concerns, please refer to the HTTPS resources at https://www.apache.org

    Procedure to manually setup HTTPS

    Use the existing keystore file to configure HTTPS

    • Stop the EventLog Analyzer server/service, if it is running.
    • If you have a keystore file to configure HTTPS, place the file under <EventLog Analyzer Home>/server/conf directory and rename it as "chap8.keystore"
    • Enabling and disabling HTTPS
    • Verify HTTPS Setup

    Use the existing HTTPS certificate

    • You can export the Wild Card certificate to a .pfx file and then follow the instructions given below to configure the same in EventLog Analyzer.
    • Firstly, it is considered best practice to take a backup of the existing server.xml file. This can be restored if any error or misconfiguration takes place when editing the file.
    • Stop ManageEngine EventLog Analyzer service.
    • Copy the .pfx file to the location <EventLog Analyzer Home>/conf
    • Go to the location <EventLog Analyzer Home>/conf and open the file server.xml in a text editor, and locate the entries in the file as below:

    <Connector HTTPSEnabled="true" URIEncoding="UTF-8" acceptCount="100" address="0.0.0.0" clientAuth="false" compressableMimeType="text/html,text/xml" compression="force" compressionMinSize="1024" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" keystoreFile="./conf/chap8.keystore keystorePass="eventlog" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" noCompressionUserAgents="gozilla, traviata" port="8400" protocol="HTTP/1.1" scheme="https" secure="true" HTTPSProtocol="TLS"/>

    • Replace the value of keystoreFile 'chap8.keystore' with your .pfx file name.
    • Ensure that the field keystoreType is specified as pkcs12"and also replace the keystorePass value 'eventlog' with your.pfx file password.
    • The entries should be as given below:

    <Connector HTTPSEnabled="true" URIEncoding="UTF-8" acceptCount="100" address="0.0.0.0" clientAuth="false" compressableMimeType="text/html,text/xml" compression="force" compressionMinSize="1024" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false"keystoreFile="./conf/<your pfx file name>.pfx" keystoreType="pkcs12" keystorePass="your pfx file password here" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" noCompressionUserAgents="gozilla, traviata" port="8400" protocol="HTTP/1.1" scheme="https" secure="true" HTTPSProtocol="TLS"/>

    • Restart the EventLog Analyzer service.

    How to create a new keystore, generate a certificate signing request (CSR), and install HTTPS certificate for EventLog Analyzer

    Follow the instructions given below for HTTPS Installation:

    1. Create a new keystore
    2. Generate a CSR from the new keystore
    3. How to install the HTTPS Certificate

    Step 1: Create a new keystore

    If you do not have a keystore file, follow the steps to create a new one.

    1. In the command prompt go to <EventLog Analyzer Home>/jre/bin directory and execute the following command
    Copy to Clipboard

    "<EventLog Analyzer Home>/jre/bin/keytool" -genkey -alias <our_alias_name>
    or [Domain Name] -keyalg RSA -keystore chap8.keystore

    Example: "<EventLog Analyzer Home>/jre/bin/keytool" -genkey -alias tomcat -keyalg RSA -keystore chap8.keystore

    For example, if the installation folder is C:/ManageEngine/EventLog then the above command should be

    Copy to Clipboard

    C:/ManageEngine/EventLog/jre/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore chap8.keystore

    Note: The absolute path of keytool should be in double quotes
    1. When you execute the above command, it will ask for keystore password. Enter the password. In our case, 'eventlog'.
    2. Enter the answers for the six questions,
      1. first and last name

      2. organizational unit

      3. organization

      4. city

      5. state

      6. country code
    1. For confirmation, type 'y' and press 'Enter' key
    2. Press 'Enter' key again for password for Tomcat. Keystore file named 'chap8.keystore' will be created in the <EventLog Analyzer Home>/server/conf location

    Step 2: Generate a CSR from the new keystore

    1. If you want to create the Certificate Signing Request (CSR) from your Keystore using the keytool, in the command prompt go to <EventLog Analyzer Home>/jre/bin and execute the following command

    Copy to Clipboard

    keytool -certreq -alias <your_alias_name> or [Domain Name] -file csr.txt -keystore chap8.keystore

    (For example: keytool -certreq -alias tomcat -file csr.txt -keystore chap8.keystore)

    1. Type the keystore password that you assigned earlier and press the 'Enter' key.
    2. Your CSR file named csr.txt is now created in your current directory. Open the CSR with a text editor, and copy and paste the text (including the BEGIN and END tags) into the Certifying Authority (CA) web order form. Be careful in saving the keystore file (chap8.keystore) as your certificates will be installed to it later.

    Step 3: How to install the HTTPS Certificate

    1. Download your Certificate files from the email from CA to the directory where your keystore (chap8.keystore) was saved during the CSR creation process. The certificate must be installed to this exact keystore. If you try to install it to a different keystore, it will not work. The certificates you downloaded must be installed to your keystore in the correct order for your certificate to be trusted. If the certificates are not installed in the correct order, then the certificate will not authenticate properly.
    2. Install the Root Certificate file:
    • Each time you install a certificate to your keystore, you will be prompted for the keystore password, which you assigned while generating your CSR.
    • In the command prompt go to <EventLog Analyzer Home>/jre/bin and execute the following command to install the Root certificate file:
    Copy to Clipboard

    keytool -import -trustcacerts -alias root -file TrustedRoot.crt -keystore chap8.keystore

    Note: Choose 'Yes' if you get prompted with a message that says "Certificate already exists in system-wide CA keystore under alias <entrustHTTPSca> Do you still want to add it to your own keystore? [no]:" You will get a confirmation stating that the "Certificate was added to keystore".
    1. Install the intermediate certificates if any. (Follow the instructions provided by the CA)

    2. Install the Primary Certificate file:

    • In the command prompt go to <EventLog Analyzer Home>/jre/bin and execute the following command to install the Primary certificate file:

    Copy to Clipboard

    keytool -import -trustcacerts -alias tomcat -file <your_domain_name>.crt -keystore chap8.keystore

    This time you will get a different confirmation stating that the 'Certificate reply was installed in keystore'. If it asks if you want to trust the certificate, choose 'y' or 'yes'.

    • Your certificates are now installed to your keystore file (keystore.key) and you just need to configure your server to use the keystore file.
    1. If the certificate is from the internal domain, add the internal CA's root certificate to the list of trusted CAs in the Java cacerts file by executing the following command:
    Copy to Clipboard

    keytool -import -alias <internal CA_name> -keystore ..\lib\security\cacerts -file certnew.cer

    Note: Open the .cer file to get the name of your internal CA and provide 'changeit' as the keystore password when prompted.

    Enabling and disabling HTTPS

    1. Log in to the EventLog Analyzer web console as an administrator.
    2. Navigate to Settings > System Settings > Connection Settings > General settings.
    3. Use the checkbox next to Enable SSL [HTTPS] to enable or disable HTTPS.

    Verify HTTPS Setup

    1. Restart the EventLog Analyzer server.

    2. Verify that the following message appears in the command window after the EventLog Analyzer application is started:

    Copy to Clipboard

    Server started.

    Please connect your client at https://localdevice:8400

    1. Connect to the server from a web browser by typing https://<devicename>:8400 where <devicename> is the machine where the server is running.

    Configure HTTPS Parameters for 64 bit/128 bit encryption

    If you want to configure the HTTPS connection parameters for 64 bit/128 bit encryption, edit the server.xml file present in <EventLog Analyzer Home>/conf directory. Add the following parameter at the end of the HTTPS/TLS Connector tag:

    HTTPSCipherSuite="HTTPS_RSA_WITH_3DES_EDE_CBC_SHA"

    <!-- HTTPS/TLS Connector configuration using the admin devl guide keystore -->
    <Connector port="8400" HTTPSEnabled="true" acceptCount="100" address="0.0.0.0" clientAuth="false" compressableMimeType="text/html,text/xml" compression="force" compressionMinSize="1024" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" keystoreFile="./conf/chap8.keystore" keystorePass="eventlog" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" noCompressionUserAgents="gozilla, traviata" protocol="HTTP/1.1" scheme="https" secure="true" HTTPSProtocol="TLS" URIEncoding="UTF-8" HTTPSCipherSuite="HTTPS_RSA_WITH_3DES_EDE_CBC_SHA"/>

    Get download link