Working with SSL
How to find build number?
In the EventLog Analyzer web client, click the Help > About link in the top pane. The build number is shown below the build version; this is the build number of the currently installed EventLog Analyzer.
Configuring Secure Communication - SSL
The SSL protocol provides several features that enable secure transmission of Web traffic. These features include data encryption, server authentication, and message integrity.
You can enable secure communication from web clients to the EventLog Analyzer server using SSL.
Note: The steps provided describe how to enable SSL functionality and generate certificates only. Depending on your network configuration and security needs, you may need to consult outside documentation. For advanced configuration concerns, please refer to the SSL resources at
http://www.apache.org
Procedure for EventLog Analyzer version 8.0 (Build 8010) onwards
Use the existing keystore file to configure SSL
- Stop the EventLog Analyzer server/service, if it is running.
- If you have a keystore file to configure HTTPS, place the file under <EventLog Analyzer Home>/server/conf directory and rename it as "chap8.keystore"
- Disable HTTP
- Enable HTTPS (SSL)
- Verify SSL Setup
Use the existing SSL certificate
- Export the wildcard certificate to a .pfx file and then follow the instructions given below to configure it in EventLog Analyzer.
- Stop ManageEngine EventLog Analyzer service
- Copy the .pfx file to the location <EventLog Analyzer Home>/conf
- Go to the location <EventLog Analyzer Home>/conf, open the file server.xml in WordPad, and locate the following entry in the file:
<Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="100" address="0.0.0.0" clientAuth="false" compressableMimeType="text/html,text/xml" compression="force" compressionMinSize="1024" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" keystoreFile="./conf/chap8.keystore" keystorePass="eventlog" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" noCompressionUserAgents="gozilla, traviata" port="8400" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS"/>
- Replace the keystoreFile value 'chap8.keystore' with the name of your .pfx file.
- Add the attribute keystoreType="pkcs12" (the entry above does not carry it) and replace the keystorePass value 'eventlog' with the password of your .pfx file.
- The entries should be as given below:
<Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="100" address="0.0.0.0" clientAuth="false" compressableMimeType="text/html,text/xml" compression="force" compressionMinSize="1024" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" keystoreFile="./conf/<your pfx file name>.pfx" keystoreType="pkcs12" keystorePass="your pfx file password here" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" noCompressionUserAgents="gozilla, traviata" port="8400" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS"/>
- Restart EventLog Analyzer service.
How to create a new keystore, generate a certificate signing request (CSR), and install SSL certificate for EventLog Analyzer
Follow the instructions given below for SSL installation:
- Create a new keystore
- Generate a CSR from the new keystore
- Install the SSL certificate
Step 1: Create a new keystore
If you do not have a keystore file, follow the steps below to create a new one.
- In the command prompt go to the <EventLog Analyzer Home>/jre/bin directory and execute the following command:
"<EventLog Analyzer Home>/jre/bin/keytool" -genkey -alias <your_alias_name> -keyalg RSA -keystore chap8.keystore
The alias can be any name you choose, such as your domain name.
Example: "<EventLog Analyzer Home>/jre/bin/keytool" -genkey -alias tomcat -keyalg RSA -keystore chap8.keystore
For example, if the installation folder is C:/ManageEngine/EventLog, the above command becomes "C:/ManageEngine/EventLog/jre/bin/keytool" -genkey -alias tomcat -keyalg RSA -keystore chap8.keystore
Note: The absolute path of keytool should be in double quotes.
- When you execute the above command, it prompts for a keystore password; enter one (in this example, 'eventlog').
- Enter the answers to the six questions:
  - first and last name
  - organizational unit
  - organization
  - city
  - state
  - country code
- To confirm, type 'y' and press the 'Enter' key.
- Press the 'Enter' key again when prompted for the key password for Tomcat (this keeps it the same as the keystore password). The keystore file named 'chap8.keystore' is created in the <EventLog Analyzer Home>/server/conf location.
Step 2: Generate a CSR from the new keystore
- To create the Certificate Signing Request (CSR) from your keystore using keytool, in the command prompt go to <EventLog Analyzer Home>/jre/bin and execute the following command:
keytool -certreq -alias <your_alias_name> -file csr.txt -keystore chap8.keystore
Use the same alias (for example, your domain name) that you chose when creating the keystore. For example: keytool -certreq -alias tomcat -file csr.txt -keystore chap8.keystore
- Type the keystore password that you assigned earlier and press the 'Enter' key.
- Your CSR file named csr.txt is now created in your current directory. Open the CSR with a text editor and copy and paste the text (including the BEGIN and END tags) into the Certifying Authority (CA) web order form. Be careful to keep the keystore file (chap8.keystore), as your certificates will be installed into it later.
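The paste step above is where CSR submissions usually go wrong: keytool writes the request between "-----BEGIN NEW CERTIFICATE REQUEST-----" and the matching END line, some CA forms only accept the plain "CERTIFICATE REQUEST" header, and a file saved on Windows may carry a BOM and CRLF line endings. The following Python helper is an added example and not part of the EventLog Analyzer documentation; it reads csr.txt, accepts either header form, verifies that the body is valid base64 wrapping a DER SEQUENCE (the outer structure of a PKCS#10 request), and returns exactly the text to paste. The SAMPLE_DER bytes are a constructed stand-in for a request, not a real CSR.

```python
"""Prepare the keytool CSR (csr.txt) for pasting into a CA's web order form."""
import base64
import binascii
import re

# Accept both the keytool header ("NEW CERTIFICATE REQUEST") and the plain one.
_PEM_RE = re.compile(
    r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]+?)\s*"
    r"-----END (?:NEW )?CERTIFICATE REQUEST-----"
)


def decode_csr(pem_text):
    """Return the DER bytes of the request, or raise ValueError with a reason."""
    # Tolerate a UTF-8 BOM (from some Windows editors) and CRLF line endings.
    text = pem_text.lstrip("\ufeff").replace("\r\n", "\n")
    m = _PEM_RE.search(text)
    if not m:
        raise ValueError("no CERTIFICATE REQUEST block found; include the BEGIN and END lines")
    body = "".join(m.group("body").split())
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"CSR body is not valid base64: {exc}") from exc
    # A PKCS#10 request is a DER SEQUENCE, whose first byte is 0x30.
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE; the file is probably truncated")
    return der


def normalize_csr(pem_text):
    """Return the CSR as clean PEM: plain header, 64-character lines, LF endings."""
    body = base64.b64encode(decode_csr(pem_text)).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return ("-----BEGIN CERTIFICATE REQUEST-----\n"
            + "\n".join(lines)
            + "\n-----END CERTIFICATE REQUEST-----\n")


def is_valid_csr(pem_text):
    """True if the text contains a syntactically sound request block."""
    try:
        decode_csr(pem_text)
        return True
    except ValueError:
        return False


# Constructed stand-in: a minimal DER SEQUENCE (two INTEGERs), not a real PKCS#10 request.
SAMPLE_DER = b"\x30\x06\x02\x01\x00\x02\x01\x2a"
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode("ascii")
SAMPLE_CSR = ("\ufeff-----BEGIN NEW CERTIFICATE REQUEST-----\r\n"
              + SAMPLE_B64 + "\r\n-----END NEW CERTIFICATE REQUEST-----\r\n")

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8-sig").read() if path else SAMPLE_CSR
    print(normalize_csr(text), end="")
```

Run it as `python normalize_csr.py csr.txt` and paste its output; with no argument it normalizes the constructed sample. The check stops at the DER SEQUENCE tag on purpose: it catches truncated or mangled pastes without pulling in an ASN.1 library, and the CA's own parser does the full validation.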
Step 3: How to install the SSL Certificate
- Download your certificate files from the CA's email to the directory where your keystore (chap8.keystore) was saved during the CSR creation process. The certificate must be installed into this exact keystore; installing it into a different keystore will not work. The certificates you downloaded must be installed into your keystore in the correct order for your certificate to be trusted; if they are not, the certificate will not authenticate properly.
- Install the root certificate file:
keytool -import -trustcacerts -alias root -file TrustedRoot.crt -keystore chap8.keystore
Note: Choose 'Yes' if you are prompted with a message that says "Certificate already exists in system-wide CA keystore under alias <entrustsslca> Do you still want to add it to your own keystore? [no]:". You will get a confirmation stating that the "Certificate was added to keystore".
- Install the intermediate certificates, if any (follow the instructions provided by the CA).
- Install the primary certificate file:
keytool -import -trustcacerts -alias tomcat -file <your_domain_name>.crt -keystore chap8.keystore
This time you will get a different confirmation stating that the 'Certificate reply was installed in keystore'. If it asks whether you want to trust the certificate, choose 'y' or 'yes'.
- Your certificates are now installed into your keystore file (chap8.keystore); you just need to configure your server to use the keystore file.
Disable HTTP
When you have enabled SSL, HTTP will continue to be enabled on the web server port (default 8400). To disable HTTP follow the steps below:
- Edit the server.xml file present in the <EventLog Analyzer Home>/conf directory.
- Comment out the HTTP connection parameters by placing the <!-- tag before, and the --> tag after, the following line:
<Connector port="8400" SSLEnabled="false" acceptCount="100" address="0.0.0.0" clientAuth="false" compressableMimeType="text/html,text/xml" compression="force" compressionMinSize="1024" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" noCompressionUserAgents="gozilla, traviata" protocol="HTTP/1.1" scheme="http" secure="false" URIEncoding="UTF-8"/>
Enable HTTPS (SSL)
- In the same file, enable the HTTPS connection parameters by removing the <!-- tag before, and the --> tag after, the following line:
<!-- <Connector port="8400" SSLEnabled="true" acceptCount="100" address="0.0.0.0" clientAuth="false" compressableMimeType="text/html,text/xml" compression="force" compressionMinSize="1024" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" keystoreFile="./conf/chap8.keystore" keystorePass="eventlog" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" noCompressionUserAgents="gozilla, traviata" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS" URIEncoding="UTF-8"/> -->
Note: While creating the keystore file, you can enter any password you require, but ensure that the same password is configured in the server.xml file. The example password configured is 'eventlog'.
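The server.xml edits in the "Use the existing SSL certificate", "Disable HTTP" and "Enable HTTPS (SSL)" sections are easy to get subtly wrong (an HTTP connector left uncommented, a .pfx keystore without keystoreType="pkcs12", the example keystorePass left in place). The following Python audit is an added example, not ManageEngine's code. It parses server.xml and reports connectors that contradict the procedure; it recognises both the connector style of Build 8010 onwards (SSLEnabled="true") and the older JBoss-Web style (secure="true" without SSLEnabled). The GOOD_XML, LEGACY_XML and BAD_XML strings are constructed samples, not files from an installation, and the example passwords it flags ('eventlog', 'rmi+ssl') are the ones this page uses.

```python
"""Audit an EventLog Analyzer server.xml for the HTTPS-only connector setup."""
import xml.etree.ElementTree as ET

EXAMPLE_PASSWORDS = {"eventlog", "rmi+ssl"}   # sample values from the documentation


def audit_server_xml(xml_text):
    """Return a list of findings; an empty list means the connector setup looks right.

    ElementTree discards XML comments while parsing, so a connector wrapped in
    <!-- ... --> does not appear at all, which is exactly how Tomcat treats it.
    """
    findings = []
    seen_ports = set()
    https_seen = False
    for c in ET.fromstring(xml_text).iter("Connector"):
        port = c.get("port", "?")
        if port in seen_ports:
            findings.append(f"port {port}: more than one active connector uses this port")
        seen_ports.add(port)
        # Tomcat 5.0 (JBoss-Web) connectors mark HTTPS with secure="true" only;
        # newer ones add SSLEnabled="true". Accept either as the HTTPS connector.
        is_https = (c.get("SSLEnabled", "").lower() == "true"
                    or c.get("secure", "").lower() == "true")
        if not is_https:
            findings.append(f"port {port}: plain HTTP connector is still active; comment it out")
            continue
        https_seen = True
        if c.get("scheme") != "https" or c.get("secure", "").lower() != "true":
            findings.append(f'port {port}: HTTPS connector must set scheme="https" secure="true"')
        ks = c.get("keystoreFile", "")
        if not ks:
            findings.append(f"port {port}: keystoreFile attribute is missing")
        elif ks.lower().endswith(".pfx") and c.get("keystoreType", "").lower() != "pkcs12":
            findings.append(f'port {port}: {ks} is a PKCS#12 file; add keystoreType="pkcs12"')
        if c.get("keystorePass", "") in EXAMPLE_PASSWORDS:
            findings.append(f"port {port}: keystorePass is a documented example password; choose your own")
    if not https_seen:
        findings.append("no HTTPS connector is active; uncomment the SSL/TLS connector")
    return findings


def audit_file(path):
    """Audit a server.xml on disk (e.g. <EventLog Analyzer Home>/conf/server.xml)."""
    with open(path, encoding="utf-8") as fh:
        return audit_server_xml(fh.read())


# Constructed sample configurations (not real files from an installation).
GOOD_XML = """<Server><Service name="web">
  <!-- <Connector port="8400" SSLEnabled="false" scheme="http" secure="false" protocol="HTTP/1.1"/> -->
  <Connector port="8400" SSLEnabled="true" scheme="https" secure="true" protocol="HTTP/1.1"
             keystoreFile="./conf/mycert.pfx" keystoreType="pkcs12"
             keystorePass="REPLACE-WITH-PFX-PASSWORD" sslProtocol="TLS"/>
</Service></Server>"""

LEGACY_XML = """<Server><Service name="jboss.web">
  <Connector port="8443" scheme="https" secure="true" clientAuth="false"
             keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
             keystorePass="REPLACE-WITH-KEYSTORE-PASSWORD" sslProtocol="TLS"/>
</Service></Server>"""

BAD_XML = """<Server><Service name="web">
  <Connector port="8400" SSLEnabled="false" scheme="http" secure="false" protocol="HTTP/1.1"/>
  <Connector port="8400" SSLEnabled="true" scheme="https" secure="true" protocol="HTTP/1.1"
             keystoreFile="./conf/mycert.pfx" keystorePass="eventlog" sslProtocol="TLS"/>
</Service></Server>"""

if __name__ == "__main__":
    import sys
    problems = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit_server_xml(BAD_XML)
    print("\n".join(problems) or "no findings")
```

Run `python audit_server_xml.py "<EventLog Analyzer Home>/conf/server.xml"` after editing and before restarting the service; an empty result means the HTTP connector is really gone and the HTTPS connector carries the attributes the procedure asks for.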
Verify SSL Setup
- Restart the EventLog Analyzer server.
- Verify that the following message appears in the command window after the EventLog Analyzer application is started:
Server started. Please connect your client at https://localhost:8400
- Connect to the server from a web browser by typing https://<hostname>:8400, where <hostname> is the machine where the server is running.
Configure HTTPS Parameters for 64 bit/128 bit encryption
If you want to configure the HTTPS connection parameters for 64 bit/128 bit encryption, edit the server.xml file present in <EventLog Analyzer Home>/conf directory, add the following parameter at the end of the SSL/TLS Connector tag:
SSLCipherSuite="SSL_RSA_WITH_3DES_EDE_CBC_SHA"
<!-- SSL/TLS Connector configuration using the admin devl guide keystore -->
<Connector port="8400" SSLEnabled="true" acceptCount="100" address="0.0.0.0" clientAuth="false" compressableMimeType="text/html,text/xml" compression="force" compressionMinSize="1024" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" keystoreFile="./conf/chap8.keystore" keystorePass="eventlog" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" noCompressionUserAgents="gozilla, traviata" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS" URIEncoding="UTF-8" SSLCipherSuite="SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>
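The browser check in "Verify SSL Setup" and the SSLCipherSuite setting above can both be confirmed scriptably. The following Python probe is an added example, not part of the EventLog Analyzer documentation. It performs a TLS handshake against the host and port (with certificate chain and hostname validation, as a browser does) and reports the certificate subject, expiry and the cipher suite that was actually negotiated, which is how you confirm that an SSLCipherSuite setting took effect; it then sends a cleartext HTTP request to the same port, because a correctly disabled HTTP connector must not answer with an HTTP status line. 'localhost' and 8400 are the defaults from this page; the optional cafile parameter lets you trust a private CA. start_cleartext_listener is a local stand-in for a server whose HTTP connector was left enabled, so the detection can be tried offline. One caveat a practitioner will want: 3DES suites such as SSL_RSA_WITH_3DES_EDE_CBC_SHA are rated weak under current guidance and many current clients no longer offer them, so check the negotiated cipher after enabling that setting.

```python
"""Check that an EventLog Analyzer host answers HTTPS, and only HTTPS, on its web port."""
import socket
import ssl
import threading


def probe_https(host="localhost", port=8400, timeout=3.0, cafile=None):
    """Return a dict: tls_ok/tls_error/cipher/subject/not_after and plain_http.

    cafile lets you trust a private CA; otherwise the system trust store is used,
    and ssl.create_default_context() also checks that the certificate matches host.
    """
    result = {"tls_ok": False, "tls_error": None, "cipher": None,
              "subject": None, "not_after": None, "plain_http": False}
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                result["tls_ok"] = True
                result["cipher"] = tls.cipher()[0]
                result["subject"] = dict(rdn[0] for rdn in cert.get("subject", ()))
                result["not_after"] = cert.get("notAfter")
    except OSError as exc:            # ssl.SSLError is a subclass of OSError
        result["tls_error"] = str(exc)

    # Cleartext probe: with the HTTP connector commented out, the port either
    # refuses the connection or answers a TLS alert, never an HTTP status line.
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            result["plain_http"] = raw.recv(64).startswith(b"HTTP/")
    except OSError:
        pass
    return result


def summarize(result):
    """One-line verdict an operator can act on."""
    if result["tls_ok"] and not result["plain_http"]:
        cn = (result["subject"] or {}).get("commonName", "?")
        return (f"OK: HTTPS only, cipher {result['cipher']}, "
                f"certificate for {cn}, expires {result['not_after']}")
    problems = []
    if not result["tls_ok"]:
        problems.append(f"TLS handshake failed ({result['tls_error']})")
    if result["plain_http"]:
        problems.append("plain HTTP still answers; comment out the HTTP connector")
    return "PROBLEM: " + "; ".join(problems)


def start_cleartext_listener(reply=b"HTTP/1.0 400 Bad Request\r\n\r\n", connections=2):
    """Throwaway local listener that answers every connection with a fixed
    cleartext HTTP reply. It stands in for a server whose HTTP connector was
    left enabled, so the probe can be exercised offline. Returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(connections)
    port = srv.getsockname()[1]

    def serve():
        for _ in range(connections):
            conn, _addr = srv.accept()
            with conn:
                conn.settimeout(2.0)
                try:
                    conn.recv(4096)   # swallow the ClientHello or the HEAD request
                except OSError:
                    pass
                conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 8400
        print(summarize(probe_https(sys.argv[1], port)))
    else:  # demo against the local stand-in: expect a PROBLEM verdict
        print(summarize(probe_https("127.0.0.1", start_cleartext_listener())))
```

Run `python probe_https.py <hostname> 8400` after the restart (or 8500 for the older builds). A self-signed keystore created with keytool -genkey will fail the handshake with a verification error, which is correct: the browser would show the same warning, and the fix is the CA-issued certificate from Step 3, or cafile pointing at your own CA for an internal deployment.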
Procedure for EventLog Analyzer version 8.0 (Build 8000) or earlier
Use the existing keystore file to configure SSL
- Stop the EventLog Analyzer server/service, if it is running.
- If you have a keystore file to configure HTTPS, place the file under the <EventLog Analyzer Home>/server/default/conf directory and rename it as "chap8.keystore".
- Disable HTTP
- Enable HTTPS (SSL)
- Verify SSL Setup
Use the existing SSL certificate
- Export the wildcard certificate to a .pfx file and then follow the instructions given below to configure it in EventLog Analyzer.
- Stop ManageEngine EventLog Analyzer service
- Copy the .pfx file to the location <EventLog Analyzer Home>/server/default/conf
- Go to the location <EventLog Analyzer Home>/server/default/deploy/jbossweb-tomcat50.sar, open the file server.xml in WordPad, and locate the following entry in the file:
<Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="100" address="0.0.0.0" clientAuth="false" compressableMimeType="text/html,text/xml" compression="force" compressionMinSize="1024" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" keystoreFile="./conf/chap8.keystore" keystorePass="rmi+ssl" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" noCompressionUserAgents="gozilla, traviata" port="8400" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS"/>
- Replace the file name 'chap8.keystore' with the .pfx file name (<pfx file name>.pfx). Ensure that the keystoreType attribute is present with the value "pkcs12". Replace the keystorePass value 'rmi+ssl' with the password for the .pfx file.
- The entries should be as given below:
<Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="100" address="0.0.0.0" clientAuth="false" compressableMimeType="text/html,text/xml" compression="force" compressionMinSize="1024" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" keystoreFile="./conf/<your pfx file name>.pfx" keystoreType="pkcs12" keystorePass="your pfx file password here" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" noCompressionUserAgents="gozilla, traviata" port="8400" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS"/>
- Restart EventLog Analyzer service.
How to create a new keystore, generate a certificate signing request (CSR), and install SSL certificate for EventLog Analyzer
Follow the instructions given below for SSL installation:
- Create a new keystore
- Generate a CSR from the new keystore
- Install the SSL certificate
Step 1: Create a new keystore
If you do not have a keystore file, follow the steps below to create a new one.
- In the command prompt go to <EventLog Analyzer Home>/server/default/conf and execute the following command:
"<EventLog Analyzer Home>/server/default/conf/keytool" -genkey -alias <your_alias_name> -keyalg RSA -keystore chap8.keystore
The alias can be any name you choose, such as your domain name.
Example: "<EventLog Analyzer Home>/server/default/conf/keytool" -genkey -alias tomcat -keyalg RSA -keystore chap8.keystore
For example, if the installation folder is C:/ManageEngine/EventLog, the above command becomes "C:/ManageEngine/EventLog/server/default/conf/keytool" -genkey -alias tomcat -keyalg RSA -keystore chap8.keystore
Note: The absolute path of keytool should be in double quotes.
- When you execute the above command, it prompts for a keystore password; enter one (in this example, 'eventlog').
- Enter the answers to the six questions:
  - first and last name
  - organizational unit
  - organization
  - city
  - state
  - country code
- To confirm, type 'y' and press the 'Enter' key.
- Press the 'Enter' key again when prompted for the key password for Tomcat (this keeps it the same as the keystore password). The keystore file named 'chap8.keystore' is created in the location <EventLog Analyzer Home>/server/default/conf.
Step 2: Generate a CSR from the new keystore
- To create the Certificate Signing Request (CSR) from your keystore using keytool, in the command prompt go to <EventLog Analyzer Home>/server/default/conf and execute the following command:
keytool -certreq -alias <your_alias_name> -file csr.txt -keystore chap8.keystore
Use the same alias (for example, your domain name) that you chose when creating the keystore. For example: keytool -certreq -alias tomcat -file csr.txt -keystore chap8.keystore
- Type the keystore password that you assigned earlier and press the 'Enter' key.
- Your CSR file named csr.txt is now created in your current directory. Open the CSR with a text editor and copy and paste the text (including the BEGIN and END tags) into the Certifying Authority (CA) web order form. Be careful to keep the keystore file (chap8.keystore), as your certificates will be installed into it later.
Step 3: How to install the SSL Certificate
- Download your certificate files from the CA's email to the directory where your keystore (chap8.keystore) was saved during the CSR creation process. The certificate must be installed into this exact keystore; installing it into a different keystore will not work. The certificates you downloaded must be installed into your keystore in the correct order for your certificate to be trusted; if they are not, the certificate will not authenticate properly.
- Install the root certificate file:
keytool -import -trustcacerts -alias root -file TrustedRoot.crt -keystore chap8.keystore
Note: Choose 'Yes' if you are prompted with a message that says "Certificate already exists in system-wide CA keystore under alias <entrustsslca> Do you still want to add it to your own keystore? [no]:". You will get a confirmation stating that the "Certificate was added to keystore".
- Install the intermediate certificates, if any (follow the instructions provided by the CA).
- Install the primary certificate file:
keytool -import -trustcacerts -alias tomcat -file <your_domain_name>.crt -keystore chap8.keystore
This time you will get a different confirmation stating that the 'Certificate reply was installed in keystore'. If it asks whether you want to trust the certificate, choose 'y' or 'yes'.
- Your certificates are now installed into your keystore file (chap8.keystore); you just need to configure your server to use the keystore file.
Disable HTTP
When you have enabled SSL, HTTP will continue to be enabled on the web server port (default 8080). To disable HTTP follow the steps below:
- Edit the server.xml file present in the <EventLog Analyzer Home>/server/default/deploy/jbossweb-tomcat50.sar directory.
- Comment out the HTTP connection parameters by placing the <!-- tag before, and the --> tag after, the following line:
<Connector port="8080" address="${jboss.bind.address}" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" redirectPort="8443" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true"/>
Enable HTTPS (SSL)
- In the same file, enable the HTTPS connection parameters by removing the <!-- tag before, and the --> tag after, the following line:
<!-- <Connector port="8443" address="${jboss.bind.address}" maxThreads="100" minSpareThreads="5" maxSpareThreads="15" scheme="https" secure="true" clientAuth="false" keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore" keystorePass="rmi+ssl" sslProtocol = "TLS" /> -->
Note: While creating the keystore file, you can enter any password you require, but ensure that the same password is configured in the server.xml file. The example password configured is 'rmi+ssl'.
Verify SSL Setup
- Restart the EventLog Analyzer server.
- Verify that the following message appears in the command window after the EventLog Analyzer application is started:
Server started. Please connect your client at https://localhost:8500
- Connect to the server from a web browser by typing https://<hostname>:8500, where <hostname> is the machine where the server is running.
Configure HTTPS Configuration Parameters for 64 bit/128 bit encryption
If you want to configure the HTTPS connection parameters for 64 bit/128 bit encryption, edit the server.xml file present in <EventLog Analyzer Home>/server/default/deploy/jbossweb-tomcat50.sar directory, add the following parameter at the end of the SSL/TLS Connector tag:
SSLCipherSuite="SSL_RSA_WITH_3DES_EDE_CBC_SHA"
<!-- SSL/TLS Connector configuration using the admin devl guide keystore -->
<Connector port="8443" address="${jboss.bind.address}" maxThreads="100" minSpareThreads="5" maxSpareThreads="15" scheme="https" secure="true" clientAuth="false" keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore" keystorePass="rmi+ssl" sslProtocol = "TLS" SSLCipherSuite="SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>