This procedure is applicable for Firewall Analyzer version 7.4 (Build 7400) or earlier.
How to find the build number?
In the Firewall Analyzer web client, click the About link in the top pane. You will find the build number mentioned below the build version. This is the build number of the currently installed Firewall Analyzer.
The SSL protocol provides several features that enable secure transmission of Web traffic. These features include data encryption, server authentication, and message integrity.
You can enable secure communication from web clients to the Firewall Analyzer server using SSL.
The steps provided describe how to enable SSL functionality and generate certificates only. Depending on your network configuration and security needs, you may need to consult outside documentation. For advanced configuration concerns, please refer to the SSL resources at http://www.apache.org and http://www.modssl.org
Stop the server, if it is running.
Follow the instructions given below for SSL Installation:
If you have a keystore file for using HTTPS, place the file under the <Firewall Analyzer Home>\server\default\conf directory and rename it to "chap8.keystore".
When you have enabled SSL, HTTP will continue to be enabled on the web server port (default 8080). To disable HTTP, follow the steps below:
<Connector port="8080" address="${jboss.bind.address}"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true"/>
<!-- <Connector port="8443" address="${jboss.bind.address}" -->
While creating the keystore file, you can enter any password you require, but ensure that the same password is configured in the server.xml file. The example password configured is 'rmi+ssl'.
Server started. Please connect your client at https://localhost:8500
If you want to configure the HTTPS connection parameters for 64 bit/128 bit encryption, add the following parameter at the end of the SSL/TLS Connector tag:
SSLCipherSuite="SSL_RSA_WITH_3DES_EDE_CBC_SHA"
<!-- SSL/TLS Connector configuration using the admin devl guide keystore -->
<Connector port="8443" address="${jboss.bind.address}"
maxThreads="100" minSpareThreads="5" maxSpareThreads="15"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
keystorePass="rmi+ssl" sslProtocol="TLS" SSLCipherSuite="SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>
<!-- SSL/TLS Connector configuration using the admin devl guide keystore -->
<Connector port="8443" address="${jboss.bind.address}"
maxThreads="100" minSpareThreads="5" maxSpareThreads="15"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/<pfx file name>.pfx" keystoreType="pkcs12"
keystorePass="<password for the .pfx file>" sslProtocol="TLS" SSLCipherSuite="SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>
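A check that can be run over server.xml once the connector changes above are made, added here as an example and not part of the product or its documentation. It flags a plain HTTP connector left enabled, a keystorePass still set to this guide's example value, and the 3DES suite (a 64-bit block cipher), and it reports a file that no longer parses. The function name and the sample server.xml are constructed for illustration.

```python
import xml.etree.ElementTree as ET

GUIDE_PASSWORDS = {"rmi+ssl"}  # example password printed in this guide
WEAK_MARKERS = ("3DES", "_DES_", "RC4", "NULL", "EXPORT", "anon")

# Constructed sample: the two connectors from this page inside a minimal server.xml.
SAMPLE = """<Server><Service name="jboss.web">
<Connector port="8080" address="${jboss.bind.address}" redirectPort="8443"/>
<Connector port="8443" address="${jboss.bind.address}"
  scheme="https" secure="true" clientAuth="false"
  keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
  keystorePass="rmi+ssl" sslProtocol="TLS"
  SSLCipherSuite="SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>
</Service></Server>"""

def audit_server_xml(text):
    """Return a list of findings for the Connector elements in server.xml text."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        # Typical cause: attributes run together, e.g. sslProtocol="TLS"SSLCipherSuite=...
        return ["server.xml is not well-formed: %s" % exc]
    findings, tls_seen = [], False
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        if conn.get("protocol", "").upper().startswith("AJP"):
            continue  # AJP connectors are outside what this page configures
        if conn.get("scheme") != "https" or conn.get("secure") != "true":
            findings.append("port %s: plain HTTP connector is still enabled" % port)
            continue
        tls_seen = True
        if conn.get("keystorePass") in GUIDE_PASSWORDS:
            findings.append("port %s: keystorePass is the guide's example password" % port)
        for suite in conn.get("SSLCipherSuite", "").split(","):
            if any(marker in suite for marker in WEAK_MARKERS):
                findings.append("port %s: weak cipher suite %s" % (port, suite.strip()))
    if not tls_seen:
        findings.append("no SSL/TLS connector is enabled")
    return findings

if __name__ == "__main__":
    for finding in audit_server_xml(SAMPLE):
        print(finding)
```

An empty list means none of the three conditions was found; it does not confirm which suites the server actually negotiates.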
Follow the instructions given below for SSL Installation:
Step 1: Create a new Keystore
keytool -genkey -alias <your_alias_name> or [Domain Name] -keyalg RSA -keystore chap8.keystore
(For example: keytool -genkey -alias tomcat -keyalg RSA -keystore chap8.keystore)
Step 2: Generate a CSR from your new keystore
keytool -certreq -alias <your_alias_name> or [Domain Name] -file csr.txt -keystore chap8.keystore
(For example: keytool -certreq -alias tomcat -file csr.txt -keystore chap8.keystore)
Step 3: How to install your SSL Certificate
keytool -import -trustcacerts -alias root -file TrustedRoot.crt -keystore chap8.keystore
NOTE: Choose 'Yes' if you get prompted with a message that says "Certificate already exists in system-wide CA keystore under alias <entrustsslca> Do you still want to add it to your own keystore? [no]:" You will get a confirmation stating that the "Certificate was added to keystore".
keytool -import -trustcacerts -alias tomcat -file <your_domain_name>.crt -keystore chap8.keystore
This time you should get a slightly different confirmation stating that the "Certificate reply was installed in keystore". If it asks whether you want to trust the certificate, choose y or yes. Your certificates are now installed to your keystore file (keystore.key) and you just need to configure your server to use the keystore file.
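One way to confirm that Step 3 took effect is to inspect the output of `keytool -list -v -keystore chap8.keystore`: the server alias should be a private key entry whose chain leads to the CA, not the self-signed certificate created in Step 1. The parser below is an added example, not part of the product; the listing is constructed (unrelated fields omitted) and the function names are hypothetical.

```python
# Constructed `keytool -list -v` output as it would look after Step 3.
SAMPLE_LISTING = """\
Alias name: root
Entry type: trustedCertEntry
Owner: CN=Example Root CA, O=Example
Issuer: CN=Example Root CA, O=Example

Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=fwa.example.com, O=Example
Issuer: CN=Example Root CA, O=Example
Certificate[2]:
Owner: CN=Example Root CA, O=Example
Issuer: CN=Example Root CA, O=Example
"""

def parse_listing(text):
    """Map alias -> entry type, chain length and the first certificate's Owner/Issuer."""
    entries, cur = {}, None
    for line in text.splitlines():
        key, _, value = line.strip().partition(": ")
        if key == "Alias name":
            cur = entries.setdefault(value, {"chain": 0})
        elif cur is not None and key == "Entry type":
            cur["type"] = value
        elif cur is not None and key == "Certificate chain length":
            cur["chain"] = int(value)
        elif cur is not None and key in ("Owner", "Issuer"):
            cur.setdefault(key, value)  # keep Certificate[1] only
    return entries

def check_key_entry(text, alias="tomcat"):
    """Return problems with the server key entry; an empty list means Step 3 took effect."""
    entry = parse_listing(text).get(alias)
    if entry is None:
        return ["alias %s not found in keystore" % alias]
    problems = []
    # Matching on the suffix accepts PrivateKeyEntry and similar key entry names.
    if not entry.get("type", "").lower().endswith("keyentry"):
        problems.append("%s is a %s, not a private key entry" % (alias, entry.get("type")))
    elif entry["chain"] < 2 or entry.get("Owner") == entry.get("Issuer"):
        problems.append("%s still holds a self-signed certificate" % alias)
    return problems

if __name__ == "__main__":
    print(check_key_entry(SAMPLE_LISTING) or "certificate reply is installed")
```

A trustedCertEntry under the server alias usually means the certificate was imported under a different alias from the one used in Step 1, so it never attached to the private key.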