Setup SSL for Tomcat and EM

1) Setup Keystore

Option 1: Self-signed
  1. /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/keytool -genkey -alias tomcat -keyalg RSA
     You will have to set up a keystore password and fill out some details (the certificate's distinguished name) here.
  2. cp /root/.keystore /opt/entermedia/


Option 2: Commercial (Example: GoDaddy)

The following is a procedure for setting up an SSL certificate from the provider GoDaddy. The shell variables below hold example data and are used throughout the commands that follow; change them to match your own domain and organization.

DOMAIN="demo.entermediasoftware.com"
ALIAS="demo"
ORG_UNIT="EnterMedia"
ORG="EnterMedia"
COUNTRY="US"
PASS="jif8hefe"

  1. Generate a new key for your domain:

    keytool -genkey -dname "cn=$DOMAIN, ou=$ORG_UNIT, o=$ORG, c=$COUNTRY" -keyalg RSA -keysize 2048 -alias $ALIAS -storepass $PASS -keypass $PASS -keystore private.keystore

  2. One-time store password change (only if needed, i.e. the store still has the default password "changeit"):

    keytool -storepasswd -storepass changeit -new $PASS -keystore private.keystore

  3. Generate the certificate signing request (CSR) to send to GoDaddy. If you encounter a password error, run step 2 to change the store password.

    keytool -certreq -alias $ALIAS -storepass $PASS -keypass $PASS -keystore private.keystore -file $ALIAS.csr

  4. Log in to GoDaddy and request the certificate, submitting the CSR.
  5. Open the email received from GoDaddy, then download your certificates as a ZIP file.
  6. Extract the certificates.
  7. Import the certificates (the GoDaddy chain first, then your own certificate under the same alias as the key):

    keytool -import -alias cross -keystore private.keystore -storepass $PASS -trustcacerts -file gd_cross_intermediate.crt
    keytool -import -alias intermed -keystore private.keystore -storepass $PASS -trustcacerts -file gd_intermediate.crt
    keytool -import -alias bundle -keystore private.keystore -storepass $PASS -trustcacerts -file gd_bundle.crt
    keytool -import -alias $ALIAS -keystore private.keystore -storepass $PASS -trustcacerts -file $ALIAS.crt

2) Configure server.xml and iptables

vi /opt/entermedia/tomcat/conf/server.xml

You will have to edit this server.xml file to enable SSL and point to the cert.

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="/opt/entermedia/.keystore" keystorePass="previouslyEnteredPassword"
clientAuth="false" sslProtocol="TLS" />

service tomcat restart

vi /etc/sysconfig/iptables

Add the following, filling in the IPs as per your own IPs. These REDIRECT rules belong in the nat table, i.e. under the *nat section of the file, not under *filter.

-A PREROUTING -d 10.120.0.xxx/32 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443

-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A OUTPUT -d 10.120.0.xxx/32 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
service iptables save

This will save the new iptables config so that it won't disappear on restart. Note that "service iptables save" writes the rules currently loaded in the kernel back to /etc/sysconfig/iptables, so make sure the edited file has been loaded (service iptables restart) before saving, otherwise the edit is overwritten.
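A post-setup sanity check, added here as an example and not part of the original page: it verifies that server.xml has the HTTPS connector with the settings above and no default keystore password, that the REDIRECT rules sit in the nat table, and that the keystore alias holds a private key. The sample server.xml fragment and rules file are constructed; the keystore check assumes keytool is on PATH.

```bash
#!/bin/bash
# Added example: sanity checks for the Tomcat SSL setup on this page. Sample inputs
# are constructed; real paths are /opt/entermedia/tomcat/conf/server.xml and /etc/sysconfig/iptables.
# Return 0 if server.xml has an HTTPS connector on $2 (default 8443) with
# SSLEnabled/scheme/secure set as in the page and a non-default keystorePass.
check_connector() {
  local xml=$1 port=${2:-8443} conn
  # join lines so the multi-line <Connector .../> element can be matched as one unit
  conn=$(tr '\n' ' ' < "$xml" | grep -o '<Connector[^>]*>' | grep "port=\"$port\"") || return 1
  echo "$conn" | grep -q 'SSLEnabled="true"' || return 1
  echo "$conn" | grep -q 'scheme="https"'    || return 1
  echo "$conn" | grep -q 'secure="true"'     || return 1
  # the JDK default keystore password must have been changed
  echo "$conn" | grep -q 'keystorePass="changeit"' && return 1
  return 0
}
# Return 0 if an iptables-save style file redirects tcp/443 to 8443 inside the nat table
# (REDIRECT rules placed in the filter table are rejected when the file is loaded).
check_redirect() {
  awk '/^\*/ { table = $1 }
       table == "*nat" && /-A (PREROUTING|OUTPUT)/ && /--dport 443/ &&
         /-j REDIRECT/ && /--to-ports 8443/ { found = 1 }
       END { exit(found ? 0 : 1) }' "$1"
}
# Return 0 if the alias in the keystore is a private key entry (needs keytool on PATH).
check_keystore() {
  local ks=$1 alias=$2 pass=$3
  keytool -list -keystore "$ks" -storepass "$pass" -alias "$alias" 2>/dev/null | grep -q PrivateKeyEntry
}
# Constructed sample server.xml fragment and nat rules (not taken from a real host)
SAMPLE_XML=$(mktemp)
cat > "$SAMPLE_XML" <<'EOF'
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="/opt/entermedia/.keystore" keystorePass="previouslyEnteredPassword"
clientAuth="false" sslProtocol="TLS" />
EOF
SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
*nat
-A PREROUTING -d 10.120.0.7/32 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
COMMIT
EOF
check_connector "$SAMPLE_XML" 8443 && echo "connector: ok" || echo "connector: FAIL"
check_redirect "$SAMPLE_RULES"     && echo "redirect: ok"  || echo "redirect: FAIL"
```

Run check_keystore against the real store, e.g. check_keystore /opt/entermedia/.keystore tomcat "$PASS", on the server itself.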