52.6 Updating the SSL Settings for the Application Server

The application server that hosts the identity applications and Identity Reporting needs to be configured to support SSL communication. This section provides instructions for updating a Tomcat application server, which is the default application server.

  1. Stop Tomcat, if it is running.

    For example, /etc/init.d/idmapps_tomcat_init stop.

  2. Configure SSL port for the Tomcat server.

    For example, the connector port for SSL is 8543. Edit the server.xml file, which is located in the /opt/netiq/idm/apps/tomcat/conf directory.

    <Connector port="8543" protocol="HTTP/1.1"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="path_to_keystore_file"
               keystorePass="keystore_password" />

    where:

    keystoreFile

    Specifies the path to the userapp.keystore file, located by default at /netiq/idm/apps/tomcat/conf/userapp.keystore.

    keystorePass

    Specifies the password for the userapp.keystore file.

    Also, update the redirectPort attribute to 8543 and save server.xml.

  3. Navigate to the conf directory for Tomcat, located by default at /opt/netiq/idm/apps/tomcat/conf.

  4. Ensure that you have a keystore file in the /conf directory. For example, idmapps.keystore.

    If you create the keystore file after performing this procedure, ensure that you use the same file name that you provide in this procedure. For more information, see Creating a Keystore and Certificate Signing Request.

  5. In a text editor, open the server.xml file in the conf directory.

  6. Add the following content to the server.xml file:

    <Connector port="port_number" protocol="HTTP/1.1"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="path_to_file/filename.keystore"
               keystorePass="password"/>

    For example:

    <Connector port="8543" protocol="HTTP/1.1"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/opt/netiq/idm/apps/tomcat/conf/idmapps.keystore"
               keystorePass="encrypted_password"/>

    NetIQ recommends that you specify an encrypted password in keystorePass instead of a cleartext password. For more information about the use of cleartext and encrypted passwords in SSL communication, see Securing Tomcat.

  7. Start Tomcat.

    For example, /etc/init.d/idmapps_tomcat_init start.
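As an added check that is not part of the NetIQ documentation or product: a Python script that parses server.xml and verifies the settings the steps above require, namely the SSL connector attributes from step 6 and the redirectPort from step 2. The embedded server.xml is constructed for the example, and the plain-HTTP connector port 8180 is an assumption.

```python
import os
import xml.etree.ElementTree as ET

# Constructed server.xml fragment (not copied from a real installation); the plain-HTTP
# connector port 8180 is an assumption, the SSL connector mirrors the one in step 6.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8180" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8543"/>
    <Connector port="8543" protocol="HTTP/1.1" maxThreads="150" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
               keystoreFile="/opt/netiq/idm/apps/tomcat/conf/idmapps.keystore"
               keystorePass="encrypted_password"/>
  </Service>
</Server>"""

# Attribute values the procedure requires on the SSL connector.
REQUIRED_SSL_ATTRS = {"SSLEnabled": "true", "scheme": "https", "secure": "true"}


def check_ssl_connector(server_xml, ssl_port="8543", check_keystore_exists=False):
    """Return a list of findings; an empty list means server.xml matches the procedure."""
    findings = []
    connectors = list(ET.fromstring(server_xml).iter("Connector"))
    ssl = [c for c in connectors if c.get("port") == ssl_port]
    if not ssl:
        return [f"no Connector on SSL port {ssl_port}"]
    conn = ssl[0]
    for attr, want in REQUIRED_SSL_ATTRS.items():
        if conn.get(attr) != want:
            findings.append(f'port {ssl_port}: {attr} should be "{want}", got {conn.get(attr)!r}')
    if not conn.get("sslProtocol"):
        findings.append(f"port {ssl_port}: sslProtocol is not set")
    keystore = conn.get("keystoreFile")
    if not keystore:
        findings.append(f"port {ssl_port}: keystoreFile is not set")
    elif check_keystore_exists and not os.path.isfile(keystore):
        findings.append(f"port {ssl_port}: keystoreFile {keystore} does not exist")
    if not conn.get("keystorePass"):
        findings.append(f"port {ssl_port}: keystorePass is not set")
    # Step 2: every other connector must redirect to the SSL port.
    for other in connectors:
        if other is conn:
            continue
        if other.get("redirectPort") != ssl_port:
            findings.append(f'port {other.get("port")}: redirectPort should be {ssl_port}, '
                            f'got {other.get("redirectPort")!r}')
    return findings
```

Run it against the real file with check_keystore_exists=True after step 4 to confirm the keystore path in server.xml points at an existing file before starting Tomcat.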