1.3 Self-Signed Certificates

NOTE: The information in this section does not apply to OES Linux, which installs both Tomcat and Apache. The OES Linux documentation includes information about replacing the self-signed Apache/Tomcat certificate.

Standalone iManager installations include a temporary, self-signed certificate for use by Tomcat. It has an expiration date of one year.

This is not intended to be a long-term implementation. It is a temporary solution to get your system up and running so you can securely use iManager immediately following installation. OpenSSL does not recommend using self-signed certificates except for testing purposes.

One challenge in replacing the self-signed certificate is that Tomcat's default keystore is a Java KeyStore (JKS) file. The tool used to modify this keystore, keytool, cannot import a private key; it will only use a key it generates itself.

If you are using eDirectory, you can use Novell Certificate Server to securely generate, track, store and revoke certificates with no further investment. To generate a public/private key pair in eDirectory using Novell Certificate Server, complete the following steps for your applicable platform:

1.3.1 Linux

The following instructions show how to create a keypair in eDirectory and export the Public, Private and Root Certificate Authority (CA) keys via a PKCS#12 file on the Linux platform. This includes modifying Tomcat's server.xml configuration file in order to use the PKCS12 directive and point the configuration to an actual P12 file rather than use the default JKS keystore.

The files associated with this process are as follows:

  • The temporary keypair is held in the /var/opt/novell/novlwww/.keystore file.

  • The trusted roots are contained in the /etc/opt/novell/java/security/cacerts file.

  • The file for configuring Tomcat's use of certificates is /etc/opt/novell/tomcat7.0.32/server.xml.

Procedure

  1. Create a new server certificate with iManager.

    In iManager, select Novell Certificate Server > Create Server Certificate. Select the appropriate server, specify a nickname and accept the rest of the certificate defaults.

  2. Export the server certificate to the Tomcat home directory (/var/opt/novell/novlwww).

    In iManager, select Directory Administration > Modify Object. Browse to and select the Key Material Object (KMO) object. In the Certificates tab, select Export. Specify a password and save the server certificate as a PKCS#12 (.pfx).

  3. Convert the .pfx file to a .pem file.

    To do this, use a command similar to the following:

    openssl pkcs12 -in newtomcert.pfx -out newtomcert.pem
    

    Specify the certificate password specified in Step 2, and specify a password for the new .pem file. You can use the same password, if desired.

  4. Convert the .pem file to a .p12 file.

    To do this, use a command similar to the following:

    openssl pkcs12 -export -in newtomcert.pem -out newtomcert.p12 -name "New Tomcat"
    

    Specify the certificate password specified in Step 3, and specify a password for the new .p12 file. You can use the same password, if desired.

  5. Enter the following command to stop Tomcat:

    /etc/init.d/novell-tomcat7 stop
    
  6. Edit the Tomcat configuration file (/etc/opt/novell/tomcat7.0.32/server.xml) and add keystoreType, keystoreFile, and keystorePass variables to let Tomcat use the newly created .p12 certificate file. For example:

    <Connector className="org.apache.coyote.tomcat7.CoyoteConnector"
     port="8443" minProcessors="5" maxProcessors="75" enableLookups="true"
     acceptCount="100" debug="0" scheme="https" secure="true"
     useURIValidationHack="false" disableUploadTimeout="true">
       <Factory className="org.apache.coyote.tomcat7.CoyoteServerSocketFactory"
     clientAuth="false" protocol="TLS" keystoreType="PKCS12"
     keystoreFile="/var/opt/novell/novlwww/newtomcert.p12" keystorePass="password" />
    </Connector>
    

    When setting the keystore type to PKCS12 you must specify the entire path to the certificate file, as Tomcat will no longer default to using the Tomcat home path.

  7. Change the .p12 file’s ownership to the appropriate Tomcat user/group, typically novlwww, and set the file permissions to user=rw, group=rw, and others=r. For example:

    chown novlwww:novlwww newtomcert.p12
    chmod 664 newtomcert.p12
    
  8. Enter the following command to restart Tomcat:

    /etc/init.d/novell-tomcat7 start
    
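As an added example, not code from the iManager guide, the script below performs steps 3 and 4 of the procedure above (the same two commands appear in the Windows procedure) without interactive prompts, then checks the resulting .p12 before server.xml is pointed at it. It assumes openssl on PATH, the file names used in the guide, and a password passed as an argument instead of typed at the prompts.

```shell
#!/bin/sh
# Added example, not code from the iManager guide. Assumes openssl on PATH and
# that the password is passed as an argument rather than typed at the prompts.

# Steps 3 and 4 of the procedure: iManager export (.pfx) -> .pem -> Tomcat .p12.
convert_pfx_to_p12() {
    pfx="$1"; p12="$2"; pass="$3"
    pem="${pfx%.pfx}.pem"
    # Step 3: the private key in the .pem stays encrypted under the same password.
    openssl pkcs12 -in "$pfx" -out "$pem" \
        -passin "pass:$pass" -passout "pass:$pass" 2>/dev/null || return 1
    # Step 4: repackage as PKCS#12 with the friendly name the guide uses.
    openssl pkcs12 -export -in "$pem" -out "$p12" -name "New Tomcat" \
        -passin "pass:$pass" -passout "pass:$pass" 2>/dev/null || return 1
    # The intermediate .pem also holds the private key; drop it once the .p12 exists.
    rm -f "$pem"
}

# Checks to run before server.xml is pointed at the file: the keystore opens with
# the password, holds exactly one private key, that key matches the leaf
# certificate, and the certificate has not expired.
verify_p12() {
    p12="$1"; pass="$2"
    key=$(openssl pkcs12 -in "$p12" -nocerts -nodes -passin "pass:$pass" 2>/dev/null) \
        || { echo "cannot open $p12 with the given password" >&2; return 1; }
    cert=$(openssl pkcs12 -in "$p12" -clcerts -nokeys -passin "pass:$pass" 2>/dev/null) \
        || return 1
    nkeys=$(printf '%s\n' "$key" | grep -c 'BEGIN .*PRIVATE KEY')
    [ "$nkeys" -eq 1 ] || { echo "expected one private key, found $nkeys" >&2; return 1; }
    # Public key derived from the private key must equal the one in the certificate.
    pub_from_key=$(printf '%s\n' "$key" | openssl pkey -pubout 2>/dev/null)
    pub_from_cert=$(printf '%s\n' "$cert" | openssl x509 -noout -pubkey 2>/dev/null)
    [ -n "$pub_from_key" ] && [ "$pub_from_key" = "$pub_from_cert" ] \
        || { echo "private key does not match certificate" >&2; return 1; }
    # The temporary self-signed certificate lasts one year; -checkend 0 fails once
    # the certificate in the .p12 has expired, so rerun this check on a schedule.
    printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null \
        || { echo "certificate has expired" >&2; return 1; }
    printf '%s\n' "$cert" | openssl x509 -noout -subject -enddate
}
```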

1.3.2 Windows

The following instructions show how to create a keypair in eDirectory and export the Public, Private and Root Certificate Authority (CA) keys via a PKCS#12 file on the Windows platform. This includes modifying Tomcat's server.xml configuration file in order to use the PKCS12 directive and point the configuration to an actual P12 file rather than use the default JKS keystore.

The files, and their default locations, associated with this process are as follows:

  • The temporary keypair: C:\Program Files\Novell\Tomcat\conf\ssl\.keystore.

  • The trusted root certificates: C:\Program Files\Novell\jre\lib\security\cacerts.

  • The file for configuring Tomcat's use of certificates: C:\Program Files\Novell\Tomcat\conf\server.xml.

Procedure

  1. Create a new server certificate with iManager.

    In iManager, select Novell Certificate Server > Create Server Certificate. Select the appropriate server, specify a nickname and accept the rest of the certificate defaults.

  2. Export the server certificate.

    In iManager, select Directory Administration > Modify Object. Browse to and select the KMO object. In the Certificates tab, select Export. Specify a password and save the server certificate as a PKCS#12 (.pfx).

  3. Convert the .pfx file to a .pem file.

    NOTE: OpenSSL is not installed on Windows by default, but a version for the Windows platform is available on the OpenSSL Web site. Alternatively, you can convert the certificate on a Linux platform, on which OpenSSL is installed by default.

    To do this, use a command similar to the following:

    openssl pkcs12 -in newtomcert.pfx -out newtomcert.pem
    

    Specify the certificate password from Step 2, and specify a password for the new .pem file. You can use the same password, if desired.

  4. Convert the .pem file to a .p12 file.

    To do this, use a command similar to the following:

    openssl pkcs12 -export -in newtomcert.pem -out newtomcert.p12 -name "New Tomcat"
    

    Specify the certificate password from Step 3, and specify a password for the new .p12 file. You can use the same password, if desired.

  5. Copy the .p12 file to the Tomcat certificate location.

    By default, this is C:\Program Files\Novell\Tomcat\conf\ssl\.

  6. Stop the Tomcat Service (for example, from the Windows Services console).

  7. Edit Tomcat's server.xml and add keystoreType, keystoreFile, and keystorePass variables to let Tomcat use the newly created .p12 certificate file. For example:

    <Connector className="org.apache.coyote.tomcat7.CoyoteConnector"
     port="8443" minProcessors="5" maxProcessors="75" enableLookups="true"
     acceptCount="100" debug="0" scheme="https" secure="true"
     useURIValidationHack="false" disableUploadTimeout="true">
       <Factory className="org.apache.coyote.tomcat7.CoyoteServerSocketFactory"
     clientAuth="false" protocol="TLS" keystoreType="PKCS12"
     keystoreFile="/conf/ssl/newtomcert.p12" keystorePass="password" />
    </Connector>
    

    When setting the keystore type to PKCS12, you must specify the entire path to the certificate file, as Tomcat will no longer default to using the Tomcat home path.

  8. Start the Tomcat Service.