Skip to Content
0

How do Incorporate an "Internal SSL"?

Mar 07 at 01:09 PM

51

avatar image
Former Member

I've been asked to incorporate our company's "Internal SSL" certificate on the BOE servers. I'm not familiar with the appropriate steps for this configuration and would appreciate any input. Basically our web intelligence users login in at http:<server>:8080/BOE/BI and I need to configure it to use https:<server>:8080/BOE/BI

It is only accessed on our network not externally.

Is this a server configuration? Tomcat? BOE? All? What other issues could this create with other applications such as Information Design Tool, Web Intelligence Rich Client, etc?

10 |10000 characters needed characters left characters exceeded
* Please Login or Register to Answer, Follow or Comment.

2 Answers

Denis Konovalov
Mar 07 at 01:30 PM
0


The Admin guide has detailed information on what you need to do as do KBA's and tomcat vendor web site.
To do https:<server>:8080/BOE/BI you need to enable SSL connector on your tomcat.

Share
10 |10000 characters needed characters left characters exceeded
Joe Peters Mar 07 at 01:46 PM
0

I'm assuming you only need to protect the connection from the user's browser to the web server (Tomcat, in your case).

(If you were using a load balancer or front-end web server (Apache or IIS), then the SSL configuration would be done there.)

There is information here on configuring Tomcat for SSL. The basic steps are:

  1. Get a certificate, which is created specifically for the URL and port.
  2. Load the certificate into a Java keystore file (not necessary if the certificate has been provided to you in this format)
  3. Update Tomcat's conf/server.xml file to uncomment (enable) the SSL connector, and configure it to point to the keystore file containing the certificate

Tomcat, by default, runs HTTP on port 8080 and HTTPS on 8443. Unless you're running another web server (like IIS) on 80/443, I would recommend changing tomcat to 80 and 443. Then you don't need to specify the port in the URL.

The certificate should be created for the server's FQDN, as well as any alternate URLs that would be used to access it -- such as the host name without domain and any DNS aliases. For example, "bo.mycompany.com:8443" and "bo:8443".

It's not required, but you'll probably want to redirect non-SSL requests to SSL once it's enabled. If you don't do this, then calls to http://server:8080/BOE/BI will still work (SSL is only active if the user explicitly accesses https://...). You will just need to add a few lines to webapps/BOE/WEB-INF/web.xml. Instructions are here.

If you're using WACS, then you may need to enable SSL for it, too. Instructions for this are in the Administrator's Guide.

Show 7 Share
10 |10000 characters needed characters left characters exceeded
Former Member

Thank you for the response. This is my first go round with SSL.. So the certificate was generated by our server team and I can see it in Microsoft management console. What is the necessary steps to utilize it from there? I read some material that mentioned exporting it to a pfx format...

0

You'll need the actual certificate file to feed to tomcat.

0
Former Member

Still struggling with this.

1. I've been able to export the certificate from the windows keystore as a pfx file. Based on everything I've researched Tomcat 8.0 can use this type of keystore.

2. I've opened ports 8443 and 443 on the firewall.

3. I've modified the server.xml file as below.

When I restart Tomcat and attempt to go through the https://<server>:8443/BOE/BI address I get

a message stating the connection is not secure that

  • <server>:8443 uses an invalid security certificate.
  • The certificate is not trusted because the issuer certificate is unknown.
  • The server might not be sending the appropriate intermediate certificates.
  • An additional root certificate may need to be imported.
  • The certificate is not valid for the name lsepboetst01.
  • Error code: SEC_ERROR_UNKNOWN_ISSUER

<Connector port="8443"
protocol="HTTP/1.1"
connectionTimeout="20000"
SSLEnabled="true"
maxThreads="150"
scheme="https"
secure="true"
keystoreFile="/conf/<pfxname>.pfx" the file location and name are correct
keystorePass="<pw>" the password is correct
keystoreType"PKCS12"
clientAuth="false"
sslProtocol="TLS"
sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
ciphers="TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA"
/>

0

Unfortunately you're now beyond my skill level with SSL certs.... I would suggest researching causes of the SEC_ERROR_UNKNOWN_ISSUER error. I would guess the issue is due to your certificate file not containing the full chain of certs to the root.

0

This "The certificate is not valid for the name lsepboetst01." - means that your certificate is not using same name as the one you have in your URL.

On the cer error :

https://support.mozilla.org/en-US/kb/troubleshoot-SEC_ERROR_UNKNOWN_ISSUER

0
Former Member

Thanks. This certificate was provided to me. Should the CN in the certificate be the url: https:// :8443/BOE/BI? its currently the fully qualified server name ( . domain.org). Could it include a wild card https:// :8443* to cover /BOE/CMC? any input would be great. thanks again.

0

then you need to use FQDN in your URL.
port and app path's in the URL are irrelevant.

0