HTTPS / SSL AwareIm

lineamovil
Posts: 201
Joined: Tue Jul 27, 2010 2:17 am
Location: Mexico

HTTPS / SSL AwareIm

Post by lineamovil »

Hello!

I need to secure my AwareIM server.

Is there anyone that has a secured and tested (working) SSL / HTTPS AwareIM?

Can you show me how to do it?
Do I need to buy a certificate?
Can anyone do it for me? If you feel you need to charge, please PM me!

thank you!
LineaMovil // Carlos Castillo
AwareIM Version 8.6
Windows Server 2021
MySQL Database 8.4
MEXICO
hpl123
Posts: 2579
Joined: Fri Feb 01, 2013 1:13 pm
Location: Scandinavia

Not clear

Post by hpl123 »

I need to do this as well and all the existing documentation, instructions, forum posts etc. are just not complete and good enough to get a grip on how this is done. Anyone want to help out by creating a complete/thorough guide for this?

Thanks
Henrik (V8 Developer Ed. - Windows)
lineamovil
Posts: 201
Joined: Tue Jul 27, 2010 2:17 am
Location: Mexico

Post by lineamovil »

Thank you Henrik for seconding the motion.

I'm sure that we can do something good. Development work has been slow recently, and we have to offer an extra to sell these days.

thank you!
LineaMovil // Carlos Castillo
AwareIM Version 8.6
Windows Server 2021
MySQL Database 8.4
MEXICO
RafaMD
Posts: 52
Joined: Wed Mar 16, 2011 6:22 am
Location: Spain

Post by RafaMD »

Hello Carlos,

after many attempts I got it.

My environment:

- I use Windows
- I use port 80 in AwareIM, so I installed SSL on port 443
- As I was not sure I would get it working, I started by installing a free certificate from StartCom (https://www.startssl.com/)
- I have a domain name pointing to my AwareIM server

And the steps:

1) Create the keystore

keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore path-to-keystore\mykeystore

You'll be asked for several pieces of information. The important ones are:
- Use the domain name for the "first and last name" field (e.g. mydomain.com)
- Use the same password for the keystore as the one you'll use for the certificate.

2) Edit c:\AwareIm\Tomcat\conf\server.xml

remove the comment markers (<!-- and -->) before and after this connector and add the path and password of the keystore:

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
           keystoreFile="path-to-keystore\mykeystore" keystorePass="keystore-password"
/>

3) Create a local Certificate and Signing Request (CSR)

With this command (the key pair itself was already generated in step 1; running -genkey again with the same alias would fail because the alias already exists):

keytool -certreq -keyalg RSA -alias tomcat -keysize 2048 -file certreq.csr -keystore path-to-keystore\mykeystore

4) Submit the CSR (file certreq.csr) to the Certificate Authority (StartCom in this case) and get your trusted certificate. Copy/paste the certificate data into a text file (mycert.txt)


5) Get complementary certs (CA root certificate and class certificate). In this case:

http://www.startssl.com/certs/ca.pem
http://www.startssl.com/certs/sub.class1.server.ca.pem

6) Import the 2 StartCom Certificates:

keytool -import -alias startcom.ca -keystore path-to-keystore\mykeystore -trustcacerts -file "path-to-file\ca.pem"

keytool -import -alias startcom.ca.sub -keystore path-to-keystore\mykeystore -file "path-to-file\sub.class1.server.ca.pem"

7) Import your Trusted Certificate

keytool -import -alias tomcat -keystore path-to-keystore\mykeystore -file "path-to-file\mycert.txt"

8) This is optional (redirect http traffic to https):

Edit file c:\AwareIM\tomcat\conf\web.xml and add the code:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire Application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

9) Restart AwareIM


Now, if you access http://yourdomain.com, you should be taken to https://yourdomain.com


But it did not work for me, and after many hours of trying I discovered the problem: port 443 was not open! So the first lesson is: first of all, open port 443 in the firewall.


Well, I hope it works for you
hpl123
Posts: 2579
Joined: Fri Feb 01, 2013 1:13 pm
Location: Scandinavia

THX

Post by hpl123 »

Thanks Rafa for taking the time to write this. I will work with this in the coming weeks, and it is good to have the exact steps you followed. Can I ask you a couple of questions on this?

- To generate the keystore (and also import etc.), how is this done exactly? I have read something before about using cmd in the tomcat folder or something like that, but I don't fully understand.

- Regarding the domain to use when generating the keystore, should it be www.mydomain.com OR www.mydomain.com/login (which is my actual login page for my app)?

- Regarding linking the domain and the cert, how is this done? I for example have a domain www.mydomain.com and, after following your steps in the outline, I get a CSR file which I exchange for my trusted certificate via my domain registrar. After I have done this, should I create a DNS record for e.g. www.mydomain.com/login >> https://xxx.xxx.xxx.xxx:443/AwareIM/logonAdmin.html, or how will I link my domain name to my server IP/login page?

- Related to the previous question, if I link the domain to my server via DNS, would this mean I only have https on my actual login page/application and not on all pages of my domain?

Thanks again.
Henrik (V8 Developer Ed. - Windows)
weblike
Posts: 1165
Joined: Sun Dec 02, 2012 12:00 pm
Location: Europe

Post by weblike »

Thanks Rafa for sharing this...

One question... What happens in an update process? I guess this has to be done on every update process.

Support, could this be included in a straightforward process?
Now I have installed Java 8, Tomcat 5.10, custom folder, etc.

I have created a little documentation about which steps to follow on every update...

Can we hope for these features to be included in the next releases...

thank you.
Thx,
George
________________________________
Developer Edition
AwareIM: v8.5, build 2824
OS: Windows Server 2012
DB: MySql 5.6.42
RafaMD
Posts: 52
Joined: Wed Mar 16, 2011 6:22 am
Location: Spain

Post by RafaMD »

Hi, Henrik, I'll try to answer your questions:

- keytool.exe is in the folder c:\AwareIM\JDK\bin. Open a command line window, go to this folder and execute keytool with the required parameters.

- In the keystore, write the domain on which you want to use https. In your case, if you use www.mydomain.com and get the certificate for this address, all the pages below www.mydomain.com (for example, www.mydomain.com/login) also use https.

- If you get a certificate for www.mydomain.com, you must use addresses that start with www.mydomain.com: https://www.mydomain.com, https://www.mydomain.com/login, https://www.mydomain.com/AwareIM/logonAdmin.html, and so on.

I hope I helped, because I really do not know much about domains and DNS.
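An added example, not from any post in this thread, that checks the two points Rafa's steps and Henrik's questions turn on: whether the SSL Connector in server.xml is uncommented with real keystore values (and whether the plain connector's redirectPort points at it, which the optional web.xml redirect relies on), and whether the name typed into keytool is a bare host name rather than a page such as www.mydomain.com/login. It uses only Python's standard library; the server.xml fragment is constructed inline from the snippet in Rafa's post with its placeholders left in place, and the function names check_ssl_connectors and keystore_name_ok are my own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the connector from Rafa's post, placeholders still in place,
# next to the plain port-80 connector AwareIM already uses.
SERVER_XML = r"""<Server><Service name="Catalina">
  <Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443"/>
  <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
             maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
             keystoreFile="path-to-keystore\mykeystore" keystorePass="keystore-password"/>
</Service></Server>"""

PLACEHOLDERS = ("path-to-keystore", "keystore-password")


def check_ssl_connectors(server_xml: str) -> list[str]:
    """Return the problems found in the SSL setup of a Tomcat server.xml (empty list = OK)."""
    root = ET.fromstring(server_xml)
    connectors = list(root.iter("Connector"))
    ssl = [c for c in connectors if c.get("SSLEnabled", "").lower() == "true"]
    if not ssl:
        return ['no Connector with SSLEnabled="true": is it still inside <!-- -->?']
    problems = []
    for c in ssl:
        port = c.get("port")
        for attr in ("keystoreFile", "keystorePass"):
            val = c.get(attr)
            if not val:
                problems.append(f"port {port}: {attr} is missing")
            elif any(p in val for p in PLACEHOLDERS):
                problems.append(f"port {port}: {attr} still holds the placeholder {val!r}")
    # The CONFIDENTIAL constraint in web.xml bounces plain-HTTP requests to the
    # plain connector's redirectPort, so that value must name the SSL port.
    ssl_ports = {c.get("port") for c in ssl}
    for c in connectors:
        if c not in ssl and c.get("redirectPort") not in ssl_ports:
            problems.append(f"port {c.get('port')}: redirectPort={c.get('redirectPort')!r} "
                            f"is not one of the SSL ports {sorted(ssl_ports)}")
    return problems


def keystore_name_ok(name: str) -> bool:
    """keytool's 'first and last name' becomes the certificate CN: it must be a bare
    host name like www.mydomain.com, never a URL, a port or a page such as /login."""
    label = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    return re.fullmatch(rf"{label}(?:\.{label})+", name) is not None


if __name__ == "__main__":
    for problem in check_ssl_connectors(SERVER_XML):
        print("-", problem)
    for name in ("www.mydomain.com", "www.mydomain.com/login"):
        print(name, "->", "ok" if keystore_name_ok(name) else "not a host name")
```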
RafaMD
Posts: 52
Joined: Wed Mar 16, 2011 6:22 am
Location: Spain

Post by RafaMD »

weblike wrote: One question... What happens in an update process?

I do not know, I have not yet dared to update.


I think all you have to do is a backup of files server.xml and web.xml and restore the copy after the update.

Or maybe this is already done automatically when updating. Support, something to say?
kklosson
Posts: 1617
Joined: Sun Nov 23, 2008 3:19 pm
Location: Virginia

Post by kklosson »

You will have to update modified files manually. In some cases, the files will change and copy/replace will fail you at some point. I have a documented checklist of changes to make after upgrading my instance.
hpl123
Posts: 2579
Joined: Fri Feb 01, 2013 1:13 pm
Location: Scandinavia

Built in

Post by hpl123 »

Thanks guys for the additional info. I will soon start working on this and will at the same time create a proper guide document for this process.

Support, the problem with having to update manually after AwareIM updates has been discussed before and applies to SSL, custom folder and a couple of other things. Having these features/options built in would again be great, any chance this can be done in a future version update?
Henrik (V8 Developer Ed. - Windows)
lineamovil
Posts: 201
Joined: Tue Jul 27, 2010 2:17 am
Location: Mexico

Post by lineamovil »

Rafa!

I'm back, and really surprised to see your reply! Thank you so much for sharing!

This action tells a lot about you. I will get to it very soon and let you all know how it went.

Thanks!
LineaMovil // Carlos Castillo
AwareIM Version 8.6
Windows Server 2021
MySQL Database 8.4
MEXICO
himanshu
Posts: 722
Joined: Thu Jun 19, 2008 6:24 am
Location: India

Post by himanshu »

Friends,

I am also successful in installing SSL on the AwareIM server and now my apps are working fine on SSL. This is a result of many failed attempts. I am sharing the info:
So theoretically, we have to follow 5 major steps:
1. Create CSR (Certificate Signing Request)
2. Submit this CSR to CA (Certifying Authority) eg. Verisign, Thawte, GeoTrust etc.
3. CA will issue 2 certificates i.e. Server Certificate and Intermediate Certificate
4. Install these certificates on Tomcat
5. Modify server.xml

I have documented the detailed steps in the document shown below:

http://softservsolutions.com/AwareIM/SS ... .pdf
From,
Himanshu Jain


AwareIM Consultant (since version 4.0)
OS: Windows 10.0, Mac
DB: MYSQL, MSSQL
himanshu
Posts: 722
Joined: Thu Jun 19, 2008 6:24 am
Location: India

Post by himanshu »

himanshu wrote: Friends,

I am also successful in installing SSL on the AwareIM server and now my apps are working fine on SSL. This is a result of many failed attempts. I am sharing the info:
So theoretically, we have to follow 5 major steps:
1. Create CSR (Certificate Signing Request)
2. Submit this CSR to CA (Certifying Authority) eg. Verisign, Thawte, GeoTrust etc.
3. CA will issue 2 certificates i.e. Server Certificate and Intermediate Certificate
4. Install these certificates on Tomcat
5. Modify server.xml

I have documented the detailed steps in the document shown below:

http://softservsolutions.com/AwareIM/SS ... IM_SSL.pdf
From,
Himanshu Jain


AwareIM Consultant (since version 4.0)
OS: Windows 10.0, Mac
DB: MYSQL, MSSQL
hpl123
Posts: 2579
Joined: Fri Feb 01, 2013 1:13 pm
Location: Scandinavia

THX

Post by hpl123 »

Thanks Himanshu, great guide.
Henrik (V8 Developer Ed. - Windows)
Gabbitas
Posts: 334
Joined: Sun Jan 03, 2010 3:36 am

Re: HTTPS / SSL AwareIm

Post by Gabbitas »

Hi Guys,

Some help would be hugely appreciated by anyone who has successfully implemented ssl with AwareIM.

I have been trying to follow the guide that himanshu posted (thank you himanshu for taking the time; do you run Windows servers?) and I have successfully completed all the steps (by that I mean I've followed each step), but I can't get my app to load over https. I just get an error in the browser that says: "This site can't be reached. secureserver.mydomain.co.uk unexpectedly closed the connection".

I'm using a Windows Server 2008 and I'm still on AwareIM v6. I'm confident that port 443 is open as I am able to reach it from outside the server with a port testing tool.

Some questions to help me understand what's correct and what's not:

1) Does the extension of the keystore file matter? himanshu uses (and mine is set up as) 'tomcat.keystore', but I notice that eagles9999 has a different extension, the equivalent of 'tomcat.jks'. If my keystore extension is wrong under Windows, do I have to begin the whole process again or can I just rename the file extension?

2) Is the location of the keystore important and does it need to be in a certain place? Can tomcat access c:/AwareIm/JDK/bin/keystore (as deduced from himanshu's guide) or does it need to be in c:/AwareIM/tomcat/bin/certs/keystore as per eagles9999's postings??

3) If I go to my AwareIM control panel and look at settings I currently run tomcat on port 80. Should I be changing this to port 443 or does it get left as port 80?

Any thoughts or ideas would be more than welcome.

many thanks