SSL & AwareIM How To

Contains tips for configurators working with Aware IM
Bryan
Posts: 195
Joined: Fri Apr 03, 2009 12:46 am
Location: Cincy

Post by Bryan »

With the help of many individuals I was finally able to get SSL working with our AwareIM deployment. This is my attempt at a how-to document for implementing SSL with AwareIM.

Firstly, the best resource I found was from our certificate provider Thawte. Below is a slimmed-down version of their installation instructions along with my notes on particular steps where appropriate.

Unmodified/Original instructions can be found through the following link - https://search.thawte.com/support/ssl-d ... t&id=so832

One thing to note is that Certificate providers will typically try to give you all of the information in one file as soon as you request a certificate. In order to use SSL with Tomcat you will need to generate a CSR file and submit it to the certificate provider. They will then send you a certificate file that matches the key entries generated by the Keytool.

_____________________________________________________________________________________
Using the Java JDK Tool, Keytool: Go into the JDK/bin/ directory (C:\AwareIM\JDK\bin)

STEP 1:
Generate a keystore and keyentry (= Private Key): keytool -genkey -keyalg RSA -alias tomcat
Enter keystore password: Choose a password and enter it when prompted to do so. (The default password is ‘changeit’ which is what I used for this example.)
What is your first and last name? (This field has to exactly match the domain name that the certificate was generated for).
[Unknown]: www.mydomain.com (example)
What is the name of your organizational unit?
[Unknown]: Thawte testing (example)
What is the name of your organization?
[Unknown]: Thawte Testing (example)
What is the name of your City or Locality?
[Unknown]: Cape Town (example)
What is the name of your State or Province?
[Unknown]: Western Province (example)
What is the two-letter country code for this unit?
[Unknown]: ZA (example)
Is CN=www.mydomain.com, OU=Thawte testing, O=Thawte Testing, L=Cape Town, ST=Western Province, C=ZA correct?
[no]: yes
Enter key password for <tomcat>
(RETURN if same as keystore password) (Again the default password is ‘changeit’)

NOTE: Please specify the same password for the keystore and the keyentry or else you will receive an error message when you restart the java engine

Note that a keystore was created.

Please run: keytool -list to make sure you can read the keystore file.

The keystore will be stored in your ‘C:\Documents and Settings\YourUserID’ directory. Create a copy of the keystore file and store it on a removable disk for safe keeping in case of a server crash.

STEP 2:
Backup Keystore file: To back up the keystore file with the keyentry just created, you can just copy the .keystore file from the ‘C:\Documents and Settings\YourUserID’ directory to a safe location.

STEP 3:
Generate a CSR off the newly created keystore and keyentry:
keytool -certreq -alias tomcat -keyalg RSA -file certreq.csr
Enter keystore password (from Step 1).

The CSR should be saved to your C:\AwareIM\JDK\bin directory. If not, do a search for the new file. The file begins and ends with the lines:

-----BEGIN NEW CERTIFICATE REQUEST-----
and
-----END NEW CERTIFICATE REQUEST-----

STEP 4:
Submit the CSR to the certificate provider.

STEP 5:
When you receive the certificate, save the Thawte-signed Certificate in a notepad file named 'mythawtecert.txt' for example.

Please remember to download the Certificate in PKCS#7 format

STEP 6:
Import the Certificate into the keystore: keytool -import -alias tomcat -trustcacerts -file mythawtecert.txt

STEP 7:
In order to have the SSL certificate function properly when AwareIM is run as a Windows service it is necessary to move the .keystore file from ‘C:\Documents and Settings\YourUserID’ to ‘C:\Documents and Settings\Default User’. You can simply cut and paste the file to the new location.

STEP 8:
Edit the Tomcat Configuration file. ‘C:\AwareIM\Tomcat\conf\server.xml’

Below you will find the exact entry I used for this example. Note: port 80 and port 443 are used.

For a list of additional modifications that can be made to the server.xml file see the following link.
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

<!-- Define a non-SSL HTTP/1.1 Connector on port 80 (requests needing SSL are redirected to 443) -->
<Connector port="80" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" redirectPort="443" acceptCount="100"
           connectionTimeout="20000" disableUploadTimeout="true" />
<!-- Note : To disable connection timeouts, set connectionTimeout value to 0 -->

<!-- Note : To use gzip compression you could set the following properties :
     compression="on"
     compressionMinSize="2048"
     noCompressionUserAgents="gozilla, traviata"
     compressableMimeType="text/html,text/xml"
-->

<!-- Define a SSL HTTP/1.1 Connector on port 443 -->
<Connector port="443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="C:\Documents and Settings\Default User\.keystore" />

STEP 9:
This step is optional. If you would like to have all http requests to your server be redirected to https without any further user interaction, the following entry needs to be made to the ‘C:\AwareIM\Tomcat\conf\web.xml’ file. The entry will be placed just prior to the </web-app> tag at the end of the file.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Entire Application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
-Bryan
Version 8 (Build 2358)
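The following is an added configuration check, not part of Bryan's post and not Aware IM or Tomcat code. It reads a server.xml and a web.xml with the Python standard library and reports the things steps 8 and 9 above depend on: an HTTPS connector exists, it names a keystoreFile, its sslProtocol is "TLS", every plain HTTP connector's redirectPort actually points at the HTTPS port, and a CONFIDENTIAL transport-guarantee covers /*. The XML samples inside it are constructed to mirror the post's entries (one correct pair, one with stale defaults left in place); point `audit_server_xml` / `audit_web_xml` at your own files to check a real deployment.

```python
"""Audit Tomcat server.xml / web.xml for the HTTPS layout described in the how-to.
Standard library only; example code, not part of Aware IM or Tomcat."""
import xml.etree.ElementTree as ET

# Constructed sample: HTTP on 80 redirecting to the SSL connector on 443 (post, step 8).
SERVER_XML_OK = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="80" enableLookups="false" redirectPort="443"
               connectionTimeout="20000" disableUploadTimeout="true" />
    <Connector port="443" scheme="https" secure="true" clientAuth="false"
               sslProtocol="TLS"
               keystoreFile="C:\\Documents and Settings\\Default User\\.keystore" />
  </Service>
</Server>
"""

# Constructed sample with the default redirectPort="8443" left in, no keystoreFile,
# and sslProtocol pointed at "SSL" rather than "TLS".
SERVER_XML_WEAK = """<Server>
  <Service name="Catalina">
    <Connector port="80" redirectPort="8443" />
    <Connector port="443" scheme="https" secure="true" sslProtocol="SSL" />
  </Service>
</Server>
"""

# Constructed web.xml samples; the first is the post's step 9 entry (with the
# usual J2EE default namespace), the second only protects one sub-path.
WEB_XML_OK = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
"""
WEB_XML_PARTIAL = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin only</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip an XML namespace prefix: '{uri}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def audit_server_xml(text):
    """Return a list of findings for the Connector elements; [] means the layout matches the how-to."""
    root = ET.fromstring(text)
    connectors = [e for e in root.iter() if _local(e.tag) == "Connector"]
    https = [c for c in connectors
             if c.get("secure", "").lower() == "true" and c.get("scheme", "").lower() == "https"]
    findings = []
    if not https:
        return ['no Connector with scheme="https" secure="true"']
    https_ports = {c.get("port") for c in https}
    for c in https:
        port = c.get("port")
        if not c.get("keystoreFile"):
            findings.append(f"HTTPS connector on port {port} has no keystoreFile")
        proto = c.get("sslProtocol")
        if proto is not None and proto.upper() != "TLS":
            findings.append(f'HTTPS connector on port {port} sets sslProtocol="{proto}"; the how-to uses "TLS"')
    for c in connectors:
        if c in https:
            continue
        redirect = c.get("redirectPort")
        if redirect not in https_ports:  # stale default 8443 or missing entirely
            findings.append(f"HTTP connector on port {c.get('port')} redirects to {redirect}, "
                            f"but HTTPS listens on {', '.join(sorted(https_ports))}")
    return findings


def https_enforced_patterns(text):
    """Return the url-patterns that a CONFIDENTIAL transport-guarantee covers in web.xml."""
    root = ET.fromstring(text)
    covered = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        guarantees = [g.text.strip() for g in sc.iter()
                      if _local(g.tag) == "transport-guarantee" and g.text]
        if "CONFIDENTIAL" in guarantees:
            covered += [p.text.strip() for p in sc.iter() if _local(p.tag) == "url-pattern" and p.text]
    return covered


def audit_web_xml(text):
    """[] when /* is forced to HTTPS (step 9), otherwise one finding naming what is covered."""
    patterns = https_enforced_patterns(text)
    if "/*" in patterns:
        return []
    return [f"no CONFIDENTIAL transport-guarantee covers /* (covered: {patterns or 'none'})"]


if __name__ == "__main__":
    for name, findings in [("server.xml (ok)", audit_server_xml(SERVER_XML_OK)),
                           ("server.xml (weak)", audit_server_xml(SERVER_XML_WEAK)),
                           ("web.xml (ok)", audit_web_xml(WEB_XML_OK)),
                           ("web.xml (partial)", audit_web_xml(WEB_XML_PARTIAL))]:
        print(name, "->", findings or "no findings")
```

The namespace stripping matters because a real web.xml usually declares the J2EE default namespace, which makes every tag `{uri}security-constraint` to ElementTree; without it the audit would silently report nothing covered. The redirectPort check catches the most common leftover when copying the default server.xml, a plain connector still pointing at 8443 while the SSL connector was moved to 443.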