HTTPS / SSL AwareIm

lineamovil

Hello!

I need to secure my AwareIM server.

Is there anyone that has a secured and tested (working) SSL / HTTPS AwareIM?

Can you show me how to do it?
Do I need to buy a certificate?
Can anyone do it for me? I you feel you need to charge, please PM me!

thank you!

hpl123

I need to do this as well and all the existing documentation, instructions, forum posts etc. are just not complete and good enough to get a grip on how this is done. Anyone want to help out by creating a complete/thorough guide for this?

Thanks

lineamovil

Thank you HenriK for second the motion.

I sure that we can do something good. Job has been low in developing recently and have to offer an extra to sell this days.

thank you!

RafaMD

Hola Carlos,

after many attempts I got it.

My enviroment:

I use Windows
I use port 80 in AwareIM, so I installed SSL in port 443
As I was not sure to get it, I started installing a free certificate from StarCom (https://www.startssl.com/)
I have a domain name pointing to my AwareIM server

And the steps:

1) Create the keystore

keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore path-to-keystore\mykeystore

You'll be asked for several info. The important is:
-Use domain name for First name and Last name info. (ex: mydomain.com)
-Use same password for the keystore as the one you'll use for the certificate.

2) Edit c:\AwareIm\Tomcat\conf\server.xml

remove the comment () before and after this connector and add path and password of the keystore:

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
    	       keystoreFile="path-to-keystore\mykeystore" keystorePass="keystore-password"
/>

3) Create a local Certificate and Signing Request (CSR)

With these commands:

keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore path-to-keystore\mykeystore

keytool -certreq -keyalg RSA -alias tomcat -keysize 2048 -file certreq.csr -keystore path-to-keystore\mykeystore

4) Submit the CSR (file certreq.csr) to the Certificate Authority (StartCom in this case) and get your trusted certificate. Copy/Paste certificate data in a text file (mycert.txt)

5) Get complementary certs (CA root certificate and class certificate). In this case:

http://www.startssl.com/certs/ca.pem
http://www.startssl.com/certs/sub.class1.server.ca.pem

6) Import the 2 StartCom Certificates:

keytool -import -alias startcom.ca -keystore path-to-keystore\mykeystore -trustcacerts -file "path-to-file\ca.pem"

keytool -import -alias startcom.ca.sub -keystore path-to-keystore\mykeystore -file "path-to-file\sub.class1.server.ca.pem"

7) Import your Trusted Certficate

keytool -import -alias tomcat -keystore path-to-keysotre\mykeystore -file "path-to-file\mycert.txt"

8-)This is optional (redirect http traffic to https):

Edit file c:\AwareIM\tomcat\conf\web.xml and add the code:

<security-constraint> 
<web-resource-collection> 
<web-resource-name>Entire Application</web-resource-name> 
<url-pattern>/*</url-pattern> 
</web-resource-collection> 
<user-data-constraint> 
<transport-guarantee>CONFIDENTIAL</transport-guarantee> 
</user-data-constraint> 
</security-constraint>

9) Restart AwareIM

Now, If you access to http://yourdomain.com, you must go to https://yourdomain.com

but I did not work to me, and after many hours trying it discovered the problem: I had no open port 443!!!. So the first lesson is: First of all open port 443 in firewall.

Well, I hope it works for you

hpl123

Thanks Rafa for taking the time to write this. I will work with this these coming weeks and good to have the exact steps you followed. Can I ask you a couple of questions on this?

To generate the keystore (and also import etc.), how is this done exactly? I have read something before about using cmd in the tomcat folder or something like that but don´t fully understand?
Regarding the domain to use when generating the keystore, should it be www.mydomain.com OR www.mydomain.com/login (which is my actual loginpage to my app)?
Regarding linking the domain and the cert, how is this done? I for example have a domain www.mydomain.com and after following your steps in the outline, I get a CSR file which I exchange for my trusted certificate via my domain registrar. After I have done this, should I create a DNS record for e.g. www.mydomain.com/login >> https://xxx.xxx.xxx.xxx:443/AwareIM/logonAdmin.html or how will I link my domainname to my server ip/login page?
Related to previous question, If I link via DNS the domain to my server, this would mean I only have https on my actual loginpage/application and not on all pages of my domain?

Thanks again.

weblike

Thanks Rafa for sharing this...

One question...What happens in a update process?? I guess this has to be done on every update process.

Support, could this be included in a straight forward process?
Now..I have installed Java8, Tomcat 5.10, custom folder, etc..

I have created a little documentation about what steps to follow on every update...

Can we hope in including these features in next releases...

thank you.

RafaMD

Hi, Henrik, I'll try to answer your questions:

keytool.exe is in folder c:\AwareIM\JDK\bin. Open a command line window, go to this folder an execute keytool whith the requireds params.
In the keystore, write the domain you want use https. In your case, if you use www.mydomain.com, and get the certificate for this address, all the pages below www.mydomain.com (for example, www.mydomain.com/login) also used https.
If you get certificate for www.mydomain.com, you must use addresses that start by www.mydomain.com: https://www.mydomain.com, https://www.mydomain.com/login, https://www.mydomain.com/AwareIM/logonAdmin.html, and so on.

I hope I helped, because I really do not know much about domains and dns

RafaMD

weblike wrote
One question...What happens in a update process??

I do not know, I have not yet dared to update.

I think all you have to do is a backup of files server.xml and web.xml and restore the copy after the update.

Or maybe this is already done automatically when updating. Support, something to say?

kklosson

You will have to update modified files manually. In some cases, the files will change and copy/replace will fail you at some point. I have a documented checklist of changes to make after upgrading my instance.

hpl123

Thanks guys for the additional info. I will soon start working on this and will at the same time create a proper guide document for this process.

Support, the problem with having to update manually after AwareIM updates has been discussed before and applies to SSL, custom folder and a couple of other things. Having these features/options built in would again be great, any chance this can be done in a future version update?

lineamovil

Rafa!

Im back, and really surprised to see your reply! Thank you so much for sharing!

This action tells a lot about you. I will get to it very soon and let you all know how did it go.

Gracias!

himanshu

Friends,

I am also successful in installing SSL on the AwareIM server and now my apps are working fine on SSL. This is a result of many failed attempts. I am sharing the info:
So theoretically, we have to follow 5 major steps:

Create CSR (Certificate Signing Request)
Submit this CSR to CA (Certifying Authority) eg. Verisign, Thawte, GeoTrust etc.
CA will issue 2 certificates i.e. Server Certificate and Intermediate Certificate
Install these certificates on Tomcat
Modify server.xml

I have documented the detailed steps in below shown document:

http://softservsolutions.com/AwareIM/SSL/AwareIM_SSL.pdf

himanshu

himanshu wrote
Friends,

I am also successful in installing SSL on the AwareIM server and now my apps are working fine on SSL. This is a result of many failed attempts. I am sharing the info:
So theoretically, we have to follow 5 major steps:

Create CSR (Certificate Signing Request)

Submit this CSR to CA (Certifying Authority) eg. Verisign, Thawte, GeoTrust etc.

CA will issue 2 certificates i.e. Server Certificate and Intermediate Certificate

Install these certificates on Tomcat

Modify server.xml

I have documented the detailed steps in below shown document:

http://softservsolutions.com/AwareIM/SSL/AwareIM_SSL.pdf

hpl123

Thanks Himanshu, great guide.

Gabbitas

Hi Guys,

Some help would be hugely appreciated by anyone who has successfully implemented ssl with AwareIM.

I have been trying to follow the guide that himanshu posted (thank you himanshu for taking the time, do you run windows servers?) and I have successfully completed all the steps (by that I mean I've followed each step) but I can't get my app to load over https. I just get an error in the browser that says: "This site can’t be reached. secureserver.mydomain.co.uk unexpectedly closed the connection".

I'm using a windows server 2008 and I'm still on AwareIM v6. Im confident that port 443 is open as I am able to reach it from outside the server with a port testing tool.

Some questions to help me understand what's correct and what's not:

1) Does the extension of the keystore file matter? himanshu uses (and mine is set up as) 'tomcat.keystore' but I notice that eagles9999 has a different extension that is the equivalent of 'tomcat.jks' If my keystore extension is wrong under windows do I have to begin the whole process again or can I just rename the file extension?

2) Is the location of the keystore important and does it need to be in a certain place? Can tomcat access c:/AwareIm/JDK/bin/keystore (as deduced from himanshu's guide) or does it need to be in c:/AwareIM/tomcat/bin/certs/keystore as per eagles9999's postings??

3) If I go to my AwareIM control panel and look at settings I currently run tomcat on port 80. Should I be changing this to port 443 or does it get left as port 80?

Any thoughts or ides would be more than welcome.

many thanks

customaware

PM Suwandy (member cishpix)

He is a genius and can fix it for you.

You should negotiate a fee but not overly expensive.

Suwandy manages ALL on my servers and is very talented and trustworthy.

JonP

I can attest to Suwandy's excellence and reasonableness.

cishpix

Hello Gabbitas, let me to answer you

Gabbitas wrote
I'm using a windows server 2008 and I'm still on AwareIM v6. Im confident that port 443 is open as I am able to reach it from outside the server with a port testing tool.

I should check your domain first to make sure the problem so would you like let me know your domain name?

Gabbitas wrote
1) Does the extension of the keystore file matter?
2) Is the location of the keystore important and does it need to be in a certain place?
3) If I go to my AwareIM control panel and look at settings I currently run tomcat on port 80. Should I be changing this to port 443 or does it get left as port 80?

I don't think so, you can give the extension as you want or remove it.
Absolutely yes but you can locate it as you want as long as you have set it in server.xml
Leave it port 80

Many thanks for you (Jon and Mark), I just done it as your request with my best performance.

himanshu

JonP wrote
I can attest to Suwandy's excellence and reasonableness.

Gabbitas

Thanks guys, I appreciate your input on this one.

After a whole day of research, fiddling and learning I managed to finally secure all of my servers with a wildcard certificate! The issues I was facing were due to an error in the server and intermediate certificates that were provided to me. After I had them re-issued I essentially just followed himanshu’s pdf guide and it worked a treat. Thanks to himanshu for taking the time to write up a guide.

I would encourage anyone to have a go at this. It seems very daunting at first but by doing a bit of research and watching a few videos on YouTube it’s not to difficult to understand in the end.

Thanks again to all contributors