Comment: Corrected links that should have been relative instead of absolute.

To access Adeptia Connect over the HTTPS protocol, you need to configure an SSL certificate in Adeptia Connect. The SSL certificate must be generated using the Java Keytool only.

...

  1. Open Terminal.
  2. Go to the directory where the JRE is installed, <ConnectServerInstallFolder>/jre/bin (for example, /mnt/AdeptiaConnect/AdeptiaConnect-2.9/ConnectServer/jre/bin).
  3. Run the following Keytool command to create a Keystore for Jetty with a self-signed certificate or a CA-signed certificate.

    For self-signed certificate:

    keytool -genkey -keyalg <keyalg> -alias <alias_name> -keystore <keystore_name> -storepass <password> -validity <days> -keysize <keysize> -ext SAN=ip:<IP_Address_of_Connect_Server_machine>,dns:<domain_name>

    where,

    <keyalg> specifies the algorithm to be used to generate a key pair.

    <alias_name> is a unique string to identify the Keystore.

    <keystore_name> is the location and filename where you want to store the generated key.

    <password> is the password to protect the private key of the generated key pair, default is changeit.

    <days> is the number of days after which the certificate expires.

    <keysize> specifies the size of each key to be generated.

    <IP_Address_of_Connect_Server_machine> is the IP address hosting Connect Server.

    <domain_name> is the name of the domain you are using. It is not necessary to use the domain name in the command above. However, for easy identification, it is recommended to use the domain name.

    For example,

    keytool -genkey -keyalg RSA -alias selfsigncert -keystore certs.jks -storepass changeit -validity 365 -keysize 2048 -ext SAN=ip:10.44.2.59

    keytool -genkey -keyalg RSA -alias selfsigncert -keystore certs.jks -storepass changeit -validity 365 -keysize 2048 -ext SAN=dns:localhost


    For CA-signed certificate:

    To generate SSL certificate for Jetty with a CA signed certificate:

    1. Generate Keystore
      keytool -genkey -keyalg <keyalg> -alias <alias_name> -keystore <keystore_name> -storepass <password> -validity <days> -keysize <keysize>

      where,           

      <keyalg> specifies the algorithm to be used to generate a key pair.

      <alias_name> is a unique string to identify the Keystore.

      <keystore_name> is the location and filename where you want to store the generated key.

      <password> is the password to protect the private key of the generated key pair, default is changeit.

      <days> is the number of days after which the certificate expires.

      <keysize> specifies the size of each key to be generated.

      For example,

      keytool -genkey -keyalg RSA -alias server -keystore certs.jks -storepass changeit -validity 365 -keysize 2048

      If you are using multiple domain names for the same certificate then you need to use SAN (Subject Alternative Name) while generating Keystore.

      keytool -genkey -keyalg <keyalg> -alias <alias_name> -keystore <keystore_name> -storepass <password> -validity <days> -keysize <keysize> -ext SAN=ip:<IP_Address_of_Connect_Server_machine>

      where <IP_Address_of_Connect_Server_machine> is the IP address hosting Adeptia Suite.

    2. Generate CSR from the generated Keystore
      1. Run the following Keytool command to create a Certificate Signing Request (CSR).

        keytool -certreq -alias <alias_name> -file <domainname>.csr -keystore <keystore_name>.jks -storepass <password>

        This command will generate a <domainname>.csr file to sign from CA.

      If you are using multiple domain names for the same certificate then you need to use SAN (Subject Alternative Name) while generating CSR for the Keystore.

      keytool -certreq -alias server -file <domainname>.csr -keystore <keystore_name>.jks -storepass changeit -ext SAN=ip:<IP_Address_of_Connect_Server_machine>

      Send this CSR to your CA to generate the SSL certificate. After your SSL certificate is generated, you need to import the certificate into the Java Keystore.


    3. Import CA Signed SSL Certificate into Java Keystore

      You might get multiple SSL certificates from your CA. You need to import all these SSL certificates into your Keystore. Ensure that you use the same Keystore that is used in generating CSR while importing SSL certificates.

      1. Import the Trusted Root certificate into the Java Keystore:

         keytool -import -trustcacerts -alias root -file <certificate_name>.crt -keystore <domain_name>.jks

      2. Import the Intermediate certificate into the Java Keystore:

         keytool -import -trustcacerts -alias intermediate -file <certificate_name>.crt -keystore <domain_name>.jks

      3. Import the domain certificate into the Java Keystore:

         keytool -import -trustcacerts -alias server -file <certificate_name>.crt -keystore <domain_name>.jks

         where,

         <certificate_name> is the name of the CA certificate.

         <domain_name> is the name of the domain you are using.


    While executing the command, you will be prompted to provide other details. The default password is changeit. You can change the password. Note the Keystore password for future reference.


  4. Copy this Keystore (certs.jks) at the location (<AdeptiaInstallFolder>/AdeptiaServer/ServerKernel/etc/jetty).
  5. From the same folder location, open jetty.xml file and register the Keystore entry in the file. In the sslContextFactory section, add the path of the Keystore and the Keystore password (password chosen while creating Keystore).

  6. Save the file.
  7. Restart Connect Kernel and Connect WebRunner.

...

  1. Open Terminal.
  2. Go to the directory where the JRE is installed, <ConnectPortalInstallFolder>/jre/bin (for example, /mnt/AdeptiaConnect/AdeptiaConnect-2.9/ConnectPortal/jre/bin).
  3. Run the following Keytool command to create a Keystore for Connect Portal with a self-signed certificate or a CA-signed certificate.

    For self-signed certificate:

    keytool.exe -genkey -keyalg <keyalg> -alias <alias_name> -keystore <keystore_name> -storepass <password> -validity <days> -keysize <keysize> -ext SAN=ip:<IP_Address_of_Connect_Portal_machine>,dns:<domain_name>

    where,

    <keyalg> specifies the algorithm to be used to generate a key pair.

    <alias_name> is a unique string to identify the Keystore.

    <keystore_name> is the location and filename where you want to store the generated key.

    <password> is the password to protect the private key of the generated key pair, default is changeit.

    <days> is the number of days after which the certificate expires.

    <keysize> specifies the size of each key to be generated.

    <IP_Address_of_Connect_Portal_machine> is the IP address hosting Connect Portal.

    <domain_name> is the name of the domain you are using. It is not necessary to use the domain name in the command above. However, for easy identification, it is recommended to use the domain name.

    For example,

    keytool.exe -genkey -keyalg RSA -alias selfsigncert -keystore C:/certs.jks -storepass changeit -validity 365 -keysize 2048 -ext SAN=ip:10.44.2.59

    keytool.exe -genkey -keyalg RSA -alias selfsigncert -keystore C:/certs.jks -storepass changeit -validity 365 -keysize 2048 -ext SAN=dns:localhost


    For CA-signed certificate:

    To generate SSL certificate for Jetty Connect Portal with a CA signed certificate:

    1. Generate Keystore
      keytool.exe -genkey -keyalg <keyalg> -alias <alias_name> -keystore <keystore_name> -storepass <password> -validity <days> -keysize <keysize>

      where,           

      <keyalg> specifies the algorithm to be used to generate a key pair.

      <alias_name> is a unique string to identify the Keystore.

      <keystore_name> is the location and filename where you want to store the generated key.

      <password> is the password to protect the private key of the generated key pair, default is changeit.

      <days> is the number of days after which the certificate expires.

      <keysize> specifies the size of each key to be generated.

      For example,

      keytool.exe -genkey -keyalg RSA -alias server -keystore C:/certs.jks -storepass changeit -validity 365 -keysize 2048

      If you are using multiple domain names for the same certificate then you need to use SAN (Subject Alternative Name) while generating Keystore.

      keytool.exe -genkey -keyalg <keyalg> -alias <alias_name> -keystore <keystore_name> -storepass <password> -validity <days> -keysize <keysize> -ext SAN=ip:<IP_Address_of_Connect_Portal_machine>

      where <IP_Address_of_Connect_Portal_machine> is the IP address hosting Connect Portal.

       
    2. Generate CSR from the generated Keystore
      1. Run the following Keytool command to create a Certificate Signing Request (CSR).

        keytool.exe -certreq -alias <alias_name> -file <domainname>.csr -keystore <keystore_name>.jks -storepass <password>

        This command will generate a <domainname>.csr file to sign from CA.

      If you are using multiple domain names for the same certificate then you need to use SAN (Subject Alternative Name) while generating CSR for the Keystore.

      keytool.exe -certreq -alias server -file <domainname>.csr -keystore <keystore_name>.jks -storepass changeit -ext SAN=ip:<IP_Address_of_Connect_Portal_machine>

      Send this CSR to your CA to generate the SSL certificate. After your SSL certificate is generated, you need to import the certificate into the Java Keystore.


    3. Import CA Signed SSL Certificate into Java Keystore

      You might get multiple SSL certificates from your CA. You need to import all these SSL certificates into your Keystore. Ensure that you use the same Keystore that is used in generating CSR while importing SSL certificates.

      1. Import the Trusted Root certificate into the Java Keystore:

         keytool.exe -import -trustcacerts -alias root -file <certificate_name>.crt -keystore <domain_name>.jks

      2. Import the Intermediate certificate into the Java Keystore:

         keytool.exe -import -trustcacerts -alias intermediate -file <certificate_name>.crt -keystore <domain_name>.jks

      3. Import the domain certificate into the Java Keystore:

         keytool.exe -import -trustcacerts -alias server -file <certificate_name>.crt -keystore <domain_name>.jks

         where,

         <certificate_name> is the name of the CA certificate.

         <domain_name> is the name of the domain you are using.


    While executing the command, you will be prompted to provide other details. The default password is changeit. You can change the password. Note the Keystore password for future reference.


  4. Copy this Keystore (certs.jks) to the location where Connect Portal is installed (<ConnectPortalInstallFolder>, for example /mnt/AdeptiaConnect/AdeptiaConnect-2.9/ConnectPortal). Create a certs folder there and copy the Keystore (certs.jks) into it.
  5. Go to …/<ConnectPortalInstallFolder>/conf and open server.xml in a text editor.
  6. Uncomment the following configuration section in server.xml and update the Keystore entry: set keystoreFile to the path of the Keystore and keystorePass to the password chosen while creating the Keystore.

    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="5000"
        scheme="https" secure="true" compressionMinSize="128" connectionTimeout="20000"
        maxConnections="10000" clientAuth="false" sslProtocol="TLS"
        keystoreFile="/mnt/AdeptiaConnect/AdeptiaConnect-2.9/ConnectPortal/certs/certs.jks"
        keystoreType="JKS" keystorePass="XXXXXXXX" compression="on"
        noCompressionUserAgents="gozilla, traviata"
        compressableMimeType="text/html,text/xml,text/css,application/javascript,application/json"
        useSendfile="false" server="Adeptia" xpoweredby="false"/>

    If the keystore password contains any of the following characters, it must be escaped with the value shown next to it.

    Character    Value
    "            &quot;
    '            &apos;
    <            &lt;
    >            &gt;
    &            &amp;

    For example, if the keystore password is p@ssw0rd&123! then it has to be defined as p@ssw0rd&amp;123!

     

     

    For better performance of Connect Portal, refer to the documentation on tuning other parameters.


  7. Save the file.
  8. Restart Connect Portal.
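The following script is an added example and not Adeptia's own code: it wraps the Keytool steps of the Connect Server and Connect Portal procedures above (generate the Keystore with a SAN, generate the CSR, import the CA chain in root/intermediate/domain order, inspect the result) into shell functions. It assumes keytool is on PATH (otherwise run it from <InstallFolder>/jre/bin); the host name connect.example.com and the file names are constructed values; and it uses -genkeypair and -importcert, the current names of the -genkey and -import commands shown on this page.

```shell
#!/bin/sh
# Added example, not Adeptia's own script: wraps the keytool steps from the
# Connect Server and Connect Portal procedures into reusable functions.
# Assumptions: keytool is on PATH; alias, keystore, password and hosts are
# supplied by the caller; connect.example.com is a constructed sample host.

# san_ext HOST [HOST...]: print the -ext value for keytool, tagging each
# argument as ip: or dns: the way the commands on this page do.
san_ext() {
    san=""
    for h in "$@"; do
        case "$h" in
            *:*)        entry="ip:$h" ;;   # IPv6 literal
            *[!0-9.]*)  entry="dns:$h" ;;  # has a letter or '-': host name
            *)          entry="ip:$h" ;;   # digits and dots only: IPv4
        esac
        san="${san:+$san,}$entry"
    done
    printf 'SAN=%s' "$san"
}

# gen_keystore KEYSTORE ALIAS PASSWORD DAYS HOST [HOST...]
# Step 1. -dname avoids the interactive prompts; the first host becomes the
# CN and every host is also written into the SAN extension.
gen_keystore() {
    ks=$1; al=$2; pass=$3; days=$4; shift 4
    keytool -genkeypair -keyalg RSA -keysize 2048 \
        -alias "$al" -keystore "$ks" -storepass "$pass" -keypass "$pass" \
        -validity "$days" -dname "CN=$1" -ext "$(san_ext "$@")"
}

# gen_csr KEYSTORE ALIAS PASSWORD CSRFILE HOST [HOST...]
# Step 2. The SAN must be repeated on the CSR or the CA will not see it.
gen_csr() {
    ks=$1; al=$2; pass=$3; csr=$4; shift 4
    keytool -certreq -alias "$al" -keystore "$ks" -storepass "$pass" \
        -file "$csr" -ext "$(san_ext "$@")"
}

# import_chain KEYSTORE ALIAS PASSWORD ROOT.crt INTERMEDIATE.crt SERVER.crt
# Step 3, in the order the page gives: root, intermediate, then the domain
# certificate under the alias of the key it was issued for.
import_chain() {
    ks=$1; al=$2; pass=$3
    keytool -importcert -trustcacerts -noprompt -alias root         -file "$4" -keystore "$ks" -storepass "$pass"
    keytool -importcert -trustcacerts -noprompt -alias intermediate -file "$5" -keystore "$ks" -storepass "$pass"
    keytool -importcert -trustcacerts -noprompt -alias "$al"        -file "$6" -keystore "$ks" -storepass "$pass"
}

# show_entry KEYSTORE ALIAS PASSWORD: print the entry so the SAN and the
# chain length can be checked before the keystore is copied to jetty/ or certs/.
show_entry() {
    keytool -list -v -alias "$2" -keystore "$1" -storepass "$3"
}

# Usage (constructed values; nothing runs unless a mode is given):
case "${1:-}" in
    self-signed)
        gen_keystore certs.jks selfsigncert changeit 365 10.44.2.59 localhost
        show_entry certs.jks selfsigncert changeit ;;
    csr)
        gen_keystore certs.jks server changeit 365 connect.example.com
        gen_csr certs.jks server changeit connect.example.com.csr connect.example.com ;;
esac
```

Run it as `sh make_keystore.sh self-signed` or `sh make_keystore.sh csr`; the show_entry output is where to confirm that the SAN contains every name clients will use, since a browser matches the URL host against the SAN, not the CN.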
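The escaping table in step 6 above is the general XML attribute escaping rule. The following script is an added example, not Adeptia's own code: it applies the five substitutions to a keystore password, reports whether a password needs escaping at all, and prints the keystorePass attribute ready to paste into the <Connector> element. It assumes only a POSIX sh with sed; the sample passwords other than p@ssw0rd&123! are constructed.

```shell
#!/bin/sh
# Added example, not Adeptia's own script: escape a keystore password for
# use inside keystorePass="..." in server.xml.

# xml_attr_escape VALUE: replace & < > " ' with their XML entities.
# '&' is handled first so the entities introduced afterwards are not
# escaped a second time.
xml_attr_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' \
                           -e 's/</\&lt;/g' \
                           -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g' \
                           -e "s/'/\&apos;/g"
}

# needs_escape VALUE: exit 0 if VALUE contains a character that cannot
# appear raw inside an XML attribute value, else exit 1.
needs_escape() {
    case "$1" in
        *'&'*|*'<'*|*'>'*|*'"'*|*"'"*) return 0 ;;
        *)                             return 1 ;;
    esac
}

# keystore_pass_attr VALUE: the attribute exactly as it belongs in the
# <Connector> element.
keystore_pass_attr() {
    printf 'keystorePass="%s"' "$(xml_attr_escape "$1")"
}

# Constructed sample values: the page's p@ssw0rd&123! plus harder cases.
for pw in 'p@ssw0rd&123!' 'a"b<c>d'"'"'e' 'plainpassword'; do
    if needs_escape "$pw"; then
        printf '%s -> %s\n' "$pw" "$(keystore_pass_attr "$pw")"
    else
        printf '%s -> no escaping needed\n' "$pw"
    fi
done
```

A password that already contains an entity-looking sequence such as x&amp; is still escaped literally (to x&amp;amp;), because Tomcat's XML parser decodes the attribute once and hands the exact original string to the keystore.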

...

  1. Go to …/<ConnectPortalInstallFolder>/conf.
  2. Open web.xml file.
  3. Uncomment the security constraint below, which sits just before the closing </web-app> tag, and save the file.

     

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected Context</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    </web-app>



Verifying Configuration

To verify whether you have configured SSL certificate in Adeptia Connect:

  1. Open the browser and hit the URL to access Adeptia Connect using https protocol.
  2. The Adeptia Suite login page appears. Verify your certificate by checking the https indicator in the address bar. If you have used a CA-signed certificate, the https indicator is shown in green. If you have used a self-signed certificate, it is shown in red.


Next step

Configuring SSL Handshake between Connect Server and Connect Portal


See also

Enabling Clustering