SSL configuration with a recognized key
Note
This section describes how to install a key and certificate issued by a recognized certificate authority on the Tomcat server. If you want to create a self-signed certificate and add it to your server instead, refer to the next section, SSL configuration with a self-signed key.
You need:
- the private key file, referred to below as key.key
- the certificate file issued for that key, referred to below as certificate.crt
Access the Map 4 server through SSH.
Create a PKCS12 file with the following command line (openssl prompts for an export password; remember it, it becomes the keystore password):
# openssl pkcs12 -inkey key.key -in certificate.crt -export -out keys.pkcs12
Then import this file into a new keystore:
# keytool -importkeystore -srckeystore keys.pkcs12 -srcstoretype pkcs12 -destkeystore studio.jks
Edit our custom server.xml and uncomment the following lines by removing the surrounding <!-- and -->:
<!--
<Connector protocol="org.apache.coyote.http11.Http11Protocol"
compression="on"
compressionMinSize="128"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/xml,text/css,text/javascript,application/x-javascript,application/javascript"
port="8443"
secure="true"
scheme="https"
maxThreads="200"
SSLEnabled="true"
sslProtocol="TLS"
clientAuth="false"
keystorePass="xxx"
keystoreFile="/etc/centreon-studio/studio.jks"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA" />
-->
Note
Replace the keystorePass value "xxx" with the password you used for the keystore and adapt the keystore path if you changed it. The password is stored in clear text in server.xml, so keep that file readable only by the user Tomcat runs as. The ciphers list above comes from the custom server.xml; the two TLS_RSA_* suites provide no forward secrecy, so drop them if all your clients support the ECDHE suites.
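The two commands above, wrapped in checked shell functions, as an added example that is not part of the Centreon Map 4 documentation: it bundles the key and certificate into PKCS12 under the alias studio (the alias used in the self-signed section; without -name, keytool imports the entry under a numeric alias), optionally includes the intermediate CA chain that most public CAs supply, verifies that the bundle really contains a private key before anything is imported, and imports it into studio.jks without prompts. The password changeit, the host name centreon-map4 and the throwaway self-signed pair generated by roundtrip_demo are constructed test input; on the real server, pass the CA-issued key.key and certificate.crt and your own keystore password.

```shell
set -e

# build_pkcs12 KEY CERT OUT PASSWORD [CHAIN]
# Same openssl step as on the page, with the alias fixed to "studio" and the
# intermediate CA chain bundled in when the CA supplied one (without it,
# browsers see an incomplete chain even though the leaf is valid).
build_pkcs12() {
  if [ -n "${5:-}" ]; then
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$5" \
      -name studio -out "$3" -passout "pass:$4"
  else
    openssl pkcs12 -export -inkey "$1" -in "$2" \
      -name studio -out "$3" -passout "pass:$4"
  fi
}

# pkcs12_subject FILE PASSWORD: prints the subject of the server certificate
# in the bundle; fails if the password is wrong or the file is not PKCS12.
pkcs12_subject() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null \
    | openssl x509 -noout -subject
}

# pkcs12_has_key FILE PASSWORD: exit 0 only if a private key is in the bundle
# (a certificate-only bundle imports fine but Tomcat cannot serve with it).
pkcs12_has_key() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | openssl pkey -noout 2>/dev/null
}

# import_jks PKCS12 JKS PASSWORD: the keytool step from the page, made
# non-interactive. -deststoretype JKS keeps the format the Connector expects
# (it sets no keystoreType); keytool is assumed to be on the PATH.
import_jks() {
  keytool -importkeystore -srckeystore "$1" -srcstoretype pkcs12 \
    -srcstorepass "$3" -destkeystore "$2" -deststoretype JKS \
    -deststorepass "$3" -noprompt
}

# jks_private_aliases JKS PASSWORD: prints the alias of each private key entry
jks_private_aliases() {
  keytool -list -keystore "$1" -storepass "$2" 2>/dev/null \
    | sed -n 's/^\([^,]*\),.*PrivateKeyEntry.*/\1/p'
}

# roundtrip_demo: exercises the functions on a throwaway key and self-signed
# certificate generated here (constructed input standing in for the CA-issued
# pair). Prints "ok" when the bundle verifies and, if keytool is installed,
# the resulting JKS holds the "studio" private key entry.
roundtrip_demo() {
  _d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=centreon-map4" \
    -keyout "$_d/key.key" -out "$_d/certificate.crt" 2>/dev/null
  build_pkcs12 "$_d/key.key" "$_d/certificate.crt" "$_d/keys.pkcs12" changeit
  pkcs12_has_key "$_d/keys.pkcs12" changeit || return 1
  case "$(pkcs12_subject "$_d/keys.pkcs12" changeit)" in
    *centreon-map4*) ;;
    *) return 1 ;;
  esac
  if command -v keytool >/dev/null 2>&1; then
    import_jks "$_d/keys.pkcs12" "$_d/studio.jks" changeit >/dev/null 2>&1 || return 1
    [ "$(jks_private_aliases "$_d/studio.jks" changeit)" = studio ] || return 1
  fi
  rm -rf "$_d"
  echo ok
}
```

If the keytool on the Map 4 host is an old Java build that rejects a bundle produced by OpenSSL 3 (which encrypts the PKCS12 with AES and a SHA-256 MAC by default), re-run the openssl pkcs12 step with the -legacy option. Whichever way the keystore is built, the keystorePass in server.xml must be the password given here.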
SSL configuration with a self-signed key
Warning
Enabling SSL with a self-signed certificate forces every user to add a browser exception for the certificate before using the web client; enable it only if the Centreon web interface itself is also served over HTTPS. Every user will have to open the URL https://centreon-map4-url:8443/centreon-studio/docs once and accept the certificate.
On the Centreon Map 4 machine
Create a keystore
Go to the directory that holds the Java binaries (keytool ships with the JDK and is not always on the PATH):
# cd $JAVA_HOME/bin
Then generate a keystore holding a new RSA key pair and its self-signed certificate:
# keytool -genkey -alias studio -keyalg RSA -keysize 2048 -keystore /etc/centreon-studio/studio.jks
The alias 'studio' and the keystore path '/etc/centreon-studio/studio.jks' can be changed, but keep the defaults unless you have a reason to do otherwise. -keysize 2048 is given explicitly because older keytool releases default to 1024-bit RSA keys.
Provide the information requested for the certificate. The first prompt, "What is your first and last name?", is the certificate's CN: enter the host name users will type in the browser (the centreon-map4-url part of the URL above), not a person's name, otherwise browsers report a name mismatch on top of the untrusted-issuer warning.
At the end of the form, when the key password is asked, press ENTER to reuse the keystore password: server.xml carries a single keystorePass, which Tomcat uses for both.
During installation, we added a custom server.xml and saved the one present before as server.xml.map4.backup.
Edit our custom server.xml and uncomment the following lines by removing the surrounding <!-- and -->:
<!--
<Connector protocol="org.apache.coyote.http11.Http11Protocol"
compression="on"
compressionMinSize="128"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/xml,text/css,text/javascript,application/x-javascript,application/javascript"
port="8443"
secure="true"
scheme="https"
maxThreads="200"
SSLEnabled="true"
sslProtocol="TLS"
clientAuth="false"
keystorePass="xxx"
keystoreFile="/etc/centreon-studio/studio.jks"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA" />
-->
Note
Replace the keystorePass value 'xxx' with the password you used for the keystore and adapt the keystore path if you changed it.
Tomcat now answers requests over both HTTP (port 8080) and HTTPS (port 8443).
To disable the non-secure connector, edit the file again and comment out the following block by surrounding it with <!-- and -->:
<Connector port="8080"
protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443"
compression="on"
compressionMinSize="128"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/xml,text/css,text/javascript,application/x-javascript,application/javascript"/>
Restart tomcat.
# service tomcat6 restart
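The keystore creation and the post-restart checks, as an added example that is not Centreon's code: gen_self_signed_keystore is the non-interactive form of the keytool step above (the answers keytool otherwise prompts for are passed with -dname, -storepass and -keypass), the two keystore_* functions inspect the result, and served_cert / http_disabled verify after the restart that Tomcat serves the intended certificate on 8443 and no longer answers on 8080. The host name centreon-map4, the password changeit, the port numbers taken from the Connector blocks above and the use of curl are assumptions.

```shell
set -e

# gen_self_signed_keystore JKS PASSWORD HOSTNAME
# Non-interactive form of the keytool -genkey step. The CN (what keytool asks
# for as "first and last name") and a SAN are both set to the host name users
# will type in the browser; key password = keystore password, because the
# Connector carries a single keystorePass. -storetype JKS matches a Connector
# that sets no keystoreType. -ext needs a Java 7 or later keytool (assumed).
gen_self_signed_keystore() {
  keytool -genkeypair -alias studio -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$3" -ext "SAN=dns:$3" -storetype JKS \
    -keystore "$1" -storepass "$2" -keypass "$2"
}

# keystore_private_aliases JKS PASSWORD: prints the alias of each private key,
# which is what Tomcat will pick up from keystoreFile.
keystore_private_aliases() {
  keytool -list -keystore "$1" -storepass "$2" 2>/dev/null \
    | sed -n 's/^\([^,]*\),.*PrivateKeyEntry.*/\1/p'
}

# keystore_cert_owner JKS PASSWORD ALIAS: prints the certificate's Owner line
# so the CN can be compared with the host name in the URL users will open.
keystore_cert_owner() {
  keytool -list -v -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null \
    | sed -n 's/^Owner: //p'
}

# served_cert HOST PORT: after the restart, show the certificate Tomcat really
# serves (subject and validity). A wrong keystoreFile or keystorePass shows up
# here as a failed handshake instead of in a user's browser.
served_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -dates
}

# http_disabled HOST: exit 0 when nothing answers on the plain HTTP port 8080,
# i.e. the non-secure Connector really is commented out. Uses curl (assumed).
http_disabled() {
  ! curl -s -o /dev/null --connect-timeout 3 "http://$1:8080/"
}

# Usage on the Map 4 host (hypothetical values):
#   gen_self_signed_keystore /etc/centreon-studio/studio.jks changeit centreon-map4
#   keystore_cert_owner /etc/centreon-studio/studio.jks changeit studio
#   service tomcat6 restart
#   served_cert centreon-map4 8443 && http_disabled centreon-map4 && echo "https only"
```

Recent browsers match the certificate against the SAN rather than the CN, so the -ext SAN entry is what keeps the exception users add tied to the host name they actually open; keep it equal to the name in the https://...:8443 URL.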