Setting Up SSL on QAD .NET UI Tomcat Home Server
The following steps describe how to set up SSL on the QAD .NET UI Tomcat Home Server. Be sure to review the Apache Tomcat documentation on this topic. For example, see:
http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html#SSL_and_Tomcat
1 Create a keystore file to store the server's private key and SSL certificate. Make sure that $JAVA_HOME/bin is in your PATH. This example uses Java 1.6:
$ cd $TOMCAT_HOME/bin
$ mv keystore keystore.bak # save the old keystore
$ keytool -genkey -alias tomcat -keyalg RSA -dname "CN=vmnnn01.qad.com,OU=QAD,O=QAD,L=Santa Barbara,ST=California,C=US" -keystore keystore -keysize 2048 -storepass changeit -keypass changeit
Note: The Common Name (CN) is the name of the web server as it will be referenced from a browser (for example, CN=vmnnn01.qad.com).
# View keystore
$ keytool -list -v -keystore keystore -storepass changeit
The response is as follows:
Your keystore contains 1 entry
Alias name: tomcat
Creation date: Oct 18, 2011
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=vmnnn01.qad.com, OU=QAD, O=QAD, L=Santa Barbara, ST=California, C=US
Issuer: CN=vmnnn01.qad.com, OU=QAD, O=QAD, L=Santa Barbara, ST=California, C=US
Serial number: 4e9dbf82
Valid from: Tue Oct 18 11:03:46 PDT 2011 until: Mon Jan 16 10:03:46 PST 2012
Certificate fingerprints:
MD5: FE:B4:69:FA:78:CA:D1:3E:41:5D:A8:1C:6A:F3:E4:CF
SHA1: FD:DF:94:3A:A8:74:76:C3:4F:AC:8A:60:9A:94:5A:C0:8C:9A:11:3E
Signature algorithm name: SHA1withRSA
Version: 3
This example uses the default keystore password, changeit.
Make sure you back up your keystore because it contains your public/private keys.
2 Generate the Certificate Signing Request (CSR) that the certificate provider requires, writing it to the file certreq.csr:
$ keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore keystore -storepass changeit
3 You will receive an SSL certificate and a Primary Intermediate CA certificate file. Install the Primary Intermediate CA certificate first. GeoTrust issues these files in PKCS#7 format. Open a file named primary.p7b in the vi editor and paste the Primary Intermediate CA certificate into it. The contents look like this:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Then copy the SSL certificate into the file ssl_cert.p7b.
4 Import the Primary Intermediate certificate (primary.p7b) into the Java keystore:
$ keytool -import -alias primary -trustcacerts -file primary.p7b -keystore keystore -storepass changeit
5 Import the SSL certificate into the Java keystore (ssl_cert.p7b):
$ keytool -import -alias tomcat -trustcacerts -file ssl_cert.p7b -keystore keystore -storepass changeit
6 Validate the keystore entries:
$ keytool -list -v -keystore keystore -storepass changeit | more
The response is as follows:
Alias name: primary
Creation date: Oct 18, 2011
Entry type: trustedCertEntry
Owner: CN=GeoTrust SSL CA, O="GeoTrust, Inc.", C=US
Issuer: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
Serial number: 236d0
Valid from: Fri Feb 19 14:39:26 PST 2010 until: Tue Feb 18 14:39:26 PST 2020
Certificate fingerprints:
MD5: DF:F1:B7:6B:25:8D:BE:73:48:E3:76:68:97:A9:38:71
SHA1: 78:0A:06:F6:E9:B4:06:1C:AD:0C:65:02:71:06:06:EB:53:5F:1C:26
Signature algorithm name: SHA1withRSA
Version: 3
Alias name: tomcat
Creation date: Oct 18, 2011
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=vmnnn01.qad.com, OU=QAD, O=QAD Inc, L=Santa Barbara, ST=California, C=US, SERIALNUMBER=haR57uaOG5cC3ZMg5ugxN9t6rjDKEVF/
Issuer: CN=GeoTrust SSL CA, O="GeoTrust, Inc.", C=US
Serial number: f310
Valid from: Sun Oct 16 23:55:13 PDT 2011 until: Thu Oct 18 22:33:33 PDT 2012
Certificate fingerprints:
MD5: E8:76:F2:97:C0:CE:00:0A:AB:01:71:9F:70:21:9E:7F
SHA1: 1D:66:21:6E:C2:E3:58:F2:B5:D2:80:38:C7:E3:5F:FA:BF:7E:89:4B
Signature algorithm name: SHA1withRSA
Version: 3
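The listing in step 6 is where a broken import shows up: if the certificate reply in step 5 was imported under an alias other than the one holding the private key, or the intermediate from step 4 was missing, the tomcat entry keeps a chain length of 1 and Tomcat keeps serving the self-signed certificate from step 1. The following shell function is an added example, not part of the QAD documentation. It parses `keytool -list -v` output and checks that the server alias is a PrivateKeyEntry with a completed chain whose leaf issuer matches the owner of the trusted intermediate entry. The two sample listings are constructed from the step 1 and step 6 output above.

```shell
#!/bin/sh
# Added example (not part of the QAD documentation). Checks the output of
# `keytool -list -v` for a completed certificate chain on the server alias:
#   1. the server alias is a PrivateKeyEntry with a chain length of at least 2
#   2. the issuer of its Certificate[1] equals the owner of the trusted
#      intermediate entry imported in step 4
# A chain length of 1 after step 5 means the certificate reply was not matched
# to the private key (wrong alias, or intermediate missing).
#
# Live use: keytool -list -v -keystore keystore -storepass changeit | check_chain tomcat primary
check_chain() {
    awk -v server="$1" -v ca="$2" '
        /^Alias name:/                                  { alias = $3 }
        /^Entry type:/ && alias == server               { type = $3 }
        /^Certificate chain length:/ && alias == server { len = $4 }
        /^Certificate\[1\]:/ && alias == server         { in_leaf = 1; next }
        /^Issuer:/ && in_leaf { sub(/^Issuer: */, ""); leaf_issuer = $0; in_leaf = 0 }
        /^Owner:/ && alias == ca                        { sub(/^Owner: */, ""); ca_owner = $0 }
        END {
            if (type != "PrivateKeyEntry") { print "FAIL: " server " is not a PrivateKeyEntry"; exit 1 }
            if (len + 0 < 2) { print "FAIL: chain length " len " on " server " (reply from step 5 not applied?)"; exit 1 }
            if (leaf_issuer != ca_owner) { print "FAIL: " server " issuer [" leaf_issuer "] does not match " ca " owner [" ca_owner "]"; exit 1 }
            print "OK: " server " chain length " len ", issued by " ca_owner
        }'
}

# Constructed sample: the keystore as listed in step 1 (self-signed, chain length 1).
BEFORE_IMPORT=$(cat <<'EOF'
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=vmnnn01.qad.com, OU=QAD, O=QAD, L=Santa Barbara, ST=California, C=US
Issuer: CN=vmnnn01.qad.com, OU=QAD, O=QAD, L=Santa Barbara, ST=California, C=US
EOF
)

# Constructed sample: the keystore as listed in step 6 (intermediate plus signed leaf).
AFTER_IMPORT=$(cat <<'EOF'
Alias name: primary
Entry type: trustedCertEntry
Owner: CN=GeoTrust SSL CA, O="GeoTrust, Inc.", C=US
Issuer: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=vmnnn01.qad.com, OU=QAD, O=QAD Inc, L=Santa Barbara, ST=California, C=US
Issuer: CN=GeoTrust SSL CA, O="GeoTrust, Inc.", C=US
EOF
)

printf '%s\n' "$BEFORE_IMPORT" | check_chain tomcat primary || echo "(expected: the step 1 keystore has no chain yet)"
printf '%s\n' "$AFTER_IMPORT"  | check_chain tomcat primary
```

Run the live form of the check after step 5 and again after any future certificate renewal. Because step 7 writes the keystore password into server.xml in clear text, make the keystore file and server.xml readable only by the account Tomcat runs as.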
7 Uncomment the SSL HTTP/1.1 Connector entry in the $TOMCAT_HOME/conf/server.xml file. You may have to add the keystorePass attribute and set the value to the keystore password:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="bin/keystore"
keystorePass="changeit"
URIEncoding="UTF-8"
compression="on"
compressableMimeType="text/html,text/xml,application/xml,application/octet-stream"
/>
8 Restart Tomcat:
$ cd $TOMCAT_HOME/bin
$ ./startup.sh
9 Verify that port 8443 is in the LISTEN state.
10 Validate the connection by going to the Tomcat home page (for example, go to the following URL):
https://vmnnn01.qad.com:8443
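Steps 9 and 10 can also be checked from the server's own shell. The following is an added example and not part of the QAD documentation: `port_listening` reads `netstat -ltn` or `ss -ltn` output and succeeds when a listener on the given port is present, and `tls_check` uses `openssl s_client` (assumed to be installed on the host) to print the subject, issuer and validity dates of the certificate Tomcat actually presents, which confirms that the signed chain from step 6 is being served rather than the self-signed certificate from step 1. The netstat lines in the block are constructed sample input.

```shell
#!/bin/sh
# Added example (not part of the QAD documentation): server-side checks for
# steps 9 and 10 after Tomcat has been restarted.

# port_listening PORT -- reads `netstat -ltn` or `ss -ltn` output on stdin and
# succeeds if a LISTEN line has a local address (field 4 in both formats)
# ending in ":PORT". Returns 1 when the port is not listening.
port_listening() {
    awk -v port="$1" '
        $4 ~ (":" port "$") && /LISTEN/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# tls_check HOST PORT -- performs a TLS handshake with openssl s_client (assumed
# available) and prints the subject, issuer and validity of the presented leaf
# certificate. The issuer should be the intermediate CA imported in step 4; if
# it equals the server's own name, Tomcat is still serving the self-signed
# certificate from step 1 (check keystoreFile and the alias in server.xml).
tls_check() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
}

# Constructed sample `netstat -ltn` output: 8080 and 8443 listening, 8009 not.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp6       0      0 :::8443                 :::*                    LISTEN'

printf '%s\n' "$SAMPLE_NETSTAT" | port_listening 8443 && echo "8443 is listening"
printf '%s\n' "$SAMPLE_NETSTAT" | port_listening 8009 || echo "8009 is not listening"
# Live checks (need a running Tomcat):
#   netstat -ltn | port_listening 8443 && tls_check vmnnn01.qad.com 8443
```

If `port_listening` fails after step 8, look in $TOMCAT_HOME/logs/catalina.out for a keystore or password error from the connector before retrying the browser test in step 10.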
11 Update client-session.xml (HOMESERVER/configurations/<config name>/client-session.xml) to use HTTPS when connecting to Desktop:
<!-- The desktop protocol. Valid values are "http" or "https". -->
<DesktopProtocol>https</DesktopProtocol>
<!-- The Tomcat host name. -->
<DesktopHost>vmnnn01.qad.com</DesktopHost>
<!-- The Tomcat port number. -->
<DesktopPort>8443</DesktopPort>
12 Start the QAD .NET UI and open Sales Order Maintenance. You can check the configuration by looking in Help | View Configuration and searching for the desktopbaseurl setting. It should look like https://host:port/qadui.