
Wednesday, April 22, 2009

Securing your DimensioN Portal - enabling https

I had to do this for one of the clients. This is the procedure which I followed. It was a real headache. I got into some difficulties and then found out things and stuff. I am writing down the exact procedure which I followed, during development time and during the setting up of the server with a Thawte certificate, to enable SSL and HTTPS. Hope this helps someone.



DimensioN is based on JBoss, so SSL on JBoss should also be the same, but I can't guarantee it.


To Enable SSL in DimensioN.

For development
Step 1: keytool -genkey -alias [alias name] -keypass [password] -keyalg RSA -keystore [keystore name]


To get an SSL certificate from an issuing authority:

Perform the following steps to generate the key and the CSR and to install the SSL certificate (ref:1).

STEP 1 : keytool -genkey -keyalg RSA -alias [alias name] -keystore [keystore name] (use the same password as for the alias.)
STEP 2 : keytool -list -keystore [keystore name]
STEP 3 : keytool -certreq -alias [alias name] -keyalg RSA -file certreq.csr -keystore [keystore name]
STEP 4 : keytool -import -alias [alias name] -trustcacerts -file [downloaded certificate name] -keystore [keystore name]


For example:
STEP 1 : keytool -genkey -keyalg RSA -alias tomcat -keystore dimension.keystore (use the same password as for the alias.)
STEP 2 : keytool -list -keystore dimension.keystore
STEP 3 : keytool -certreq -alias tomcat -keyalg RSA -file certreq.csr -keystore dimension.keystore
STEP 4 : keytool -import -alias tomcat -trustcacerts -file mysignedcert.crt -keystore dimension.keystore


Use the CSR file generated in step 3 to apply for the SSL certificate from the issuing authority. Apply step 4 with the file you get back from the signing authority.

If after doing this procedure you still get the error that it is a self-signed certificate, then the certificate you downloaded is not in PKCS#7 format (ref:3). You will have to create a chain certificate from the one you have. The procedure to follow in Windows is as follows (ref:2).

1. Double click on the .crt file, which you had downloaded.
2. Click on the Details Tab at the top
3. Click on 'Copy to file'
4. Click 'Next'
5. Tick the third option: "Cryptographic Message Syntax Standard - PKCS#7 Certificates (.P7B)".
   Also tick "Include all certificates in the certification path if possible".
6. Click 'Next'
7. Select a file name or browse to a path where you'd like to save this chained certificate.
8. Click 'Next'
9. Click 'Finish'
10. Your export should be successful, then click 'OK'.


Configuration in DimensioN:

Step 1 : Copy the generated keystore to [DimensioN_Server_install_Directory]\DimensionServer\server\default\conf

Step 2 : Open the server.xml file in [DimensioN_Server_install_Directory]\DimensionServer\server\default\deploy\jbossweb-tomcat50.sar

Step 3 : Find the section below in that file.

<!-- <Connector port="8443" address="${jboss.bind.address}" maxThreads="100"
minSpareThreads="5" maxSpareThreads="15" scheme="https" secure="true"
clientAuth="false" keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
keystorePass="rmi+ssl" sslProtocol="TLS"/> -->

Remove the comment by deleting the <!-- and --> from the beginning and end of the section.
Give the keystore name in the line
keystoreFile="${jboss.server.home.dir}/conf/[keystore name]"
Give the keystore password in the line
keystorePass="[keystore password]"

Step 4 : Find the section below in that file.

<Connector port="6666" address="${jboss.bind.address}"
maxThreads="150" maxHttpHeaderSize="8192"
minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true" compression="on"
compressableMimeType="text/csv"/>

Comment out this section by adding <!-- and --> at the beginning and end of the section respectively.


Step 5 : Start the DimensioN server. Now you should be able to access it via the URL https://localhost:8443.
You can even set the connector port to 443, so that you can call the URL as https://localhost.
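As an added check, not part of the original post: a small Python script that parses a server.xml fragment like the one edited in steps 3 and 4 and reports whether the plain connector is still active and whether the HTTPS connector still carries the shipped chap8.keystore / rmi+ssl values. The two XML fragments are constructed for the example and the keystore password in them is a placeholder.

```python
import xml.etree.ElementTree as ET

# Constructed fragment of jbossweb-tomcat50.sar/server.xml in the state the steps
# above leave it: plain connector commented out, HTTPS connector live and pointing
# at the CA-signed keystore (the password is a placeholder).
HARDENED_XML = """<Server><Service name="jboss.web">
  <!-- <Connector port="6666" address="${jboss.bind.address}"
       maxThreads="150" redirectPort="8443"/> -->
  <Connector port="8443" address="${jboss.bind.address}" maxThreads="100"
       scheme="https" secure="true" clientAuth="false"
       keystoreFile="${jboss.server.home.dir}/conf/dimension.keystore"
       keystorePass="KEYSTORE_PASSWORD_PLACEHOLDER" sslProtocol="TLS"/>
</Service></Server>"""

# Constructed fragment where only the uncommenting was done: stock keystore and
# password left in, plain connector still active.
HALF_DONE_XML = """<Server><Service name="jboss.web">
  <Connector port="6666" address="${jboss.bind.address}" redirectPort="8443"/>
  <Connector port="8443" scheme="https" secure="true"
       keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
       keystorePass="rmi+ssl" sslProtocol="TLS"/>
</Service></Server>"""

STOCK_KEYSTORE = "chap8.keystore"  # keystore named in the shipped comment
STOCK_PASSWORD = "rmi+ssl"         # password in the shipped comment


def check_connectors(server_xml):
    """Return a list of findings for the active <Connector> elements; an empty
    list means the file is in the intended end state. ElementTree drops XML
    comments, so a commented-out connector is simply absent, which is the point."""
    findings = []
    https_seen = False
    for c in ET.fromstring(server_xml).iter("Connector"):
        port = c.get("port", "?")
        if c.get("secure") != "true" or c.get("scheme") != "https":
            findings.append("plain HTTP connector on port %s is still active" % port)
            continue
        https_seen = True
        if c.get("keystoreFile", "").endswith(STOCK_KEYSTORE):
            findings.append("HTTPS connector on port %s still uses %s" % (port, STOCK_KEYSTORE))
        if c.get("keystorePass") == STOCK_PASSWORD:
            findings.append("HTTPS connector on port %s still uses the stock keystorePass" % port)
    if not https_seen:
        findings.append("no active HTTPS connector found")
    return findings
```

Run it against the real server.xml by reading the file into a string and passing it to check_connectors; an empty list means only an HTTPS connector with your own keystore is active.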

References:
(1) https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=S:SO3143&actp=search&searchid=1240204108338
(2) https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=S:SO2995&actp=search&searchid=1240199136843
(3) http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

I know this is ugly. I promise to clean this up and write it properly once I get some time.