
Add a SSL certificate to Virtualization Manager

Created by Interspire Import, last modified by MindTouch on Jun 23, 2016


Overview:

You can replace the SSL certificate included with Virtualization Manager with one of your own.

Warning: When you use the su command (switch user), you open the computer to security risks. It is not good practice for numerous people to know the root password. When you log in as root, you have full system privileges, and you can perform any and all commands. Some of these commands are destructive. Inexperienced users could cause serious damage to the system. When a user leaves the company, or otherwise should no longer have access to the root account, the system administrator should change the root password.

Resolution:

To add a self-signed SSL certificate:

  1. Log on to the virtual appliance using the console or an SSH connection.
  2. Enter the command: 
    sudo su - root
  3. Navigate to the Java bin folder on the virtual appliance. This is generally found in the /usr/java/jdkX/bin folder, where X represents the JDK version number.
  4. Enter the following command where mykeystore is the name of your new keystore and daysvalid is the number of days the certificate is valid:
    ./keytool -genkey -alias tomcat -keyalg RSA -keystore /etc/hyper9/mykeystore -validity daysvalid
    Note: If you use the default keystore, hyper9-keystore, you do not need to modify the server.xml file.
  5. When prompted, enter a new keystore password. You need this information for a later step.
  6. Enter the information needed for the new certificate. You will need to provide the following information:
    • Your domain name instead of the first and last name
    • The name of your organizational unit
    • The name of your organization
    • The name of your city or locality
    • The name of your state or province
    • Your two letter country code
    This information is displayed to users who attempt to access Virtualization Manager through a secure connection.
    If you do not use the domain name for the name, you will continue to receive certificate errors.
  7. Enter "yes" when prompted to confirm your new key information.
  8. When prompted for the key password, enter the keystore password you entered before.
  9. Modify the owner of the keystore by entering the following command where mykeystore is the name of your keystore:
    chown hyper9.hyper9 /etc/hyper9/mykeystore
  10. Change the permissions on the keystore by entering the following command where mykeystore is the name of your keystore:
    chmod 755 /etc/hyper9/mykeystore
  11. Navigate to /usr/share/tomcat-X/conf, and create a backup of the server.xml file.
    Note: If you use the default keystore, hyper9-keystore, you do not need to modify the server.xml file.
  12. Open the server.xml file.
  13. Edit the connector entity to include the keystore location. The entity should look similar to the following:
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
    keystoreFile="../../conf/hyper9-keystore"
    keystorePass="h9keystore"
    SSLEnabled="true"
    maxThreads="150"
    scheme="https"
    secure="true"
    clientAuth="false"
    sslProtocol="TLS" />
  14. Save the server.xml file.
  15. Restart Tomcat by entering the following:
    service tomcat restart

If you receive "Untrusted site" errors after adding your certificate, view KB article: Accepting a self-signed certificate.
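
Added example, not part of the SolarWinds article: a shell audit to run after the procedure above. It reports whether the keystore mode from step 10 (755 leaves the file readable by every local account) and server.xml, which stores keystorePass in clear text, are exposed to all users, whether the Connector references the new keystore, and whether the certificate CN matches the appliance's domain name. The function names, the audit.sh file name, the use of GNU stat, and an absolute keystoreFile path in server.xml are assumptions.

```shell
#!/bin/sh
# Added example (not SolarWinds code): audit the result of the keystore procedure.
# Assumes GNU stat (Linux appliance) and an absolute keystoreFile path in server.xml.

# Print a file's octal permission bits, e.g. 755.
file_mode() { stat -c '%a' "$1"; }

# Succeed only when "other" users have no access (last octal digit is 0).
not_world_accessible() {
    case "$(file_mode "$1")" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# Print one attribute of the <Connector> that carries it, e.g. keystoreFile.
connector_attr() {   # usage: connector_attr server.xml attribute
    tr '\n' ' ' < "$1" |
        sed -n "s/.*<Connector[^>]*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# Read `keytool -list -v` output on stdin and print the first certificate's CN.
cert_cn() { sed -n 's/^Owner: CN=\([^,]*\).*/\1/p' | head -n 1; }

# Run every check, print one finding per failure, return 1 if any failed.
audit_tls_setup() {  # usage: audit_tls_setup keystore server.xml hostname < listing
    rc=0
    not_world_accessible "$1" ||
        { echo "keystore $1 is accessible to every local account"; rc=1; }
    not_world_accessible "$2" ||
        { echo "$2 exposes keystorePass to every local account"; rc=1; }
    [ "$(connector_attr "$2" keystoreFile)" = "$1" ] ||
        { echo "Connector keystoreFile does not point at $1"; rc=1; }
    [ "$(cert_cn)" = "$3" ] ||
        { echo "certificate CN does not match $3"; rc=1; }
    return "$rc"
}

# Stand-alone use: sh audit.sh KEYSTORE SERVER_XML HOSTNAME < keytool-listing.txt
if [ "$#" -eq 3 ]; then audit_tls_setup "$1" "$2" "$3"; fi
```

The listing on stdin is the saved output of ./keytool -list -v -alias tomcat -keystore followed by the keystore path.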

To add a certificate from a certificate authority:

Warning:  While you can add a certificate from a certificate authority, SolarWinds Technical Support only assists you with adding a self-signed certificate.

If you need clarification, view the Tomcat help page or your certificate authority’s help page.

  1. Log on to the virtual appliance using the console or an SSH connection.
  2. Enter the command: 
    sudo su - root
  3. Navigate to the Java bin folder on the virtual appliance. This is generally found in the /usr/java/jdkX/bin folder, where X represents the JDK version number.
  4. Enter the following command where mykeystore is the name of your new keystore:
    ./keytool -genkey -alias tomcat -keyalg RSA -keystore /etc/hyper9/mykeystore
  5. When prompted, enter a new keystore password. You need this information for a later step.
  6. Enter the information needed for the new certificate. You will need to provide the following information:
    • Your domain name instead of the first and last name
    • The name of your organizational unit
    • The name of your organization
    • The name of your city or locality
    • The name of your state or province
    • Your two letter country code
  7. Enter "yes" when prompted to confirm your new key information.
  8. When prompted for the key password, enter the keystore password you entered before.
  9. Modify the owner of the keystore by entering the following command where mykeystore is the name of your keystore:
    chown hyper9.hyper9 /etc/hyper9/mykeystore
  10. Change the permissions on the keystore by entering the following command where mykeystore is the name of your keystore:
    chmod 755 /etc/hyper9/mykeystore
  11. Enter the following command where mykeystore is the name of your new keystore:
    ./keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore /etc/hyper9/mykeystore
  12. Submit the CSR to your certificate authority.
  13. Once the CA has replied to you, copy the certificate and chain certificate to a permanent location in the virtual appliance.
  14. Navigate to the java bin folder.
  15. Import the chain certificate by entering the following command where mykeystore is the name of your new keystore and chain_certificate_filename is the name of your chain certificate:
    ./keytool -import -alias root -keystore /etc/hyper9/mykeystore -trustcacerts -file chain_certificate_filename
  16. Import the new certificate by entering the following command where mykeystore is the name of your new keystore and certificate_filename is the name of your certificate:
    ./keytool -import -alias tomcat -keystore /etc/hyper9/mykeystore -file certificate_filename
  17. Navigate to /usr/share/tomcat-X/conf, and create a backup of the server.xml file.
  18. Open the server.xml file.
  19. Edit the connector entity to include the keystore location. The entity should look similar to the following:
    <Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
    keystoreFile="../../conf/hyper9-keystore"
    keystorePass="h9keystore"
    SSLEnabled="true"
    maxThreads="150"
    scheme="https"
    secure="true"
    clientAuth="false"
    sslProtocol="TLS" />
  20. Save the server.xml file.
  21. Restart Tomcat by entering the following:
    service tomcat restart
Last modified
04:06, 23 Jun 2016
