
Add an SSL certificate to Virtualization Manager

Created by Caroline Juszczak, last modified by MindTouch on Jun 23, 2016


You can replace the SSL certificate included with Virtualization Manager with one of your own.

When you use the su command (switch user), you open the computer to security risks. When you log in as root, you have full system privileges and can run any command, including destructive ones.

Add a self-signed SSL certificate

  1. Log in to the virtual appliance by using the console or an SSH connection.
  2. Enter the sudo su - root command.
  3. Go to the java bin folder on the virtual appliance. This is generally in the /usr/java/jdkX/bin folder, where X represents the jdk version number.
  4. Enter the following command, where mykeystore is the name of your new keystore and daysvalid is the number of days the certificate is valid:
    ./keytool -genkey -alias tomcat -keyalg RSA -keystore /etc/hyper9/mykeystore -validity daysvalid

    If you use the default keystore, hyper9-keystore, you do not need to modify the server.xml file.

  5. When prompted, enter a new keystore password.
  6. Enter the required information for the new certificate.

    Provide your domain name instead of the first and last name. If you do not use the domain name for the name, you will continue to receive certificate errors.

    This information is displayed to users who try to access Virtualization Manager through a secure connection.

  7. Type yes when prompted to confirm your new key information.
  8. When prompted for the key password, enter the new keystore password.
  9. Modify the owner of the keystore by entering the following command, where mykeystore is the name of your keystore:
    chown hyper9:hyper9 /etc/hyper9/mykeystore
  10. Change the permissions on the keystore by entering the following command, where mykeystore is the name of your keystore:
    chmod 755 /etc/hyper9/mykeystore
  11. Go to /usr/share/tomcat-X/conf, and create a backup of the server.xml file.

    If you use the default keystore, hyper9-keystore, you do not need to modify the server.xml file.

  12. Open the server.xml file.
  13. Edit the connector entity to include the keystore location. The entity should look similar to the following:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
    keystoreFile="../../conf/hyper9-keystore"
    keystorePass="h9keystore"
    SSLEnabled="true"
    maxThreads="150"
    scheme="https"
    secure="true"
    clientAuth="false"
    sslProtocol="TLS" />

  14. Save the server.xml file.

    After an upgrade, the certificate configuration reverts to the default self-signed certificate. To preserve your configuration, create a backup of the server.xml file located in /usr/share/tomcat-X/conf under a different name (for example, server.xml.beforeupgrade).

  15. Enter the service tomcat restart command to restart Tomcat.

If you receive "Untrusted site" errors after adding your certificate, see the KB article about Accepting an Unsigned Certificate.

Add a certificate from a certificate authority

You can add a certificate from a certificate authority, but SolarWinds Technical Support only assists you with adding a self-signed certificate.

For clarification, see the Tomcat help page, or the help page of your certificate authority.

  1. Log in to the virtual appliance by using the console or an SSH connection.
  2. Enter the sudo su - root command.
  3. Go to the java bin folder on the virtual appliance. This is generally found in the /usr/java/jdkX/bin folder, where X represents the jdk version number.
  4. Enter the following command, where mykeystore is the name of your new keystore:
    ./keytool -genkey -alias tomcat -keyalg RSA -keystore /etc/hyper9/mykeystore
  5. When prompted, enter a new keystore password.
  6. Enter the required information for the new certificate.

    Provide your domain name instead of the first and last name.

  7. Enter yes when prompted to confirm your new key information.
  8. When prompted for the key password, enter the new keystore password.
  9. Modify the owner of the keystore by entering the following command, where mykeystore is the name of your keystore:
    chown hyper9:hyper9 /etc/hyper9/mykeystore
  10. Change the permissions on the keystore by entering the following command, where mykeystore is the name of your keystore:
    chmod 755 /etc/hyper9/mykeystore
  11. Enter the following command, where mykeystore is the name of your new keystore:
    ./keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore /etc/hyper9/mykeystore
  12. Submit the certificate signing request to your certificate authority (CA).
  13. After the CA replies, copy the certificate and chain certificate to a permanent location in the virtual appliance.
  14. Navigate to the java bin folder.
  15. Import the chain certificate by entering the following command, where mykeystore is the name of your new keystore and chain_certificate_filename is the name of your chain certificate:
    ./keytool -import -alias tomcat -keystore /etc/hyper9/mykeystore -trustcacerts -file chain_certificate_filename

    Chain certificates in .p7b file format are not supported by keytool.

  16. Go to /usr/share/tomcat-X/conf, and create a backup of the server.xml file.
  17. Open the server.xml file.
  18. Edit the connector entity to include the keystore location. The entity should look similar to the following:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
    keystoreFile="../../conf/hyper9-keystore"
    keystorePass="h9keystore"
    SSLEnabled="true"
    maxThreads="150"
    scheme="https"
    secure="true"
    clientAuth="false"
    sslProtocol="TLS" />

  19. Save the server.xml file.
  20. Enter the service tomcat restart command to restart Tomcat.
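
A pre-restart check for both procedures above, as an added example that is not part of the SolarWinds guide: it reads keystoreFile and keystorePass from server.xml and reports a keystore that is missing, that grants any access to "other" users (chmod 755 does, so every local account can read the key store), or that still uses the h9keystore password from the sample Connector. The function names, the BASE_DIR argument and the demo's temporary files are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit the keystore that server.xml's HTTPS Connector points at.
# Assumes one active Connector with keystoreFile/keystorePass, and GNU stat.

# Print the value of attribute $2 from the first match in file $1.
connector_attr() {
    grep -o "$2=\"[^\"]*\"" "$1" | head -n 1 | cut -d'"' -f2
}

# audit_keystore SERVER_XML [BASE_DIR]
# BASE_DIR is where a relative keystoreFile is resolved from (an assumption;
# pass the directory your Tomcat instance uses). Prints findings or "ok".
audit_keystore() {
    xml=$1; base=${2:-.}; findings=""
    file=$(connector_attr "$xml" keystoreFile)
    pass=$(connector_attr "$xml" keystorePass)
    case $file in
        "") echo "no-keystoreFile"; return 1 ;;
        /*) path=$file ;;
        *)  path=$base/$file ;;
    esac
    if [ -f "$path" ]; then
        mode=$(stat -c %a "$path")
        # Last octal digit = permissions for "other"; non-zero means any
        # local account can at least read the private key store.
        [ "${mode#"${mode%?}"}" = 0 ] || findings="$findings other-access:$mode"
    else
        findings="$findings missing-keystore"
    fi
    # h9keystore is the password shown in the page's sample Connector.
    [ "$pass" != "h9keystore" ] || findings="$findings default-password"
    findings=${findings# }
    echo "${findings:-ok}"
    [ -z "$findings" ]
}

# Constructed sample: an empty stand-in keystore with mode $1 and a
# Connector like the page's that uses password $2.
demo() {
    dir=$(mktemp -d)
    : > "$dir/mykeystore"; chmod "$1" "$dir/mykeystore"
    cat > "$dir/server.xml" <<EOF
<Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
    keystoreFile="$dir/mykeystore" keystorePass="$2" sslProtocol="TLS" />
EOF
    audit_keystore "$dir/server.xml" || true
    rm -rf "$dir"
}
demo 755 h9keystore   # the page's mode and sample password
```

On the appliance, call audit_keystore with the real server.xml path; it exits non-zero when it reports any finding, so it can gate the restart step.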
 
Last modified
04:16, 23 Jun 2016
