Using self-signed certificates


 

SapphireIMS secures communications over the network using SSL (Secure Sockets Layer). SSL is built into all major browsers and web servers. Using the HTTPS protocol with SSL ensures that the server is authenticated and that the communication is encrypted.

To enable SSL, a digital certificate is needed. This certificate contains information such as the issuer name, the validity period of the certificate and the encryption used. The certificate can be purchased from an authorized certificate issuing authority such as 'Symantec', 'GoDaddy' or 'Comodo', or a self-signed certificate can be created. This section describes the procedure to create a self-signed certificate. Self-signed certificates are adequate when SapphireIMS is accessed only on the intranet.

Note: Before proceeding, stop the SapphireIMS service if it is running.

For using certificates purchased from third parties, go to the next topic Using certificates from a Third Party.

 

The self-signed certificate is created using a utility called 'keytool', which is available as part of the Java platform. The certificate is created and stored in a keystore file.

 

Generating a self-signed certificate

 

1.    Open a command prompt on the SapphireIMS server and go to the following path:

SapphireIMS\WebManagement\JDK\bin

2.    Execute the following command (the -dname value is quoted because the host and organization names may contain spaces):

keytool -genkey -alias servercert -keyalg RSA -validity 730 -keystore server.keystore -dname "cn=<Host Name>,o=<Organization Name>,ou=<Organization Name>" -keypass servercert -storepass servercert

The command above creates the 'server.keystore' file in the 'SapphireIMS\WebManagement\JDK\bin' folder. The password for both the keystore and the certificate key is 'servercert'.

3.    Copy the 'server.keystore' file to the 'SapphireIMS\WebManagement\standalone\configuration' folder. Next, enable SSL in the JBoss server by following the steps in the section below.

 

 

Enabling HTTPS and SSL in Wildfly

1.    Open the 'standalone.xml' file, which is present in the 'SapphireIMS\WebManagement\standalone\configuration' folder, using a text editor. Replace the existing block of text under 'ApplicationRealm' with the block given below.

 

<security-realm name="ApplicationRealm">
    <server-identities>
        <ssl>
            <keystore path="server.keystore" relative-to="jboss.server.config.dir" keystore-password="servercert" alias="servercert" key-password="servercert"/>
        </ssl>
    </server-identities>
    <authentication>
        <truststore path="server.truststore" relative-to="jboss.server.config.dir" />
        <local default-user="$local"/>
        <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
    </authentication>
</security-realm>

           

2.    Add the https-listener to the undertow subsystem section, as shown below. The https-listener refers to the 'ApplicationRealm' configured in the previous step.

<subsystem xmlns="urn:jboss:domain:undertow:2.0">
    <buffer-cache name="default"/>
    <server name="default-server">
        <http-listener name="default" socket-binding="http" max-post-size="2147483648"
                       max-parameters="10000" redirect-socket="https" enable-http2="true"
                       allow-unescaped-characters-in-url="true" url-charset="UTF-8" />
        <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm"
                        max-post-size="2147483648" max-parameters="10000"
                        allow-unescaped-characters-in-url="true" url-charset="UTF-8" />
        <host name="default-host" alias="localhost">
            <location name="/" handler="welcome-content"/>
            <filter-ref name="gzipFilter" predicate="regex[pattern='(?:application/javascript|text/css|text/html)(;.*)?', value=%{o,Content-Type}, full-match=true]"/>
            <filter-ref name="server-header"/>
            <filter-ref name="x-powered-by-header"/>
            <http-invoker security-realm="ApplicationRealm" />
            <location name="/SoftwareRepository" handler="SoftwareRepo"/>
            <location name="/PatchManagement" handler="PatchMgmt"/>
        </host>
    </server>
</subsystem>

           

3.    Change the https port to the desired port:

<socket-binding name="https" port="443"/>

 

4.    Restart the SapphireIMS service.
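As an added cross-check before restarting (example code, not part of the SapphireIMS documentation or product), the following Python script parses a standalone.xml and verifies that the three edits above agree with one another: the https-listener points at a defined security-realm carrying an <ssl><keystore> identity whose alias matches the keytool -alias, the https socket-binding exists, and the keystore password is no longer the 'servercert' value written in the procedure. The embedded standalone.xml sample is constructed and uses a placeholder password.

```python
"""Added example (not SapphireIMS code): cross-check the standalone.xml edits
described above for consistency between listener, realm, keystore and socket-binding."""
import xml.etree.ElementTree as ET

DOCUMENTED_PASSWORD = "servercert"  # the password used verbatim in the steps above


def check_https_config(xml_text: str, expected_alias: str = "servercert") -> list[str]:
    """Return a list of findings; an empty list means the settings are consistent."""
    root = ET.fromstring(xml_text)
    findings = []
    # standalone.xml mixes several urn:jboss:* namespaces, so match tags with {*}.
    realms = {r.get("name"): r for r in root.iterfind(".//{*}security-realm")}
    bindings = {b.get("name") for b in root.iterfind(".//{*}socket-binding")}
    listeners = list(root.iterfind(".//{*}https-listener"))
    if not listeners:
        return ["undertow subsystem has no <https-listener>"]
    for lst in listeners:
        name, realm_name, binding = lst.get("name"), lst.get("security-realm"), lst.get("socket-binding")
        if binding not in bindings:
            findings.append(f"https-listener '{name}': socket-binding '{binding}' is not defined")
        realm = realms.get(realm_name)
        if realm is None:
            findings.append(f"https-listener '{name}': security-realm '{realm_name}' is not defined")
            continue
        ks = realm.find("{*}server-identities/{*}ssl/{*}keystore")
        if ks is None:
            findings.append(f"realm '{realm_name}': no <server-identities><ssl><keystore>")
            continue
        if ks.get("alias") != expected_alias:
            findings.append(f"realm '{realm_name}': alias '{ks.get('alias')}' differs from keytool -alias {expected_alias}")
        if DOCUMENTED_PASSWORD in (ks.get("keystore-password"), ks.get("key-password")):
            findings.append(f"realm '{realm_name}': keystore still uses the documented default password")
    return findings


# Constructed minimal standalone.xml in the shape of the edits above (placeholder password).
SAMPLE_OK = """<server xmlns="urn:jboss:domain:4.0">
  <management><security-realms>
    <security-realm name="ApplicationRealm"><server-identities><ssl>
      <keystore path="server.keystore" keystore-password="CHANGE-ME" alias="servercert" key-password="CHANGE-ME"/>
    </ssl></server-identities></security-realm>
  </security-realms></management>
  <profile><subsystem xmlns="urn:jboss:domain:undertow:2.0"><server name="default-server">
    <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm"/>
  </server></subsystem></profile>
  <socket-binding-group name="standard-sockets"><socket-binding name="https" port="443"/></socket-binding-group>
</server>"""
# Same file with the realm name misspelled on the listener.
SAMPLE_BAD = SAMPLE_OK.replace('security-realm="ApplicationRealm"', 'security-realm="ApplicationRealms"')
```

Run it as `check_https_config(open("standalone.xml").read())` against the edited file; any non-empty result names the element that has to be corrected before the service is restarted.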

 

Accessing SapphireIMS over HTTPS

 

1.    From any browser, access the SapphireIMS portal by typing in the following URL:

https://<hostname>

2.    A warning is shown on the browser, as it cannot validate a self-signed certificate. You need to add an exception.

3.    The SapphireIMS login screen appears. By clicking on the certificate information in the browser address bar, you can view the certificate details.

 

Note: This configuration still allows HTTP access. To avoid inadvertently accessing the portal over HTTP, enable redirection to HTTPS. Refer to the topic 'Enabling Redirection from http to https'.