The instructions below are for version 12 and newer and assume you need a new certificate.
If you are running version 12 and newer and already have a certificate, you will want to reference this article.
Enable SSL in Tomcat for MITS Discover and Report (v12) with an Existing Certificate
If you are running version 11, you will want to reference this article.
Enable SSL in Tomcat for MITS Discover and Report (v11) with an Existing Certificate
If you are running a version prior to 11.0, please contact support@mits.com for more information.
The following steps are to enable SSL support in the instance of Tomcat that MITS installs and uses. This is independent of any other instances of Tomcat that may be running on the server.
This configuration may be lost during an upgrade of MITS. It's likely you'll need to reapply these changes after each upgrade.
Before you begin, you'll want to generate a secure password to use for your certificate keystore. We suggest you use a password-generating tool, such as the one found here:
https://www.grc.com/passwords.htm
1. Stop the MITS service. MITS will be unavailable during this time.
2. Open a command prompt and navigate to the MITS directory <mits install>/webserver/conf. The commands below should be run from within this directory.
3. Create a public/private key pair using the command below. It runs keytool from the JRE bundled with MITS, which is located at <path to the MITS install directory>/jre (../../jre relative to the conf directory). If you want to use a different Java installation instead, replace ../../jre with that installation's path (what %JAVA_HOME% points at).
../../jre/bin/keytool -genkeypair -alias server -keyalg RSA -keysize 2048 -keystore mits-tomcat.jks -dname "CN=<domain>" -storepass <password>
Example: ../../jre/bin/keytool -genkeypair -alias server -keyalg RSA -keysize 2048 -keystore mits-tomcat.jks -dname "CN=alpha.example.com" -storepass password_goes_here
If you omit -storepass, keytool prompts for the password instead of leaving it in the command history.
4. Generate a Certificate Signing request using this command.
../../jre/bin/keytool -certreq -alias server -keystore mits-tomcat.jks -file mits-tomcat.csr -storepass <password> -ext san=dns:<domain>
Example: ../../jre/bin/keytool -certreq -alias server -keystore mits-tomcat.jks -file mits-tomcat.csr -storepass password_goes_here -ext san=dns:alpha.example.com
5. Have the certificate signing request (mits-tomcat.csr) signed by your domain registrar. They will have instructions to assist you with this part of the process. Once you have the signed certificate, place it on the MITS server or somewhere on your network that the MITS server can access.
6. Import the signed certificate. Use the same alias (server) as the key pair from step 3 so that keytool attaches the signed certificate to the existing private key rather than adding a separate trusted-certificate entry; the file should contain the server certificate followed by its chain.
../../jre/bin/keytool -importcert -alias server -keystore mits-tomcat.jks -storepass <password> -file <signed cert file>
Example: ../../jre/bin/keytool -importcert -alias server -keystore mits-tomcat.jks -storepass password_goes_here -file cert_with_chain.pem
7. Back up mits-tomcat.jks to a safe place so it can be restored after a MITS upgrade.
8. Configure Tomcat to use SSL and the new keystore.
Do this by editing the server.xml file within the MITS directory. It will be located at [MITS Install Location]/webserver/conf/server.xml. You'll need to modify the non-SSL connector and paste in a new connector for SSL.
- Modify the non-SSL connector. It looks like the snippet below; add the contents marked in red.
<Connector address="127.0.0.1"
port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" URIEncoding="UTF-8"
compression="on"
maxPostSize="16777216"
useSendfile="false"
compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,image/svg+xml"/>
- Now uncomment the SSL connector. Find the following SSL connector in the server.xml file and remove the <!-- and --> from its ends.
Make the changes highlighted in red below.
Depending on your specific version of MITS, the section in green may be slightly different. This is okay.
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true"
URIEncoding="UTF-8"
compression="on"
maxPostSize="16777216"
scheme="https"
useSendfile="false"
secure="true"
compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,image/svg+xml">
<SSLHostConfig protocols="+TLSv1.2" ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA">
<Certificate certificateKeystoreFile="conf/mits-tomcat.jks"
certificateKeystorePassword="password_goes_here"
type="RSA" />
</SSLHostConfig>
</Connector>-->
9. Change the port in the first line of the connector from 8443 to 443. This will mean users won't have to specify a port number when entering the address.
10. Reconfigure any firewall port(s) to allow 443 to this server.
11. Change certificateKeystorePassword (near the bottom of the connector) to the keystore password you chose in step 3.
12. Save the server.xml file.
13. Start the MITS service.
14. Log in using the new secure URL.
https://alpha.example.com
You'll need to either distribute that new address to your users or have a redirect in your DNS that points the non-secure path to the new, secure one.
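The hand edits in steps 8 through 11 are easy to get subtly wrong: the SSL connector is left inside its <!-- --> comment, the placeholder password survives, or the plain connector's redirectPort still says 8443 after the SSL port was moved to 443. The following Python script is an added example, not part of the MITS article or product. It parses a server.xml with the standard library and reports those problems before the service is started. The server.xml samples are constructed to resemble the article's snippets, and the loopback check assumes, as the article's non-SSL snippet shows, that the plain HTTP connector is bound to address="127.0.0.1".

```python
"""Sanity-check the server.xml edits from steps 8-11 before starting MITS.
Added example; standard library only."""
import xml.etree.ElementTree as ET

# Values that appear only as placeholders in the article; none may survive
# in a live server.xml.
PLACEHOLDER_PASSWORDS = {"password_goes_here", "<password>", "changeit", ""}
# Protocol names that must not be switched on in SSLHostConfig/@protocols.
# "all" is flagged too, because what it expands to depends on the Tomcat version.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "all"}


def enabled_protocols(spec):
    """Expand Tomcat's protocols syntax ('+TLSv1.2', 'all,-SSLv3', ...) into
    the set of protocol names it switches on ('-' entries are ignored)."""
    enabled = set()
    for token in spec.split(","):
        token = token.strip()
        if token and not token.startswith("-"):
            enabled.add(token.lstrip("+"))
    return enabled


def check_server_xml(xml_text):
    """Return a list of findings; an empty list means the file passed."""
    findings = []
    root = ET.fromstring(xml_text)
    connectors = list(root.iter("Connector"))
    # ElementTree discards XML comments, so an SSL connector still wrapped in
    # <!-- --> (step 8 skipped) is simply absent from this list.
    ssl = [c for c in connectors if c.get("SSLEnabled", "").lower() == "true"]
    plain = [c for c in connectors if c.get("SSLEnabled", "").lower() != "true"]

    if len(ssl) != 1:
        findings.append("expected exactly one SSLEnabled connector, found %d "
                        "(is it still commented out?)" % len(ssl))
        return findings
    ssl_conn = ssl[0]
    ssl_port = ssl_conn.get("port")

    if ssl_conn.get("scheme") != "https" or ssl_conn.get("secure", "").lower() != "true":
        findings.append('SSL connector needs scheme="https" and secure="true"')

    for host in ssl_conn.iter("SSLHostConfig"):
        legacy = enabled_protocols(host.get("protocols", "all")) & LEGACY_PROTOCOLS
        if legacy:
            findings.append("SSLHostConfig enables legacy or unpinned protocol(s): "
                            + ", ".join(sorted(legacy)))
        certs = list(host.iter("Certificate"))
        if not certs:
            findings.append("SSLHostConfig has no <Certificate> element")
        for cert in certs:
            if not cert.get("certificateKeystoreFile"):
                findings.append("Certificate is missing certificateKeystoreFile")
            if cert.get("certificateKeystorePassword", "") in PLACEHOLDER_PASSWORDS:
                findings.append("certificateKeystorePassword is still a "
                                "placeholder (step 11 skipped)")

    for conn in plain:
        port = conn.get("port", "?")
        # Step 9 moves the SSL connector to 443; the plain connector's
        # redirectPort must follow, or requests Tomcat upgrades to HTTPS are
        # sent to a port nothing listens on.
        if conn.get("redirectPort") != ssl_port:
            findings.append("HTTP connector on port %s has redirectPort=%r but "
                            "the SSL connector listens on %s"
                            % (port, conn.get("redirectPort"), ssl_port))
        # The article's snippet binds plain HTTP to the loopback address so the
        # unencrypted listener is not reachable from the network.
        if conn.get("address") != "127.0.0.1":
            findings.append("HTTP connector on port %s is not bound to "
                            "127.0.0.1" % port)
    return findings


# Constructed sample resembling the article's server.xml after steps 8-11,
# with the plain connector's redirectPort moved to 443 along with the SSL port.
GOOD_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector address="127.0.0.1" port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="443" URIEncoding="UTF-8"/>
    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig protocols="+TLSv1.2"
                     ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384">
        <Certificate certificateKeystoreFile="conf/mits-tomcat.jks"
                     certificateKeystorePassword="c0nstructed-Example-Pw"
                     type="RSA"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""
# Constructed: step 11 skipped and redirectPort left at 8443 (two findings).
BAD_SERVER_XML = (GOOD_SERVER_XML
                  .replace('certificateKeystorePassword="c0nstructed-Example-Pw"',
                           'certificateKeystorePassword="password_goes_here"')
                  .replace('redirectPort="443"', 'redirectPort="8443"'))
# Constructed: SSL connector never uncommented (step 8 skipped).
STILL_COMMENTED_XML = (GOOD_SERVER_XML
                       .replace('<Connector port="443"', '<!-- <Connector port="443"')
                       .replace('</Connector>', '</Connector> -->'))

if __name__ == "__main__":
    for name, text in [("good", GOOD_SERVER_XML), ("bad", BAD_SERVER_XML),
                       ("commented", STILL_COMMENTED_XML)]:
        print(name, check_server_xml(text) or "OK")
```

Run it against the real file with `check_server_xml(open(path).read())`; any non-empty result is a reason not to start the MITS service yet.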