Enable SSL in Tomcat for BOXI using a Self-Signed Certificate

Article ID: 15564

Products

SUPPORT AUTOMATION- SERVER
CA Service Desk Manager - Unified Self Service
KNOWLEDGE TOOLS
CA Service Management - Asset Portfolio Management
CA Service Management - Service Desk Manager

Issue/Introduction

We do not recommend using a self-signed certificate because browsers will not accept it as being from a trusted certificate authority. Users who access Service Desk over https (SSL) will therefore see a browser warning saying "The security certificate presented by this website was not issued by a trusted certificate authority.", and will have to click on "continue to this website (not recommended)" in order to actually get to the site. This document provides the steps to do

 

Please also consider this KBA 1648573 from SAP

1648573 - How to configure SSL on Tomcat in BI 4 1648573_E_20170817.pdf



Implement SSL in Tomcat for BOXI using a Self-Signed Certificate

Environment

Windows 2008R2 & Windows 2012
BOXI 4.1

Resolution

1/ Create the .pfx file in the same way as in tecdoc TEC1659789

The steps consist of

<<

1. Click on the Start menu, go to Administrative Tools, and click on Internet Information Services (IIS) Manager.

2. Click on the name of the server in the Connections column on the left. Double-click on Server Certificates.

3. In the Actions column on the right, click on Create Self-Signed Certificate...

4. Enter any friendly name such as "sdmsslcert" or "sdmcert" and then click OK.

5. You will now have an IIS Self Signed Certificate valid for 1 year listed under Server Certificates. The certificate common name (Issued To) is the server name. Now we just need to bind the Self signed certificate to the IIS site.

Next you have to export that certificate to a .pfx file.  To do this, follow these steps:

1. Click on the Start menu, go to Administrative Tools, and click on Internet Information Services (IIS) Manager.

2. Click on the name of the server in the Connections column on the left. Double-click on Server Certificates.

3. Right click on the certificate that you created (sdmsslcert or sdmcert), and select "Export"

4. In the "Export to" field, click the ellipsis and select a directory to store your certificate and a filename such as "sdmsslcert" or "sdmcert" (it will have a .pfx file extension), then create a password for that certificate (you will need this password later to configure Tomcat to access that certificate).

5. Click OK on the Export Certificate window, then use Windows Explorer to navigate to the directory where you specified to save the .pfx cert file and ensure it's there.
>>

 

2/ Once the .pfx file is generated, identify the server.xml in BOXI that has to be updated

<Please see attached file for image>

<Please see attached file for image>

Modify the server.xml

<Please see attached file for image>

<Connector SSLEnabled="true"
ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"
clientAuth="false" keystoreFile="C:\keystore\sdmcert.pfx"
keystorePass="Password1" keystoreType="PKCS12"
maxThreads="150" port="8493" protocol="HTTP/1.1" scheme="https" secure="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" sslProtocol="TLS"/>
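
A configuration check for the Connector above, added here as an example (not code from this article or from the vendor): it parses server.xml and reports settings worth reviewing, namely TLS 1.0/1.1 in sslEnabledProtocols, static-RSA or CBC-only cipher lists, and a plaintext keystorePass. The function names, check ids and the embedded sample (the article's Connector with a shortened cipher list) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the Connector from this article with the cipher list shortened.
SAMPLE_SERVER_XML = r"""<Server><Service name="Catalina">
<Connector SSLEnabled="true"
  ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA"
  clientAuth="false" keystoreFile="C:\keystore\sdmcert.pfx"
  keystorePass="Password1" keystoreType="PKCS12"
  maxThreads="150" port="8493" protocol="HTTP/1.1" scheme="https" secure="true"
  sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" sslProtocol="TLS"/>
</Service></Server>"""

# TLS 1.0 and 1.1 are deprecated by RFC 8996; SSLv3 and earlier are older still.
LEGACY_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}

def split_csv(value):
    """Split a comma-separated attribute value, tolerating a missing attribute."""
    return [v.strip() for v in (value or "").split(",") if v.strip()]

def audit_connector(conn):
    """Return a list of (check_id, detail) findings for one <Connector> element."""
    findings = []
    legacy = [p for p in split_csv(conn.get("sslEnabledProtocols")) if p in LEGACY_PROTOCOLS]
    if legacy:
        findings.append(("legacy-protocol", ",".join(legacy)))
    suites = split_csv(conn.get("ciphers"))
    static_rsa = [s for s in suites if s.startswith("TLS_RSA_")]
    if static_rsa:  # static RSA key exchange provides no forward secrecy
        findings.append(("no-forward-secrecy", ",".join(static_rsa)))
    if suites and all("_CBC_" in s for s in suites):
        findings.append(("cbc-only", "no AEAD (GCM) suite offered"))
    if conn.get("keystorePass"):
        findings.append(("plaintext-keystore-pass", "restrict read access to server.xml"))
    return findings

def audit_server_xml(xml_text):
    """Audit every SSL-enabled Connector; returns {port: findings}."""
    root = ET.fromstring(xml_text)
    return {c.get("port"): audit_connector(c)
            for c in root.iter("Connector")
            if (c.get("SSLEnabled") or "").lower() == "true"}

if __name__ == "__main__":
    for port, findings in audit_server_xml(SAMPLE_SERVER_XML).items():
        for check, detail in findings:
            print(f"port {port}: {check}: {detail}")
```

To check a real installation, pass the contents of the BOXI server.xml to audit_server_xml in place of the sample.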

 

<Please see attached file for image>

 

Restart Tomcat_boxi and verify that BOXI is in SSL mode

<Please see attached file for image>

 

 

Additional Information

We have a customer running ServiceDesk and BOXI on the same server for testing purposes.

 

1/ Apply tecdoc TEC1659789, "Enable SSL in Tomcat for CA Service Desk Manager using a Self-Signed Certificate"

TEC1659789

2/ Apply this tecdoc, using the same .pfx file for BOXI
