Generating the SSL Certificate for Tomcat on XOS

Article ID: 168002

Products

XOS

Issue/Introduction

When logging into the EMS, a user may experience difficulties due to an expired SSL certificate.

Use the following procedure to generate a new keystore file, which extends the expiration of the SSL certificate accordingly.

Resolution

1. SSH into the unit as admin and, from the CLI, go to a UNIX prompt as root...

CBS# un su

2. Set the env variable for Java

# export JAVA_HOME=/usr/java/j2re1.4.2_08/

NOTE: The path for JAVA_HOME is version-specific to XOS. In testing with XOS 7.1.2 it was found that the path "/usr/java/j2re1.4.2_08/" without quotes was needed instead of the value shown in the previous example. Please verify that the path in this entry is correct for your environment before proceeding.

3. Stop the tomcat service

# /etc/init.d/tomcat stop

4. It's possible that some of the java processes haven't timed out or shut down completely. To see if this is the case, run the following command...

# ps -eau |grep java

5. If you see a number of processes still running, you can kill them by running this command.

# killall java

6. Begin by backing up the existing configuration files before making changes

# tar cvpf /root/tomcat_conf.tgz /crossbeam/web/conf

7. Change to the appropriate directory

# cd /crossbeam/web/conf

8. Change the name of the working keystore file

# mv keystore keystore.orig

9. Create the new keystore file with the appropriate information. When you issue the following command, you will be prompted for a password. The current password is "changeit" without quotes. If you wish to use a different password, modify the corresponding entry called "keypass" in the servers.xml file accordingly. You can also modify the duration for which the certificate is valid. The following command uses 365 days (1 yr), but any value (specified in days) through 100 years is valid.

# $JAVA_HOME/bin/keytool -validity 365 -genkey -alias tomcat -keyalg RSA -keystore /crossbeam/web/conf/keystore
Enter keystore password: changeit
What is your first and last name?
[Unknown]: <Enter the FQDN of the server>
What is the name of your organizational unit?
[Unknown]: <Enter your department name here>
What is the name of your organization?
[Unknown]: <Enter your company name here>
What is the name of your City or Locality?
[Unknown]: <City>
What is the name of your State or Province?
[Unknown]: <State>
What is the two-letter country code for this unit?
[Unknown]: <Country Code>
Is CN=cbs1.example.net, OU=Customer Support, O=Crossbeam Systems Inc, L=Dallas, ST=TX, C=US correct?
[no]: yes

Enter key password for <tomcat>
(RETURN if same as keystore password):

NOTE: At the above prompt you can either press Enter, which defaults to the previously entered password, or enter the same password as above. Any other entry is not supported by Tomcat at this time.

10. Now set the permissions on the file

# chmod 750 ./keystore

11. Now set the ownership on the file

# chown tomcat:cbcli keystore

12. Start the Tomcat service

# /etc/init.d/tomcat start

The new certificates should now be installed.
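
To confirm the result of the procedure, the validity period of the new certificate can be read back from the keystore with keytool -list -v. The script below is an added example, not part of the original article: it parses the "Valid from ... until ..." line and reports the days remaining. The function names, the 30-day warning threshold and the sample output are constructed for illustration, and GNU date is assumed.

```shell
#!/bin/sh
# Added example (not from the original article): report how long the
# certificate in a keystore remains valid, from `keytool -list -v` output.
# Assumes GNU date (-d) to parse keytool's date strings.

# Constructed sample of `keytool -list -v -alias tomcat` output (abridged).
sample_keytool_output() {
    cat <<'EOF'
Alias name: tomcat
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=cbs1.example.net, OU=Customer Support, O=Crossbeam Systems Inc, L=Dallas, ST=TX, C=US
Valid from: Mon Jan 01 00:00:00 UTC 2024 until: Tue Dec 31 00:00:00 UTC 2024
EOF
}

# Print the "until:" date of the first certificate found on stdin.
cert_not_after() {
    sed -n '/^Valid from: /{s/^.* until: //p;q;}'
}

# check_expiry WARN_DAYS NOW_EPOCH   (keytool output on stdin)
# Prints a status line; returns 0 = OK, 1 = expiring soon, 2 = expired,
# 3 = no certificate found or unparseable date.
check_expiry() {
    warn_days=$1 now=$2
    not_after=$(cert_not_after)
    [ -n "$not_after" ] || { echo "NO_CERT"; return 3; }
    expiry=$(date -u -d "$not_after" +%s 2>/dev/null) || { echo "BAD_DATE"; return 3; }
    # Compare seconds first: integer division would round a just-expired
    # certificate up to "0 days remaining".
    if [ "$expiry" -le "$now" ]; then echo "EXPIRED"; return 2; fi
    days=$(( (expiry - now) / 86400 ))
    if [ "$days" -lt "$warn_days" ]; then echo "WARN $days"; return 1; fi
    echo "OK $days"
}

# Usage: sh check_keystore.sh /crossbeam/web/conf/keystore [warn_days]
# Runs only when a readable keystore path is given; keytool prompts for
# the keystore password.
if [ -n "${1:-}" ] && [ -r "$1" ]; then
    "${JAVA_HOME:?set JAVA_HOME as in step 2}/bin/keytool" -list -v \
        -alias tomcat -keystore "$1" | check_expiry "${2:-30}" "$(date +%s)"
fi
```

Run from cron or a monitoring check, the non-zero exit codes flag the certificate before EMS logins start failing again.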


Workaround

N/A