1. Generate Self-Signed Key(If using a signed certificate and you have the keystore file (ie. .jks file) skip to step 2.

When creating the self signed key, specify the hostname, FQDN and IP address in the SAN(subject alternative name) section of the command and specify the hostname or FQDN when asked for First and Last name.

Linux Command

$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore <install dir>/apache-tomcat/conf/key.bin -ext SAN=dns:<hostname>,dns:<FQDN>,ip:192.168.1.38

Windows Command

%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA -keystore <install dir>\apache-tomcat\conf\key.bin -ext SAN=dns:<hostname>,dns:<FQDN>,ip:192.168.1.38

2. Update Tomcat Configuration

Linux Configuration

Add the following section after existing <Connector> element in <Install dir>/apache-tomcat/conf/server.xml.

Here you will specify the HTTPS port you wish to use, if on the same server as AAI, use a different HTTPS port.

You will also specify the path to the keystore you created in step 1 which should be in <install dir>/apache-tomcat/conf/.

You will also specify the password you used when creating the keystore.

Windows Configuration

Add the following section after existing <Connector> element in <Install dir>apache-tomcat\conf\server.xml

<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="${HTTPS_PORT}" maxThreads="200" scheme="https" secure="true" SSLEnabled="true" keystoreFile="<insight install dir>\apache-tomcat\conf\key.bin" keystorePass="changeit" clientAuth="false" sslProtocol="TLS"/>

3. Get and Import JAWS certificate to TermaINSIGHT server Java Keystore AND the Jasperserver Java Keystore

Linux Command

Get the cert for JAWS server:

openssl s_client -connect <AAI hostname:AAI port>  | openssl x509 -out jawsserver.cert

Import the cert into the $JAVA_HOME/jre/lib/security/cacerts keystore

keytool -import -alias tomcat -keystore $JAVA_HOME/jre/lib/security/cacerts -file jawsserver.cert

Import the AAI/JAWS cer file into the Java keystore that is embedded with Jasperserver which is in <Insight Install Dir>/java/jre/lib/security/cacerts

keytool -import -alias tomcat -keystore <Insight Install Dir>/java/jre/lib/security/cacerts -file jawsserver.cert

Windows

You can get the Jaws cert over to the Insight server a few different ways. 

• Get the public cert for the AAI server by running openssl on a Linux machine and then copy it over to Windows:

• You can also use keytool to export the cert from the Jaws server’s keystore like below:

• From IE go to Terma web url  http://<jaws server>:8443/terma from IE, and save the keys. And then open Internet Options -> Click Content tab -> Click Certificates Button -> Select the Entry with JAWS server host name -> Click on Export -> Follow the wizard to save the certificate. 

• From  Chrome, go to https://<jaws server>:8443/terma click on the “Not Secure” message to the left of the URL and select certificates.

Import the Cert

Once you have the cert, Import the generated/exported cert to java keystore (default password for keystore is ‘changeit’):

 keytool -import -alias tomcat -keystore %JAVA_HOME%\jre\lib\security\cacerts -file jawsserver.cert

Also you must import the cert into the Jasperserver’s bundled java which is located in the <install dir>\java\lib\security\cacerts directory.

keytool -import -alias tomcat -keystore <Insight Install Dir>/java/lib/security/cacerts -file jawsserver.cert

4.    Check that the correct AAI/JAWS URL is stored on the Insight server.

The server name, port, and protocol for accessing the AAI server from Insight is set during the installation of Insight in your install parameters for Windows or Linux.

If you already specified the protocol https, the port used for https, and the correct hostname, FQDN, or IP that matches your certificate, this should already be set correctly.

To make sure, check the file below on the insight server:

5.    Restart TermaINSIGHT application

Linux

<Insight install dir>./ctlscript.sh restart

Windows

There are two desktop icons to stop and start the Jasperserver services, double click “Stop JRS Service” and then “Start JRS Service”.

6.    Verify you can get to the Jasperserver login page via https

The link is below, use the ip, hostname, or FQDN of the server, whichever name you use to access the URL should match what you supplied as the Subject Alternative Names in your certificate.

https://<hostname>:<https port>/jasperserver-pro

You should be able to log in with the user superuser and password TermaPassword by default.

7.    Download the cert to your local desktop and Import into your Trusted Certificates(Self signed certs only).

If you are using self signed certs you must download the certs used for your AAI server and your Insight server to whichever computer you are using to access the Web URL.

From  Chrome, go to https://<aai server>:<port>/terma and https://<Insight server>:<port>/jasperserver-pro click on the red “Not Secure” message to the left of the URL and select certificates.

Click on the Details tab and select “copy to file”

Select the top options and “Next” a select a name and save it.

Then import both certs into Windows Trusted Certificates, you may already have the AAI/Jaws cert imported if you are able to launch the Jaws thick client.

• Run mmc.exe from the Start menu on the client
• Click File then click Add/Remove Snap-in
• Choose Certificates from the list then click Add
• In the Certificates snap-in pop-up window, select Computer Account then click Next
• In the Select Computer pop-up window, select Local Computer then click Finish
• Click OK to confirm Certificates (Local Computer) snap-in
• Expand Certificates, expand Trusted Root Certification Authorities
• Right-click Certificates, click All Tasks, and then click Import
• On the Certificate Import Wizard Welcome page, click Next
• Browse to the location of the saved certificate file, select the file and then click Open
• Select Next
• In the Certificate Store, select Place all certificates in the following store and choose Trusted Root Certification Authorities
• Select Next then Finish

Restart all browsers.

8.    Import Self-Signed TermaINSIGHT Key into TermaUNIFY (JAWS) Java Keystore

To be able to connect to BI server from JAWS with HTTPS with self-signed cert, we have to import the self-signed cert of BI Server to java keystore in JAWS server (default password for the keystore is ‘changeit’):

Linux

Get the cert via the command below from the AAI/JAWS server:

openssl s_client -connect ${BI_HOSTNAME}:${BI_SSL_PORT} <<<'' | openssl x509 -out bi_server.cert

$JAVA_HOME/bin/keytool -import -alias bi_key -keystore $JAVA_HOME/jre/lib/security/cacerts -file bi_server.cert

Windows

              “%JAVA_HOME% \bin\keytool” -import -alias bi_key -keystore “%JAVA_HOME%\jre\lib\security\cacerts” -file bi_server.cert (Windows)

9.    Restart AAI/JAWS server

10. Configure the Reporter Server in the Terma website.

Open the Terma website with the same hostname/FQDN/IP as in step 4 and go to System Tools->Reporting Configuration.

• It is very important to specify the same hostname or IP address that is in the URL in step 4 or used during your Insight installation and your https port.
  
  
• Username and password by default are superuser and TermaPassword.
• Follow the rest of the steps.
• If all is configured properly you should be able to go to the home page, create a new view and see the reports from Insight like below: