Watch4net/VNX Monitoring and Reporting: How to configure the Web Portal to use SSL (https)

Article ID: 304637

Products

VMware

Environment

VMware Smart Assurance - Watch4Net/M&R

Resolution

This article explains:
  • How to configure Watch4net or VNX Family Monitoring and Reporting Web portal to use SSL (https)
  • How to create a self-signed certificate for the Watch4net or VNX Monitoring and Reporting Web Portal




The following instructions explain how to configure SSL (secure HTTP or HTTPS) on the Tomcat 6 server used by the Web Portal for Watch4Net and VNX Family Monitoring and Reporting. These instructions assume that you are using a self-signed digital certificate and not a certificate issued by a well-known Certificate Authority (CA) such as VeriSign or Thawte.

Overview
To configure SSL (secure HTTP or HTTPS) for the Watch4net or VNX Family Monitoring and Reporting Tomcat 6 or later Web server, the following tasks must be completed:
  1. Create your own self-signed certificate and specify a password value of "watch4net".
  2. Import a certificate from a provider (your "Chain Certificate" or "Root Certificate") into your keystore. (This step can be skipped if you are using a self-signed certificate)
  3. Import your new certificate into Tomcat.
  4. Enable your certificate in Tomcat.
  5. Test the SSL configuration.
*For VNX Family Monitoring and Reporting, please replace all instances of APG with VNX in the commands mentioned below*

The following sections present the details for the actions required when doing each of the above tasks and any special considerations.

Task 1: Create your own self-signed certificate
To create your own self-signed keystore certificate and specify a password value of "watch4net", do the following:

  1. Change (cd) to the Java directory on the server and run the keytool command to create the keystore:

cd /opt/APG/Java/Sun-JRE/<version>/bin/
keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/APG/Web-Servers/Tomcat/Default/conf/.keystore

Note: The specific Java version numbering and the path to Java used in your APG environment may vary. In Watch4Net 6.6u1, use the following for this step:

cd /opt/APG/Java/Sun-JRE/8.0.51/bin/
./keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/APG/Web-Servers/Tomcat/Default/conf/.keystore

  2. Respond to the prompts as in the following example, customizing your responses as appropriate for your environment:

Enter keystore password:watch4net
Re-enter new password:  watch4net
What is your first and last name?
  [Unknown]:  https://FQDN_to_APG_server


(IMPORTANT! You must enter the https FQDN of your APG server at this prompt instead of your "first and last name". Otherwise, you will continuously have certificate mismatch errors.)

What is the name of your organizational unit?
  [Unknown]:  Example Support
What is the name of your organization?
  [Unknown]:  Example Watch4net
What is the name of your City or Locality?
  [Unknown]:  Example Salt Lake City
What is the name of your State or Province?
  [Unknown]:  Example Utah
What is the two-letter country code for this unit?
  [Unknown]:  Example US
Is CN=John Doe, OU=Support, O=Watch4net, L=Montreal, ST=Quebec, C=CA correct?
  [no]:  yes

Enter key password for <tomcat>
        (RETURN if same as keystore password):<return>

Task 2: Import a certificate from a provider into your keystore (this step is not required, and can be skipped, if you have already created the self-signed certificate in Task 1)
In this task, you must import your "Chain Certificate" or "Root Certificate" into your keystore. The command syntax to do this is as follows:

keytool -import -alias root -keystore <your_keystore_filename> -trustcacerts -file <filename_of_the_chain_certificate>

Task 3: Import your new certificate into Tomcat
Navigate to /opt/APG/Java/Sun-JRE/<version>/bin/. The command syntax to import your new certificate into Tomcat is as follows:

keytool -import -alias tomcat -keystore <your_keystore_filename> -file <your_certificate_filename>

Task 4: Enable the certificate in Tomcat
To enable your new certificate in Tomcat, you must uncomment the "SSL HTTP/1.1 Connector" entry in the Tomcat server.xml configuration file. This is done as follows:

  1. Open the server.xml configuration file in an appropriate editor such as vi:

vi /opt/APG/Web-Servers/Tomcat/Default/conf/server.xml

  2. Find the "Define a SSL HTTP/1.1 Connector" entry and remove the comment indicators from the section specifying "Connector port" and the other parameters of the HTTPS connection:

<!-- Define a SSL HTTP/1.1 Connector on port 8443
         This connector uses the JSSE configuration, when using APR, the
         connector should be using the OpenSSL style configuration
         described in the APR documentation -->

<Connector port="58443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="/opt/APG/Web-Servers/Tomcat/Default/conf/.keystore"
           keystorePass="watch4net" clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8" />

  3. Save the file and restart Tomcat. Navigate to /opt/APG/bin and execute the following commands:

./manage-modules.sh service stop tomcat Default
./manage-modules.sh service start tomcat Default
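
The following Python check is an added example, not part of the original article or the product's tooling. It parses server.xml to confirm that the Task 4 connector is active rather than still inside the comment, and reports keystore settings worth reviewing, since keystorePass sits in cleartext in that file. The function names and the sample server.xml text are constructed for illustration.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample: the Task 4 connector while still commented out, and the
# same file after the comment markers around it have been removed.
COMMENTED = """<Server><Service name="Catalina">
<!--
<Connector port="58443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="/opt/APG/Web-Servers/Tomcat/Default/conf/.keystore"
           keystorePass="watch4net" clientAuth="false" sslProtocol="TLS" />
-->
</Service></Server>"""
ENABLED = COMMENTED.replace("<!--\n", "").replace("-->\n", "")


def https_connectors(server_xml_text):
    """Return the attributes of every active (uncommented) SSL connector."""
    root = ET.fromstring(server_xml_text)  # XML comments are dropped by the parser
    return [dict(c.attrib) for c in root.iter("Connector")
            if c.get("SSLEnabled", "").lower() == "true"]


def audit(server_xml_text, published_password="watch4net"):
    """Return a list of findings for the HTTPS connector(s) in server.xml."""
    connectors = https_connectors(server_xml_text)
    if not connectors:
        return ["no active SSL connector (entry still commented out?)"]
    findings = []
    for c in connectors:
        port, ks = c.get("port"), c.get("keystoreFile")
        if c.get("scheme") != "https" or c.get("secure") != "true":
            findings.append(f"port {port}: scheme/secure not set for HTTPS")
        if not ks:
            findings.append(f"port {port}: keystoreFile missing")
        elif os.path.exists(ks) and stat.S_IMODE(os.stat(ks).st_mode) & 0o077:
            findings.append(f"port {port}: {ks} is accessible to group/other")
        if c.get("keystorePass") == published_password:
            findings.append(f"port {port}: keystorePass is the value printed in this article")
    return findings


if __name__ == "__main__":
    for label, text in (("commented", COMMENTED), ("enabled", ENABLED)):
        print(label, audit(text))
```

To run it against a live installation, pass the contents of /opt/APG/Web-Servers/Tomcat/Default/conf/server.xml to audit() as the account that owns the Tomcat files.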

Testing the Tomcat SSL configuration
To test your Tomcat APG server SSL configuration after the above tasks are completed, browse to the following URL: https://<your_server_IP_address>:58443/APG/ 

If VNX Monitoring and Reporting is in use, browse the following URL: https://<your_server_IP_address>:58443/VNX-MR/