Task 1: Create your own self-signed certificate
To create a self-signed certificate in a new keystore, using "watch4net" as the keystore password (the example value used throughout this article; the keystorePass attribute in server.xml in Task 4 must match it), do the following:
cd /opt/APG/Java/Sun-JRE/<version>/bin/
./keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore /opt/APG/Web-Servers/Tomcat/Default/conf/.keystore
Run keytool as ./keytool from this directory so that the APG JRE is used rather than whichever Java happens to be first on the PATH; the keystore must be readable by the APG JRE that runs Tomcat. -keysize 2048 is given explicitly because older JREs default to a 1024-bit RSA key.
Note: The Java version number and the path to the JRE used in your APG environment may vary. In Watch4Net 6.6u1, use the following for this step:
Enter keystore password: watch4net
Re-enter new password: watch4net
What is your first and last name?
[Unknown]: FQDN_of_APG_server
(IMPORTANT! At this prompt you must enter the fully qualified DNS name of your APG server (for example apg.example.com), exactly as users will type it in the browser, instead of your "first and last name". Enter the bare host name only, without an https:// prefix or a port; the value becomes the certificate's CN, and browsers compare it against the host name in the URL. If it does not match, you will continuously get certificate name mismatch errors. Modern browsers additionally require the host name in the subjectAltName extension, which the interactive prompts do not set; on Java 7 and later you can add -ext SAN=dns:<FQDN_of_APG_server> to the keytool command above.)
The organization values below are examples; substitute your own.
What is the name of your organizational unit?
[Unknown]: Support
What is the name of your organization?
[Unknown]: Watch4net
What is the name of your City or Locality?
[Unknown]: Salt Lake City
What is the name of your State or Province?
[Unknown]: Utah
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=FQDN_of_APG_server, OU=Support, O=Watch4net, L=Salt Lake City, ST=Utah, C=US correct?
[no]: yes
Enter key password for <tomcat>
(RETURN if same as keystore password): <press RETURN>
Keep the key password the same as the keystore password: the server.xml connector in Task 4 only specifies keystorePass, and Tomcat uses that value for the key as well unless a separate keyPass is configured.
Task 2: Import a certificate from a provider into your keystore (Tasks 2 and 3 apply only if you are installing a certificate issued by a certificate authority; if you are using the self-signed certificate created in Task 1, skip to Task 4)
A CA-issued certificate is requested with a certificate signing request generated from the key pair created in Task 1 (keytool -certreq -alias tomcat), so the keystore and alias must already exist. Once the CA has returned the signed certificate, first import its "Chain Certificate" or "Root Certificate" into your keystore, so that the server certificate imported in Task 3 can be validated against it. The command syntax to do this is as follows:
./keytool -import -alias root -keystore <your_keystore_filename> -trustcacerts -file <filename_of_the_chain_certificate>
If the CA supplied intermediate certificates as separate files, import each one under its own alias before continuing.
Task 3: Import your new certificate into Tomcat
The CA-issued certificate is imported under the same alias (tomcat) used in Task 1, which replaces the self-signed certificate on that key pair while keeping the private key. The command syntax is as follows:
Navigate to : /opt/APG/Java/Sun-JRE/<version>/bin/
./keytool -import -alias tomcat -keystore <your_keystore_filename> -file <your_certificate_filename>
keytool reports "Certificate reply was installed in keystore" on success; if it instead offers to add the file as a trusted certificate, the chain from Task 2 is incomplete or the alias does not match the key pair.
Task 4: Enable the certificate in Tomcat
To enable your new certificate in Tomcat, you must uncomment the "SSL HTTP/1.1 Connector" entry in the Tomcat server.xml configuration file and make sure keystoreFile and keystorePass match the keystore path and password used in Task 1. Because server.xml holds the keystore password in cleartext, restrict both server.xml and the .keystore file to the account that runs Tomcat (for example chmod 600). This is done as follows:
vi /opt/APG/Web-Servers/Tomcat/Default/conf/server.xml
<!-- Define a SSL HTTP/1.1 Connector on port 8443
This connector uses the JSSE configuration, when using APR, the
connector should be using the OpenSSL style configuration
described in the APR documentation -->
<Connector port="58443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="/opt/APG/Web-Servers/Tomcat/Default/conf/.keystore"
keystorePass="watch4net" clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8" />
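The connector above works as written, but sslProtocol="TLS" alone lets the JRE negotiate any protocol version it supports, including TLS 1.0 on older JREs. The following is an added example, not taken from the original article or from the APG product, of the same connector with the protocol versions and cipher suites pinned. It uses the Tomcat 6/7 JSSE connector attribute names that match the page's syntax (keyAlias, sslEnabledProtocols and ciphers); the cipher list is an assumption to adapt to your JRE, and on Tomcat 8.5 and later the same settings belong in an SSLHostConfig element instead.

```xml
<!-- Added example: hardened version of the APG SSL connector.
     Port, keystoreFile and keystorePass are the values from this article;
     keyAlias pins the "tomcat" entry from Task 1 so a second key pair in the
     keystore cannot be served by mistake; the protocol and cipher lists are
     assumptions for this example. -->
<Connector port="58443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="/opt/APG/Web-Servers/Tomcat/Default/conf/.keystore"
           keystorePass="watch4net"
           keyAlias="tomcat"
           clientAuth="false"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
           URIEncoding="UTF-8" />
```

Restart Tomcat after editing server.xml; if the JRE does not support one of the listed cipher suites, Tomcat logs a warning at startup and the connector may fail to bind, so check catalina.out after the restart.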
Testing the Tomcat SSL configuration
To test your Tomcat APG server SSL configuration after the above tasks are completed, browse to the following URL, using the same FQDN you entered as the CN in Task 1: https://<FQDN_of_APG_server>:58443/APG/
Browsing by IP address instead of the FQDN will trigger a certificate name mismatch warning, because the certificate was issued to the host name. With the self-signed certificate from Task 1 the browser will still warn that the issuer is not trusted; with a CA-issued certificate from Tasks 2 and 3 there should be no warning at all.
If VNX Monitoring and Reporting is in use, browse the following URL: https://<FQDN_of_APG_server>:58443/VNX-MR/
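The tasks above are interactive; the following is an added example, not part of the original article or of the APG product, that runs the same workflow non-interactively so it can be scripted and repeated: Task 1 with the CN and subjectAltName set from a single host name, the CSR that a CA-issued certificate needs, the Task 2 and Task 3 imports, and a check of what the keystore holds and what the live connector on port 58443 actually presents. The keystore path, port and password are the values from this article; the host name, organization fields, validity period and the assumption that the APG JRE's keytool and openssl are on the PATH are assumptions for this example.

```sh
#!/bin/sh
# Added example: scripted keystore workflow for the APG Tomcat SSL connector.
# Paths and the password come from the article; everything else is assumed.
set -eu

KEYTOOL="${KEYTOOL:-keytool}"   # assumes /opt/APG/Java/Sun-JRE/<version>/bin is on PATH
KEYSTORE="${KEYSTORE:-/opt/APG/Web-Servers/Tomcat/Default/conf/.keystore}"
STOREPASS="${STOREPASS:-watch4net}"   # must equal keystorePass in server.xml
ALIAS="tomcat"
PORT="58443"

# Build the value for keytool -ext so the host name lands in subjectAltName,
# which is what modern browsers match (they ignore the CN for that purpose).
# Usage: san_ext apg.example.com [192.0.2.10]
san_ext() {
    fqdn="$1"; ip="${2:-}"
    ext="SAN=dns:$fqdn"
    if [ -n "$ip" ]; then ext="$ext,ip:$ip"; fi
    printf '%s' "$ext"
}

# Task 1, non-interactive: -dname answers the prompts, CN is the bare FQDN
# (no https://), key password equals the keystore password as Tomcat expects.
gen_keystore() {
    fqdn="$1"
    "$KEYTOOL" -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 825 \
        -dname "CN=$fqdn, OU=Support, O=Watch4net, L=Salt Lake City, ST=Utah, C=US" \
        -ext "$(san_ext "$fqdn")" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS"
    chmod 600 "$KEYSTORE"   # the keystore contains the private key
}

# Needed before Tasks 2 and 3: a CSR for the CA, generated from the same key pair.
make_csr() {
    "$KEYTOOL" -certreq -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$STOREPASS" -file "$1"
}

# Task 2 (chain under alias "root") and Task 3 (CA-issued cert replaces the
# self-signed one under alias "tomcat").
import_ca_cert() {
    chain="$1"; cert="$2"
    "$KEYTOOL" -importcert -alias root -trustcacerts -noprompt -file "$chain" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS"
    "$KEYTOOL" -importcert -alias "$ALIAS" -file "$cert" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Show the subject, validity and SAN stored under the alias, then what the
# running connector really serves (run after Tomcat has been restarted).
verify() {
    fqdn="$1"
    "$KEYTOOL" -list -v -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias "$ALIAS" \
        | grep -E 'Owner:|Valid from|DNSName'
    openssl s_client -connect "$fqdn:$PORT" -servername "$fqdn" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -dates
}

# Usage: sh apg_keystore.sh apg.example.com   (self-signed path, Task 1 + check)
if [ $# -ge 1 ]; then
    gen_keystore "$1"
    verify "$1"
fi
```

For the CA-issued path, call make_csr with an output file after gen_keystore, have the CSR signed, then call import_ca_cert with the chain file and the returned certificate before restarting Tomcat; verify should then show the CA as issuer and no browser warning should remain.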