Summary: How to set up SSL for access to the Secure Proxy Server Administrative User Interface (Proxy UI)
Instructions:
The first step in getting proxy-engine/tomcat to listen on an SSL port is to obtain a certificate and private key pair.
If the host name used to access the Proxy UI is identical to the one used to access the SPS server itself (e.g. http://sps.example.com/ and http://sps.example.com:8080/proxyui), which is usually the case, then the Proxy UI can reuse the certificate and private key generated for the Apache front end (self-signed or otherwise). Otherwise a new certificate and private key are required; see steps 1-3 in the document on this page.
- Convert the certificate & private key into a .p12 object
The first step is to convert the certificate (referred to here as server.crt; server_x509.cer in the command below) and the private key (server.key) into a .p12 object. In the following example ca.cer is the issuing certificate; you may not need that option (if the certificate is self-signed), or you may need a .pem file containing every certificate in the trust chain as that parameter:
..\bin\openssl pkcs12 -export -in server_x509.cer -inkey server.key -out mycert.p12 -name tomcat -CAfile ca.cer -caname root -chain
You will be asked for the password to server.key, if it has one, and for a password for the new mycert.p12 file.
- Create the tomcat Java keystore from the .p12 object.
"c:\Program Files (x86)\Java\jdk1.6.0_31\bin\keytool" -importkeystore -srckeystore mycert.p12 -srcstoretype PKCS12 -destkeystore tomcat.keystore
You will be prompted for the password to access mycert.p12 and for a new password for the created tomcat.keystore.
Note: The tomcat.keystore file needs to be installed in the secure-proxy/SSL/keys directory.
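Steps 1 and 2 end to end, as an added example rather than the article's own commands: a POSIX shell script that generates a self-signed key and certificate to stand in for the Apache front-end pair, exports them to a .p12 under the tomcat alias, reads the alias back to confirm the bundle, and imports it into a Java keystore when keytool is on the PATH. The scratch directory, the file names and the changeit passwords are assumptions for the demo; -CAfile/-chain are dropped because a self-signed certificate has no issuer chain.

```shell
#!/bin/sh
# Added example (not from the CA documentation): build the .p12 from a cert and
# key and, where keytool is available, import it into tomcat.keystore.
# Scratch directory, file names and the "changeit" passwords are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumption)

# Throw-away self-signed key/cert pair so the script runs offline; in a real
# deployment these are the files generated for the Apache front end.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$WORK/server.key" -out "$WORK/server_x509.cer" \
        -days 30 -subj "/CN=sps.example.com" >/dev/null 2>&1
}

# Step 1 of the article: cert + key -> PKCS#12 with the friendly name "tomcat".
# No -CAfile/-chain here because a self-signed cert has no issuer chain.
make_p12() {
    openssl pkcs12 -export \
        -in "$WORK/server_x509.cer" -inkey "$WORK/server.key" \
        -out "$WORK/mycert.p12" -name tomcat \
        -passout pass:changeit
}

# Read back the friendly name of the certificate bag (keys are not printed),
# so a wrong alias is caught before the keystore is built.
p12_alias() {
    openssl pkcs12 -in "$WORK/mycert.p12" -nokeys -passin pass:changeit 2>/dev/null \
        | sed -n 's/^ *friendlyName: *//p' | head -n 1
}

# Step 2 of the article: import the .p12 into a Java keystore. Only runs when a
# JDK is on the PATH; afterwards the alias must be listed as a PrivateKeyEntry.
make_keystore() {
    if ! command -v keytool >/dev/null 2>&1; then
        echo "keytool not found; skipping keystore import" >&2
        return 0
    fi
    keytool -importkeystore -noprompt \
        -srckeystore "$WORK/mycert.p12" -srcstoretype PKCS12 -srcstorepass changeit \
        -destkeystore "$WORK/tomcat.keystore" -deststorepass changeit
    keytool -list -keystore "$WORK/tomcat.keystore" -storepass changeit | grep -q '^tomcat,'
}

make_self_signed
make_p12
make_keystore
echo "alias in p12: $(p12_alias)"   # tomcat
```

Run it with WORK pointing at an empty directory; the resulting tomcat.keystore is what goes into secure-proxy/SSL/keys. The alias check matters because proxy-engine/tomcat looks the key up by alias, and a .p12 exported without -name gets a generated one.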
- Update the server.conf file
Edit the following parameters in server.conf:
#To enable SSL for localapp uncomment next three parameters
local.https.port=543
local.https.keyStoreFileName="tomcat.keystore"
- Storing the tomcat.keystore decrypt password
To open tomcat.keystore, proxy-engine needs its password. We do not want to store that password in the clear, so the following method adds it (encrypted) to the sslconfig.properties file; code in proxy-engine decrypts it and uses it when serving the SSL URL:
Change to the bin directory and run the GenerateSSLConfig.bat command with the -keystorepass option (replace password with the tomcat.keystore password):
cd \CA\proxy-engine\secure-proxy\bin
GenerateSSLConfig.bat -keystorepass password
That generates output as follows:
INFO: Successfully written SSL configuration properties file in: C:\CA\secure-proxy\Tomcat\properties\sslconfig.properties
- Restart the proxy-engine.
Restart the proxy-engine via the system services.
- Check that SSL comes up
netstat -an | find "543"
This should show a process listening on port 543.
Otherwise, look in server.log and the nohup log for clues as to what has occurred.
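A stricter form of the listener check, added here as an example and not part of the article: find "543" matches any line containing those digits (a listener on 1543, or a connection to remote port 5432), so the filter below requires a TCP socket in LISTENING state with exactly that local port, and a second function shows which certificate the listener actually presents. The netstat output is constructed for the demo; the host and port passed to served_cert are assumptions.

```shell
#!/bin/sh
# Added example, not from the CA documentation: a stricter version of the
# "netstat -an | find 543" check. The sample netstat output below is constructed
# for the demo; port 543 is the local.https.port value from server.conf above.
set -eu

# Constructed Windows-style "netstat -an" output. The decoys (a listener on
# 1543 and an established connection to remote port 5432) both contain "543"
# and would satisfy  find "543"  even if nothing were listening on 543.
SAMPLE_NETSTAT='  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1543           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:49812         10.0.0.9:5432          ESTABLISHED
  TCP    0.0.0.0:543            0.0.0.0:0              LISTENING'

# Same decoys, but the SSL listener never came up.
SAMPLE_NETSTAT_DOWN='  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:1543           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:49812         10.0.0.9:5432          ESTABLISHED'

# listener_up PORT: reads netstat text on stdin and succeeds only when a TCP
# socket is in LISTENING state with exactly that local port.
# Windows equivalent of the filter:  netstat -an | findstr /R /C:":543 .*LISTENING"
listener_up() {
    awk -v port="$1" '
        $1 == "TCP" && $2 ~ (":" port "$") && $4 == "LISTENING" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_sample NAME: returns "up" or "down" for one of the constructed samples,
# so the result can be asserted on.
check_sample() {
    case "$1" in
        good) text="$SAMPLE_NETSTAT" ;;
        down) text="$SAMPLE_NETSTAT_DOWN" ;;
        *) echo "unknown sample" >&2; return 2 ;;
    esac
    if printf '%s\n' "$text" | listener_up 543; then echo up; else echo down; fi
}

# Once the port is open, confirm which certificate the listener presents and
# that its subject/SAN matches the host name typed into the browser (the host
# name requirement from the top of the article). Needs network access, so it
# is not run here; HOST and PORT are assumptions, e.g. sps.example.com 543.
served_cert() {   # served_cert HOST PORT
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -ext subjectAltName -dates
}

echo "good sample: $(check_sample good)"   # up
echo "down sample: $(check_sample down)"   # down
```

On the server itself, pipe the real output in: netstat -an | listener_up 543 (or the findstr form on Windows). If the port is open but served_cert shows a subject that does not match the browser host name, the UI will still load but with certificate warnings, which is the mismatch the first paragraph warns about.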
- Access the Proxy UI on the SSL port:
https://www.example.com:543/proxyui/
You should be prompted to log in.