Starting with Spectrum 10.1, you can enable the ModSecurity Web Application Firewall in Spectrum to prevent malicious remote clients from accessing the OneClick Server (Tomcat). Some of you may have configured Tomcat for SSL before this feature existed. In that case, if you want to use ModSecurity for improved security, you will naturally want to run ModSecurity in SSL mode reusing the existing digital certificate on the OneClick Server. This article explains how to migrate the Tomcat digital certificate so that it can be reused by the Apache HTTP Server in which ModSecurity is implemented.
Release: Spectrum 10.1 or greater
Component:
Follow these steps:
1. Upgrade Spectrum to version 10.1 or later, where the ModSecurity feature is available.
2. Use keytool to export the existing digital certificate to PKCS#12 (p12) format by running the following command in the $SPECROOT/Java/bin directory.
./keytool -importkeystore -srcalias <source cert alias> -srckeystore $SPECROOT/custom/keystore/cacerts -srcstorepass <source cert password> -destkeystore <p12 filename> -deststoretype pkcs12
E.g.
./keytool -importkeystore -srcalias tomcatssl -srckeystore /usr/Spectrum/custom/keystore/cacerts -srcstorepass changeit -destkeystore tomcatkey.p12 -deststoretype pkcs12
3. Use openssl to extract the digital certificate into server.crt (SSL Certificate File) and server.key (SSL Certificate Key File) in the PEM format the Apache HTTP Server requires.
openssl pkcs12 -in <p12 cert filename> -clcerts -nokeys -out server.crt
openssl pkcs12 -in <p12 cert filename> -nocerts -out server.key
E.g.
openssl pkcs12 -in tomcatkey.p12 -clcerts -nokeys -out server.crt
openssl pkcs12 -in tomcatkey.p12 -nocerts -out server.key
4. Put both the server.crt and server.key files in the $SPECROOT/apache/conf directory and follow the steps in the "Enable ModSecurity in SSL Mode" section of the documentation, skipping the step that creates the digital certificate.
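The steps above as one script, with the checks an administrator would want before handing the files to Apache: the key is written without a passphrase so httpd can start unattended, its file mode is restricted, and the certificate and key are confirmed to belong together. This is an added example, not part of the Spectrum documentation; it assumes SPECROOT is the Spectrum install root, keytool is under $SPECROOT/Java/bin, openssl is on PATH, and that the PKCS#12 store may use the same password as the source keystore.

```shell
#!/bin/sh
# Added example (not from the Spectrum docs): scripted steps 2-4 plus checks.
# Assumptions: SPECROOT is the install root, keytool is under
# $SPECROOT/Java/bin, openssl is on PATH.
set -eu

SPECROOT="${SPECROOT:-/usr/Spectrum}"
KEYSTORE="$SPECROOT/custom/keystore/cacerts"
APACHE_CONF="$SPECROOT/apache/conf"

# Step 2: export the Tomcat keystore entry as PKCS#12. The destination store
# password reuses the source password (assumption) so keytool does not prompt.
export_p12() {  # usage: export_p12 <alias> <storepass> <out.p12>
  "$SPECROOT/Java/bin/keytool" -importkeystore -srcalias "$1" \
    -srckeystore "$KEYSTORE" -srcstorepass "$2" \
    -destkeystore "$3" -deststoretype pkcs12 -deststorepass "$2"
}

# Step 3: split the PKCS#12 file into server.crt and server.key. The password
# goes through the environment (not argv) so it is not visible in the process
# list; -nodes leaves the key unencrypted so httpd starts without a passphrase
# prompt, which is why the key file is then made readable by its owner only.
extract_pem() {  # usage: extract_pem <in.p12> <p12pass> <outdir>
  P12PASS="$2" openssl pkcs12 -in "$1" -passin env:P12PASS \
    -clcerts -nokeys -out "$3/server.crt"
  P12PASS="$2" openssl pkcs12 -in "$1" -passin env:P12PASS \
    -nocerts -nodes -out "$3/server.key"
  chmod 600 "$3/server.key"
}

# Confirm server.crt and server.key belong together by comparing the public key
# in the certificate with the one derived from the private key (RSA or EC).
# Returns 0 on a match, non-zero otherwise.
verify_pair() {  # usage: verify_pair <server.crt> <server.key>
  crt_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$crt_pub" = "$key_pub" ]
}

# Step 4, when run as: sh migrate_cert.sh <alias> <storepass>
if [ "$#" -eq 2 ]; then
  P12="$APACHE_CONF/tomcatkey.p12"
  export_p12 "$1" "$2" "$P12"
  extract_pem "$P12" "$2" "$APACHE_CONF"
  rm -f "$P12"   # the PKCS#12 bundle also contains the private key
  verify_pair "$APACHE_CONF/server.crt" "$APACHE_CONF/server.key" \
    && echo "server.crt and server.key match; continue with Enable ModSecurity in SSL Mode"
fi
```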