How do you enable Clarity to communicate via HTTPS?
Note that these instructions are for a non-clustered Clarity setup. For a load-balanced architectural implementation, the way to enable SSL is very simple and is provided in the "Additional Information" section.
Run a command such as the following to generate the keystore: keytool -genkey -keystore C:\clarity16\keystore.jks -keyalg RSA -storepass changeit
Run a command such as the following to generate a Certification Request: keytool -certreq -keystore C:\clarity16\keystore.jks -keyalg RSA -file myRequest0.cer
This file should be sent to the Certification Authority to obtain a certificate for your server.
Server certificate
Intermediate certificate
Root certificate
(Check with the Certification Authority for Root and Intermediate certificates)
Run a command such as the following to import the root certificate (replacing the keystore name, path, certificate name, etc.): keytool -import -keystore C:\clarity16\keystore.jks -keyalg RSA -file root.cer -trustcacerts -alias myroot
To import an intermediate certificate: keytool -import -keystore C:\clarity16\keystore.jks -keyalg RSA -file intermediate.cer -trustcacerts -alias myintermediate
To import the server certificate: keytool -import -keystore C:\clarity16\keystore.jks -keyalg RSA -file server.cer -trustcacerts -alias myserver
Navigate to the "Security" tab in the CSA
Provide the fully qualified path of your keystore in the "SSL Keystore" field
Provide and confirm the password for the keystore in the "SSL Password" and "Confirm Password" fields respectively
Now navigate to the "Application" tab
Change "SSL Handling" to "Support both HTTP and HTTPS without switching"
Check the "HTTPS Enabled" field under section "Application Instance: app"
Change "HTTPS Port" to a number allotted to the Clarity Application (this is organization-dependent). For example, the port number could be 8043
Change "HTTPS Entry URL" to the exact server name that was provided during keystore generation in step 3
Restart the Application Service
Once you have verified that HTTPS is working by navigating to the application over HTTPS (use the right port number and URL; for example, the URL could be "https://servername.example.com:8043/"), change "SSL Handling" to "Support only HTTPS". Restart the Application Service again
Note: You may wish to take a look at our documentation too here: CSA: Security, Passwords, LDAP, SSL, SSO, XSS (On-Premise Only)
Note: In some environments and with some certificate authorities, the SAN is mandatory in the CSR as per X509 standards. In that case, use the two commands below to generate the keystore and to generate the CSR with the SAN extension:
* keytool -genkey -alias "hostname" -keystore C:\clarity16\keystore.jks -keyalg RSA -storepass changeit
* keytool -certreq -alias "hostname" -keystore C:\clarity16\keystore.jks -keyalg RSA -file myRequest0.cer -ext "SAN=DNS:hostname"
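A check for the import steps and the SAN note above, added here as an example and not part of the original article. keytool attaches a CA-signed certificate to the key pair only when it is imported under the key pair's own alias; otherwise it is stored as a separate trusted certificate and the server keeps presenting the self-signed one. The Python below parses `keytool -list -v` output to detect this; the function name and both sample listings are constructed for illustration.

```python
import re
# Constructed, abbreviated `keytool -list -v` listings (not from a real server).
REPLY_ATTACHED = """\
Alias name: mykey
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=servername.example.com
Issuer: CN=Example Intermediate CA
  DNSName: servername.example.com
Certificate[2]:
Owner: CN=Example Intermediate CA
Issuer: CN=Example Root CA
"""
REPLY_NOT_ATTACHED = """\
Alias name: mykey
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=servername.example.com
Issuer: CN=servername.example.com

Alias name: myserver
Entry type: trustedCertEntry
Owner: CN=servername.example.com
Issuer: CN=Example Intermediate CA
"""

def audit_keystore(listing):
    """Return {alias: [problems]} for every private-key entry in the listing."""
    findings = {}
    for block in re.split(r"(?m)^Alias name: ", listing)[1:]:
        alias = block.splitlines()[0].strip()
        kind = re.search(r"(?m)^Entry type: (\S+)", block)
        if not kind or kind.group(1) != "PrivateKeyEntry":
            continue  # trustedCertEntry has no private key, so it cannot be served
        leaf = block.split("Certificate[2]:")[0]  # first certificate in the chain
        owner = re.search(r"(?m)^Owner: (.*)$", leaf)
        issuer = re.search(r"(?m)^Issuer: (.*)$", leaf)
        chain = re.search(r"(?m)^Certificate chain length: (\d+)", block)
        problems = []
        if owner and issuer and owner.group(1).strip() == issuer.group(1).strip():
            problems.append("self-signed: CA reply is not attached to this key")
        if chain and int(chain.group(1)) < 2:
            problems.append("chain length below 2: CA certificates missing")
        if not re.search(r"(?m)^\s*DNSName: ", leaf):
            problems.append("no DNS SAN on the server certificate")
        findings[alias] = problems
    return findings
```

Pass the output of `keytool -list -v -keystore C:\clarity16\keystore.jks` to `audit_keystore`; an empty problem list for the key entry means the CA-signed chain is in place.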