This article will provide step by step walkthrough document for SSL (Secure Sockets Layer) setup on the Spectrum OneClick web server and OneClick WebApp.
Release : 20.2
Component : Spectrum OneClick
1. Open a bash shell (bash -login) on the Spectrum OneClick web server machine.
2. Navigate to the $SPECROOT/Java/bin/ directory.
3. Run the following syntax to add the tomcatssl alias in the cacerts (keystore file):
$ ./keytool.exe -genkey -alias tomcatssl -keyalg RSA -keystore c:/win32app/Spectrum/custom/keystore/cacerts
$ ./keytool.exe -genkey -alias tomcatssl -keyalg RSA -keystore ../../custom/keystore/cacerts
4. The default password is "changeit" without quotes.
5. In the "What is your first and last name?" field supply the OneClick FQDN (Fully Qualified Domain Name).
6. Supply the other information similar to the screenshot below:
Export the self signed cert so you can import it into the browser for Step 14.
./keytool -export -alias tomcatssl -keystore ../../custom/keystore/cacerts -rfc -file tomcatssl.crt
7. Shutdown the OneClick web server.
8. Open the $SPECROOT/tomcat/conf/server.xml file in your preferred text editor. (Take a backup before modifying it)
9. Locate the following section in the server.xml file and uncomment it. And replace the <SPECROOT> variable in the value for the keystoreFile attribute with the fully qualified path to the directory where DX Spectrum is installed.
10. Save and close the server.xml file.
11. Start the OneClick web server.
12. Supply the following in the browser:
And click on "Continue to this website (not recommended)."
13. Click on the Certificate error or double click on the exported tomcatssl.crt file from step 6 once it has been moved locally.
14. Click on View certificates.
15. Click on Install Certificate
16. Select Local Machine and click on Next button.
17. Select "Place all certificates in the following store" and click on Browse button.
18. Select "Trusted Root Certification Authorities" and click on the OK button.
19. Click on the Next button.
20. Click on the Finish button.
21. Click on the OK button.
22. Click on the OK button.
23. Close the browser, and launch it again.
Supply the following in the browser:
There is no certificate error.
Click on the OneClick WebApp.
24. A new TAB will open with the following error message:
25. Navigate to the $SPECROOT/tomcat/conf/server.xml file and copy the connectors https ports-related information and paste in the $SPECROOT/webtomcat/conf/server.xml file, so that it does not conflict with the standard OneClick Tomcat SSL port.
Copy from row 11 to 37 of the $SPECROOT/tomcat/conf/server.xml file.
Paste them in row 146 of the $SPECROOT/webtomcat/conf/server.xml file. The copied section should be in between </Engine> and </Service> tags.
Change the port number from 443 to 7443. Avoid using port 9443, as this port number is should be already in use.
26. Save and close the server.xml file.
27. Stop/Start the SpectrumWebTomcat service.
28. Launch the OneClick WebApp again. At this time it should open successfully.
$ ./keytool.exe -v -list -keystore ../../custom/keystore/cacerts -alias tomcatssl
$ ./keytool.exe -delete -alias tomcatssl -keyalg RSA -keystore ../../custom/keystore/cacerts
1. Rename cacerts file under $SPECROOT\custom\keystore to cacerts.orig
2. Copy cacerts file from $SPECROOT\Java\jre\lib\security to $SPECROOT\custom\keystore
3. Rerun keytool command
If the cacerts file has only one entry, follow the below KB article to recover the original cacerts file and then add the tomcatssl alias.
Ensure the OOB cacerts ($SPECROOT/Java/jre/lib/security/cacerts) file is not empty.