Installing an SSL certificate for SysAid Server

SysAider
2
 
I want to be able to have users connect to SysAid with an SSL certificate and was having trouble finding where to store the certificate and then reconfigure Tomcat to use the certificate. I am running SysAid on a Windows Server 2003 machine and would appreciate any help anyone could provide me on how to do this.

Thanks,

Richard
SysAid n00b
SysAid Wiz
2449
 
Hello Richard.

Did you already use our instructions on integrating SysAid with SSL?

If you did, and you are having issues with it, please contact our support about this issue at helpdesk@sysaid.com

Best regards
Pushing IT forward
SysAid Wiz
915
 
Got a quick question.

Is it recommended to have SysAid and SSL on the same server?
SysAid Wiz
2449
 
I'm not sure I understand your question, Obelix.
SSL is integrated into the built-in Tomcat server in SysAid (so it must be on the same server).
In case you are referring to IIS with SSL, you can use it on the same server or another.
Pushing IT forward
SysAid Wiz
915
 
Yes, but the only SSL implementation I know of in SysAid is when you retrieve mail.
What about remote users accessing the SR?
SysAider
2
 
I cannot find the instructions you are referring to on integrating SysAid with SSL. If you could provide me with the link to the document I will definitely give it a try.
SysAid VP Customer Relations
604
 
Hey Richard,

Here are the instructions. As I understand, you already have a certificate that you wish to put into SysAid (and not create a self-signed certificate). If that's indeed the case, you should read the instructions on Apache Tomcat's site (link below).

To configure SSL encryption (https) for SysAid, you must first create a keystore file (which acts as the certificate). If you wish to use a purchased certificate or just one from your own CA, please consult the guide on Apache's website at https://jakarta.apache.org/tomcat/tomcat-4.1-doc/ssl-howto.html

To create a keystore file, please use the following command:
%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA
This will create a ".keystore" file in your C:\Documents and Settings\CURRENT-USER\ folder. Please copy this file to your ...\SysAidServer\ folder.

When creating this file, you should use the password "changeit" for both passwords.

The next step would be to edit the ...\SysAidServer\tomcat\conf\server.xml file. Please add the text below right after the existing <Connector> tag:
<!-- Define an SSL HTTP/1.1 Connector on port 8443 -->
<Connector className="org.apache.catalina.connector.http.HttpConnector" port="8443" minProcessors="5" maxProcessors="75" enableLookups="true" redirectPort="443" acceptCount="10" debug="0" scheme="https" secure="true">
<Factory className="org.apache.catalina.net.SSLServerSocketFactory" clientAuth="false" protocol="TLS" keystoreFile="C:\Program Files\SysAidServer\.keystore"/>
</Connector>

port="8443" represents the port SysAid will be listening on for secure connections. In this case you will have to use the following URL: https://SERVER-NAME:8443/

After these changes were made, please restart the SysAid Server service and check if SysAid is accessible over a secure connection.



Enjoy!

This message was edited 1 time. Last update was at Jul. 09, 2008 04:45 AM
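The two edits in the post above (copy the keystore, paste an SSL connector into server.xml) are the point where a restart most often fails, usually because the XML no longer parses, the keystore is not where keystoreFile says it is, or the HTTP connector's redirectPort does not point at the port the SSL connector actually listens on (the snippet above uses port 8443 but keeps redirectPort 443). The following pre-flight check is an added example, not SysAid's or Apache Tomcat's code; it parses a Tomcat 4 style server.xml and reports those problems before the service is restarted. The sample documents are constructed for this example, the keystorePass attribute is Tomcat 4's documented Factory attribute, and the "changeit" default is Tomcat's own.

```python
"""Pre-flight check for a Tomcat 4 style server.xml after adding an SSL connector.

Added example, not SysAid's or Apache Tomcat's code.  It reports: malformed XML,
a missing <Factory> or keystoreFile, a keystore path that does not exist, an
HTTP connector whose redirectPort does not match the SSL port, and a keystore
still protected by Tomcat's default password.  Sample documents are constructed.
"""
import os
import xml.etree.ElementTree as ET

DEFAULT_KEYSTORE_PASSWORD = "changeit"   # Tomcat's documented default for keystorePass


def check_server_xml(xml_text, path_exists=os.path.exists):
    """Return a list of findings, each prefixed "ERROR:" or "WARN:".

    path_exists is injectable so the check can run against a config whose
    keystore lives on another machine (here: a Windows path checked from anywhere).
    """
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Tomcat that cannot parse server.xml never gets as far as binding a port.
        return [f"ERROR: server.xml is not well-formed XML: {exc}"]

    connectors = list(root.iter("Connector"))
    https = [c for c in connectors if c.get("scheme") == "https" or c.get("secure") == "true"]
    plain = [c for c in connectors if c not in https]

    if not https:
        return ['ERROR: no connector with scheme="https" found']

    for conn in https:
        port = conn.get("port", "?")
        factory = conn.find("Factory")
        if factory is None:
            findings.append(f"ERROR: SSL connector on port {port} has no <Factory> element")
            continue
        keystore = factory.get("keystoreFile")
        if not keystore:
            findings.append(f"ERROR: SSL connector on port {port}: Factory has no keystoreFile")
        elif not path_exists(keystore):
            findings.append(f"ERROR: keystoreFile {keystore!r} does not exist on this host")
        if factory.get("keystorePass", DEFAULT_KEYSTORE_PASSWORD) == DEFAULT_KEYSTORE_PASSWORD:
            findings.append(f"WARN: keystore for port {port} uses Tomcat's default password")

    # The plain HTTP connector sends "requires SSL" redirects to redirectPort,
    # so it must name a port an SSL connector really listens on.
    ssl_ports = sorted(c.get("port", "?") for c in https)
    for conn in plain:
        redirect = conn.get("redirectPort")
        if redirect and redirect not in ssl_ports:
            findings.append(
                f"ERROR: HTTP connector on port {conn.get('port')} has redirectPort={redirect}, "
                f"but the SSL connector listens on {', '.join(ssl_ports)}")
    return findings


def errors_only(findings):
    """Drop WARN entries; an empty result means the file is safe to restart with."""
    return [f for f in findings if f.startswith("ERROR:")]


# Constructed sample 1: the snippet from the post, pasted under the existing
# HTTP connector.  Its redirectPort (443) and SSL port (8443) disagree.
SAMPLE_MISMATCH = r"""<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="80"
               redirectPort="443" acceptCount="100"/>
    <!-- Define an SSL HTTP/1.1 Connector on port 8443 -->
    <Connector className="org.apache.catalina.connector.http.HttpConnector" port="8443"
               redirectPort="443" scheme="https" secure="true">
      <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
               clientAuth="false" protocol="TLS"
               keystoreFile="C:\Program Files\SysAidServer\.keystore"/>
    </Connector>
  </Service>
</Server>
"""

# Constructed sample 2: ports reconciled and a non-default keystore password
# (placeholder value, not a real secret).
SAMPLE_OK = SAMPLE_MISMATCH.replace('redirectPort="443"', 'redirectPort="8443"').replace(
    'protocol="TLS"', 'protocol="TLS" keystorePass="EXAMPLE-NOT-A-REAL-PASSWORD"')

# Constructed sample 3: a closing tag lost while editing, the usual reason the
# service "will no longer restart".
SAMPLE_BROKEN = SAMPLE_MISMATCH.replace("</Connector>", "")


if __name__ == "__main__":
    for name, doc in [("mismatch", SAMPLE_MISMATCH), ("ok", SAMPLE_OK), ("broken", SAMPLE_BROKEN)]:
        # path_exists is stubbed because the sample keystore path is a Windows path.
        print(name, check_server_xml(doc, path_exists=lambda p: True) or ["no findings"])
```

Run it against the real ...\SysAidServer\tomcat\conf\server.xml with the default path_exists on the SysAid host itself; the stubbed path_exists in the sample run is only there so the constructed Windows path does not produce a false error elsewhere.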

Super SysAider
68
 
Richard wrote: I want to be able to have users connect to SysAid with an SSL certificate and was having trouble finding where to store the certificate and then reconfigure Tomcat to use the certificate. I am running SysAid on a Windows Server 2003 machine and would appreciate any help anyone could provide me on how to do this.

Thanks,

Richard
SysAid n00b


Hello Richard,

I have been through this process myself and although tricky to set up, it can be done.

Joseph has included the instructions on the process to follow but if you're using a third party certificate, you will need to get help (I can help as much as I can as I know the difficulty that can occur).

Obelix wrote: Yes, but the only SSL implementation I know of in SysAid is when you retrieve mail.
What about remote users accessing the SR?


Hello Obelix,

Just to let you know, you can have the end users access SysAid using SSL Web Redirect, as we now have a fully functional web redirect to SSL when our end users log into our portal with a third party certificate.

Any further questions then please let me know.

"REEEEBOOOOOOOOOOOOOT!"
SysAid Wiz
915
 
Yes with Joseph's post I now realize why it didn't work the first time I tried.
I forgot SysAid is a server by itself.
Been tweaking the wrong thing.
Super SysAider
68
 
Obelix wrote: Yes with Joseph's post I now realize why it didn't work the first time I tried.
I forgot SysAid is a server by itself.
Been tweaking the wrong thing.


Well if you get stuck and need help with it, give me a shout.
"REEEEBOOOOOOOOOOOOOT!"
SysAider
1
 
I've tried to follow the instructions but when I change the values my server service will no longer restart. My server.xml file also looks different than what's stated on this post. See below:
<Server port="8005" shutdown="SHUTDOWN" debug="0">
<Listener className="org.apache.catalina.mbeans.ServerLifecycleListener"
debug="0"/>
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"
debug="0"/>

<!-- Global JNDI resources -->
<GlobalNamingResources>

<!-- Test entry for demonstration purposes -->
<Environment name="simpleValue" type="java.lang.Integer" value="30"/>

<!-- Editable user database that can also be used by
UserDatabaseRealm to authenticate users -->
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved">
</Resource>
<ResourceParams name="UserDatabase">
<parameter>
<name>factory</name>
<value>org.apache.catalina.users.MemoryUserDatabaseFactory</value>
</parameter>
<parameter>
<name>pathname</name>
<value>conf/tomcat-users.xml</value>
</parameter>
</ResourceParams>

</GlobalNamingResources>

<!-- Define the Tomcat Stand-Alone Service -->
<Service name="Tomcat-Standalone">

<!-- Define a non-SSL Coyote HTTP/1.1 Connector on port ? -->
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="80"
minProcessors="5" maxProcessors="75"
enableLookups="true" redirectPort="443"
acceptCount="100" debug="0" connectionTimeout="20000"
useURIValidationHack="false" disableUploadTimeout="true" />


<!-- Define the top level container in our container hierarchy -->
<Engine name="Standalone" defaultHost="localhost" debug="0">

<!-- Global logger unless overridden at lower levels -->
<Logger className="org.apache.catalina.logger.FileLogger"
prefix="catalina_log." suffix=".txt"
timestamp="true"/>

<!-- Because this Realm is here, an instance will be shared globally -->

<!-- This Realm uses the UserDatabase configured in the global JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
available for use by the Realm. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
debug="0" resourceName="UserDatabase"/>

<!-- Define the default virtual host -->
<Host name="localhost" debug="0" appBase="webapps"
unpackWARs="true" autoDeploy="true">


<!-- Logger shared by all Contexts related to this virtual host. By
default (when using FileLogger), log files are created in the "logs"
directory relative to $CATALINA_HOME. If you wish, you can specify
a different directory with the "directory" attribute. Specify either a
relative (to $CATALINA_HOME) or absolute path to the desired
directory.-->
<Logger className="org.apache.catalina.logger.FileLogger"
directory="logs" prefix="localhost_log." suffix=".txt"
timestamp="true"/>

<!-- Tomcat Root Context -->

<Context path="" docBase="../../root" debug="0"/>




</Host>

</Engine>

</Service>

</Server>
SysAid Customer Relations
93
 
Dear Richard

In order to further investigate this issue, please open a service request and send it to:
helpdesk@sysaid.com
You mentioned that after changing the server.xml file, the SysAid server service stops responding, so please attach to that service request your logs directory, zipped, which is located at:
...\SysAidServer\root\WEB-INF\logs
As well, please provide us your wrapper.log, which is located at:
...\SysAidServer\logs\wrapper.log
...\SysAidServer\tomcat\conf\server.xml

Looking forward to your response.
Super SysAider
68
 
Hello Macro,

It would seem to me that there is some code missing from the script you've provided.

I would double check with what we have here and let you know.

Can you please explain exactly what you're trying to do... just install a third party SSL cert?

Can you please let me know what values you had changed before this stopped working?
"REEEEBOOOOOOOOOOOOOT!"
SysAider
38
 
I tried following these instructions. Everything worked perfectly for my SysAid 6 test server, but when I tried to implement the same procedure on my 5.6.10 SysAid production server it ignores https and won't find the server, yet it still finds my non-secure HTTP connection. I added the following section after the <Connector> tag as stated in the instructions. My server is a Windows 2003 server.

Here is my Server.xml:

<Server port="8005" shutdown="SHUTDOWN" debug="0">
<Listener className="org.apache.catalina.mbeans.ServerLifecycleListener"
debug="0"/>
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"
debug="0"/>

<!-- Global JNDI resources -->
<GlobalNamingResources>

<!-- Test entry for demonstration purposes -->
<Environment name="simpleValue" type="java.lang.Integer" value="30"/>

<!-- Editable user database that can also be used by
UserDatabaseRealm to authenticate users -->
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved">
</Resource>
<ResourceParams name="UserDatabase">
<parameter>
<name>factory</name>
<value>org.apache.catalina.users.MemoryUserDatabaseFactory</value>
</parameter>
<parameter>
<name>pathname</name>
<value>conf/tomcat-users.xml</value>
</parameter>
</ResourceParams>

</GlobalNamingResources>

<!-- Define the Tomcat Stand-Alone Service -->
<Service name="Tomcat-Standalone">

<!-- Define a non-SSL Coyote HTTP/1.1 Connector on port ? -->
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="80"
minProcessors="5" maxProcessors="75"
enableLookups="true" redirectPort="443"
acceptCount="100" debug="0" connectionTimeout="20000"
useURIValidationHack="false" disableUploadTimeout="true" />

<Connector className="org.apache.catalina.connector.http.HttpConnector" port="443"
minProcessors="5" maxProcessors="75"
enableLookups="true" redirectPort="443"
acceptCount="10" debug="0" scheme="https" secure="true">
<Factory className="org.apache.catalina.net.SSLServerSocketFactory" clientAuth="false" protocol="TLS" keystoreFile="C:\Program Files\SysAidServer\.keystore"/>
</Connector>


<!-- Define the top level container in our container hierarchy -->
<Engine name="Standalone" defaultHost="localhost" debug="0">

<!-- Global logger unless overridden at lower levels -->
<Logger className="org.apache.catalina.logger.FileLogger"
prefix="catalina_log." suffix=".txt"
timestamp="true"/>

<!-- Because this Realm is here, an instance will be shared globally -->

<!-- This Realm uses the UserDatabase configured in the global JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
available for use by the Realm. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
debug="0" resourceName="UserDatabase"/>

<!-- Define the default virtual host -->
<Host name="localhost" debug="0" appBase="webapps"
unpackWARs="true" autoDeploy="true">


<!-- Logger shared by all Contexts related to this virtual host. By
default (when using FileLogger), log files are created in the "logs"
directory relative to $CATALINA_HOME. If you wish, you can specify
a different directory with the "directory" attribute. Specify either a
relative (to $CATALINA_HOME) or absolute path to the desired
directory.-->
<Logger className="org.apache.catalina.logger.FileLogger"
directory="logs" prefix="localhost_log." suffix=".txt"
timestamp="true"/>

<!-- Tomcat Root Context -->

<Context path="" docBase="../../root" debug="0"/>




</Host>

</Engine>

</Service>

</Server>
SysAid Wiz
2449
 
OCIO,
The server.xml looks OK at first sight.

Please try to restart the SysAid server service, then wait a minute or two, look in ...\SysAidServer\logs\wrapper.log and copy everything below the last place the "Starting service Tomcat-Standalone" line appears.

This log should show us whether the SSL service started or not.

Haim
Pushing IT forward
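The slice of wrapper.log that Haim asks for above (everything after the last "Starting service Tomcat-Standalone" line) is easy to pull out by hand, but the lines that actually answer the question are the few mentioning the SSL connector or an exception. The helper below is an added example, not SysAid's code: it returns that last start-up section and separates the SSL-related and exception lines from the rest. The log lines are constructed for this example; a real wrapper.log carries the service wrapper's own line prefix, and the keyword lists are assumptions about what a failed SSL start looks like, not a documented format.

```python
"""Extract and triage the last start-up section of a wrapper.log.

Added example, not SysAid's code.  The sample log below is constructed; the
keywords used for triage are an assumption, not a documented log format.
"""
MARKER = "Starting service Tomcat-Standalone"

# Assumed keywords: a line about the secure connector, and a line about a failure.
SSL_KEYWORDS = ("ssl", "https", "8443", "keystore")
FAILURE_KEYWORDS = ("exception", "severe", "error")


def last_startup_section(log_text, marker=MARKER):
    """Return the lines from the last marker line to the end, or None if absent."""
    lines = log_text.splitlines()
    start = None
    for index, line in enumerate(lines):
        if marker in line:
            start = index          # keep overwriting so we end up with the last one
    if start is None:
        return None
    return lines[start:]


def triage(section):
    """Split a start-up section into (ssl_lines, failure_lines).

    A line can appear in both lists, e.g. an exception thrown while loading the keystore.
    """
    ssl_lines = [l for l in section if any(k in l.lower() for k in SSL_KEYWORDS)]
    failure_lines = [l for l in section if any(k in l.lower() for k in FAILURE_KEYWORDS)]
    return ssl_lines, failure_lines


def ssl_started(section):
    """Heuristic verdict: SSL lines were seen and none of them reports a failure."""
    ssl_lines, failure_lines = triage(section)
    return bool(ssl_lines) and not any(l in failure_lines for l in ssl_lines)


# Constructed sample: two restarts; the first one is stale and must be ignored.
SAMPLE_LOG = """\
Starting service Tomcat-Standalone
HttpConnector[80] Starting background thread
Stopping service Tomcat-Standalone
Starting service Tomcat-Standalone
HttpConnector[80] Starting background thread
HttpConnector[8443] Opening SSL server socket
java.io.FileNotFoundException: C:\\Program Files\\SysAidServer\\.keystore (keystore not found)
"""


if __name__ == "__main__":
    section = last_startup_section(SAMPLE_LOG)
    print("\n".join(section))
    ssl_lines, failure_lines = triage(section)
    print("SSL lines:", ssl_lines)
    print("failures:", failure_lines)
    print("SSL started:", ssl_started(section))
```

Paste the section returned by last_startup_section into the support request rather than the whole file; the stale start-ups above it are exactly what the request above asks you to leave out.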