Enabling SSL Access to SysAid

 
SysAid Technical Writer
572
 

SSL Configuration for SysAid In-House Edition

 

If you store sensitive information in SysAid, you may want to access SysAid using an SSL connection. Also, if you intend to use SysAid MDM, you must enable SSL access to SysAid.

 

It should be noted that certain configurations of SSL acceleration are not supported by SysAid.

 

There are two options for enabling SSL access to SysAid:

 

If you are using a keystore certificate, you may self-sign your certificate or have an official certification authority sign your certificate. A certificate signed by an official certification authority is required for SysAid MDM.

 

Option 1: SSL Using a Keystore Certificate

 

You can use a keystore file as the certificate for enabling SSL access to SysAid. This process involves creating the keystore with all details of the certificate, generating a Certificate Signing Request (CSR), acquiring a signed certificate from a certification authority of your choice, importing the signed certificate back into the keystore file, and applying the certificate keystore to SysAid.

 

Important: If you are enabling SSL for use by SysAid MDM, you must complete all steps in this process.

 

To enable SSL for SysAid using a keystore certificate:

  1. On the SysAid Server, open a command prompt (Start > Run > cmd).
  2. Go to the ...\SysAidServer\jre\bin directory.
  3. Run the following command:
    keytool -genkey -alias tomcat -keyalg RSA -keystore name.keystore -validity 365
    You may replace name with the name of your choice. The -validity 365 command allows you to change the cert length from the default 90 days to 1 year. This option is only relevant for users with a self-signed certificate.
  4. After the keytool generator has opened:
    1. Enter your desired keystore password and press Enter.
    2. Reenter the keystore password.
    3. For the entry "first name and last name", enter the hostname to be used for accessing the SysAid Server. For example, if you intend to access SysAid via https://helpdesk.yourcompany.com, then you need to enter helpdesk.yourcompany.com as your name.
    4. Line by line, input the remaining information and press Enter, until you get to the confirmation line.
    5. If the information you entered is correct, type "yes" and press Enter. If you made a mistake, type "no" and press Enter to go back.
    6. When you are prompted to input a key password for Tomcat, do not type anything and simply press Enter.
    There is now a name.keystore file in the directory ...\SysAidServer\jre\bin.

    Creating a .keystore file

    If you would like an official certification authority to sign your keystore certificate, you must complete steps 5 - 12. If you are satisfied with a self-signed certificate, skip to step 13.

    Important: If you intend on using SysAid MDM, you must use a certificate signed by an official certification authority (e.g. VeriSign, GoDaddy, Comodo, etc.).

  5. Make a backup copy of the keystore file in case you need to restart the process of importing the certificate for any reason.
  6. In the command prompt you opened earlier, run the following command:
    keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore name.keystore -keysize 2048
  7. Enter the password for your keystore and press Enter. There is now a certreq.csr file in the directory ...\SysAidServer\jre\bin.

    Important! You must save the keystore file that you use to create the certreq.csr. If you buy a certificate and you don't have the keystore file that you used to generate the CSR, you won't be able to use the certificate!

  8. Go to the website for the certificate issuer of your choice and follow their instructions for generating your certificate using the certreq.csr file. Save the certificate to ...\SysAidServer\jre\bin.
  9. Download an intermediate certificate and root certificate (if applicable) from the website of the organization that issued your certificate and save them to the directory ...\SysAidServer\jre\bin.
  10. Return to the command prompt and import the root certificate into your keystore using the following command:
    keytool -import -alias root -keystore name.keystore -trustcacerts -file root_certificate_filename
    If you were not given a root certificate, skip this step.
  11. Import the intermediate certificate into your keystore using the following command:
    keytool -import -alias intermediate -keystore name.keystore -trustcacerts -file intermediate_certificate_filename
  12. Import your certificate into the keystore using the following command:
    keytool -import -alias tomcat -keystore name.keystore -file certificate_filename

    More information about using a certificate signed by an official certification authority can be found on the Apache website at http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html

  13. Copy the name.keystore file to the ...\SysAidServer\ directory.
  14. Open the server.xml file located at ...\SysAidServer\tomcat\conf.
  15. If you are using a Tomcat version up through 7.0.73, find the following lines:

    <!--
    <Connector executor="tomcatThreadPool" port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS" />
    -->

    Note: If you cannot find this connector, you may be running a different version of Tomcat. Try searching for a connector with the "SSLEnabled" parameter or contact SysAid Support.

    Also, if you are running Tomcat version 7 till 9, the displayed protocol is "org.apache.coyote.http11.Http11Protocol". If you are running version 9 or higher, the protocol is "org.apache.coyote.http11.Http11NioProtocol".

    1. Delete the comment markers at the beginning of the code (<!--) and at the end of the code (-->).
    2. Immediately after sslProtocol="TLS" and before />, insert:
      keystoreFile="C:\Program Files\SysAidServer\name.keystore" keystorePass="password"

    Your server.xml should now look like this:

    <Connector executor="tomcatThreadPool" port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Program Files\SysAidServer\name.keystore" keystorePass="password" />

  16. If you are using Tomcat version 8.5.32 or higher, find the following lines:

    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
    <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
    type="RSA" />
    </SSLHostConfig>
    </Connector>
    -->

    Note: If you cannot find this connector, you may be running a different version of Tomcat. Try searching for a connector with the "SSLEnabled" parameter or contact SysAid Support.

    1. Delete the comment markers at the beginning of the code (<!--) and at the end of the code (-->).
    2. After the SSLEnabled parameter, enter the following text: scheme="https" secure="true">.
    3. In the certificateKeystoreFile attribute, replace the attribute value with the path of your keystore file.
      certificateKeystoreFile="C:\Program Files\SysAidServer\name.keystore"
    4. After the keystore file path, enter the certificateKeystorePassword parameter with your password.
      certificateKeystorePassword="password"

    Your server.xml should now look like this:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="150" SSLEnabled="true"
    scheme="https" secure="true">
    <SSLHostConfig>
    <Certificate certificateKeystoreFile="C:\Program Files\SysAidServer\name.keystore"
    certificateKeystorePassword="password"
    type="RSA" />
    </SSLHostConfig>
    </Connector>

    Note: You may change the port from 8443 if you so choose.

  17. Save server.xml.
  18. Restart the SysAid Server service.

 

You have now completed SSL configuration for SysAid. You may now access SysAid using SSL from https://your-server-URL:8443/, as well as from the normal connection you have been using until now.

 

 

 

Option 2: SSL Using a PKCS #12 Certificate

 

If you already have a PKCS #12 format certificate (.pfx file extension) containing the private key, you can use that in your tomcat configuration instead of using a keystore certificate.

 

To enable SSL for SysAid using a PKCS #12 certificate:

  1. Copy the name.pfx file to the ...\SysAidServer\ directory.
  2. Open the server.xml file located at ...\SysAidServer\tomcat\conf.
  3. If you are using a Tomcat version up through 7.0.73, find the following lines:

    <!--
    <Connector executor="tomcatThreadPool" port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS" />
    -->

    Note: If you are running Tomcat version 7.0.57 or higher the displayed protocol is "org.apache.coyote.http11.Http11Protocol".

    1. Delete the comment markers at the beginning of the code (<!--) and at the end of the code (-->).
    2. After the SSLEnabled parameter, enter the following text: scheme="https" secure="true">.
    3. Immediately after sslProtocol="TLS" and before />, insert:
      keystoreFile="C:\Program Files\SysAidServer\name.pfx" keystoreType="PKCS12" keystorePass="password"

    Your server.xml should now look like this:

    <Connector executor="tomcatThreadPool" port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Program Files\SysAidServer\name.pfx" keystoreType="PKCS12"
    keystorePass="password" />

  4. If you are using Tomcat version 8.5.32 or higher, find the following lines:

    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
    <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
    type="RSA" />
    </SSLHostConfig>
    </Connector>
    -->

    1. Delete the comment markers at the beginning of the code (<!--) and at the end of the code (-->).
    2. After the SSLEnabled parameter, enter the following text: scheme="https" secure="true">.
    3. Immediately after sslProtocol="TLS" and before />, insert:
      keystoreFile="C:\Program Files\SysAidServer\name.pfx"
    4. After the keystore file path, enter the certificateKeystorePassword parameter with your password.
      certificateKeystorePassword="password"

    Your server.xml should now look like this:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="150" SSLEnabled="true"
    scheme="https" secure="true">
    <SSLHostConfig>
    <Certificate certificateKeystoreFile="C:\Program Files\SysAidServer\name.pfx"
    certificateKeystorePassword="password"
    type="RSA" />
    </SSLHostConfig>
    </Connector>

    Note: You may change the port from 8443 if you so choose.

  5. Save server.xml.
  6. Restart the SysAid Server service.

 

You have now completed SSL configuration for SysAid. You may now access SysAid using SSL from https://your-server-URL:8443/, as well as from the normal connection you have been using until now.

 

This message was edited 1 time. Last update was at Oct. 25, 2012 09:23 AM
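
Added example, not part of the original post and not SysAid's or Tomcat's own tooling: a Python check to run over server.xml after either option and before restarting the service. It reports a file that is no longer well-formed (a stray > or doubled quote inside the Connector tag), a connector still inside comment markers, a .pfx keystore with no PKCS12 type, and a placeholder password. The function name, the sample XML and the placeholder list are assumptions of this example; certificateKeystoreType is Tomcat's attribute for the 8.5+ layout and does not appear in the post.

```python
import xml.etree.ElementTree as ET

WEAK_PASSWORDS = {"", "password", "changeit"}  # the post's placeholder, Tomcat's default

def audit_ssl_connectors(server_xml):
    """Return a list of findings for the SSL connectors in a Tomcat server.xml."""
    try:
        root = ET.fromstring(server_xml)
    except ET.ParseError as exc:
        # A stray '>' or doubled quote leaves attributes outside the tag.
        return [f"not well-formed: {exc}"]
    ssl = [c for c in root.iter("Connector")
           if c.get("SSLEnabled", "").lower() == "true"]
    if not ssl:
        # The parser drops comments, so a connector still inside <!-- --> is not seen.
        return ["no enabled SSL connector (still commented out?)"]
    findings = []
    for conn in ssl:
        port = conn.get("port", "?")
        if conn.get("scheme") != "https" or conn.get("secure") != "true":
            findings.append(f"{port}: scheme/secure not set for HTTPS")
        cert = conn.find("SSLHostConfig/Certificate")
        if cert is not None:  # Tomcat 8.5+ layout
            keys, src = ("certificateKeystoreFile", "certificateKeystorePassword",
                         "certificateKeystoreType"), cert
        else:                 # Tomcat 7 layout
            keys, src = ("keystoreFile", "keystorePass", "keystoreType"), conn
        store, pw, kind = (src.get(k) for k in keys)
        if not store:
            findings.append(f"{port}: no keystore file configured")
            continue
        if store.lower().endswith((".pfx", ".p12")) and (kind or "").upper() != "PKCS12":
            findings.append(f"{port}: PKCS #12 file without keystore type PKCS12")
        if (pw or "") in WEAK_PASSWORDS:
            findings.append(f"{port}: keystore password missing or a placeholder")
    return findings

# Constructed sample: the 8.5+ connector with a .pfx file and the placeholder password.
SAMPLE = r"""<Server><Service name="Catalina">
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
  <SSLHostConfig>
    <Certificate certificateKeystoreFile="C:\Program Files\SysAidServer\name.pfx"
                 certificateKeystorePassword="password" type="RSA" />
  </SSLHostConfig>
</Connector></Service></Server>"""

if __name__ == "__main__":
    print("\n".join(audit_ssl_connectors(SAMPLE)))
```
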

@@@
SysAider
1
 
How does one force the use of https instead of http?