Introduction:

This document provides step-by-step instructions for setting up a LaunchWorks server to use SSL encryption for communications between Apache Tomcat and the various application components, such as Report Launch and Dashboard Launch. In this case the certificate authority is GoDaddy.com, which has the most reasonable prices for the SSL certificates needed to secure the site.

References:

http://support.godaddy.com/help/article/5276/generating-a-certificate-signing-request-csr-tomcat-4x5x6x

http://blog.davidg.com.au/2012/12/setting-up-ssl-for-tomcat-and-sia-in-6.html

http://support.godaddy.com/help/article/5239/generating-a-csr-and-installing-an-ssl-certificate-in-tomcat-4x5x6x

Getting Started:

  • Log into the LaunchWorks server with an account that has administrator rights.

  • This process requires the Java 2 SDK 1.2 or above to be installed on the target server.

  • Open a CMD window and navigate to the root of the drive where Tomcat X.X is installed. This is frequently the C:\ drive on a virtual server, but check for the Tomcat folders to make certain where the Tomcat software is located, e.g. Apache Software Foundation\Tomcat 7.0\conf


 

  • Navigate to the root of the installation drive for the LaunchWorks software (C: or D: )

 

Generate the Key Pair

  • Identify the location of the keytool.exe

    • For RapidStack/Business Objects only installs, the default location is often (D:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin)

  • Enter the following command (assumes D: is installation drive)

 

command variables:

 -keysize 2048

 -genkey

 -alias tomcat

 -keyalg RSA

 -keystore tomcat.keystore

 -keypass (set chosen password)

 -storepass (set chosen password)

 

  • Once the command is entered you will be prompted for Distinguished Name (DN) information that will be part of the key pair file.

    • First and last name - This is the Common Name. The common name is the fully-qualified domain name (FQDN), host name, or URL to which you plan to apply your certificate. Do not enter your personal name in this field.

NOTE:  Choose a name consistent with the environment. ex. BI4eCOLLEGE.EDU or *.launchworks.com, or if you are setting this up for another customer, confirm the required URL

    • Organizational unit - Use this field to differentiate between divisions within an organization. For example, "Engineering" or "Human Resources." If applicable, you may enter the DBA (doing business as) name in this field.

      • EX: LaunchWorks

    • Organization - The name under which your business is legally registered. The listed organization must be the legal registrant of the domain name in the certificate request. If you are enrolling as an individual, please enter the certificate requestor's name in the Organization field, and the DBA (doing business as) name in the Organizational Unit field.

      • EX: LaunchWorks, inc.

    • City/Locality - Name of the city in which your organization is registered/located. Please spell out the name of the city. Do not abbreviate.

      • EX: San Antonio

    • State/Province - Name of state or province where your organization is located. Please enter the full name. Do not abbreviate.

      • EX: Texas

    • Country code - The two-letter International Organization for Standardization (ISO) format country code for the country in which your organization is legally registered. (US for United States)

      • EX: US

    • Type Yes

 

 

  • NOTE: You may not be notified that the tomcat.keystore file was actually created. Complete the steps below to confirm creation.

  • Create a directory to contain the files used for the SSL processing:

    • MKDIR D:\SSL

  • Copy the file created to this directory

    • COPY tomcat.keystore D:\SSL

 

Generate the CSR

  • Enter the following command (assumes D: is installation drive)

 

  • Copy the file created to this directory

    • COPY tomcat.csr D:\SSL

  • Open the file in Notepad; it should look like this:

  • You will use this information to activate your certificate with your certificate provider.



    • When you copy this information select all of the file i.e. control-A
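The key-pair and CSR commands themselves are not reproduced on this page, so the following is an added example (not the author's original commands) that assembles them from the command variables listed above and adds the checks the steps call for. It is written in PowerShell rather than the CMD window used above; the keytool.exe location and the D:\SSL paths are assumptions taken from the defaults the page mentions.

```powershell
# Added example. Paths are assumptions based on the defaults named on this page.
$keytool = 'D:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin\keytool.exe'
$sslDir  = 'D:\SSL'
$store   = Join-Path $sslDir 'tomcat.keystore'   # created directly in D:\SSL, so no COPY step
$csr     = Join-Path $sslDir 'tomcat.csr'

if (-not (Test-Path $keytool)) { throw "keytool.exe not found at $keytool" }
New-Item -ItemType Directory -Path $sslDir -Force | Out-Null

# 1. Key pair. -keypass/-storepass are left off so keytool prompts for them and
#    the password does not end up in command history. At the key password prompt
#    press RETURN so the key and keystore passwords match. keytool then asks for
#    the Distinguished Name fields described above.
& $keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore $store
if ($LASTEXITCODE -ne 0) { throw 'Key pair generation failed' }

# 2. CSR for the same alias, signed with the private key created in step 1.
& $keytool -certreq -alias tomcat -file $csr -keystore $store
if ($LASTEXITCODE -ne 0) { throw 'CSR generation failed' }

# 3. Confirm both files exist (keytool may not announce the keystore).
foreach ($f in $store, $csr) {
    if (-not (Test-Path $f)) { throw "Expected file missing: $f" }
}

# 4. The CSR must be a complete PEM block, header and footer included;
#    that whole block is what gets pasted into the certificate provider's form.
$text = [IO.File]::ReadAllText($csr).Trim()
if ($text -notmatch '^-----BEGIN NEW CERTIFICATE REQUEST-----' -or
    $text -notmatch '-----END NEW CERTIFICATE REQUEST-----$') {
    throw 'tomcat.csr is not a complete certificate request'
}

# 5. Show the entry. Look for "Entry type: PrivateKeyEntry": the issued
#    certificate can only be installed later under an alias that holds the key.
& $keytool -list -v -alias tomcat -keystore $store
```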

     

    Obtaining an SSL Certificate from GoDaddy.com


     

    GoDaddy.com is a Certificate Authority that provides SSL certificates used to secure websites. Start by navigating to GoDaddy.com, where you will need to create an account to purchase an SSL certificate. Log into your GoDaddy account (launchworks/Q****4) and choose SSL & Site Protection from the All Products menu. Select the link to purchase an SSL certificate. Follow the process to purchase the certificate; once the purchase has been completed, an SSL certificate will be added to your “My Account” information.

    • While logged into GoDaddy.com, click on the “My Account” link to display the products that you have purchased from GoDaddy.com. Click on the “+” in front of “SSL CERTIFICATES” to see your new certificate.

     

    • If you have completed the creation of your “tomcat.csr” file in the prior steps, you can now open the “tomcat.csr” file in Notepad and copy the entire contents to the Windows clipboard (Ctrl-A, Ctrl-C).

    • To activate your certificate click on the OPTIONS link next to your new certificate. This will display a screen that will tell you that your certificate is pending activation. Click on the Launch Control Center button on the top right.

    • If you are using an existing certificate, click on the Rekey button.

    • This will present a screen where you can paste the contents of the “tomcat.csr” file into the area labeled “Enter your Certificate Signing Request (CSR) below:” and complete the page to perform Domain Validation.

     

     

     

     

    • Wait for the certificate to be approved. This takes a few minutes, after which the status goes from Pending to “Certificate issued”.



     

    • Switch to Classic View using the link at the bottom (RR: I didn’t see that link)

    • Click Download

     

     

    • Once this process is complete, the certificate will be generated. You will be able to download from the GoDaddy site the ZIP file with all the required certificates that will be installed on the server. Place a copy of this file on the server so the certificates can be installed.

     

    • Click on the LAUNCH button next to your certificate. (Now says “View Status”)


    • This will take you to a site to download the certificate and the root certificates that must be installed along with your new SSL certificate.


    • Click on Download to download a zip file with your certificates.

     

     


    • Unzip the certificates file downloaded from GoDaddy.com and copy them to the D:\SSL directory.

    • Next click on the “Repository” link

     

    • In the repository find the following file “gdroot-g2.crt” (for SHA-2) and download the file to D:\SSL



     

    • In the repository find the following file “gd_cross_intermediate.crt” and download the file to D:\SSL



     

     

    Install SSL Certificates in Tomcat

     

    • Open a command window as Administrator.

        

    • Navigate to the D:\SSL directory in the command window. The files in this directory should look like this


     

    • Install the root certificate (i.e. for SHA-2 gdroot-g2.crt downloaded from repository) by entering the following command in the command window

     

    c:

    cd\

    cd SSL

    "c:\program files\java\jre7\bin\keytool.exe" -import -alias root -keystore tomcat.keystore -trustcacerts -file gdroot-g2.crt -keypass changeit -storepass changeit

     

    Yes, use “root” as the alias.

    You will see one of two messages:

    1. Certificate already exists in the system-wide CA keystore alias gdroot-g2.crt

    Do you still want to add it to your own keystore? [no]

    Type yes

     

    2. Trust this certificate? [no]

    Type yes

     

    Certificate was added to keystore

     

    If it states “Certificate was not imported, alias <root> already exists”, delete the existing alias and then repeat the import:

     

    keytool.exe -delete -alias root -keystore tomcat.keystore -storepass changeit

     

    • Install the first intermediate certificate gd_cross_intermediate.crt (downloaded from repository) by entering the following command in the command window

     

    "c:\program files\java\jre7\bin\keytool.exe" -import -alias cross -keystore tomcat.keystore -trustcacerts -file gd_cross_intermediate.crt -keypass changeit -storepass changeit

     

    Certificate was added to keystore

     

    If it states “Certificate was not imported, alias <cross> already exists”, delete the existing alias and then repeat the import:

     

    keytool.exe -delete -alias cross -keystore tomcat.keystore -storepass changeit

     

    • Install the second intermediate certificate (gdig2.crt or gd_intermediate.crt downloaded in zip file) by entering the following command in the command window

     

    "c:\program files\java\jre7\bin\keytool.exe" -import -alias intermed -keystore tomcat.keystore -trustcacerts -file gd_intermediate.crt -keypass changeit -storepass changeit

     

    Trust this certificate? [no] (RR: didn’t get this prompt)

    Type yes

    Certificate was added to keystore

     

    • Install the issued certificate *.launchworks.com.crt by entering the following command in the command window (RR: in my case the downloaded cert was named b455e3ddb617ee.crt)

     

    "c:\program files\java\jre7\bin\keytool.exe" -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file *.launchworks.com.crt -keypass changeit -storepass changeit

     

    • When these commands are issued the expected response is “Certificate reply was added to keystore”

     

     


     

    Editing the Tomcat Configuration file SERVER.XML

    • After the certs have been installed we have to tell TOMCAT how to interface with the SSL certificates. In the SERVER.XML file there is a connector for the SSL on port 8443 which is commented out. The comments need to be removed and a few parameters added.

    • Start by finding your SERVER.XML file. It should be located in the installation drive Program Files (X86) folder.

      • C:\Program Files (x86)\Apache Software Foundation\Tomcat 6.0\conf

      • C:\Program Files (x86)\SAP BusinessObjects\tomcat\conf

    • Make a backup copy of the SERVER.XML file just in case.

    • Open the Services Manager, CCM or Apache controller and stop Apache Tomcat.

     

    • Here’s a sample SERVER.XML file content before SSL changes

     

    • Open the SERVER.XML in Notepad to make changes to the file to add SSL parameters. After adding the SSL parameters and removing the comments (<!-- and -->) it should look like this

    • Note: the attribute names keystoreFile and keystorePass are case sensitive, so enter them with exactly this capitalization, and enclose the keystore path in quotes, using forward slashes.

    • Save the SERVER.XML file with your new changes.

    • Restart the Apache Tomcat service in the CCM, or Services

    • Test your results.
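The before and after contents of SERVER.XML are not reproduced on this page. As an added example (not from the original document), the PowerShell below checks an edited file for the points made in the steps above. The embedded sample is constructed: its connector attributes follow the commented-out HTTPS connector in a stock Tomcat 6/7 server.xml, and the keystore path, the password placeholder and the function name Test-SslConnector are assumptions.

```powershell
# Constructed sample: the relevant part of a server.xml after the edit.
# Keystore path and password are placeholders, not values from the page.
$sample = @'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- comment markers removed from around this connector -->
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="D:/SSL/tomcat.keystore"
               keystorePass="REPLACE_WITH_KEYSTORE_PASSWORD" />
  </Service>
</Server>
'@

function Test-SslConnector {
    param([string]$Xml)
    $problems = @()
    $doc = [xml]$Xml   # throws if the edit left the file malformed
    # A connector still inside <!-- --> is a comment node and is not matched.
    $c = $doc.SelectSingleNode('//Connector[@port="8443"]')
    if ($null -eq $c) { return ,@('no active Connector on port 8443 (still commented out?)') }
    if ($c.GetAttribute('SSLEnabled') -ne 'true') { $problems += 'SSLEnabled is not "true"' }
    if ($c.GetAttribute('scheme') -ne 'https')    { $problems += 'scheme is not "https"' }
    if ($c.GetAttribute('secure') -ne 'true')     { $problems += 'secure is not "true"' }
    # GetAttribute is case sensitive, so "KeystoreFile" reads back as empty.
    $file = $c.GetAttribute('keystoreFile')
    if (-not $file)            { $problems += 'keystoreFile missing or wrong case' }
    elseif ($file -match '\\') { $problems += 'keystoreFile uses backslashes' }
    $pass = $c.GetAttribute('keystorePass')
    if (-not $pass)               { $problems += 'keystorePass missing or wrong case' }
    elseif ($pass -eq 'changeit') { $problems += 'keystorePass is the Java default "changeit"' }
    return ,$problems
}

# To check the real file, pass [IO.File]::ReadAllText('<path to conf>\server.xml') instead.
$result = Test-SslConnector -Xml $sample
if ($result.Count -eq 0) { 'SSL connector looks complete' } else { $result }
```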