Hello!
I need to secure my AwareIM server.
Is there anyone that has a secured and tested (working) SSL / HTTPS AwareIM?
Can you show me how to do it?
Do I need to buy a certificate?
Can anyone do it for me? I you feel you need to charge, please PM me!
thank you!
HTTPS / SSL AwareIm
- Posts: 201
- Joined: Tue Jul 27, 2010 2:17 am
- Location: Mexico
LineaMovil // Carlos Castillo
AwareIM Version 8.6
Windows Server 2021
MySQL Database 8.4
MEXICO
Not clear
I need to do this as well and all the existing documentation, instructions, forum posts etc. are just not complete and good enough to get a grip on how this is done. Anyone want to help out by creating a complete/thorough guide for this?
Thanks
Henrik (V8 Developer Ed. - Windows)
Hola Carlos,
after many attempts I got it.
My environment:
- I use Windows
- I use port 80 in AwareIM, so I installed SSL in port 443
- As I was not sure I would get it working, I started by installing a free certificate from StartCom (https://www.startssl.com/)
- I have a domain name pointing to my AwareIM server
And the steps:
1) Create the keystore
keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore path-to-keystore\mykeystore
You'll be asked for several pieces of info. The important ones are:
- Use the domain name for the "first name and last name" prompt (ex: mydomain.com)
- Use the same password for the keystore as the one you'll use for the certificate key.
2) Edit c:\AwareIm\Tomcat\conf\server.xml
remove the comment markers (<!-- and -->) before and after this connector and add the path and password of the keystore:
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
keystoreFile="path-to-keystore\mykeystore" keystorePass="keystore-password"
/>
3) Create a local Certificate and Signing Request (CSR)
With this command (the key pair already exists from step 1, so -genkey is not run again; keytool would refuse to overwrite the alias):
keytool -certreq -keyalg RSA -alias tomcat -keysize 2048 -file certreq.csr -keystore path-to-keystore\mykeystore
4) Submit the CSR (file certreq.csr) to the Certificate Authority (StartCom in this case) and get your trusted certificate. Copy/Paste certificate data in a text file (mycert.txt)
5) Get complementary certs (CA root certificate and class certificate). In this case:
http://www.startssl.com/certs/ca.pem
http://www.startssl.com/certs/sub.class1.server.ca.pem
6) Import the 2 StartCom Certificates:
keytool -import -alias startcom.ca -keystore path-to-keystore\mykeystore -trustcacerts -file "path-to-file\ca.pem"
keytool -import -alias startcom.ca.sub -keystore path-to-keystore\mykeystore -file "path-to-file\sub.class1.server.ca.pem"
7) Import your Trusted Certificate (under the same alias as the key pair, so it replaces the self-signed certificate)
keytool -import -alias tomcat -keystore path-to-keystore\mykeystore -file "path-to-file\mycert.txt"
8) This is optional (redirect http traffic to https):
Edit file c:\AwareIM\tomcat\conf\web.xml and add the code:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Entire Application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
9) Restart AwareIM
Now, if you access http://yourdomain.com, you should be sent to https://yourdomain.com,
but it did not work for me, and after many hours of trying I discovered the problem: port 443 was not open! So the first lesson is: first of all, open port 443 in the firewall.
Well, I hope it works for you
THX
Thanks Rafa for taking the time to write this. I will work with this these coming weeks and good to have the exact steps you followed. Can I ask you a couple of questions on this?
- To generate the keystore (and also import etc.), how is this done exactly? I have read something before about using cmd in the tomcat folder or something like that but don't fully understand?
- Regarding the domain to use when generating the keystore, should it be www.mydomain.com OR www.mydomain.com/login (which is my actual loginpage to my app)?
- Regarding linking the domain and the cert, how is this done? I for example have a domain www.mydomain.com and after following your steps in the outline, I get a CSR file which I exchange for my trusted certificate via my domain registrar. After I have done this, should I create a DNS record for e.g. www.mydomain.com/login >> https://xxx.xxx.xxx.xxx:443/AwareIM/logonAdmin.html or how will I link my domainname to my server ip/login page?
- Related to previous question, If I link via DNS the domain to my server, this would mean I only have https on my actual loginpage/application and not on all pages of my domain?
Thanks again.
Henrik (V8 Developer Ed. - Windows)
Thanks Rafa for sharing this...
One question... What happens in an update process? I guess this has to be done on every update.
Support, could this be included in a straightforward process?
Now..I have installed Java8, Tomcat 5.10, custom folder, etc..
I have created a little documentation about what steps to follow on every update...
Can we hope in including these features in next releases...
thank you.
Thx,
George
________________________________
Developer Edition
AwareIM: v8.5, build 2824
OS: Windows Server 2012
DB: MySql 5.6.42
Hi, Henrik, I'll try to answer your questions:
- keytool.exe is in folder c:\AwareIM\JDK\bin. Open a command line window, go to this folder and execute keytool with the required parameters.
- In the keystore, write the domain you want to use with https. In your case, if you use www.mydomain.com and get the certificate for this address, all the pages below www.mydomain.com (for example, www.mydomain.com/login) also use https.
- If you get a certificate for www.mydomain.com, you must use addresses that start with www.mydomain.com: https://www.mydomain.com, https://www.mydomain.com/login, https://www.mydomain.com/AwareIM/logonAdmin.html, and so on.
I hope I helped, because I really do not know much about domains and dns
weblike wrote: One question...What happens in a update process??
I do not know, I have not yet dared to update.
I think all you have to do is a backup of files server.xml and web.xml and restore the copy after the update.
Or maybe this is already done automatically when updating. Support, something to say?
Built in
Thanks guys for the additional info. I will soon start working on this and will at the same time create a proper guide document for this process.
Support, the problem with having to update manually after AwareIM updates has been discussed before and applies to SSL, custom folder and a couple of other things. Having these features/options built in would again be great, any chance this can be done in a future version update?
Henrik (V8 Developer Ed. - Windows)
Friends,
I am also successful in installing SSL on the AwareIM server and now my apps are working fine on SSL. This is a result of many failed attempts. I am sharing the info:
So theoretically, we have to follow 5 major steps:
1. Create CSR (Certificate Signing Request)
2. Submit this CSR to CA (Certifying Authority) eg. Verisign, Thawte, GeoTrust etc.
3. CA will issue 2 certificates i.e. Server Certificate and Intermediate Certificate
4. Install these certificates on Tomcat
5. Modify server.xml
I have documented the detailed steps in below shown document:
http://softservsolutions.com/AwareIM/SS ... .pdf
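The keytool sequence from Rafa's post (steps 1, 3, 6 and 7) and Himanshu's five-step outline above describe the same procedure. The script below is an added example, not code from this thread, from AwareIM or from either author: it wraps those keytool calls in a PowerShell script so the request phase and the install phase can be repeated identically on every server (and after an AwareIM update). keytool's location is the one the thread gives; the domain, keystore path, certificate directory, file names, organisation and alias are placeholders (assumptions) to be replaced. The Windows firewall rule at the end is the fix Rafa found he was missing.

```powershell
<#
  Added example (not from the forum thread or AwareIM): keytool steps as a repeatable script.
  Run "-Phase Request" before submitting the CSR, then "-Phase Install" once the CA has
  returned the certificate and you have saved it and the CA chain files in $CertDir.
#>
param(
    [Parameter(Mandatory)][ValidateSet('Request', 'Install')][string]$Phase,
    [string]$Domain   = 'www.mydomain.com',                   # placeholder: host users will type
    [string]$Keytool  = 'C:\AwareIM\JDK\bin\keytool.exe',     # location given in the thread
    [string]$Keystore = 'C:\AwareIM\Tomcat\conf\mykeystore',  # placeholder: keep it with server.xml
    [string]$CertDir  = 'C:\AwareIM\Tomcat\conf\certs',       # placeholder: CSR and CA files live here
    [string]$Alias    = 'tomcat'                              # key-pair alias the Connector will use
)
$ErrorActionPreference = 'Stop'

# One password for keystore and key, as the thread recommends; prompt rather than hard-code it.
$Pass = Read-Host -Prompt 'Keystore/key password'

function Invoke-Keytool {
    # keytool is a native program: $ErrorActionPreference ignores its exit code, so check it.
    & $Keytool @args
    if ($LASTEXITCODE -ne 0) { throw "keytool failed (exit $LASTEXITCODE): $($args -join ' ')" }
}

switch ($Phase) {
    'Request' {
        New-Item -ItemType Directory -Force -Path $CertDir | Out-Null
        # CN carries the domain (keytool's "first and last name" prompt). A SAN extension is
        # requested too, because browsers match the host name against SAN, not CN.
        Invoke-Keytool -genkeypair -alias $Alias -keyalg RSA -keysize 2048 -validity 365 `
            -keystore $Keystore -storepass $Pass -keypass $Pass `
            -dname "CN=$Domain, O=My Company, C=MX" -ext "SAN=dns:$Domain"
        Invoke-Keytool -certreq -alias $Alias -file (Join-Path $CertDir 'certreq.csr') `
            -keystore $Keystore -storepass $Pass
        Write-Host "CSR written to $CertDir\certreq.csr. Submit it to the CA, then run -Phase Install."
    }
    'Install' {
        # File names are placeholders: save what the CA returns under these names.
        $files = @{
            'ca-root'         = Join-Path $CertDir 'ca.pem'                    # CA root certificate
            'ca-intermediate' = Join-Path $CertDir 'sub.class1.server.ca.pem'  # intermediate certificate
            $Alias            = Join-Path $CertDir 'mycert.txt'                # your server certificate
        }
        foreach ($f in $files.Values) { if (-not (Test-Path $f)) { throw "missing file: $f" } }
        # Order matters: root and intermediate first, then the server certificate under the SAME
        # alias as the key pair, so keytool can build the chain and replace the self-signed cert.
        Invoke-Keytool -importcert -alias 'ca-root' -trustcacerts -noprompt -file $files['ca-root'] `
            -keystore $Keystore -storepass $Pass
        Invoke-Keytool -importcert -alias 'ca-intermediate' -noprompt -file $files['ca-intermediate'] `
            -keystore $Keystore -storepass $Pass
        Invoke-Keytool -importcert -alias $Alias -noprompt -file $files[$Alias] `
            -keystore $Keystore -storepass $Pass
        # Inspect the result: the $Alias entry should now show a certificate chain, not a self-signed cert.
        Invoke-Keytool -list -v -alias $Alias -keystore $Keystore -storepass $Pass

        # Rafa's lesson: open 443 in the Windows firewall (cmdlet on Server 2012+, netsh on older hosts).
        if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
            New-NetFirewallRule -DisplayName 'AwareIM HTTPS' -Direction Inbound -Protocol TCP `
                -LocalPort 443 -Action Allow | Out-Null
        } else {
            netsh advfirewall firewall add rule name="AwareIM HTTPS" dir=in action=allow protocol=TCP localport=443
        }
        Write-Host "Now set keystoreFile=`"$Keystore`" and keystorePass in the port-443 Connector and restart AwareIM."
    }
}
```

The server.xml Connector and the optional web.xml security-constraint from Rafa's steps 2 and 8 are still edited by hand after the Install phase. Because keytool receives the password on its command line, run the script from a console rather than a scheduled task whose command lines are logged, and keep the keystore file readable only by the account Tomcat runs as.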
From,
Himanshu Jain
AwareIM Consultant (since version 4.0)
OS: Windows 10.0, Mac
DB: MYSQL, MSSQL
himanshu wrote:Friends,
I am also successful in installing SSL on the AwareIM server and now my apps are working fine on SSL. This is a result of many failed attempts. I am sharing the info:
So theoretically, we have to follow 5 major steps:
1. Create CSR (Certificate Signing Request)
2. Submit this CSR to CA (Certifying Authority) eg. Verisign, Thawte, GeoTrust etc.
3. CA will issue 2 certificates i.e. Server Certificate and Intermediate Certificate
4. Install these certificates on Tomcat
5. Modify server.xml
I have documented the detailed steps in below shown document:
http://softservsolutions.com/AwareIM/SS ... IM_SSL.pdf
From,
Himanshu Jain
AwareIM Consultant (since version 4.0)
OS: Windows 10.0, Mac
DB: MYSQL, MSSQL
Re: HTTPS / SSL AwareIm
Hi Guys,
Some help would be hugely appreciated by anyone who has successfully implemented ssl with AwareIM.
I have been trying to follow the guide that himanshu posted (thank you himanshu for taking the time, do you run windows servers?) and I have successfully completed all the steps (by that I mean I've followed each step) but I can't get my app to load over https. I just get an error in the browser that says: "This site can’t be reached. secureserver.mydomain.co.uk unexpectedly closed the connection".
I'm using a Windows Server 2008 and I'm still on AwareIM v6. I'm confident that port 443 is open as I am able to reach it from outside the server with a port testing tool.
Some questions to help me understand what's correct and what's not:
1) Does the extension of the keystore file matter? himanshu uses (and mine is set up as) 'tomcat.keystore' but I notice that eagles9999 has a different extension that is the equivalent of 'tomcat.jks' If my keystore extension is wrong under windows do I have to begin the whole process again or can I just rename the file extension?
2) Is the location of the keystore important and does it need to be in a certain place? Can tomcat access c:/AwareIm/JDK/bin/keystore (as deduced from himanshu's guide) or does it need to be in c:/AwareIM/tomcat/bin/certs/keystore as per eagles9999's postings??
3) If I go to my AwareIM control panel and look at settings I currently run tomcat on port 80. Should I be changing this to port 443 or does it get left as port 80?
Any thoughts or ideas would be more than welcome.
many thanks
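A port-testing tool only proves that TCP connects; "unexpectedly closed the connection" is what a browser shows when the port accepts the connection but the TLS handshake does not complete. The script below is an added diagnostic, not code from this thread or from AwareIM, that tells three situations apart: port closed, port open but no TLS, and TLS up but with a chain or host-name problem. It also checks the HTTP-to-HTTPS redirect from step 8 of Rafa's post. The host name is a placeholder; run it from a machine outside the server, as a browser would.

```powershell
<#
  Added example (not from the forum thread or AwareIM): classify why https://$HostName fails.
  Requires only .NET classes that ship with Windows PowerShell; no extra modules.
#>
param([string]$HostName = 'secureserver.mydomain.co.uk')   # placeholder host name

function Test-TcpPort {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try { $client.Connect($HostName, $Port); $true } catch { $false } finally { $client.Close() }
}

function Get-TlsReport {
    # Accept any certificate during the handshake so it can be inspected; validation is done afterwards.
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)   # throws if the server drops the connection mid-handshake
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($cert)         # false when the intermediate (step 6) is missing, expired, etc.
        # Subject Alternative Name (OID 2.5.29.17): the host must appear here, or in CN for old certs.
        $san = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
                ForEach-Object { $_.Format($false) }) -join ';'
        $escaped = [regex]::Escape($HostName)
        [pscustomobject]@{
            Protocol    = $ssl.SslProtocol
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            Expires     = $cert.NotAfter
            SAN         = $san
            NameMatch   = ($san -match $escaped) -or ($cert.Subject -match "CN=$escaped")
            ChainValid  = $chainOk
            ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        }
    } finally { $client.Close() }
}

function Test-HttpsRedirect {
    param([string]$HostName)
    $req = [System.Net.WebRequest]::Create("http://$HostName/")
    $req.AllowAutoRedirect = $false          # we want to see the 30x response, not follow it
    $resp = $req.GetResponse()               # 3xx does not throw when redirects are not followed
    try {
        $status   = [int]$resp.StatusCode
        $location = $resp.Headers['Location']
        [pscustomobject]@{
            Status   = $status
            Location = $location
            # A target of https://host/ on the default port is what step 8 should produce. A target on
            # :8443 means the port-80 Connector's redirectPort in server.xml is still Tomcat's default.
            Correct  = (@(301, 302, 303, 307, 308) -contains $status) -and ($location -like "https://$HostName/*")
        }
    } finally { $resp.Close() }
}

if (-not (Test-TcpPort $HostName 443)) {
    Write-Host '443: TCP connection refused or timed out -> firewall rule or the HTTPS Connector is not listening.'
} else {
    try   { Get-TlsReport $HostName | Format-List }
    catch { Write-Host "443 accepted TCP but the TLS handshake failed: $($_.Exception.Message). Look in Tomcat's log for keystore path or password errors at startup." }
}
if (Test-TcpPort $HostName 80) { Test-HttpsRedirect $HostName | Format-List }
```

Read the output in order: a refused port 443 points at the firewall or at a Connector that never started; a handshake failure with TCP open points at the Connector's keystoreFile or keystorePass; a handshake that succeeds with NameMatch or ChainValid false points at steps 1, 6 and 7 (wrong domain in the keystore, or the intermediate certificate not imported). The redirect check matters because the CONFIDENTIAL transport-guarantee in web.xml sends browsers to whatever redirectPort the plain-HTTP Connector declares.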