SSL Configuration steps for Version 12.3

For Build 12.3.181 and above:

Steps to enable HTTPS

  1. Go to Settings.
  2. Click on Basic Settings.
  3. Choose "Security Settings".
  4. Enable "Secure Mode".

Here you have 3 options to choose from:

  • Generate a CSR
  • Self-signed Certificate
  • Import Certificate



Generate CSR:
  This option generates a Certificate Signing Request (CSR). A CSR, or Certificate Signing Request, is a block of encoded text that is given to a Certificate Authority when applying for an SSL certificate. It is usually generated on the server where the certificate will be installed and contains the information that will go into the certificate, such as the organization name, common name (the server's domain name), locality and country. It also contains the public key that will be included in the certificate. A private key is created at the same time as the CSR, making a key pair. A CSR is encoded using ASN.1 DER according to the PKCS #10 specification.

A certificate authority will use a CSR to create your SSL certificate, but it does not need your private key. You need to keep your private key secret. The certificate created with a particular CSR will only work with the private key that was generated with it. So if you lose the private key, the certificate will no longer work. 
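To see what the CSR you are about to submit actually contains, the following added example (written for this page, not part of OpManager) walks the PKCS #10 DER structure with only the Python standard library and pulls out the subject DN and the key and signature algorithm OIDs. The SAMPLE_CSR it parses is constructed inside the script with a dummy key and a dummy signature, so it is structurally a CSR but would never verify; the names, OIDs and the check_csr rules (CN must match and must be a FQDN) are this example's own choices. Point parse_csr at the real OpManager.csr from the downloaded ZIP to confirm the CN is the name your users type before paying for a certificate.

```python
"""Walk a PKCS #10 CSR (PEM) with a stdlib-only DER parser.
Added example, not OpManager code. CertificationRequest ::= SEQUENCE {
requestInfo { version, subject, subjectPKInfo, attributes }, sigAlg, signature }.
SAMPLE_CSR is constructed below with a dummy key and signature (it will not verify)."""
import base64
import re

OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
             "2.5.4.10": "O", "2.5.4.11": "OU",
             "1.2.840.113549.1.1.1": "rsaEncryption",
             "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}
_MARKER = re.compile(r"-----(BEGIN|END) (NEW )?CERTIFICATE REQUEST-----")

def _read_tlv(buf, pos):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split the body of a constructed element into (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out

def _oid(raw):
    """Decode a DER OID body to dotted form, mapped to a name when known."""
    parts, acc = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    dotted = ".".join(parts)
    return OID_NAMES.get(dotted, dotted)

def parse_csr(pem):
    """Return the subject DN and the key/signature algorithms of a PEM CSR."""
    der = base64.b64decode("".join(_MARKER.sub("", pem).split()))  # whitespace-tolerant
    tag, top, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    (_, info), (_, sig_alg), _ = _children(top)
    (_, _ver), (_, subject), (_, spki), _ = _children(info)
    dn = {}
    for _, rdn in _children(subject):      # Name = SEQUENCE OF SET OF {type OID, value}
        for _, atv in _children(rdn):
            (_, oid), (_, val) = _children(atv)
            dn[_oid(oid)] = val.decode("utf-8")
    (_, key_alg), _ = _children(spki)
    return {"subject": dn,
            "key_algorithm": _oid(_children(key_alg)[0][1]),
            "signature_algorithm": _oid(_children(sig_alg)[0][1])}

def check_csr(pem, expected_cn):
    """List what is wrong with the CSR; an empty list means it matches expectations."""
    info, problems = parse_csr(pem), []
    cn = info["subject"].get("CN", "")
    if cn != expected_cn:
        problems.append(f"CN is {cn!r}, expected {expected_cn!r}")
    if "." not in cn:
        problems.append("CN is not a fully qualified domain name")
    return problems

# ---- constructed sample: a DER encoder just large enough to build a fake CSR ----
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _enc_oid(dotted):
    a, b, *rest = (int(x) for x in dotted.split("."))
    out = [40 * a + b]
    for v in rest:
        chunk = [v & 0x7F]
        while v > 0x7F:
            v >>= 7
            chunk.append(0x80 | (v & 0x7F))
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def build_sample_csr(dn):
    """Build a PEM CSR for the (oid, value) pairs in dn; key and signature are dummies."""
    subject = _tlv(0x30, b"".join(
        _tlv(0x31, _tlv(0x30, _enc_oid(o) + _tlv(0x0C, v.encode()))) for o, v in dn))
    spki = _tlv(0x30, _tlv(0x30, _enc_oid("1.2.840.113549.1.1.1") + b"\x05\x00")
                + _tlv(0x03, b"\x00" + bytes(16)))                # dummy key bits
    info = _tlv(0x30, b"\x02\x01\x00" + subject + spki + _tlv(0xA0, b""))
    sig_alg = _tlv(0x30, _enc_oid("1.2.840.113549.1.1.11") + b"\x05\x00")
    b64 = base64.b64encode(_tlv(0x30, info + sig_alg + _tlv(0x03, bytes(33)))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE REQUEST-----\n{body}\n-----END CERTIFICATE REQUEST-----\n"

SAMPLE_CSR = build_sample_csr([("2.5.4.6", "US"), ("2.5.4.8", "California"),
                               ("2.5.4.7", "Pleasanton"), ("2.5.4.10", "Zoho Corp"),
                               ("2.5.4.11", "SYSADMIN"), ("2.5.4.3", "opmserver.manageengine.com")])
```

The parser tolerates trailing spaces and CRLF line endings in the PEM, which is what a copy-pasted CSR usually carries, and check_csr returns the list of mismatches rather than printing them, so it can gate an automated submission. It reads the request only; verifying the self-signature needs the RSA public key, which a real CSR carries and this constructed one does not.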

Once you click Generate CSR, you will have to fill in a few details for the certificate you want to create for your OpManager server.

On clicking the Generate button, your CSR and server key files are downloaded as a ZIP. The ZIP contains your private key: keep it off shared drives and out of e-mail, and delete the download once the certificate has been imported.

Extract it and use the "OpManager.csr" file to get a signed certificate from a CA of your choice.

After the CA has signed it, you will receive a certificate file which you can import into OpManager using the Import Certificate option discussed below.



Self-Signed Certificate:

This option enables SSL in OpManager with a certificate that OpManager generates and signs itself. The connection is encrypted just as it would be with a CA-issued certificate, but browsers cannot verify that the certificate belongs to your server, so they show it as untrusted because it is not signed by a valid CA (Certificate Authority). Use it for test or lab setups, or distribute the certificate to the trust stores of the machines that access OpManager; for anything reached over a network you do not control, a CA-signed certificate (Generate a CSR, or Import Certificate) is the safer choice.

You will be prompted to restart OpManager for the changes to take effect.


Import Certificate:

Use this option if you already have a valid certificate and key file, or a keystore or PFX file containing the certificate.

  1. Select the certificate file.
  2. Select the matching "key" file.
  3. Verify the details shown and choose Import.

Note: If the certificate cannot be validated against a trusted root, you will be asked to provide the intermediate certificate(s) and the root certificate as well. Once they are uploaded, verify the certificate and click Import.

On successful import, you will be prompted to restart OpManager.


Importing from PFX or Keystore:

If you are using a keystore or a PFX file, you will be prompted for the password that opens the file.

On clicking Fetch, you will see the list of key entries in the keystore. Choose the alias whose key pair and certificate OpManager should use for SSL.

A preview of the certificate information is shown; verify it and click Import.

Finally, you will be prompted to restart OpManager for the changes to take effect.

After enabling SSL through one of the above ways, you will be able to connect to OpManager in secure mode.



For Builds below 12.3.181:

SSL Configuration

Note: Do not modify the OpManager.truststore file. For third-party certificates, use the OpManagerServer.truststore file. Also, do not delete OpManager.truststore; it must remain in the conf directory.
-------------------------------------------------------------------------------------------------------------------

Prerequisites:

The build number should be greater than or equal to 12300.

For PPM customers (12200-12300): extract this zip under the Home directory and then proceed with the steps below.
Also make sure the following file exists in the home/server_xml_bkp directory:
win_ssl_server.xml
-------------------------------------------------------------------------------------------------------------------

Installing a .PFX certificate in OpManager:

First enable SSL, then install the .PFX certificate.

To enable SSL, follow the steps below.
  1. Open a command prompt and change directory to /opmanager/bin.
  2. Execute the following command (ssl_gen.bat on Windows, ssl_gen.sh on Linux):
    ssl_gen.bat -f Enable

To install the .PFX certificate, follow the steps below.

1. First convert the .pfx file (a PKCS #12 store) into the JKS keystore that OpManager expects under the name OpManagerServer.truststore. Place the .pfx file under the \OpManager\jre\bin folder, then open a command prompt as Administrator and change to the \OpManager\jre\bin folder.

2. Run the command below, substituting the name of your .pfx file:

keytool.exe -importkeystore -srckeystore mykeystore.pfx -destkeystore OpManagerServer.truststore -srcstoretype pkcs12 -deststoretype JKS

It will prompt for passwords; use the .pfx password as the truststore password. The private-key entry keeps the password it had in the .pfx unless you pass -destkeypass, and Tomcat expects the key password and the store password to match, so reusing the .pfx password keeps them aligned.

3. OpManagerServer.truststore is created under the \OpManager\jre\bin folder; move it to the \OpManager\conf folder.

4. Now configure Tomcat: open the "server.xml" file (under OpManager_Home\conf) in a text editor.
For Linux:
Search for the term "keystoreFile". It is an attribute of the Connector tag; set its value to "./conf/OpManagerServer.truststore" and set the "keystorePass" attribute to your keystore password.

For Windows:
Search for the term "certificateKeystoreFile". It is an attribute of the Connector tag; set its value to "./conf/OpManagerServer.truststore" and set the "certificateKeystorePassword" attribute to your keystore password.

The password is stored in clear text in server.xml, so restrict read access to that file to the account that runs OpManager.

5. Start OpManager.

-------------------------------------------------------------------------------------------------------------------

Enabling third-party SSL:

First enable SSL, then install the third-party certificate.

To enable SSL, follow the steps below.
  1. Open a command prompt and change directory to /opmanager/bin.
  2. Execute the following command (ssl_gen.bat on Windows, ssl_gen.sh on Linux):
    ssl_gen.bat -f Enable

To install the third-party certificate, follow the steps below.

1. Open the command prompt and change to the OpManager_Home directory.

2. Generating the keystore file:

Execute the following command and provide the requested details to create OpManagerServer.truststore under the conf folder. Always pass -keysize 2048 (or larger): older JREs default to a 1024-bit key, and public CAs will not sign a CSR for a key shorter than 2048 bits.
>jre\bin\keytool.exe -v -genkey -keyalg RSA -keysize 2048 -keystore conf\OpManagerServer.truststore -alias opmanager

Enter keystore password: (Enter a password for this keystore, at least 6 characters long. Press Enter.)

What is your first and last name?
[Unknown]: (Enter the name of the server on which OpManager is running. It must be a FQDN
[Fully Qualified Domain Name], e.g. opmserver.manageengine.com. Press Enter.)
What is the name of your organizational unit?
[Unknown]: (Name of your organizational unit, e.g. SYSADMIN. Press Enter.)
What is the name of your organization?
[Unknown]: (Your organization name, e.g. Zoho Corp. Press Enter.)
What is the name of your City or Locality?
[Unknown]: (Your city name, e.g. Pleasanton. Press Enter.)
What is the name of your State or Province?
[Unknown]: (Your state name, e.g. California. Press Enter.)
What is the two-letter country code for this unit?
[Unknown]: (Your country's two-letter code, e.g. US. Press Enter.)
Is CN=opmserver.manageengine.com, OU=SYSADMIN, O=Zoho Corp, L=Pleasanton,
ST=California, C=US correct?
[no]: (Check the details; if they are correct, type yes and press Enter. Otherwise just press Enter to modify them.)
Generating 1,024 bit RSA key pair and self-signed certificate (MD5WithRSA)
for CN=opmserver.manageengine.com, OU=SYSADMIN, O=Zoho Corp, L=Pleasanton,
ST=California, C=US
(This line is from an older JRE. With -keysize 2048 on a current JRE it reads "Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA)"; a 1,024 bit / MD5 line means the key is too weak and the command should be re-run with -keysize 2048.)
Enter key password for <opmanager>
(RETURN if same as keystore password): (Just press Enter. For Tomcat, the keystore password and the key [alias] password must be the same.)
[Storing conf\OpManagerServer.truststore]

3. Generating CSR File (Certificate Signing Request):
Execute the following commands to create opmssl.csr file under conf folder.
>jre\bin\keytool.exe -v -certreq -file conf\opmssl.csr -keystore conf\OpManagerServer.truststore -alias opmanager
Enter keystore password: (Enter the password for the keystore file)
Certification request stored in file <conf\opmssl.csr>
Submit this to your CA

4. Getting the certificate from the CA (Certification Authority):
Submit the CSR file generated in the previous step to a CA of your choice to obtain the SSL certificate.

Usually you paste the content of the CSR file into a text area on the CA's website. After verifying your request, they will typically send you the certificate content by mail. Copy and paste the content into a text editor and save it as "ServerCert.cer" under the OpManager_Home\conf folder. Be careful that no extra spaces are added at the ends of lines while copying and pasting.

5. Importing root and intermediate certificates: Before importing our certificate, we have to import the CA's root and intermediate certificates into the keystore file generated in the second step. When mailing you the certificate, the CA will mention the link to its root and intermediate certificates. Save them under the conf directory as "CARoot.cer" and "CAIntermediate.cer" respectively. Some CAs have two or more intermediate certificates; each one must be imported under its own alias, since keytool will not reuse an alias.

Refer to the CA's documentation before importing.
To import root certificate:
(Execute it from OpManager home directory)
>jre\bin\keytool.exe -import -trustcacerts -file conf\CARoot.cer -keystore conf\OpManagerServer.truststore -alias CARootCert
Enter keystore password: (Enter the keystore password)
(The root certificate's details will be printed.)
Trust this certificate? [no]: (type yes and press enter if it is the certificate of your CA)
Certificate was added to keystore
To import Intermediate certificate:
(Execute it from OpManager home directory)
>jre\bin\keytool.exe -import -trustcacerts -file conf\CAIntermediate.cer -keystore conf\OpManagerServer.truststore -alias CAInterCert
Enter keystore password: (Enter the keystore password)
Certificate was added to keystore

6. Importing Server's Certificate:
Execute the following command to add the certificate received from the CA to the keystore file.
(Execute it from OpManager home directory)
>jre\bin\keytool.exe -import -trustcacerts -file conf\ServerCert.cer -keystore conf\OpManagerServer.truststore -alias opmanager
Enter keystore password: (Enter the keystore password)
Certificate reply was installed in keystore
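The two pitfalls from steps 4 and 5 (whitespace picked up while pasting, and CAs that deliver more than one intermediate) can be dealt with before any keytool command is run. The following is an added example, not OpManager's or any CA's tooling: it splits the pasted text into individual certificates, strips the whitespace, checks that each block decodes to DER, names the files as steps 4 to 6 expect, and produces the keytool import commands of steps 5 and 6 with a distinct alias per intermediate. SAMPLE_BUNDLE is constructed from placeholder DER blobs rather than real certificates, and the ordering assumption (server certificate first, root last) is the script's own; check it against the CA's documentation before trusting the file names it assigns.

```python
"""Clean a certificate pasted from the CA's mail and split a chain bundle.

Added example, not OpManager's or any CA's tooling. It removes whitespace
picked up while pasting, checks that every block is base64 wrapping a DER
SEQUENCE, names the files as steps 4-6 expect and emits one keytool import
per certificate with a distinct alias for each intermediate. SAMPLE_BUNDLE
is built from placeholder DER blobs, not real certificates.
"""
import base64
import re
import subprocess

_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def normalize(block_b64):
    """Drop all whitespace, validate base64 and DER framing, re-wrap at 64 columns."""
    b64 = "".join(block_b64.split())                # trailing spaces, CRLF, indentation
    der = base64.b64decode(b64, validate=True)      # binascii.Error (a ValueError) on junk
    if not der or der[0] != 0x30:
        raise ValueError("decoded block is not a DER SEQUENCE, so not a certificate")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def split_bundle(text):
    """Return the normalized PEM certificates found in text, in delivery order."""
    certs = [normalize(m.group(1)) for m in _BLOCK.finditer(text)]
    if not certs:
        raise ValueError("no BEGIN/END CERTIFICATE markers found")
    return certs


def chain_files(certs):
    """Name the files as the text does: ServerCert, CAIntermediateN, CARoot.

    Assumes the bundle is ordered server certificate first and root last
    (an assumption of this example; confirm it against the CA's documentation).
    """
    if len(certs) < 2:
        raise ValueError("need at least the server certificate and the root")
    files = [("ServerCert.cer", certs[0])]
    files += [(f"CAIntermediate{i}.cer", c) for i, c in enumerate(certs[1:-1], 1)]
    files.append(("CARoot.cer", certs[-1]))
    return files


def keytool_commands(files, keytool="jre\\bin\\keytool.exe",
                     keystore="conf\\OpManagerServer.truststore", alias="opmanager"):
    """Import order from the text: root, then each intermediate, then the reply.

    CA certificates get their own aliases; the server certificate goes under
    the key-pair alias so keytool treats it as the certificate reply.
    """
    def cmd(name, use_alias):
        return [keytool, "-import", "-trustcacerts", "-file", "conf\\" + name,
                "-keystore", keystore, "-alias", use_alias]
    names = [n for n, _ in files]
    inter = [n for n in names if n.startswith("CAIntermediate")]
    cmds = [cmd("CARoot.cer", "CARootCert")]
    cmds += [cmd(n, f"CAInterCert{i}") for i, n in enumerate(inter, 1)]
    cmds.append(cmd("ServerCert.cer", alias))
    return cmds


def run_imports(cmds, dry_run=True):
    """Print the commands, or run them from OpManager_Home when dry_run is False."""
    for c in cmds:
        print(" ".join(c))
        if not dry_run:
            subprocess.run(c, check=True)       # keytool prompts for the store password


def _placeholder(n):
    """A constructed PEM block: DER SEQUENCE { INTEGER n }, with paste damage added."""
    b64 = base64.b64encode(bytes([0x30, 0x03, 0x02, 0x01, n])).decode()
    return f"-----BEGIN CERTIFICATE-----\r\n  {b64} \r\n-----END CERTIFICATE-----\r\n"


# Constructed: server cert, two intermediates, root, as a CA mail might paste them.
SAMPLE_BUNDLE = "Your certificate:\n" + "".join(_placeholder(n) for n in (1, 2, 3, 4))

if __name__ == "__main__":
    run_imports(keytool_commands(chain_files(split_bundle(SAMPLE_BUNDLE))))
```

Write each (name, pem) pair from chain_files into OpManager_Home\conf, then run the commands from OpManager_Home (dry_run=False) or paste the printed lines into the prompt; keytool asks for the keystore password on each import exactly as in the transcript above.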

7. Now configure Tomcat: open the "server.xml" file (under OpManager_Home\conf) in a text editor.
For Linux:
Search for the term "keystoreFile". It is an attribute of the Connector tag; set its value to "./conf/OpManagerServer.truststore" and set the "keystorePass" attribute to your keystore password.

For Windows:
Search for the term "certificateKeystoreFile". It is an attribute of the Connector tag; set its value to "./conf/OpManagerServer.truststore" and set the "certificateKeystorePassword" attribute to your keystore password.

8. Start the OpManager server and connect the client over HTTPS, e.g. https://opmserver.manageengine.com:80/ (using the port configured on the SSL connector in server.xml).

Note: If you already have a certificate for this server, and that certificate was requested from a keystore generated with the Java keytool, you may use it for SSL configuration. Copy the keystore file to OpManager_Home\conf, rename it to "OpManagerServer.truststore" and follow the steps from 5.
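The server.xml edit in step 4 of the .PFX procedure and step 7 of the third-party procedure is the same operation, so one added example (not OpManager's own script) serves both: it rewrites whichever attribute pair the file uses, keeps comments and layout intact by editing the text rather than re-serialising the XML, and then re-parses the result to confirm it is still well formed. The two server.xml fragments inside it are constructed for this example, not the shipped file, which has more connectors and attributes; the port numbers and the "changeit" placeholder password in them are made up. apply_to_file takes a .bak copy before writing.

```python
"""Point the Tomcat connector in server.xml at OpManagerServer.truststore.

Added example, not OpManager's own tooling. It performs the server.xml step
from the text for both variants: keystoreFile/keystorePass (the Linux file)
and certificateKeystoreFile/certificateKeystorePassword (the Windows file).
It edits the attribute values textually, so comments and layout survive, and
then re-parses the result to prove it is still well-formed XML. The two
server.xml fragments at the bottom are constructed for this example.
"""
import re
import shutil
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

KEYSTORE_PATH = "./conf/OpManagerServer.truststore"
ATTR_PAIRS = (
    ("keystoreFile", "keystorePass"),                            # Linux server.xml
    ("certificateKeystoreFile", "certificateKeystorePassword"),  # Windows server.xml
)


def _set_attr(text, name, value):
    """Rewrite every name="..." attribute (double-quoted) to value; return (text, hits)."""
    pat = re.compile(r'(\b%s\s*=\s*)"[^"]*"' % re.escape(name))
    quoted = '"' + escape(value, {'"': "&quot;"}) + '"'   # keep the XML well formed
    return pat.subn(lambda m: m.group(1) + quoted, text)


def configure_connector(text, password, keystore=KEYSTORE_PATH):
    """Return server.xml text with the keystore path and password set.

    Whichever attribute pair the file uses is updated; the other is ignored.
    Raises ValueError when neither pair is present, so the caller never ends
    up with a half-edited file.
    """
    for file_attr, pass_attr in ATTR_PAIRS:
        updated, hits = _set_attr(text, file_attr, keystore)
        if not hits:
            continue
        updated, hits = _set_attr(updated, pass_attr, password)
        if not hits:
            raise ValueError(f"{file_attr} present but {pass_attr} missing")
        ET.fromstring(updated)               # still parses after the edit
        return updated
    raise ValueError("no keystoreFile/certificateKeystoreFile attribute found")


def connector_settings(text):
    """Read back (keystore, password) as Tomcat would see them, or None."""
    for el in ET.fromstring(text).iter():    # the Connector itself or a nested element
        for file_attr, pass_attr in ATTR_PAIRS:
            if file_attr in el.attrib:
                return el.attrib[file_attr], el.attrib.get(pass_attr)
    return None


def apply_to_file(path, password):
    """Back up server.xml as server.xml.bak, then write the edited version."""
    with open(path, encoding="utf-8") as fh:
        updated = configure_connector(fh.read(), password)
    shutil.copyfile(path, path + ".bak")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(updated)
    return connector_settings(updated)


# Constructed fragments, not the shipped server.xml.
LINUX_SAMPLE = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- HTTPS connector (constructed sample) -->
    <Connector port="443" scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="./conf/OpManager.truststore" keystorePass="changeit"
               sslProtocol="TLS"/>
  </Service>
</Server>
"""
WINDOWS_SAMPLE = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="443" scheme="https" secure="true" SSLEnabled="true">
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="./conf/OpManager.truststore"
                     certificateKeystorePassword="changeit"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for sample in (LINUX_SAMPLE, WINDOWS_SAMPLE):
        print(connector_settings(configure_connector(sample, "my-pfx-password")))
```

Run apply_to_file("conf/server.xml", password) from OpManager_Home with the service stopped, then check that the returned pair is the truststore path and the password you typed into keytool; because the password now sits in clear text in server.xml, restrict read access on the file to the OpManager service account.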
