SSL configuration with a recognized key

Note

This section describes how to add a recognized key to the Tomcat server. If you want to create an auto signed key and add it to your server, refer instead to the section SSL configuration with an auto signed key below.

You need:

  • a key file, which we will call key.key
  • a certificate file, which we will call certificate.crt

Access the Centreon Map server through SSH.

Create a PKCS12 file with the following command:

# openssl pkcs12 -inkey key.key -in certificate.crt -export -out keys.pkcs12

Then import this file into a new keystore. The resulting studio.jks must end up at the path given by the keystoreFile attribute of the connector in server.xml (/etc/centreon-studio/studio.jks by default):

# keytool -importkeystore -srckeystore keys.pkcs12 -srcstoretype pkcs12 -destkeystore studio.jks

Edit our custom server.xml and uncomment the following lines by removing the surrounding <!-- and -->.

<!--
<Connector protocol="org.apache.coyote.http11.Http11Protocol"
    compression="on"
    compressionMinSize="128"
    noCompressionUserAgents="gozilla, traviata"
    compressableMimeType="text/html,text/xml,text/css,text/javascript,application/x-javascript,application/javascript"
    port="8443"
    secure="true"
    scheme="https"
    maxThreads="200"
    SSLEnabled="true"
    sslProtocol="TLS"
    clientAuth="false"
    keystorePass="xxx"
    keystoreFile="/etc/centreon-studio/studio.jks"
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA" />
 -->

Note

Replace the keystorePass value "xxx" with the password you used for the keystore, and adapt the keystore path if you changed it.

SSL configuration with an auto signed key

Warning

Enabling SSL mode with an auto signed key forces every user to add an exception for the certificate before using the web client, so enable it only if your Centreon is also using this protocol. Every user will have to open the URL https://centreon-map-url:8443/centreon-studio/docs to add that exception. The solution is to use a signed certificate; the process of installing it will be detailed in a further version of this document.

On the Centreon Map server

Create a Keystore

Go to the bin folder of the Java installation:

# cd $JAVA_HOME/bin

Then generate a keystore file with the following command:

# keytool -genkey -alias studio -keyalg RSA -keystore /etc/centreon-studio/studio.jks

The alias value 'studio' and the keystore file path '/etc/centreon-studio/studio.jks' can be changed, but keep the default values unless you have a particular reason to do otherwise.

Provide the needed information for the keystore creation.

At the end of the form, when the 'key password' is asked, press the ENTER key to reuse the password you gave for the keystore itself.

During installation, we added a custom server.xml and saved the one present before as server.xml.map4.backup.

Edit our custom server.xml and uncomment the following lines by removing the surrounding <!-- and -->.

<!--
<Connector protocol="org.apache.coyote.http11.Http11Protocol"
    compression="on"
    compressionMinSize="128"
    noCompressionUserAgents="gozilla, traviata"
    compressableMimeType="text/html,text/xml,text/css,text/javascript,application/x-javascript,application/javascript"
    port="8443"
    secure="true"
    scheme="https"
    maxThreads="200"
    SSLEnabled="true"
    sslProtocol="TLS"
    clientAuth="false"
    keystorePass="xxx"
    keystoreFile="/etc/centreon-studio/studio.jks"
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA" />
 -->

Note

Replace the keystorePass value "xxx" with the password you used for the keystore, and adapt the keystore path if you changed it.

Tomcat is now configured to answer both HTTP and HTTPS requests.

To disable the non-secure mode, edit the file again and comment out the following lines by surrounding the block with <!-- and -->.

<Connector port="8080"
    protocol="HTTP/1.1"
    connectionTimeout="20000"
    redirectPort="8443"
    compression="on"
    compressionMinSize="128"
    noCompressionUserAgents="gozilla, traviata"
    compressableMimeType="text/html,text/xml,text/css,text/javascript,application/x-javascript,application/javascript"/>

Restart Tomcat:

# systemctl restart tomcat
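The steps above for both sections end with the same server.xml edits, and the mistakes that follow are easy to miss before restarting Tomcat: the 8443 block left commented out, the "xxx" placeholder left in keystorePass, a keystoreFile that does not exist, or the plain 8080 connector still enabled. The following Python script is an added check and not part of the Centreon documentation; the embedded server.xml is a constructed sample, and the keystore_exists parameter is an assumption so the check can run without the real keystore on disk.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample (not a real Centreon Map server.xml): the 8443 connector is
# uncommented but still carries the "xxx" placeholder, and the 8080 connector is
# still active, so both of those findings should fire.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector protocol="org.apache.coyote.http11.Http11Protocol" port="8443"
        secure="true" scheme="https" SSLEnabled="true" sslProtocol="TLS"
        clientAuth="false" keystorePass="xxx"
        keystoreFile="/etc/centreon-studio/studio.jks"/>
  </Service>
</Server>
"""


def check_connectors(xml_text, keystore_exists=os.path.isfile):
    """Return a list of findings about the HTTPS (8443) and plain HTTP (8080)
    connectors. keystore_exists is injectable (assumption for offline use).
    The XML parser drops comments, so a connector that is still commented out
    is simply absent from the tree."""
    findings = []
    connectors = ET.fromstring(xml_text).findall(".//Connector")
    https = [c for c in connectors if c.get("SSLEnabled", "").lower() == "true"]
    if not https:
        findings.append("no SSLEnabled connector: the 8443 block is still commented out")
        return findings
    for c in https:
        if c.get("keystorePass") in (None, "", "xxx"):
            findings.append("keystorePass still has the placeholder value")
        keystore = c.get("keystoreFile")
        if not keystore:
            findings.append("HTTPS connector has no keystoreFile attribute")
        elif not keystore_exists(keystore):
            findings.append(f"keystore {keystore} does not exist on disk")
        if c.get("secure") != "true" or c.get("scheme") != "https":
            findings.append('HTTPS connector is missing secure="true" or scheme="https"')
    if any(c.get("port") == "8080" for c in connectors if c not in https):
        findings.append("plain HTTP connector on 8080 is still enabled")
    return findings


if __name__ == "__main__":
    # Offline demo on the constructed sample; pretend the keystore exists.
    for finding in check_connectors(SAMPLE_SERVER_XML, keystore_exists=lambda p: True):
        print("FINDING:", finding)
```

To check a real installation, read /etc/centreon-studio/server.xml (or wherever your custom server.xml lives) into xml_text and call check_connectors with the default keystore_exists.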