SSL configuration with a recognized key

Note

This section describes how to add a recognized key to the Tomcat server. If you want to create an auto-signed key and add it to your server, please refer to the following section SSL configuration with an auto-signed key.

You will require:

  • A key file, referred to as key.key.
  • A certificate file, referred to as certificate.crt.

Access the Centreon MAP server through SSH.

Create a PKCS12 file with the following command line:

# openssl pkcs12 -inkey key.key -in certificate.crt -export -out keys.pkcs12

Then, import this file into a new keystore (a Java repository of security certificates):

# keytool -importkeystore -srckeystore keys.pkcs12 -srcstoretype pkcs12 -destkeystore studio.jks

Edit our custom server.xml and uncomment the following lines by removing the surrounding <!-- and -->.

<!--
<Connector protocol="org.apache.coyote.http11.Http11Protocol"
    compression="on"
    compressionMinSize="128"
    noCompressionUserAgents="gozilla, traviata"
    compressableMimeType="text/html,text/xml,text/css,text/javascript,application/x-javascript,application/javascript"
    port="8443"
    secure="true"
    scheme="https"
    maxThreads="200"
    SSLEnabled="true"
    sslProtocol="TLS"
    clientAuth="false"
    keystorePass="xxx"
    keystoreFile="/etc/centreon-studio/studio.jks"
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA" />
 -->

Note

Replace the keystorePass value “xxx” with the password you used for the keystore and adapt the path (if it was changed) to the keystore.

SSL configuration with an auto-signed key

Warning

Enabling the SSL mode with an auto-signed key will force every user to add an exception for the certificate before using the web client. Enable it only if your Centreon also uses this protocol. Users will have to open the URL https://centreon-map-url:8443/centreon-studio/docs. The solution we recommend is to use a recognized key method, as explained above.

On the Centreon MAP server

Create a keystore.

Go to the folder where Java is installed:

# cd $JAVA_HOME/bin

Then generate a keystore file with the following command:

# keytool -genkey -alias studio -keyalg RSA -keystore /etc/centreon-studio/studio.jks

The alias value “studio” and the keystore file path /etc/centreon-studio/studio.jks may be changed, but unless there is a specific reason, we advise keeping the default values.

Provide the needed information when creating the keystore.

At the end of the screen form, when the “key password” is requested, use the same password as the one used for the keystore itself by pressing the ENTER key.

During installation, we added a custom server.xml and saved the original server.xml as server.xml.map4.backup.

Edit our custom server.xml and uncomment the following lines by removing the surrounding <!-- and -->.

<!--
<Connector protocol="org.apache.coyote.http11.Http11Protocol"
    compression="on"
    compressionMinSize="128"
    noCompressionUserAgents="gozilla, traviata"
    compressableMimeType="text/html,text/xml,text/css,text/javascript,application/x-javascript,application/javascript"
    port="8443"
    secure="true"
    scheme="https"
    maxThreads="200"
    SSLEnabled="true"
    sslProtocol="TLS"
    clientAuth="false"
    keystorePass="xxx"
    keystoreFile="/etc/centreon-studio/studio.jks"
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA" />
 -->

Note

Replace the keystorePass value “xxx” with the password you used for the keystore and adapt the path (if it was changed) to the keystore.

Tomcat is now configured to answer both HTTP and HTTPS requests.

To disable non-secure mode, edit the file again and comment out the following lines by enclosing the block within <!-- and -->.

<Connector port="8080"
    protocol="HTTP/1.1"
    connectionTimeout="20000"
    redirectPort="8443"
    compression="on"
    compressionMinSize="128"
    noCompressionUserAgents="gozilla, traviata"
    compressableMimeType="text/html,text/xml,text/css,text/javascript,application/x-javascript,application/javascript"/>
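Once server.xml has been edited as described in both sections above, the result can be checked before Tomcat is restarted: the HTTPS connector must actually be outside its comment, the keystorePass placeholder must have been replaced, and, if non-secure mode is to be disabled, the port 8080 connector must no longer be active. The following Python script is an added example and is not part of the Centreon documentation or product. The server.xml fragments it contains are constructed samples that reproduce the connectors shown on this page; the only identifiers taken from the page are the placeholder password xxx, the keystore path and the two connector definitions.

```python
"""Sanity-check a Tomcat server.xml edited as described on this page.

The XML parser drops comments, so a Connector still wrapped in <!-- --> is
invisible here, exactly as it is to Tomcat. The checks therefore tell you
whether the uncommenting / commenting steps really took effect.
"""
import xml.etree.ElementTree as ET

# Constructed sample (not a real Centreon file): state BEFORE editing. The
# HTTPS connector is still inside an XML comment, the placeholder is untouched.
SERVER_XML_BEFORE = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
        redirectPort="8443" compression="on" />
    <!--
    <Connector protocol="org.apache.coyote.http11.Http11Protocol" port="8443"
        secure="true" scheme="https" SSLEnabled="true" sslProtocol="TLS"
        clientAuth="false" keystorePass="xxx"
        keystoreFile="/etc/centreon-studio/studio.jks" />
    -->
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

# Constructed sample: HTTPS connector uncommented but keystorePass left at "xxx",
# plain HTTP connector still active (the typical half-finished edit).
SERVER_XML_MISEDITED = SERVER_XML_BEFORE.replace("<!--", "").replace("-->", "")

# Constructed sample: the intended end state. HTTPS active with a real
# (constructed) password, plain HTTP connector commented out.
SERVER_XML_AFTER = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!--
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
        redirectPort="8443" compression="on" />
    -->
    <Connector protocol="org.apache.coyote.http11.Http11Protocol" port="8443"
        secure="true" scheme="https" SSLEnabled="true" sslProtocol="TLS"
        clientAuth="false" keystorePass="constructed-keystore-password"
        keystoreFile="/etc/centreon-studio/studio.jks" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

# Constructed sample: "-->" removed but "<!--" forgotten, so the rest of the
# file is swallowed by an unterminated comment and Tomcat will refuse to start.
SERVER_XML_BROKEN = SERVER_XML_BEFORE.replace("-->", "")


def audit_connectors(xml_text: str) -> dict:
    """Return a findings dict describing the active Connector elements."""
    findings = {
        "well_formed": True,
        "https_enabled": False,
        "plain_http_enabled": False,
        "placeholder_password": False,
        "problems": [],
    }
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        findings["well_formed"] = False
        findings["problems"].append(f"server.xml is not well-formed XML: {exc}")
        return findings

    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() == "true":
            findings["https_enabled"] = True
            if conn.get("keystorePass") == "xxx":
                findings["placeholder_password"] = True
                findings["problems"].append('keystorePass is still the placeholder "xxx"')
            if conn.get("scheme") != "https" or conn.get("secure") != "true":
                findings["problems"].append('HTTPS connector needs scheme="https" and secure="true"')
            if not conn.get("keystoreFile"):
                findings["problems"].append("HTTPS connector has no keystoreFile attribute")
        else:
            # Any connector without SSLEnabled is treated as plain HTTP; the
            # file on this page only has the 8080 and 8443 connectors.
            findings["plain_http_enabled"] = True

    if not findings["https_enabled"]:
        findings["problems"].append("no HTTPS connector is active (still commented out?)")
    if findings["plain_http_enabled"]:
        findings["problems"].append("a plain HTTP connector is still active (non-secure mode on)")
    return findings


if __name__ == "__main__":
    for name, sample in [("before", SERVER_XML_BEFORE), ("misedited", SERVER_XML_MISEDITED),
                         ("after", SERVER_XML_AFTER), ("broken", SERVER_XML_BROKEN)]:
        result = audit_connectors(sample)
        print(f"{name}: {'OK' if not result['problems'] else result['problems']}")
```

On a real server, read /etc/centreon-studio/server.xml (or wherever your Tomcat instance keeps it) into xml_text instead of the constructed samples; an empty problems list for the "after" state means the connector edits took effect and only then is the restart worth doing.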

Restart Tomcat.

# systemctl restart tomcat