
Adding an SSL certificate to Virtualization Manager

You can replace the SSL certificate included with Virtualization Manager with one of your own.

Warning: When you use the su command (switch user), you open the computer to security risks. It is not good practice for numerous people to know the root password. When you log in as root, you have full system privileges, and you can perform any and all commands. Some of these commands are destructive. Inexperienced users could cause serious damage to the system. When a user leaves the company, or otherwise should no longer have access to the root account, the system administrator should change the root password.

To add a self-signed SSL certificate:

1. Log on to the virtual appliance by using the console or an SSH connection.

2. Enter the following command: sudo su - root

3. Navigate to the java bin folder on the virtual appliance. This is generally found in the /usr/java/jdkX/bin folder, where X represents the jdk version number.

4. Enter the following command, where mykeystore is the name of your new keystore and daysvalid is the number of days the certificate is valid:

./keytool -genkey -alias tomcat -keyalg RSA -keystore /etc/hyper9/mykeystore -validity daysvalid

Note: If you use the default keystore, hyper9-keystore, you do not need to modify the server.xml file.

5. When prompted, enter a new keystore password. This information is necessary for a later step.

6. Enter the information necessary for the new certificate. Provide the following information:

• Your domain name instead of the first and last name

• The name of your organizational unit

• The name of your organization

• The name of your city or locality

• The name of your state or province

• Your two letter country code

This information is displayed to users who attempt to access Virtualization Manager through a secure connection.

If you do not use the domain name for the name, you will continue to receive certificate errors.

7. Type yes when prompted to confirm your new key information.

8. When prompted for the key password, enter the keystore password you entered before.

Chapter 3: Administration and setup

9. Modify the owner of the keystore by entering the following command, where mykeystore is the name of your keystore:

chown hyper9.hyper9 /etc/hyper9/mykeystore

10. Change the permissions on the keystore by entering the following command, where mykeystore is the name of your keystore:

chmod 755 /etc/hyper9/mykeystore

11. Navigate to /usr/share/tomcat-X/conf, and create a backup of the server.xml file.

Note: If you use the default keystore, hyper9-keystore, you do not need to modify the server.xml file.

12. Open the server.xml file.

13. Edit the connector entity to include the keystore location. The entity should look similar to the following:

<Connector port="8443"

14. Save the server.xml file.

Note: After an upgrade, the certificate configuration reverts to the default self-signed certificate. To preserve your configuration, create a backup of the server.xml file located in /usr/share/tomcat-X/conf under a different name (for example, server.xml.beforeupgrade).

15. Restart Tomcat by entering the following command:

service tomcat6 restart

If you receive "Untrusted site" errors after adding your certificate, see the KB article about Accepting an Unsigned Certificate.

To add a certificate from a certificate authority:

Warning: While you can add a certificate from a certificate authority, SolarWinds Technical Support only assists you with adding a self-signed certificate.

If you need clarification, see the Tomcat help page, or the help page of your certificate authority.

1. Log on to the virtual appliance by using the console or an SSH connection.

2. Enter the following command: sudo su - root

3. Navigate to the java bin folder on the virtual appliance. This is generally found in the /usr/java/jdkX/bin folder, where X represents the jdk version number.

4. Enter the following command, where mykeystore is the name of your new keystore:

./keytool -genkey -alias tomcat -keyalg RSA -keystore /etc/hyper9/mykeystore

5. When prompted, enter a new keystore password. This information is necessary for a later step.

6. Enter the information necessary for the new certificate. Provide the following information:

• Your domain name instead of the first and last name

• The name of your organizational unit

• The name of your organization

• The name of your city or locality

• The name of your state or province

• Your two letter country code

7. Enter yes when prompted to confirm your new key information.

8. When prompted for the key password, enter the keystore password you entered before.

9. Enter the following command, where mykeystore is the name of your new keystore:

keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore mykeystore

10. Submit the CSR to your certificate authority (CA).

11. After the CA replies to you, copy the certificate and chain certificate to a permanent location in the virtual appliance.

12. Navigate to the java bin folder.

13. Import the chain certificate by entering the following command, where mykeystore is the name of your new keystore and chain_certificate_filename is the name of your chain certificate:

keytool -import -alias root -keystore mykeystore -trustcacerts -file chain_certificate_filename

14. Import the new certificate by entering the following command, where mykeystore is the name of your new keystore and certificate_filename is the name of your certificate:

keytool -import -alias tomcat -keystore mykeystore -file certificate_filename

15. Navigate to /usr/share/tomcat-X/conf, and create a backup of the server.xml file.

16. Open the server.xml file.

17. Edit the connector entity to include the keystore location. The entity should look similar to the following:

keystoreFile="../../conf/hyper9-keystore"

clientAuth="false"

sslProtocol="TLS" />

18. Save the server.xml file.

19. Restart Tomcat by entering the following command:

service tomcat6 restart
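
Added example (not part of the vendor documentation): a check for the keystore permission and server.xml steps of both procedures and for the post-upgrade note. It reports whether the connector on port 8443 uses the default hyper9-keystore or a custom keystore, and whether a keystore file is readable by every local account, which is the state chmod 755 leaves it in. The function names and the sample file are constructed for this example.

```sh
# Added example, not vendor code. Port 8443 and the default keystore name are
# from the page; function names and the sample file are constructed here.
DEFAULT_KS="hyper9-keystore"

# Flatten server.xml and drop <!-- ... --> so a commented-out connector is ignored.
strip_comments() {
    { tr '\n' ' ' < "$1"; echo; } | awk '{
        while ((s = index($0, "<!--")) > 0) {
            rest = substr($0, s + 4); e = index(rest, "-->")
            if (e == 0) { $0 = substr($0, 1, s - 1); break }
            $0 = substr($0, 1, s - 1) substr(rest, e + 3)
        }
        print }'
}

# keystoreFile of the connector whose own port attribute is 8443
# (redirectPort="8443" on the HTTP connector does not count).
connector_keystore() {
    strip_comments "$1" | tr '<' '\n' | grep '^Connector[[:space:]]' |
        grep '[[:space:]]port="8443"' |
        sed -n 's/.*[[:space:]]keystoreFile="\([^"]*\)".*/\1/p' | head -n 1
}

# Prints "missing", "default" (back on hyper9-keystore) or "custom:<path>".
keystore_status() {
    ks=$(connector_keystore "$1") || true
    case "${ks##*/}" in
        "")            echo "missing" ;;
        "$DEFAULT_KS") echo "default" ;;
        *)             echo "custom:$ks" ;;
    esac
}

# Mode bits only: "world-readable" is the state chmod 755 leaves the file in.
keystore_mode() {
    [ -f "$1" ] || { echo "absent"; return 0; }
    if [ -n "$(find "$1" -perm -004 -print)" ]; then echo "world-readable"
    else echo "restricted"; fi
}

# Constructed sample: commented-out default connector plus a live custom one.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<Connector port="8080" redirectPort="8443" />
<!-- <Connector port="8443" keystoreFile="../../conf/hyper9-keystore" /> -->
<Connector port="8443"
   keystoreFile="/etc/hyper9/mykeystore" clientAuth="false" sslProtocol="TLS" />
EOF
keystore_status "$sample"; rm -f "$sample"
```

After an upgrade, run keystore_status against /usr/share/tomcat-X/conf/server.xml; a result of "default" means the connector has reverted and the backed-up server.xml needs to be restored.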