Accessing Celoxis using SSL
For the purpose of this article, let's assume that Celoxis has been installed on a Linux server at /usr/local/celoxis and is accessed as http://celoxis.acme.com:8888.
Default SSL
Celoxis ships with a self-signed SSL certificate and is accessible on port 8843 as https://celoxis.acme.com:8843. Chrome and other browsers warn that a site serving a self-signed certificate is not secure. To avoid this warning, install a certificate from a known provider such as Verisign, Thawte or RapidSSL.
Installing your own SSL Certificate
Each provider comes with their own instructions. However, we are going to look at the most common scenario.
Stop Celoxis
Stop Celoxis as we are going to overwrite a file.
Go to the <Celoxis-Install-Dir>
$ cd /usr/local/celoxis
Generate a Key Pair
Enter celoxis as the password; the reason will become evident at the end of this article. In place of celoxis.acme.com, enter your own hostname.
$ keytool -genkey -alias celoxis -keyalg RSA -keystore celoxis.jks
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  celoxis.acme.com
What is the name of your organizational unit?
  [Unknown]:
What is the name of your organization?
  [Unknown]:  Acme
What is the name of your City or Locality?
  [Unknown]:  Santa Clara
What is the name of your State or Province?
  [Unknown]:  CA
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=celoxis.acme.com, OU=Unknown, O=Acme, L=Santa Clara, ST=CA, C=US correct?
  [no]:  yes
Enter key password for <celoxis>
        (RETURN if same as keystore password):
$
Generate a Certificate Request (CSR)
We will be generating the CSR in a file named certreq.csr.
$ keytool -certreq -keyalg RSA -alias celoxis -file certreq.csr -keystore celoxis.jks
Enter keystore password:
$
List the files
We have the two expected files.
$ ls
celoxis.jks  certreq.csr
$
Get the SSL certificate
You would now go to one of the SSL certificate issuers such as Verisign, RapidSSL or GeoTrust and use the certreq.csr file to request an SSL certificate. They will verify that you own the domain you requested the certificate for and then issue it.
You will receive two files in PEM format: one is your certificate and the other is the chain up to the CA certificate. Let's assume that the chain is in the file chain.crt and your certificate in certificate.crt.
Copy these two files to <Celoxis-Install-Dir>.
Import the two files into our keystore
$ keytool -import -trustcacerts -alias intermediate -file chain.crt -keystore celoxis.jks
Enter keystore password:
$ keytool -import -trustcacerts -alias celoxis -file certificate.crt -keystore celoxis.jks
Enter keystore password:
$
Our keystore is now ready!
Overwrite Celoxis's keystore with our keystore
$ cp celoxis.jks /usr/local/celoxis/psa_14.5.x/.keystore
$
Change 8843 to 443 (the default SSL port)
Open <Celoxis-Install-Dir>/psa_14.5.x/conf/server.xml and change the port number of the HTTPS connector as shown below (before, then after).
Before:
<Connector port="8843"
    ...
    scheme="https"
    secure="true"
    keystoreFile=".keystore"
    keystorePass="celoxis"
    ...
/>
After:
<Connector port="443"
    ...
    scheme="https"
    secure="true"
    keystoreFile=".keystore"
    keystorePass="celoxis"
    ...
/>
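The import, keystore check, install and port-switch steps above as shell functions. This is an added example, not Celoxis's own tooling or a script from the original article; it assumes the article's paths (/usr/local/celoxis, the psa_14.5.x directory, conf/server.xml) and keystore password, and the verify_keystore check and the https-only port rewrite are additions of mine, not steps from the article.

```bash
#!/usr/bin/env bash
# Added example, not Celoxis's own tooling: the import, check, install and
# port-switch steps of this article as functions. Paths and the psa_14.5.x
# directory are the article's assumptions and may differ on your server.
set -eu
CELOXIS_DIR="${CELOXIS_DIR:-/usr/local/celoxis}"
KEYSTORE="$CELOXIS_DIR/celoxis.jks"
STOREPASS="celoxis"                         # must equal keystorePass in server.xml
TARGET_KEYSTORE="$CELOXIS_DIR/psa_14.5.x/.keystore"
SERVER_XML="$CELOXIS_DIR/psa_14.5.x/conf/server.xml"

# Import the CA chain, then the issued certificate, into the keystore that
# already holds the 'celoxis' private key from the keytool -genkey step.
import_chain_and_cert() {
  keytool -import -trustcacerts -alias intermediate -file "$1" \
          -keystore "$KEYSTORE" -storepass "$STOREPASS" -noprompt
  keytool -import -trustcacerts -alias celoxis -file "$2" \
          -keystore "$KEYSTORE" -storepass "$STOREPASS"
}
# Refuse to install unless 'celoxis' is a private-key entry whose chain has at
# least two certificates (leaf + intermediate); a lone leaf means the chain
# import did not take and browsers will still warn.
verify_keystore() {
  listing=$(keytool -list -v -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias celoxis)
  case "$listing" in
    *PrivateKeyEntry*"Certificate chain length: "[2-9]*) return 0 ;;
  esac
  echo "alias celoxis has no private key with a full chain" >&2; return 1
}
# The keystore holds the private key: copy it in place and make it readable
# only by the account Celoxis runs as (run this as that account).
install_keystore() { cp "$KEYSTORE" "$TARGET_KEYSTORE"; chmod 600 "$TARGET_KEYSTORE"; }
# Rewrite the port of the https Connector only, even when it spans several
# lines; the HTTP connector and commented-out Tomcat samples are left alone.
switch_https_port() {                       # args: server.xml from-port to-port
  awk -v from="$2" -v to="$3" '
    /<Connector/ { inconn = 1; buf = "" }
    inconn { buf = (buf == "") ? $0 : buf "\n" $0
             if ($0 ~ /\/>/) { if (buf ~ /scheme="https"/)
                                 sub("port=\"" from "\"", "port=\"" to "\"", buf)
                               print buf; inconn = 0 }
             next }
    { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}
# Whole sequence, to run after stopping Celoxis:
#   import_chain_and_cert chain.crt certificate.crt && verify_keystore &&
#   install_keystore && switch_https_port "$SERVER_XML" 8843 443
```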
After an upgrade of Celoxis, you will have to copy the celoxis.jks file to the .keystore file again, and also change the port number as shown above. Do this only after the upgrade is successful.
Start Celoxis
Start Celoxis and point your browser to https://celoxis.acme.com. You should be taken to the Celoxis login screen.