
Wednesday, 18 March 2015

Java - Tomcat SSL certificates and Vmware View 5

This walks through the process of making a website SSL compliant on Tomcat, which is just very VERY particular.  On the server that needs the certificate, I suggest creating a directory on the root of the C drive as a temporary working area, something like c:\newkeys.  In this example, I will be using the server cm-testserver.
You need to add a Java tool to your environment path first: go to Properties of My Computer, click the Advanced tab, then click Environment Variables.
In the System Variables group, select path and click Edit.
Type the path to the JRE directory in the Variable Value text box; on cm-testserver this is
D:\Program Files\VMware\VMware View\Server\jre\bin
Note: use a semicolon to separate the path variables.
On the server in question (cm-testserver), open a cmd prompt and navigate to c:\newkeys.  Type in
keytool -genkey -keyalg "RSA" -keystore keys.p12 -storetype pkcs12 -validity 360 -keysize 2048
This tells keytool to generate a key pair (genkey) and store it in a keystore.  A keystore is analogous to a safe: it holds your private key and your certificates.  The key uses the RSA algorithm (RSA) and the safe is to be called keys.p12.  The keystore will be created in the pkcs12 format, it's valid for 360 days, and the key will be generated with a size of 2048 bits.
When keytool prompts you for the first and last name, type the FQDN (Fully Qualified Domain Name) of the server.  So this example would be cm-testserver.<yourdomain>
Enter all the rest of the information, remembering that the country code is GB for ISO compliance.
Now you need to type in the following to generate a certificate request.  You then send the request out to the certificate authority, they send back a certificate, and you store it inside the keystore.
keytool -certreq -keyalg "RSA" -file certificate.csr -keystore keys.p12 -storetype pkcs12 -storepass ATopSecretPassword
At the time of writing, we are using Janet, which in turn uses Comodo to authorise certificates.  Janet / Comodo only send back *.cer certificates, and not PKCS7 standard certificates.  The ZIP file that contains all of the certificates needs to be extracted to a new, empty temporary directory.  Highlight one of the extracted certificates, right-click it, and select Open on the menu.
A new window pops open.  Click the Details tab at the top, and then click the Copy To File button on the lower right.  Click Next on the wizard.  We are now exporting your new certificate out into PKCS#7 format.  Select the third option down, "Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B)", and ENSURE that the tick box "Include all certificates in the certification path if possible" IS ticked.  Unlike in other configurations where you might install the root certificates one by one, here you bundle them all together.
Export it to a file name of your choice (I called mine testserver.p7b), and remember where you save it.
Now go back to the server where you were creating the keystores and copy the file that you've created with the merged certificates into your c:\newkeys directory.
Go back to your DOS prompt and, making sure that you are at the path c:\newkeys, type in the following command:
keytool -import -keystore keys.p12 -storetype pkcs12 -storepass ATopSecretPassword -keyalg "RSA" -trustcacerts -file testserver.p7b
With the above command, you are telling the keytool to import into your keys.p12 file (the keystore) the merged certificates that are held in your testserver.p7b file.
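A check worth running at this point, as an added example that is not part of the original post: the PowerShell function below reads the text printed by keytool -list -v and confirms that the entry is still a private key entry, that it now carries the CA chain from the .p7b file, and that the certificate names the server's FQDN.  The function name, the sample listing and the example.test domain are assumptions made for illustration.

```powershell
# Added example: inspect the text printed by "keytool -list -v" for keys.p12.
function Test-KeytoolListing {
    param(
        [Parameter(Mandatory=$true)][string]$Listing,       # keytool -list -v output
        [Parameter(Mandatory=$true)][string]$ExpectedFqdn   # name given at the first/last name prompt
    )
    $problems = @()

    # The entry must still hold the private key that -genkey created.
    $entryType = if ($Listing -match '(?m)^Entry type:\s*(\S+)') { $Matches[1] } else { '' }
    if ($entryType -ne 'PrivateKeyEntry') { $problems += "Entry type is '$entryType', not PrivateKeyEntry" }

    # A bundled .p7b reply yields the server certificate plus the CA certificates.
    $chain = if ($Listing -match '(?m)^Certificate chain length:\s*(\d+)') { [int]$Matches[1] } else { 0 }
    if ($chain -lt 2) { $problems += "Chain length is $chain, so the CA certificates are missing" }

    # The first Owner/Issuer pair in the listing belongs to Certificate[1], the server certificate.
    $owner  = if ($Listing -match '(?m)^Owner:\s*(.+?)\s*$')  { $Matches[1] } else { '' }
    $issuer = if ($Listing -match '(?m)^Issuer:\s*(.+?)\s*$') { $Matches[1] } else { '' }
    if ($owner -eq $issuer) { $problems += 'Certificate[1] is self-signed: the CA reply was not imported' }

    $cn = if ($owner -match 'CN=([^,]+)') { $Matches[1].Trim() } else { '' }
    if ($cn -ne $ExpectedFqdn) { $problems += "Subject CN '$cn' does not match '$ExpectedFqdn'" }

    New-Object PSObject -Property @{
        EntryType = $entryType; ChainLength = $chain; SubjectCN = $cn
        Ok = ($problems.Count -eq 0); Problems = $problems
    }
}

# Constructed sample listing (not real output); the domain and CA names are placeholders.
$sample = @'
Alias name: mykey
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=cm-testserver.example.test, O=Example Org, C=GB
Issuer: CN=Example Issuing CA, O=Example CA Ltd, C=GB
'@

Test-KeytoolListing -Listing $sample -ExpectedFqdn 'cm-testserver.example.test'

# Against the real keystore, from c:\newkeys:
#   $text = keytool -list -v -keystore keys.p12 -storetype pkcs12 -storepass ATopSecretPassword | Out-String
#   Test-KeytoolListing -Listing $text -ExpectedFqdn 'cm-testserver.<yourdomain>'
```

A chain length of 1 with identical Owner and Issuer means the keystore still holds only the self-signed certificate that -genkey produced, so the import needs repeating before the file is copied to the server.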
Yay!  You now have a certificated keystore file!  Now we have to make your Tomcat environment work with it.
You need to copy that keys.p12 file to d:\program files\vmware\vmware view\server\sslgateway\conf\
Within that same directory, you need to edit a file called
If the file does not exist, you need to create it.
In that file, you need two lines.
The password is the same one that you typed in earlier (remember?!!)

Then restart the View Connection Server service.  Job done!
