-
Titolo
HOW TO CONFIGURE STAT WEB CLIENT TO USE HTTPS -
Descrizione
How do you configure Stat Web Client to use HTTPS?
-
Causa
N/A
-
Risoluzione
This article has been tested for Stat 6.3 and Stat 7.0. For Stat 7.0, please take a look at the specific note at the end of the article.
- Creating the Self-Signed Certificate
The Java Developer's Kit includes a utility to create certificates. Go to a command line and navigate to your JRE directory where keytool.exe is located. Type the following command:
keytool -genkey -alias key4stat -keyalg RSA -keystore key4stat.jks -keysize 2048 -validity 3650
This command tells Java to generate a self-signed certificate. Some prompts look like this:
Following the Warning, we execute the command suggested to migrate from JKS to PKCS12 format:
keytool -importkeystore -srckeystore key4stat.jks -destkeystore key4stat.jks -deststoretype pkcs12
Notice that there are two prompts for the password. That's because there's one password for the keystore and one password for the actual key. Test this using the defaults indicated above and also using something different for the password
2. Moving the Keystore
By default, the keytool puts information in the "C:\Users\graiano" directory for your USER-ID. In the example above, we'd find that the keystore has been created as a file called:
C:\Users\graiano\key4stat.jks- Browse to C:\Users\graiano\key4stat.jks
- Copy the key4stat.jks to the SCA_HOME\app\standalone\configuration.
- Update the standalone-full-https.xml as below:
<security-realm name="SslRealm">
<server-identities>
<ssl>
<keystore keystore-password="changeme" path="key4stat.jks" relative-to="jboss.server.config.dir" alias="key4stat"/>
</ssl>
</server-identities>
</security-realm>
- Shutdown the SCA
- Delete cache directories (data, log, and tmp)
- Edit the standalone.conf.bat pointing to the standalone-full-https.xml
set SERVER_CONFIG=standalone-full-https.xml
- Start the SCA and fill in the URL as https://sca_server:8443/stat-config from the browser to reconfigure the SCA page for the HTTPS protocol.
- Now, log into the Web Client and click on “Not Secure | Certificate details” as the screenshots below show. Export and save your certificate .crt.
3. Additional steps for the EBS environment
Now we have the .jks and the .crt files created on the SCA machine, and we have to move to the EBS machine by FTP under the STAT_JAVA_HOME/jre/lib/security.
Using the keytool utility, we can import the certificate as below:
keytool -import -keystore jssecacerts -file Gio.crt -alias key4stat
Go into the OA_HOME\conf and edit the stat.conf setting the parameter below:
stat.central_agent.name_port:8443
stat.central_agent.protocol:https
Start the OA that will get an HTTPS communication with the SCA.
For Stat 7.0
Please create a keystore with the command below:
keytool -genkeypair -v -keystore [KEYSTORE_NAME] -keyalg RSA -keysize 2048 -storepass [KEYSTORE_PASSWORD] -keypass [KEYSTORE_PASSWORD] -dname "cn=[SCA_IP_ADDRESS],o=[ORGNIZATION_NAME],c=[COUNTRY_CODE]" -alias [SCA_IP_ADDRESS] -ext "SAN=dns:localhost,dns:[SCA_HOST_NAME],ip:[SCA_IP_ADDRESS]"Once the keystore is created, replace the older one with the newer one. The SCA should refer to this new keystore.
Use the command below to import the keystore to the JDK's cacerts file of the EBS machine:
keytool -import -keystore [JDK_CERTICATE_FILE_PATH] -file [SERVER_CERTIFICATE] -alias [ALIAS_NAME]
Restart the OA.