
Enable HTTPS/SSL using CA Signed certificate

About

Before we start enabling SSL, if you are not familiar with SSL or have questions about it, we recommend reading our Security using SSL (Secure Sockets Layer) article first.

The steps below enable SSL/HTTPS for a Linux installation; refer to your operating system manual for the equivalent commands if you are using a different operating system. Perform them after you have launched your instance from the Oracle Cloud Marketplace or AWS, or after completing a Falcon Deploy installation on an on-premise server.

SSL Change

From an application user's perspective, here is how access to the application changes before and after the switch. When you first launch the Falcon Deploy application, SSL is not enabled, because enabling it requires a certificate that identifies you and your organization.

Before Change

You will access the application using a browser via HTTP protocol. The web address for the Tomcat Manager application will be similar to http://hostname_or_ip:8080/manager/html. The web address for the Falcon Deploy application will be similar to http://hostname_or_ip:8080/falcon-deploy/.

After Change

You will access the application using a browser via HTTPS protocol. The web address for the Tomcat Manager application will be similar to https://hostname_or_ip:8443/manager/html. The web address for the Falcon Deploy application will be similar to https://hostname_or_ip:8443/falcon-deploy/.

Domain name and DNS entry

Most organizations have a team that takes care of issuing certificates, and in many cases your organization has already paid for a wildcard SSL certificate. A wildcard certificate protects your primary domain and an unlimited number of its subdomains; for example, a single wildcard certificate can secure app1.yourcompany.com, app2.yourcompany.com, falcon-deploy.yourcompany.com, and so on. Have a DNS entry added for falcon-deploy.yourcompany.com that points to the server where the Falcon Deploy application is running, then obtain and install the SSL certificate.

For this demo, we obtained the domain falcon-deploy-demo.com. A DNS lookup of this name resolves to the IP address of the server where Falcon Deploy is installed. We will install a CA-signed certificate issued for the domains falcon-deploy-demo.com and www.falcon-deploy-demo.com.

Connect as falcon User

We will perform the steps listed here as the falcon user. In most installations, this operating system account is locked for direct login.

If you launched your instance in Oracle Cloud Marketplace, login to the server as opc user.

If you launched your instance in AWS, login to the server as ec2-user.

If you installed Falcon Deploy on an on-premise server, login using your user account.

Unlock the falcon user account.

# Set SHELL for 'falcon' user
> sudo usermod -s /bin/bash falcon

# Switch to 'falcon' user
> sudo su - falcon

Create key using keytool

# Create directory that will store the key
> mkdir -p /falcon_deploy/app/config/ssl
> cd /falcon_deploy/app/config/ssl

# Create the key pair using keytool (you will be prompted for a keystore password and the certificate subject fields)
> $JAVA_HOME/bin/keytool -genkey -keyalg RSA -alias falcon-deploy-demo.com -storetype PKCS12 -keystore /falcon_deploy/app/config/ssl/keystore.p12 -keysize 2048 -validity 365

Sample output

[falcon@falcon-deploy-ora-linux-compute ssl]$ $JAVA_HOME/bin/keytool -genkey -keyalg RSA -alias falcon-deploy-demo.com -storetype PKCS12 -keystore /falcon_deploy/app/config/ssl/keystore.p12 -keysize 2048 -validity 365
Enter keystore password:
What is your first and last name?
  [Unknown]:  falcon-deploy-demo.com
What is the name of your organizational unit?
  [Unknown]:  Falcon Deploy
What is the name of your organization?
  [Unknown]:  Falcon Deploy
What is the name of your City or Locality?
  [Unknown]:  Cumming
What is the name of your State or Province?
  [Unknown]:  Georgia
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=falcon-deploy-demo.com, OU=Falcon Deploy, O=Falcon Deploy, L=Cumming, ST=Georgia, C=US correct?
  [no]:  yes

Note: the Common Name (CN) must match the fully qualified domain name (FQDN) of your server, that is, the host part that you enter before the port number in a web browser.

Verify the new key

> $JAVA_HOME/bin/keytool -v -list -keystore /falcon_deploy/app/config/ssl/keystore.p12

Generate CSR (Certificate Signing request)

A CSR is an encoded block of text that is given to a Certificate Authority when applying for an SSL certificate. In our case, we generate it on the server where the Falcon Deploy application is installed. It contains the public key from the key pair we generated in the previous step, together with the subject information we entered when generating that key pair, e.g. CN=falcon-deploy-demo.com, OU=Falcon Deploy, O=Falcon Deploy, L=Cumming, ST=Georgia, C=US.

# Use keytool -certreq to generate the CSR
> $JAVA_HOME/bin/keytool -certreq -keyalg RSA -alias falcon-deploy-demo.com -file falcon-deploy-demo_com.csr -keystore /falcon_deploy/app/config/ssl/keystore.p12

Sample output

[falcon@falcon-deploy-ora-linux-compute ssl]$ $JAVA_HOME/bin/keytool -certreq -keyalg RSA -alias falcon-deploy-demo.com -file falcon-deploy-demo_com.csr -keystore /falcon_deploy/app/config/ssl/keystore.p12
Enter keystore password:
[falcon@falcon-deploy-ora-linux-compute ssl]$ ls -ltr
total 12
-rw-rw----. 1 falcon deploy 5085 Jan 26 21:28 keystore.p12
-rw-rw----. 1 falcon deploy 1113 Jan 26 21:29 falcon-deploy-demo_com.csr

Obtain the Certificate

Work with your internal team to obtain the certificate. In case you work directly with a CA, you will have to follow their validation method to prove you own the domain.

Install the certificate

Copy the certificate files to the same directory as your keystore (/falcon_deploy/app/config/ssl). Install the certificate into the same keystore, under the same alias, that you used when generating the CSR.

The import/install method depends on the certificate format (file type) you received.

.p7b or .cer

If you received a .p7b or .cer file, it already contains the ‘root’ and ‘intermediate’ certificates, so the import is completed in a single step.

# Import the certificate
> $JAVA_HOME/bin/keytool -importcert -trustcacerts -file falcon-deploy-demo.com.p7b -alias falcon-deploy-demo.com -keystore /falcon_deploy/app/config/ssl/keystore.p12

Sample output

[falcon@falcon-deploy-ora-linux-compute ssl]$ $JAVA_HOME/bin/keytool -importcert -trustcacerts -file falcon-deploy-demo.com.p7b -alias falcon-deploy-demo.com -keystore /falcon_deploy/app/config/ssl/keystore.p12
Enter keystore password:
Certificate reply was installed in keystore

If successful, you will see ‘Certificate reply was installed in keystore’ message.

.crt

If you received a .crt file, you need to import the root certificate, the intermediate certificate(s), and the certificate issued for your domain name into the keystore separately, in that order: start with the root certificate and end with the certificate for your domain name.

Example commands

# Import commands for .crt files (-import is the older name of -importcert).
# keytool may prompt before adding the root certificate ("Trust this certificate? [no]:"); confirm with yes for your CA's root.
> $JAVA_HOME/bin/keytool -import -alias root -keystore /falcon_deploy/app/config/ssl/keystore.p12 -trustcacerts -file root.crt
> $JAVA_HOME/bin/keytool -import -alias intermediate -keystore /falcon_deploy/app/config/ssl/keystore.p12 -trustcacerts -file intermediate.crt
> $JAVA_HOME/bin/keytool -import -alias falcon-deploy-demo.com -keystore /falcon_deploy/app/config/ssl/keystore.p12 -trustcacerts -file falcon-deploy-demo.com.crt

Validate

You can use the same command you used earlier to validate the installed certificate.

> $JAVA_HOME/bin/keytool -v -list -keystore /falcon_deploy/app/config/ssl/keystore.p12
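The listing printed by keytool -v -list is where the two common import mistakes from the notes above show up: a reply imported under an alias other than the one used for the CSR is stored as a separate trustedCertEntry instead of becoming the certificate for your key, and a leaf certificate whose Common Name does not match the FQDN. Current browsers additionally match the host name against the Subject Alternative Name (SAN) entries rather than the CN, so the FQDN should appear there too. The following POSIX shell script is an added example and is not part of the Falcon Deploy documentation or product: it parses a saved keytool listing and checks that the alias is a PrivateKeyEntry with a full chain, that the leaf CN equals the expected host, and that a given name is present as a DNSName SAN. The listing embedded in sample_listing_file is constructed for the example; the CA names in it are placeholders.

```shell
#!/bin/sh
# Added example, not from the Falcon Deploy docs: sanity-check a saved
# "keytool -v -list" listing after the CA reply has been imported.
# Save a real listing with:
#   $JAVA_HOME/bin/keytool -v -list -keystore keystore.p12 > listing.txt

# alias_block LISTING ALIAS: print the lines belonging to one alias, from its
# "Alias name:" line up to (not including) the next "Alias name:" line.
alias_block() {
    awk -v a="$2" '
        /^Alias name: / { in_block = ($0 == ("Alias name: " a)) }
        in_block { print }
    ' "$1"
}

# check_keystore_listing LISTING ALIAS EXPECTED_CN
# 0 = ok; 1 = alias missing; 2 = not a PrivateKeyEntry (reply imported under
# the wrong alias); 3 = chain holds only the self-signed key (reply never
# installed); 4 = leaf CN differs from EXPECTED_CN.
check_keystore_listing() {
    block=$(alias_block "$1" "$2")
    if [ -z "$block" ]; then
        echo "alias '$2' not found" >&2; return 1
    fi
    entry_type=$(printf '%s\n' "$block" | sed -n 's/^Entry type: //p' | head -n 1)
    if [ "$entry_type" != "PrivateKeyEntry" ]; then
        echo "alias '$2' is '$entry_type', expected PrivateKeyEntry" >&2; return 2
    fi
    chain_len=$(printf '%s\n' "$block" | sed -n 's/^Certificate chain length: //p' | head -n 1)
    if [ "${chain_len:-0}" -lt 2 ]; then
        echo "chain length ${chain_len:-0}: CA reply not installed" >&2; return 3
    fi
    # The first "Owner:" line in the block belongs to Certificate[1], the leaf.
    leaf_cn=$(printf '%s\n' "$block" | sed -n 's/^Owner: CN=\([^,]*\).*/\1/p' | head -n 1)
    if [ "$leaf_cn" != "$3" ]; then
        echo "leaf CN '$leaf_cn' does not match '$3'" >&2; return 4
    fi
    return 0
}

# listing_has_dns_san LISTING ALIAS NAME: 0 when NAME is a DNSName SAN entry.
listing_has_dns_san() {
    alias_block "$1" "$2" | grep -qxF "  DNSName: $3"
}

# sample_listing_file: write a constructed listing (shape of keytool -v -list
# output, placeholder CA names) to a temp file and print its path.
sample_listing_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: falcon-deploy-demo.com
Creation date: Jan 26, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=falcon-deploy-demo.com, OU=Falcon Deploy, O=Falcon Deploy, L=Cumming, ST=Georgia, C=US
Issuer: CN=Placeholder Issuing CA, O=Placeholder CA
Extensions:
SubjectAlternativeName [
  DNSName: falcon-deploy-demo.com
  DNSName: www.falcon-deploy-demo.com
]
Certificate[2]:
Owner: CN=Placeholder Issuing CA, O=Placeholder CA
Issuer: CN=Placeholder Root CA, O=Placeholder CA
Certificate[3]:
Owner: CN=Placeholder Root CA, O=Placeholder CA
Issuer: CN=Placeholder Root CA, O=Placeholder CA

*******************************************

Alias name: root
Creation date: Jan 26, 2019
Entry type: trustedCertEntry
Owner: CN=Placeholder Root CA, O=Placeholder CA
Issuer: CN=Placeholder Root CA, O=Placeholder CA
EOF
    echo "$f"
}

# Stand-alone run against the constructed listing: sh check_listing.sh --demo
if [ "${1:-}" = "--demo" ]; then
    f=$(sample_listing_file)
    check_keystore_listing "$f" falcon-deploy-demo.com falcon-deploy-demo.com && echo "keystore entry ok"
    listing_has_dns_san "$f" falcon-deploy-demo.com www.falcon-deploy-demo.com && echo "www SAN present"
    rm -f "$f"
fi
```

To use it on a real server, redirect the keytool listing to a file and call check_keystore_listing with that file, the alias from your CSR and your FQDN; a non-zero return code names the failed check.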

Update Tomcat configuration

Edit the server.xml file in $TOMCAT_HOME/conf. You may have to uncomment the SSL connector by removing the surrounding <!-- and --> markers, then edit the block as shown below. Use your keystore password as the value of the keystorePass attribute.

# Adjust the path if your Tomcat directory name includes the version number that came with your download.
> sudo vi /opt/apache-tomcat/conf/server.xml

<Connector port="8443" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           sslProtocol="TLS"
           keystoreFile="/falcon_deploy/app/config/ssl/keystore.p12"
           keystorePass="xxxxxxxxxx" />
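After this step, two files on the server carry secret material: keystore.p12 holds the private key, and server.xml now holds the keystore password in clear text. The directory listing under the CSR step above shows the keystore with mode -rw-rw----, and server.xml should be just as restricted so that no other local account can read the password. The following POSIX shell check is an added example, not part of the Falcon Deploy documentation: it reads the mode string from ls -ld and reports any file that grants read access to "other". The paths in the usage comment are the ones this page uses.

```shell
#!/bin/sh
# Added example, not from the Falcon Deploy docs: make sure files that carry
# secret material (keystore.p12 with the private key, server.xml with
# keystorePass) are not readable by every local account.

# world_readable FILE: 0 when the mode grants read to "other", 1 otherwise.
world_readable() {
    # ls -ld prints e.g. "-rw-rw----. 1 falcon deploy 5085 ...". Keep the
    # first ten characters of field 1, dropping any SELinux "." or ACL "+"
    # marker; character 8 is the "other" read bit.
    mode=$(ls -ld "$1" | cut -d' ' -f1 | cut -c1-10)
    case $mode in
        ???????r??) return 0 ;;
        *)          return 1 ;;
    esac
}

# check_private_files FILE...: 0 when every file exists and none is
# world-readable; 1 otherwise, naming each offender on stderr.
check_private_files() {
    bad=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "missing: $f" >&2; bad=1
        elif world_readable "$f"; then
            echo "world-readable: $f (fix with: chmod o-rwx '$f')" >&2; bad=1
        fi
    done
    return $bad
}

# fix_private_file FILE: strip all "other" permissions from FILE.
fix_private_file() {
    chmod o-rwx "$1"
}

# Usage with the paths this page uses (run as a user allowed to read them):
#   check_private_files /falcon_deploy/app/config/ssl/keystore.p12 \
#                       /opt/apache-tomcat/conf/server.xml
```

Run the check once after editing server.xml and again after any redeploy or package upgrade, since those can recreate configuration files with default permissions.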

Restart Tomcat service

> sudo systemctl stop tomcat.service
> sudo systemctl start tomcat.service
> sudo systemctl status tomcat.service

Sample output

[falcon@falcon-deploy-ora-linux-compute ssl]$ sudo systemctl stop tomcat.service
[falcon@falcon-deploy-ora-linux-compute ssl]$ sudo systemctl start tomcat.service
[falcon@falcon-deploy-ora-linux-compute ssl]$ sudo systemctl status tomcat.service
● tomcat.service - Apache Tomcat
   Loaded: loaded (/etc/systemd/system/tomcat.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2019-01-27 05:24:04 GMT; 3s ago
  Process: 7543 ExecStop=/opt/apache-tomcat/bin/shutdown.sh (code=exited, status=0/SUCCESS)
  Process: 7584 ExecStart=/opt/apache-tomcat/bin/startup.sh (code=exited, status=0/SUCCESS)
 Main PID: 7593 (java)
   CGroup: /system.slice/tomcat.service
           └─7593 /usr/lib/jdk/jre/bin/java -Djava.util.logging.config.file=/opt/apache-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.j...

Jan 27 05:24:04 falcon-deploy-ora-linux-compute systemd[1]: Starting Apache Tomcat...
Jan 27 05:24:04 falcon-deploy-ora-linux-compute startup.sh[7584]: Tomcat started.
Jan 27 05:24:04 falcon-deploy-ora-linux-compute systemd[1]: Started Apache Tomcat.

Validate SSL

We have completed the steps to enable SSL. Open a web browser and validate the change; remember to switch to the HTTPS protocol and port 8443. If you run into issues, verify that Tomcat is up using sudo systemctl status tomcat.service, and inspect the catalina.out log in /opt/apache-tomcat/logs.

As described at the beginning of this documentation, you should now see SSL enabled at https://hostname_or_ip:8443/falcon-deploy/

Screenshot: CA-issued certificate shown by the browser for the domain where Falcon Deploy is installed.

Lock falcon User

Lock the falcon operating system account again by setting its shell to /sbin/nologin.

# Lock falcon user
> sudo usermod -s /sbin/nologin falcon
Updated on April 30, 2019
