
Enable HTTPS/SSL using Self-Signed certificate

About

Before we start enabling SSL, if you are not familiar with SSL or have questions on it, we recommend you to read our Security using SSL (Secure Sockets Layer) article.

Self-signed certificates are not recommended for production use. The problem with a self-signed certificate is that almost every web browser checks that an HTTPS connection is signed by a recognized Certificate Authority (CA). If the connection uses a self-signed certificate, the browser flags it as insecure and shows warnings saying the site is not trusted, even though the connection itself is encrypted.

The steps below will enable SSL/HTTPS for your Linux installation. Refer to your operating system manual for equivalent commands if you are using a different operating system. These should be done after you have launched your instance in Oracle Cloud Marketplace or AWS or after completing Falcon Deploy installation using an on-premise server.

Changes after SSL

From an application user perspective, here is what you should know about how you access the application before and after the change. When you first launch the Falcon Deploy application, SSL is not enabled, because a certificate that identifies you and your organization has to be created first.

Before Change

You will access the application using a browser via HTTP protocol. The web address for the Tomcat Manager application will be similar to http://hostname_or_ip:8080/manager/html. The web address for the Falcon Deploy application will be similar to http://hostname_or_ip:8080/falcon-deploy/.

After Change

You will access the application using a browser via HTTPS protocol. The web address for the Tomcat Manager application will be similar to https://hostname_or_ip:8443/manager/html. The web address for the Falcon Deploy application will be similar to https://hostname_or_ip:8443/falcon-deploy/.

Connect as falcon User

We are going to perform the steps listed here as falcon user. In most installations, this operating system user account is locked for direct access.

If you launched your instance in Oracle Cloud Marketplace, login to the server as opc user.

If you launched your instance in AWS, login to the server as ec2-user.

If you installed Falcon Deploy on an on-premise server, login using your user account.

Unlock the falcon user account.

# Set SHELL for 'falcon' user
> sudo usermod -s /bin/bash falcon

# Switch to 'falcon' user
> sudo su - falcon

Create key using keytool

This example uses 365 days of validity, after which the certificate expires and the steps below have to be repeated.

# Create directory that will store the key
> mkdir -p /falcon_deploy/app/config/ssl
> cd /falcon_deploy/app/config/ssl

# Create key using keytool. 
> $JAVA_HOME/bin/keytool -genkey -keyalg RSA -alias falcondeploy -storetype PKCS12 -keystore /falcon_deploy/app/config/ssl/keystore.p12 -keysize 2048 -validity 365

Sample output

[falcon@falcon-deploy-ora-linux-compute ssl]$ $JAVA_HOME/bin/keytool -genkey -keyalg RSA -alias falcondeploy -storetype PKCS12 -keystore /falcon_deploy/app/config/ssl/keystore.p12 -keysize 2048 -validity 365
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  Bonnie Ravi
What is the name of your organizational unit?
  [Unknown]:  Falcon Deploy
What is the name of your organization?
  [Unknown]:  Falcon Deploy
What is the name of your City or Locality?
  [Unknown]:  Cumming
What is the name of your State or Province?
  [Unknown]:  Georgia
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=Bonnie Ravi, OU=Falcon Deploy, O=Falcon Deploy, L=Cumming, ST=Georgia, C=US correct?
  [no]:  yes

Verify the new key

> $JAVA_HOME/bin/keytool -v -list -keystore /falcon_deploy/app/config/ssl/keystore.p12

Sample Output

[falcon@falcon-deploy-ora-linux-compute ssl]$ $JAVA_HOME/bin/keytool -v -list -keystore /falcon_deploy/app/config/ssl/keystore.p12
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: falcondeploy
Creation date: Jan 24, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Bonnie Ravi, OU=Falcon Deploy, O=Falcon Deploy, L=Cumming, ST=Georgia, C=US
Issuer: CN=Bonnie Ravi, OU=Falcon Deploy, O=Falcon Deploy, L=Cumming, ST=Georgia, C=US
Serial number: 20f6379b
Valid from: Thu Jan 24 00:09:27 GMT 2019 until: Sun Jan 21 00:09:27 GMT 2020
Certificate fingerprints:
	 MD5:  XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
	 SHA1: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
	 SHA256: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: XX XX XX XX XX XX XX XX   XX XX XX XX XX XX XX XX  ....X...X..)..X.
0010: XX XX XX XX                                        ].XX
]
]



*******************************************
*******************************************

Update Tomcat configuration

Edit the server.xml file in $TOMCAT_HOME/conf. You may have to uncomment the HTTPS connector by removing the surrounding <!-- and --> markers, then edit the block as shown below. Be sure to use your own keystore password for the keystorePass field.

> sudo vi /opt/apache-tomcat/conf/server.xml

    <Connector port="8443" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443"
               SSLEnabled="true"
               scheme="https"
               secure="true"
               sslProtocol="TLS"
               keystoreFile="/falcon_deploy/app/config/ssl/keystore.p12"
               keystorePass="xxxxxxxxxx" />
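To catch the mistakes most often left behind in this edit (the placeholder password still in place, a keystore path that does not exist, a connector that is still commented out), here is an added check that is not part of the article or of Falcon Deploy. It parses the Connector form shown above; the server.xml sample embedded in the script is constructed for illustration.

```python
import os
import sys
import xml.etree.ElementTree as ET

PLACEHOLDER_PASS = "xxxxxxxxxx"       # the placeholder shown in the article's fragment
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample mirroring the article's Connector, password still the placeholder.
SAMPLE_SERVER_XML = """<Server><Service>
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="8443" protocol="HTTP/1.1" connectionTimeout="20000"
             SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
             keystoreFile="/falcon_deploy/app/config/ssl/keystore.p12"
             keystorePass="xxxxxxxxxx"/>
</Service></Server>"""

def check_ssl_connector(server_xml: str, file_exists=os.path.exists) -> list:
    """Return findings for the SSLEnabled Connector(s); empty list means it looks sane."""
    root = ET.fromstring(server_xml)
    ssl_connectors = [c for c in root.iter("Connector")
                      if c.get("SSLEnabled", "").lower() == "true"]
    if not ssl_connectors:
        return ['no Connector with SSLEnabled="true" found (still inside <!-- -->?)']
    findings = []
    for c in ssl_connectors:
        port = c.get("port", "?")
        if c.get("scheme") != "https" or c.get("secure") != "true":
            findings.append(f'port {port}: needs scheme="https" and secure="true"')
        ks = c.get("keystoreFile")
        if not ks:
            findings.append(f"port {port}: keystoreFile is missing")
        elif not file_exists(ks):
            findings.append(f"port {port}: keystoreFile {ks} does not exist")
        if c.get("keystorePass", "") in ("", PLACEHOLDER_PASS):
            findings.append(f"port {port}: keystorePass is empty or still the placeholder")
        # sslEnabledProtocols is optional; flag it only if it re-enables legacy versions
        enabled = {p.strip() for p in c.get("sslEnabledProtocols", "").split(",")}
        legacy = sorted(enabled & LEGACY_PROTOCOLS)
        if legacy:
            findings.append(f"port {port}: legacy protocols enabled: {', '.join(legacy)}")
    return findings

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/opt/apache-tomcat/conf/server.xml"
    with open(path) as f:
        problems = check_ssl_connector(f.read())
    print("\n".join(problems) if problems else "HTTPS connector looks sane")
    sys.exit(1 if problems else 0)
```

Run it as the falcon user before restarting Tomcat; a non-zero exit lists what still has to be fixed in server.xml.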

Restart Tomcat service

> sudo systemctl stop tomcat.service
> sudo systemctl start tomcat.service
> sudo systemctl status tomcat.service

Sample output

[falcon@falcon-deploy-ora-linux-compute ssl]$ sudo systemctl stop tomcat.service
[falcon@falcon-deploy-ora-linux-compute ssl]$ sudo systemctl start tomcat.service
[falcon@falcon-deploy-ora-linux-compute ssl]$ sudo systemctl status tomcat.service
● tomcat.service - Apache Tomcat
   Loaded: loaded (/etc/systemd/system/tomcat.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2019-01-24 01:53:20 GMT; 7s ago
  Process: 30792 ExecStop=/opt/apache-tomcat/bin/shutdown.sh (code=exited, status=0/SUCCESS)
  Process: 30842 ExecStart=/opt/apache-tomcat/bin/startup.sh (code=exited, status=0/SUCCESS)
 Main PID: 30851 (java)
   CGroup: /system.slice/tomcat.service
           └─30851 /usr/lib/jdk/jre/bin/java -Djava.util.logging.config.file=/opt/apache-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache....

Jan 24 01:53:20 falcon-deploy-ora-linux-compute systemd[1]: Starting Apache Tomcat...
Jan 24 01:53:20 falcon-deploy-ora-linux-compute startup.sh[30842]: Tomcat started.
Jan 24 01:53:20 falcon-deploy-ora-linux-compute systemd[1]: Started Apache Tomcat.

Git Workaround

When using a self-signed certificate, Git will throw a certificate verification error when accessing repositories (clone, pull, push, etc.) from Git Bash or a terminal. To avoid the error, do the following as a workaround.

# For globally disabling SSL verification 
> git config --global http.sslverify false

# For disabling ssl verification for a particular repo
> git clone -c http.sslverify=false https://hostname_or_ip:8443/falcon-deploy/git/<repo_name>.git

Validate SSL

We have completed the steps to enable SSL. Open a web browser and validate the change. Note that you should switch to HTTPS protocol and 8443 port. If you are having issues, verify Tomcat is up using sudo systemctl status tomcat.service. Also inspect the catalina.out log at /opt/apache-tomcat/logs.
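The following added script (not from the article or from Falcon Deploy) serves both the Validate SSL step and the Git workaround above: it connects to hostname_or_ip:8443, compares the SHA256 fingerprint of the certificate Tomcat presents with the one `keytool -v -list` printed for the keystore, and on a match saves the PEM so Git can be pointed at that one certificate with `http.sslCAInfo` instead of having verification switched off. The host name, output path and EXPECTED_FINGERPRINT value are placeholders to fill in.

```python
"""Validate the new HTTPS endpoint by certificate fingerprint, not by browser warning.

Added example, not part of the article. The fingerprint to compare against is the
SHA256 line keytool printed under "Certificate fingerprints"; the value below is a
constructed placeholder.
"""
import hashlib
import socket
import ssl
import sys

def format_fingerprint(der: bytes) -> str:
    """SHA256 digest in keytool's form: uppercase hex pairs separated by colons."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def fingerprint_matches(der: bytes, expected: str) -> bool:
    """Compare ignoring case and colons so a value pasted from keytool works as-is."""
    normalize = lambda s: s.replace(":", "").strip().lower()
    return normalize(format_fingerprint(der)) == normalize(expected)

def fetch_server_cert_der(host: str, port: int = 8443) -> bytes:
    """Fetch the certificate the server presents. Chain validation is off on purpose:
    a self-signed certificate has no CA to chain to, so the fingerprint comparison
    below is the check that replaces it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def verify_and_export(host: str, expected: str, out_path: str) -> bool:
    """True and PEM written only when the server's certificate is the expected one."""
    der = fetch_server_cert_der(host)
    if not fingerprint_matches(der, expected):
        print(f"MISMATCH: server presented {format_fingerprint(der)}")
        return False
    with open(out_path, "w") as f:
        f.write(ssl.DER_cert_to_PEM_cert(der))
    print(f"OK: saved {out_path}; run: git config http.sslCAInfo {out_path}")
    return True

if __name__ == "__main__":
    EXPECTED_FINGERPRINT = "PASTE-SHA256-FROM-KEYTOOL"   # constructed placeholder
    ok = verify_and_export("hostname_or_ip", EXPECTED_FINGERPRINT, "falcon-deploy.pem")
    sys.exit(0 if ok else 1)
```

Git (through libcurl) will accept the saved PEM only if the certificate name matches the host you connect to, so the keytool prompt "What is your first and last name?" must be answered with the server's hostname rather than a person's name; current browsers additionally require a Subject Alternative Name, which keytool adds with `-ext san=dns:hostname_or_ip`.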

Lock falcon User

Lock the falcon operating system account again by setting its login shell to /sbin/nologin.

# Lock falcon user
> sudo usermod -s /sbin/nologin falcon

Updated on May 20, 2019