Enable SSL in Tomcat for BOXI using a Self-Signed Certificate

Document ID : KB000015564
Last Modified Date : 14/02/2018
Introduction:

We do not recommend using a self-signed certificate, because browsers will not accept it as being issued by a trusted certificate authority. Users who access Service Desk over https (SSL) will therefore see a browser warning saying "The security certificate presented by this website was not issued by a trusted certificate authority.", and they will have to click "Continue to this website (not recommended)" to actually get to the site. This document provides the steps to do

 

Please also consider this KBA 1648573 from SAP

1648573 - How to configure SSL on Tomcat in BI 4 1648573_E_20170817.pdf

Question:

Implement SSL in Tomcat for BOXI using a self-signed certificate

Environment:
Windows 2008R2 & Windows 2012
BOXI 4.1
Answer:

1/ Create the .pfx file in the same way as described in tecdoc TEC1659789.

The steps consist of

<<

1. Click on the Start menu, go to Administrative Tools, and click on Internet Information Services (IIS) Manager.

2. Click on the name of the server in the Connections column on the left. Double-click on Server Certificates.

3. In the Actions column on the right, click on Create Self-Signed Certificate...

4. Enter any friendly name such as "sdmsslcert" or "sdmcert" and then click OK.

5. You will now have an IIS self-signed certificate, valid for 1 year, listed under Server Certificates. The certificate common name (Issued To) is the server name. Now we just need to bind the self-signed certificate to the IIS site.

Next you have to export that certificate to a .pfx file. To do this, follow these steps:

1. Click on the Start menu, go to Administrative Tools, and click on Internet Information Services (IIS) Manager.

2. Click on the name of the server in the Connections column on the left. Double-click on Server Certificates.

3. Right-click on the certificate that you created (sdmsslcert or sdmcert), and select "Export".

4. In the "Export to" field, click the ellipsis and select a directory to store your certificate and a filename such as "sdmsslcert" or "sdmcert" (it will have a .pfx file extension), then create a password for that certificate (you will need this password later to configure Tomcat to access that certificate).

5. Click OK on the Export Certificate window, then use Windows Explorer to navigate to the directory where you specified to save the .pfx cert file and ensure it's there.
>>

 

2/ Once the .pfx file has been generated, identify the server.xml in BOXI that we have to update.


Modify the server.xml


<!-- HTTPS connector for BOXI: keystoreFile is the .pfx exported in step 1/, keystorePass is the password set at export. -->
<Connector SSLEnabled="true"
    ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"
    clientAuth="false" keystoreFile="C:\keystore\sdmcert.pfx"
    keystorePass="Password1" keystoreType="PKCS12"
    maxThreads="150" port="8493" protocol="HTTP/1.1" scheme="https" secure="true"
    sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" sslProtocol="TLS"/>
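
An added example, not part of the original document or of any CA or SAP tooling: a small Python audit of the Connector shown above, listing the settings a reviewer would want tightened before this configuration is reused outside a test system. The helper names (`audit_connector`, `summarize`) and the check identifiers are this example's own assumptions; the sample input is the Connector from this document.

```python
import xml.etree.ElementTree as ET

# Sample input: the Connector from this document, embedded verbatim.
SAMPLE_CONNECTOR = r'''<Connector SSLEnabled="true"
ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"
clientAuth="false" keystoreFile="C:\keystore\sdmcert.pfx"
keystorePass="Password1" keystoreType="PKCS12"
maxThreads="150" port="8493" protocol="HTTP/1.1" scheme="https" secure="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" sslProtocol="TLS"/>'''

# TLS 1.0 and 1.1 were formally deprecated by RFC 8996; SSLv2/SSLv3 earlier.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def _csv(value):
    """Split a comma-separated attribute value, ignoring blanks."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]

def audit_connector(xml_text):
    """Return a list of (check_id, detail) findings for one <Connector>."""
    conn = ET.fromstring(xml_text)
    if conn.get("SSLEnabled", "").lower() != "true":
        return [("tls-disabled", "SSLEnabled is not true")]
    findings = []
    for proto in _csv(conn.get("sslEnabledProtocols")):
        if proto in DEPRECATED_PROTOCOLS:
            findings.append(("deprecated-protocol", proto))
    for suite in _csv(conn.get("ciphers")):
        if suite.startswith("TLS_RSA_WITH_"):
            # Static RSA key exchange: no forward secrecy.
            findings.append(("no-forward-secrecy", suite))
        if "_CBC_" in suite:
            # CBC-mode suite; prefer GCM suites where the JVM supports them.
            findings.append(("cbc-mode", suite))
    if conn.get("keystorePass") is not None:
        # The export password sits in cleartext in server.xml.
        findings.append(("cleartext-keystore-password", conn.get("keystoreFile", "")))
    return findings

def summarize(findings):
    """Count findings per check_id."""
    counts = {}
    for check_id, _ in findings:
        counts[check_id] = counts.get(check_id, 0) + 1
    return counts

if __name__ == "__main__":
    for check_id, detail in audit_connector(SAMPLE_CONNECTOR):
        print(f"{check_id:30} {detail}")
```

Because keystorePass has to be readable by Tomcat, the practical control for that finding is restricting read access on server.xml and the .pfx file to the Tomcat service account and administrators.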

 


 

Restart Tomcat_boxi and verify that BOXI is in SSL mode.


 

 

Additional Information:

We have customers who, for testing purposes, run Service Desk and BOXI on the same server.

 

1/ Apply tecdoc tec1659789 for "Enable SSL in Tomcat for CA Service Desk Manager using a Self-Signed Certificate"

TEC1659789

2/ Apply this tecdoc, using the same .pfx file for BOXI too.

File Attachments:
TEC1144726.zip