Using Fabric Manager Web Server with SSL
Fabric Manager Web Server uses TCP port 80 by default. If you want to install SSL certificates and use Fabric Manager Web Server over HTTPS (using TCP port 443 or another custom port), you need a certificate for each external IP address that accepts secure connections. You can purchase these certificates from a well-known Certificate Authority (CA).
To enable SSL, you must set up the keystore to use either a self-signed certificate or a certificate from a trusted third-party company such as Verisign.
To create a local certificate, follow these steps:
- Set up a keystore to use a self-signed certificate (local certificate). From the command line, issue the following command:
%JAVA_HOME%/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore "C:\Program Files\Cisco Systems\MDS 9000\keystore"
- Enter your name, organization, state, and country. Enter changeit when prompted for a keystore password. If you prefer to use your own password, don't forget to change the keystorePass attribute in the server.xml file. When prompted for a key password, press Enter or use the same password as the keystore password.
Note You can now follow the steps in the next section for modifying Fabric Manager Web Server to use SSL.
To set up a keystore to use a CA certificate, follow these steps:
Complete Steps 1 and 2 above and then Step 3.
To create a CSR, follow these steps:
- Create a local certificate (as described in the previous section).
Note You must enter the domain of your website in the field first and last name in order to create a working certificate.
- The CSR is then created with this command:
keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore "C:\Program Files\Cisco Systems\MDS 9000\keystore"
- Now you have a file called certreq.csr. The file is encoded in PEM format. You can submit it to the certificate authority. You can find instructions for submitting the file on the Certificate Authority website. You will receive a certificate.
- Once you have your certificate, you can import it into your local keystore. First, you must import a Chain Certificate or Root Certificate into your keystore. You can then import your certificate.
- Download a Chain Certificate from the Certificate Authority where you obtained the certificate.
- For Verisign.com commercial certificates, go to:
- For Verisign.com trial certificates, go to:
- For Trustcenter.de, go to:
- For Thawte.com, go to:
To modify Fabric Manager Web Server to use SSL, follow these steps:
- Stop Fabric Manager Web Server if you have already launched it. If you installed this on Windows, you can stop the service using Windows Services under Administrative Tools.
- Use a text editor to open \tomcat\conf\server.xml from the directory where Fabric Manager Web Server is installed. Near the beginning of the file, after the copyright information, you see the following lines:
<Connector className="org.apache.catalina.connector.http.HttpConnector"
           port="80" minProcessors="5" maxProcessors="75"
           enableLookups="false" redirectPort="8443" acceptCount="10"
           debug="0" connectionTimeout="60000"/>
<!-- Define an SSL HTTP/1.1 Connector on port 8443 -->
<!--
<Connector className="org.apache.catalina.connector.http.HttpConnector"
           port="8443" minProcessors="5" maxProcessors="75"
           enableLookups="true" acceptCount="10" debug="0"
           scheme="https" secure="true">
  <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
           clientAuth="false" protocol="TLS"/>
</Connector>
-->
- Comment out the first <Connector> element and uncomment the second one. Note that the port changes from 8443 to 443 and that the keystoreFile and keystorePass attributes are added to the <Factory> element. Your file should look like the following example:
<!--
<Connector className="org.apache.catalina.connector.http.HttpConnector"
           port="80" minProcessors="5" maxProcessors="75"
           enableLookups="false" redirectPort="8443" acceptCount="10"
           debug="0" connectionTimeout="60000"/>
-->
<!-- Define an SSL HTTP/1.1 Connector on port 8443 -->
<Connector className="org.apache.catalina.connector.http.HttpConnector"
           port="443" minProcessors="5" maxProcessors="75"
           enableLookups="true" acceptCount="10" debug="0"
           scheme="https" secure="true">
  <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
           clientAuth="false" protocol="TLS"
           keystoreFile="C:\Program Files\Cisco Systems\MDS 9000\keystore"
           keystorePass="changeit"/>
</Connector>
- Save the file.
- Restart Fabric Manager Web Server.
Note If you restart Fabric Manager Server with SSL enabled, you must restart Fabric Manager Web Server. If you want to stop and restart Fabric Manager Server with SSL disabled, then you must restart Fabric Manager Web Server.
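The server.xml edit above is easy to get subtly wrong by hand (a connector left active twice, the port not changed, the keystore attributes added to the wrong element). The following Python script is an added example, not part of the Cisco document: it applies the same edit programmatically (comment out the port-80 connector, uncomment the SSL connector, set port 443, add keystoreFile and keystorePass) and then re-parses the result to confirm that exactly one connector is active and that it matches the procedure. The sample server.xml is constructed here to mirror the two connectors shown above; the function names, the `default_pass` warning and the example password are my own choices, and the checks use only the Python standard library.

```python
"""
Added example (not from the Cisco document): apply the server.xml change
described above programmatically, then validate the result before restarting
Fabric Manager Web Server. Standard library only.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample that mirrors the two connectors shown in the document.
# A real server.xml has more elements around them; only these are touched.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector className="org.apache.catalina.connector.http.HttpConnector"
               port="80" minProcessors="5" maxProcessors="75"
               enableLookups="false" redirectPort="8443" acceptCount="10"
               debug="0" connectionTimeout="60000"/>
    <!-- Define an SSL HTTP/1.1 Connector on port 8443 -->
    <!--
    <Connector className="org.apache.catalina.connector.http.HttpConnector"
               port="8443" minProcessors="5" maxProcessors="75"
               enableLookups="true" acceptCount="10" debug="0"
               scheme="https" secure="true">
      <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
               clientAuth="false" protocol="TLS"/>
    </Connector>
    -->
  </Service>
</Server>
"""

# The self-closing HTTP connector on port 80 (no '>' occurs inside the tag).
HTTP_CONNECTOR_RE = re.compile(r'<Connector[^>]*\bport="80"[^>]*/>')
# The commented-out SSL connector, captured without its surrounding <!-- -->.
SSL_BLOCK_RE = re.compile(
    r'<!--\s*(<Connector[^>]*scheme="https".*?</Connector>)\s*-->', re.S)


def enable_ssl(server_xml, keystore_file, keystore_pass, port=443):
    """Return server_xml with the SSL connector active and the HTTP one commented out."""
    m = HTTP_CONNECTOR_RE.search(server_xml)
    if not m:
        raise ValueError("plain HTTP connector on port 80 not found")
    # Step 1 of the manual edit: wrap the HTTP connector in an XML comment.
    out = server_xml[:m.start()] + "<!-- " + m.group(0) + " -->" + server_xml[m.end():]

    m = SSL_BLOCK_RE.search(out)
    if not m:
        raise ValueError("commented-out SSL connector not found")
    block = m.group(1)
    # Step 2: move the connector from 8443 to the HTTPS port and add the
    # keystore attributes to its <Factory> element.
    block = block.replace('port="8443"', f'port="{port}"', 1)
    needle = 'protocol="TLS"/>'
    if needle not in block:
        raise ValueError("SSL Factory element not in the expected form")
    # str.replace rather than re.sub: the Windows keystore path contains
    # backslashes, which re.sub would try to interpret as escape sequences.
    block = block.replace(
        needle,
        'protocol="TLS"\n               '
        f'keystoreFile="{keystore_file}"\n               '
        f'keystorePass="{keystore_pass}"/>',
        1)
    return out[:m.start()] + block + out[m.end():]


def active_connectors(server_xml):
    """Connectors Tomcat would actually start; ElementTree drops comments on parse."""
    return ET.fromstring(server_xml).findall(".//Connector")


def check_ssl_config(server_xml, expected_port=443, default_pass="changeit"):
    """Return a list of findings; an empty list means the edit matches the procedure."""
    findings = []
    conns = active_connectors(server_xml)
    if len(conns) != 1:
        return [f"expected exactly one active Connector, found {len(conns)}"]
    c = conns[0]
    if c.get("port") != str(expected_port):
        findings.append(f"active connector listens on port {c.get('port')}, not {expected_port}")
    if c.get("scheme") != "https" or c.get("secure") != "true":
        findings.append('connector is not marked scheme="https" secure="true"')
    factory = c.find("Factory")
    if factory is None:
        findings.append("no SSL Factory element inside the Connector")
    else:
        if not factory.get("keystoreFile"):
            findings.append("Factory has no keystoreFile attribute")
        # The document uses changeit; flag it so a changed keytool password
        # is not forgotten in server.xml (and vice versa).
        if factory.get("keystorePass", default_pass) == default_pass:
            findings.append(f"keystorePass is still the default '{default_pass}'")
    return findings


if __name__ == "__main__":
    ks = r"C:\Program Files\Cisco Systems\MDS 9000\keystore"
    new_xml = enable_ssl(SAMPLE_SERVER_XML, ks, "changeit")
    print(new_xml)
    for finding in check_ssl_config(new_xml):
        print("WARNING:", finding)
```

Run it against your own file by reading \tomcat\conf\server.xml into `enable_ssl()` and writing the result back only when `check_ssl_config()` returns no findings; the validation step is the part worth keeping even if you prefer to make the edit by hand.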
Copyright © 2002-2007, Cisco Systems, Inc. All rights reserved.