Accessing Celoxis using SSL


For the purpose of this article, let's assume that Celoxis has been installed on a Linux server at /usr/local/celoxis and is accessed as http://celoxis.acme.com:8888

Default SSL

Celoxis comes with a self-signed SSL certificate and is accessible over HTTPS on port 8843 as https://celoxis.acme.com:8843. Chrome and other browsers warn that a site serving a self-signed certificate is not secure. To avoid this warning, install a certificate from a known provider such as Verisign, Thawte or RapidSSL.

Installing your own SSL Certificate

Each provider has its own instructions; here we walk through the most common scenario.

Stop Celoxis

Stop Celoxis as we are going to overwrite a file.

Go to the <Celoxis-Install-Dir>
$ cd /usr/local/celoxis
Generate a Key Pair

Use celoxis as the password; the reason will become evident at the end of the chapter. Replace celoxis.acme.com with your own hostname.

$ keytool -genkey -alias celoxis -keyalg RSA -keystore celoxis.jks
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  celoxis.acme.com
What is the name of your organizational unit?
  [Unknown]:
What is the name of your organization?
  [Unknown]:  Acme
What is the name of your City or Locality?
  [Unknown]:  Santa Clara
What is the name of your State or Province?
  [Unknown]:  CA
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=celoxis.acme.com, OU=Unknown, O=Acme, L=Santa Clara, ST=CA, C=US correct?
  [no]:  yes

Enter key password for <celoxis>
    (RETURN if same as keystore password):
$
Generate a Certificate Request (CSR)

We will be generating the CSR in a file certreq.csr.

$ keytool -certreq -keyalg RSA -alias celoxis -file certreq.csr -keystore celoxis.jks
Enter keystore password:
$
List the files

We have the two expected files.

$ ls
celoxis.jks certreq.csr
$
Get the SSL certificate

You would now go to one of the SSL certificate issuers such as Verisign, RapidSSL or GeoTrust and use the certreq.csr file to request an SSL certificate. They will verify that you own the domain you requested the certificate for and then issue it.

You will get two files in PEM format: one is your certificate, the other is the intermediate chain up to the CA certificate.

Let's assume that the chain is available in the file chain.crt and your certificate in certificate.crt.

Copy these two files to <Celoxis-Install-Dir>.

Import the two files into our keystore
$ keytool -import -trustcacerts -alias intermediate -file chain.crt -keystore celoxis.jks
Enter keystore password:
$
$ keytool -import -trustcacerts -alias celoxis -file certificate.crt -keystore celoxis.jks
Enter keystore password:
$

Our keystore is now ready!

Overwrite Celoxis's keystore with our keystore
$ cp celoxis.jks /usr/local/celoxis/psa_14.5.x/.keystore
$
Change 8843 to 443 (the default SSL port)

Open <Celoxis-Install-Dir>/psa_14.5.x/conf/server.xml and change the port number of the https Connector as shown below. The first snippet is the original, the second is the edited version; every other attribute stays the same.

Before:

<Connector port="8843"
...
   scheme="https"
   secure="true"
   keystoreFile=".keystore"
   keystorePass="celoxis"
...
/>

After:

<Connector port="443"
...
   scheme="https"
   secure="true"
   keystoreFile=".keystore"
   keystorePass="celoxis"
...
/>
Start Celoxis

Start Celoxis and point your browser to https://celoxis.acme.com. You should be taken to the Celoxis login screen.
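The following POSIX shell helper is an added example and not part of the original article or of Celoxis itself. It applies the server.xml port change from the previous step while keeping a backup, verifies that exactly one https Connector now listens on 443 and still points at .keystore, and, once Celoxis is back up, prints the certificate chain the server actually presents so a missing intermediate shows up immediately. The CELOXIS_HOME and SERVER_XML defaults and the function names are assumptions taken from the article's example install.

```shell
#!/bin/sh
# Added example, not Celoxis's own tooling: apply the 8843 -> 443 change to
# server.xml with a backup, verify it, and (after restart) inspect the chain
# the server presents. CELOXIS_HOME and SERVER_XML defaults are assumptions
# taken from the article's example install.
CELOXIS_HOME="${CELOXIS_HOME:-/usr/local/celoxis}"
SERVER_XML="${SERVER_XML:-$CELOXIS_HOME/psa_14.5.x/conf/server.xml}"

# Rewrite only the <Connector port="8843"> opening tag; other attributes that
# happen to carry 8843 (for example a redirectPort) are left untouched.
# The untouched original is kept next to the file as server.xml.orig.
switch_ssl_port() {
    xml="$1"; old="${2:-8843}"; new="${3:-443}"
    [ -f "$xml" ] || { echo "missing $xml" >&2; return 1; }
    sed -i.orig "s/\(<Connector[[:space:]]\{1,\}port=\)\"$old\"/\1\"$new\"/" "$xml"
}

# Succeed when exactly one Connector with scheme="https" listens on $port and
# still points at the .keystore file the article copies into place.
check_ssl_connector() {
    xml="$1"; port="${2:-443}"
    # Join each multi-line <Connector ... /> element onto one line first.
    n=$(awk '/<Connector/ {inside=1; buf=""}
             inside {buf=buf " " $0}
             inside && />/ {print buf; inside=0}' "$xml" \
        | grep 'scheme="https"' | grep 'keystoreFile=".keystore"' \
        | grep -c "<Connector *port=\"$port\"")
    [ "$n" -eq 1 ]
}

# After Celoxis is restarted: print the subject/issuer of every certificate
# the server sends, so a missing intermediate is visible immediately.
show_served_chain() {
    host="${1:-celoxis.acme.com}"; port="${2:-443}"
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; return 2; }
    printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" -showcerts 2>/dev/null \
        | grep -E '^ *[0-9]+ s:|^ *i:'
}

# Usage: ./celoxis-ssl.sh switch | check | chain [hostname]
case "${1:-}" in
    switch) switch_ssl_port "$SERVER_XML" && check_ssl_connector "$SERVER_XML" && echo "server.xml now listens on 443" ;;
    check)  check_ssl_connector "$SERVER_XML" && echo "https Connector on 443 OK" ;;
    chain)  show_served_chain "${2:-celoxis.acme.com}" ;;
esac
```

Run `switch` while Celoxis is stopped (the article stops it before touching files), then `chain` after the restart; the chain output should list your certificate at position 0 followed by the intermediate you imported.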