

Configure the Tomcat SSL

Use the following steps to configure SSL for a self-signed certificate or trusted certificate provider:

  1. To generate a self-signed certificate, from the command line, run the following command:
    Windows: %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA -keystore keystore
    UNIX:    $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore keystore
    

    On UNIX, make sure that the directory in which you generate the keystore file has appropriate permissions.

    Note: For more details about specifying a different keystore file location, see the Tomcat documentation.

  2. Answer the prompts appropriately.

    Note: Both passwords (the keystore password and the key password) should be the same.

    File 'keystore' is generated.

  3. Copy the generated keystore file to the following directory:
    Install_dir\config\
    
    Install_dir

    Specifies the directory where CA Executive Insight is installed.

  4. Obtain valid certificates and import them into the keystore file.
  5. Use a text editor to open the server.xml file for each installation where you want to configure HTTPS.
  6. Uncomment the SSL connector by removing the comment markers around the Connector element that follows this line:
    <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
    
  7. Update the port number, if necessary, and set the value of 'keystorePass=' to the password that you used in Step 2:
    <Connector
        port="8443"
        scheme="https"
        secure="true"
        clientAuth="false"
        keystoreFile="${catalina.home}/config/keystore"
        keystorePass="changeit"
        sslProtocol="TLS"
        compression="2048"
        compressableMimeType="text/html,text/xml,text/plain,text/javascript,text/css"
        useSendfile="false"
    />
    
  8. Update the protocol and port for the web UI installation, if necessary, by editing the following:
    Install_dir\config\execWebUIConfig.properties
    
    1. Modify these properties:
      execinsight.backendserver.protocol=https
      execinsight.backendserver.port=8443
      
  9. Restart the CA Executive Insight server.

    Note: For a web UI installation, restart both the server and the web UI servers.

  10. To access the CA Executive Insight web interface with SSL, use:
    https://hostname:<SSL port number>/
    
  11. To access the CA Executive Insight administrative UI with SSL, use:
    https://hostname:<SSL port number>/admin/
    

    Note: Enter the SSL port number that you specified in the server.xml file.

    Note: If you have an Internet-accessible deployment, the hostname for the administrative UI is the server installation host, not the web UI host.

Once SSL is up and functional with the self-signed certificate, you are ready to implement an official certificate provided by a Certificate Authority.
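
The following Python check is an added example, not part of the CA Executive Insight documentation. It reads server.xml and, optionally, execWebUIConfig.properties and the keystore path. It reports an SSL connector that is still commented out, a keystorePass left at the default 'changeit', a web UI protocol or port that does not match the Connector, and a keystore accessible to group or other users. The function names and sample inputs are constructed, and reading "appropriate permissions" as owner-only access is an assumption.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from a real installation).
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
  <Connector port="8443" scheme="https" secure="true" clientAuth="false"
             keystoreFile="${catalina.home}/config/keystore"
             keystorePass="changeit" sslProtocol="TLS" />
</Service></Server>"""
SAMPLE_WEBUI_PROPS = ("execinsight.backendserver.protocol=http\n"
                      "execinsight.backendserver.port=8080\n")

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # / ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def check_ssl_config(server_xml, webui_props=None, keystore_path=None):
    """Return a list of findings; an empty list means every check passed."""
    # ElementTree drops XML comments, so a commented-out connector is not found.
    root = ET.fromstring(server_xml)
    conns = [c for c in root.iter("Connector") if c.get("scheme") == "https"]
    if not conns:
        return ["no active https Connector (still commented out?)"]
    conn, findings = conns[0], []
    if conn.get("keystorePass") == "changeit":
        findings.append("keystorePass is the well-known default 'changeit'")
    if webui_props is not None:
        props = parse_properties(webui_props)
        if props.get("execinsight.backendserver.protocol") != "https":
            findings.append("web UI protocol is not https")
        if props.get("execinsight.backendserver.port") != conn.get("port"):
            findings.append("web UI port differs from Connector port")
    if keystore_path and os.name == "posix":
        # Assumption: "appropriate permissions" means owner-only access.
        mode = stat.S_IMODE(os.stat(keystore_path).st_mode)
        if mode & 0o077:
            findings.append(f"keystore mode {mode:03o} allows group/other access")
    return findings

if __name__ == "__main__":
    for finding in check_ssl_config(SAMPLE_SERVER_XML, SAMPLE_WEBUI_PROPS):
        print("FINDING:", finding)
```

Run it against the edited files before restarting the server; an empty result means the Connector and web UI settings agree.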