ManageEngine Forums
I've looked in the forums and documentation, and I've found some info on how to do this for your other products, but could you please provide instructions on how to set up AppManager to run SSL over port 443, and how to assign a certificate to the server so that our Sys Admins can access the site without having to remote desktop into the server?
Thank You,
Kris

Replies (2)

Paul Jacob Employee
Hi,

Steps for disabling HTTP access and enabling HTTPS:

By default the SSL port of Applications Manager is 8443. (The same can be found in the AMServer.properties file under the ..\AppManager9\conf directory: am.ssl.port=8443.)

https://<Appmanager Hostname>:8443

You may also change it to 443 if there is no service running on port 443.

Do the following steps to enable HTTPS and disable HTTP access. Shut down Applications Manager and then follow the steps below:

Open the server.xml file present under the AppManager_home\working\apache\tomcat\conf\backup\ folder using TextPad or WordPad.

Comment out the lines below, present at line numbers 73 to 78.

  <!-- Define a non-SSL Coyote HTTP/1.1 Connector on port 8080-->
    <Connector port="WEBSERVER_PORT" className="org.apache.catalina.connector.http.HttpConnector"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" redirectPort="8443" acceptCount="100"
               debug="0" connectionTimeout="20000"
           disableUploadTimeout="true" />


Change it as follows:

 <!-- Define a non-SSL Coyote HTTP/1.1 Connector on port 8080
    <Connector port="WEBSERVER_PORT" className="org.apache.catalina.connector.http.HttpConnector"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" redirectPort="8443" acceptCount="100"
               debug="0" connectionTimeout="20000"
           disableUploadTimeout="true" useBodyEncodingForURI="true" /> -->

Note: The only change is to remove the --> from the end of the first line and add it at the end of the last line.

After doing this, enable HTTPS in AMServer.properties by changing 'am.ssl.enabled=false' to 'am.ssl.enabled=true'. Restart Applications Manager.

From now on the http link will not be available for access. The only access will be through https://

Thanks & Regards,
Paul Jacob

Paul Jacob Employee
Hi,

The following is what you are trying to achieve. Applications Manager by default uses a self-signed certificate, which will prompt you with a certificate error each time you try to connect to the Applications Manager web client.

You can choose whether to have a Certifying Authority sign the certificate or you can use a self-signed certificate. A certificate signed by a Certifying Authority is trusted by browsers, therefore the browser does not issue a warning when a user connects to the browser interface on the Master Server. Generally, Certifying Authorities charge a fee to sign a certificate. A self-signed certificate is available for use immediately after you generate the certificate because you do not have to wait for the Certifying Authority to sign it. However, a self-signed certificate is not trusted by the browser, so the browser issues a warning each time a user connects to the Master Server.

So you need to have a Certifying Authority sign the certificate or your organization may have an internal Certifying Authority to generate certificates.

1.) As you have illustrated in your document, you have to create a key database or keystore (key.jks) and make a CSR to the Certifying Authority. (Refer to the details in the link below, where the example uses the IBM Key Manager utility. Steps will differ for different CAs, and you have to follow the steps as provided by your CA.)

Note: If you use paulp-0558.csez.zohocorpin.com in your CSR, you can use this key database or keystore only for the installation of Applications Manager on the paulp-0558 server. It is recommended that you create a CSR with *.csez.zohocorpin.com so that you can use the same key database or keystore in all your installations of Applications Manager. (You have an enterprise setup, and this is recommended.) Note: paulp-0558.csez.zohocorpin.com is only an example FQDN.


Now, after the request is signed, you have to follow the "Receiving a CA certificate" steps in the above link and receive the CA-signed certificates into the same key database or keystore:

Now that you have the key.jks file with the proper signed certificates installed, you need to use the same key.jks file in Applications Manager.

To change the keystore in Applications Manager, go to the ..\AppManager_home\working\apache\tomcat\ directory. Copy your key.jks file here. (In this case, as the name of the keystore is different, you can simply copy your file to the ..\AppManager_home\working\apache\tomcat\ directory.)

* Each key database or keystore file will have its own password for opening it. (You entered it when you generated the key database or keystore, so you should know it.)

* We need to specify the key database or keystore file name and the password of the keystore file in the \AppManager_home\working\apache\tomcat\conf\backup\server.xml file. Open this file in a text editor and search for KEYSTORE_FILE. There will be only 2 occurrences in that file, as follows:

keystoreFile="KEYSTORE_FILE" keystorePass="appmanager" truststoreFile="KEYSTORE_FILE" truststorePass="appmanager"

You need to update your key database or keystore file name here (..\AppManager_home\working\apache\tomcat\key.jks) and your password.

Example:

keystoreFile="D:\AppManager11\working\apache\tomcat\key.jks" keystorePass="yourpassword" truststoreFile="D:\AppManager11\working\apache\tomcat\key.jks" truststorePass="yourpassword"

Save the change and restart Applications Manager to start using your signed SSL certificate.

Thanks & Regards,
Paul Jacob
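
A post-change check for the two procedures above, as an added example that is not part of the original replies and not ManageEngine code: it parses server.xml (XML comments are dropped by the parser, so only active elements are seen) and AMServer.properties, then reports any step that was missed. The sample XML is constructed, and treating the Connector with port="WEBSERVER_PORT" as the non-SSL one is an assumption taken from the snippet in the first reply.

```python
import xml.etree.ElementTree as ET

DEFAULT_PASS = "appmanager"    # default password shown in the reply
PLACEHOLDER = "KEYSTORE_FILE"  # template value shown in the reply
HTTP_PORT = "WEBSERVER_PORT"   # port value of the non-SSL connector in the reply

# Constructed sample content, not the product's real server.xml.
CONNECTOR = '<Connector port="WEBSERVER_PORT" redirectPort="8443" />'
SSL = ('<Connector port="8443" keystoreFile="{f}" keystorePass="{p}" '
       'truststoreFile="{f}" truststorePass="{p}" />')


def sample(http, keystore, password):
    """Build a constructed server.xml around the given non-SSL fragment."""
    ssl = SSL.format(f=keystore, p=password)
    return "<Server><Service>" + http + ssl + "</Service></Server>"


def parse_properties(text):
    """Parse key=value lines, ignoring blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def audit(server_xml, properties_text):
    """Return a list of findings; an empty list means every step was applied."""
    findings = []
    if parse_properties(properties_text).get("am.ssl.enabled", "").lower() != "true":
        findings.append("am.ssl.enabled is not true")
    for el in ET.fromstring(server_xml).iter():  # commented-out XML is skipped
        if el.tag == "Connector" and el.get("port") == HTTP_PORT:
            findings.append("non-SSL connector is still active")
        for attr in ("keystoreFile", "truststoreFile"):
            if el.get(attr) == PLACEHOLDER:
                findings.append(attr + " still set to " + PLACEHOLDER)
        for attr in ("keystorePass", "truststorePass"):
            if el.get(attr) == DEFAULT_PASS:
                findings.append(attr + " still uses the default password")
    return findings


if __name__ == "__main__":
    unedited = sample(CONNECTOR, PLACEHOLDER, DEFAULT_PASS)
    for finding in audit(unedited, "am.ssl.enabled=false"):
        print("FAIL:", finding)
```

To use it on a real installation, pass the text of server.xml and AMServer.properties read from disk to audit().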