To enable HTTPS for Service Desk Appliance versions prior to 7.3:
In this scenario, the openssl command is used to generate a key pair. Follow the steps below to generate the keys with the openssl command. SSH into the appliance and log in as root.
Create a single directory to hold all the certificates and keys.
srm-tst-nsd-130:~ # mkdir /root/CA
srm-tst-nsd-130:~ # chmod 770 /root/CA/
srm-tst-nsd-130:~ # cd /root/CA/
Create a private key and then generate a certificate request
srm-tst-nsd-130:~/CA # openssl genrsa -des3 -out nsd-ca.key 2048
Generating RSA private key, 2048 bit long modulus
....................+++
...................................................................................+++
e is 65537 (0x10001)
Enter pass phrase for nsd-ca.key:
Verifying - Enter pass phrase for nsd-ca.key:
srm-tst-nsd-130:~/CA #
Generate a self-signed root certificate from the generated private key
srm-tst-nsd-130:~/CA # openssl req -new -x509 -days 3650 -key nsd-ca.key -out nsd-ca.crt
Specify pass phrase for nsd-ca.key:
Specify information that will be incorporated into your certificate request. Information includes Distinguished Name or a DN and a few mandatory fields.
For a few fields there will be a default value, If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pvt Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
Creation of key and certificate for the web server:
srm-tst-nsd-130:~/CA # openssl genrsa -des3 -out nsd-server.key 1024
Generating RSA private key, 1024 bit long modulus
.............++++++
.............................................................................++++++
e is 65537 (0x10001)
Enter pass phrase for nsd-server.key:
Verifying - Enter pass phrase for nsd-server.key:
Create the certificate request for the web server:
srm-tst-nsd-130:~/CA # openssl req -new -key nsd-server.key -out nsd-server.csr
Specify pass phrase for nsd-server.key:
Specify information that will be incorporated into your certificate request. Information includes Distinguished Name or a DN and a few mandatory fields.
For a few fields there will be a default value, If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
Specify additional attributes to be sent with your certificate request.
A change password []:
An optional company name []:
Use our CA to sign the server certificate request:
srm-tst-nsd-130:~/CA # openssl x509 -req -in nsd-server.csr -out nsd-server.crt -sha1 -CA nsd-ca.crt -CAkey nsd-ca.key -CAcreateserial -days 3650
Signature ok
subject=/C=US/ST=Utah/L=provo/O=novell/OU=epm/CN=srm-tst-nsd-130.epm.blr.novell.com/emailAddress=ybellur@novell.com
Getting CA Private Key
Specify pass phrase for nsd-ca.key:
srm-tst-nsd-130:~/CA #
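As an added example that is not part of the original procedure: the server key generated above is 1024-bit RSA and the certificate is signed with -sha1, both weaker than what current browsers and TLS libraries accept by default. The function below reports those two conditions and, when given the CA file, checks that the certificate chains to it; its name, its thresholds and the RSA-only key check are assumptions of this example.

```sh
#!/bin/sh
# Added example (not vendor code): audit a certificate for weak parameters.
# Assumes RSA keys; an EC key would need a different size threshold.
# Usage: audit_cert nsd-server.crt nsd-ca.crt

# audit_cert CERT [CAFILE]
# Prints one finding per line. Returns 0 if clean, 1 on findings, 2 on error.
audit_cert() {
    cert=$1; ca=${2:-}; findings=0
    text=$(openssl x509 -in "$cert" -noout -text) || return 2

    # Matches "Public-Key: (2048 bit)" and "RSA Public-Key: (2048 bit)".
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    if [ "${bits:-0}" -lt 2048 ]; then
        echo "WEAK_KEY ${bits:-unknown} bit"; findings=1
    fi

    # First "Signature Algorithm" line, e.g. sha1WithRSAEncryption.
    sigalg=$(printf '%s\n' "$text" |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    case $sigalg in
        sha1*|md5*|*-SHA1) echo "WEAK_SIGNATURE $sigalg"; findings=1 ;;
    esac

    # Chain check against the CA certificate, only when one is supplied.
    if [ -n "$ca" ] && ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "CHAIN_INVALID"; findings=1
    fi
    return $findings
}
```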
Remove the pass phrase from the key; otherwise you must enter the pass phrase every time Apache is started. Apache gives you only a few seconds to enter the pass phrase before it terminates.
srm-tst-nsd-130:~/CA # openssl rsa -in nsd-server.key -out nsd-server-npp.key
Specify pass phrase for nsd-server.key:
writing RSA key
srm-tst-nsd-130:~/CA #
Copy the newly generated keys and certificates to the proper directories in the Apache folder /etc/apache2.
srm-tst-nsd-130:~/CA # cp nsd-server.crt /etc/apache2/ssl.crt/nsd-ssl.crt
srm-tst-nsd-130:~/CA # cp nsd-server-npp.key /etc/apache2/ssl.key/nsd-ssl.key
srm-tst-nsd-130:~/CA # cp nsd-ca.crt /etc/apache2/ssl.crt/nsd-ca.crt
Launch a text editor to create a virtual host configuration file. Alternatively, use SSH file transfer to edit the file elsewhere and copy the edited file back to the same location.
srm-tst-nsd-130:~/CA # cd /etc/apache2/vhosts.d/
srm-tst-nsd-130:/etc/apache2/vhosts.d # vi nsd-ssl-vhost.conf
Paste the following into the file
<IfDefine SSL>
<IfDefine !NOSSL>
<VirtualHost *:443>
    #Setup SSL for this virtual host
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/apache2/ssl.crt/nsd-ssl.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/nsd-ssl.key
    SSLCertificateChainFile /etc/apache2/ssl.crt/nsd-ca.crt
    SSLCACertificateFile /etc/apache2/ssl.crt/nsd-ca.crt
    SSLProtocol all -SSLv2 -SSLv3
    #Fix for IE browsers when using SSL with Apache
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    #Custom log file
    CustomLog /var/log/apache2/ssl_request_log ssl_combined
    #Apache sends incoming request to Tomcat
    JkLogFile "/var/log/tomcat6/mod_jk.log"
    JkLogLevel error
    Alias /WebObjects/LiveTime.woa/Contents/WebServerResources/ "/srv/tomcat6/webapps/LiveTime/WEB-INF/LiveTime.woa/Contents/WebServerResources/"
    JkMount /LiveTime/* ajp13
    # do not lose time with IP address lookups
    HostnameLookups Off
    # needed for named virtual hosts
    UseCanonicalName Off
    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteRule ^/$ /LiveTime/WebObjects/LiveTime.woa [R]
    </IfModule>
    <Directory />
        Options Indexes FollowSymLinks
        AllowOverride None
    </Directory>
    <FilesMatch \.(?i:gif|jpe?g|png|js)$>
        Order allow,deny
        Allow from all
    </FilesMatch>
</VirtualHost>
</IfDefine>
</IfDefine>
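In an OpenSSL cipher string, "+CLASS" only moves matching ciphers to the end of the preference list and "!CLASS" removes them permanently, so the SSLCipherSuite line above leaves export-grade and low-strength classes enabled on OpenSSL builds that still ship them. The check below is an added example, not part of the vendor configuration; its function names and its list of weak classes are assumptions of this example.

```sh
#!/bin/sh
# Added example (not vendor code). Names below are assumptions of this example.
# Model: the string starts from ALL, so a class stays enabled unless a
# "!CLASS" token kills it. "+CLASS" only reorders, so "+LOW" or "+EXP"
# neither adds nor removes anything. eNULL is left out of the list because
# ALL never includes it and "+eNULL" cannot add it.
WEAK_CLASSES="aNULL EXP LOW RC4 MD5"

# cipher_line: read a vhost config on stdin, print the first SSLCipherSuite value.
cipher_line() {
    sed -n 's/^[[:space:]]*SSLCipherSuite[[:space:]][[:space:]]*//p' | head -n 1
}

# unkilled_weak STRING: print the weak classes that no "!CLASS" token removes.
unkilled_weak() {
    result=""
    for class in $WEAK_CLASSES; do
        killed=no
        old_ifs=$IFS; IFS=:
        for tok in $1; do
            case $tok in "!$class") killed=yes ;; esac
        done
        IFS=$old_ifs
        [ "$killed" = yes ] || result="$result $class"
    done
    echo "${result# }"
}

# Constructed sample: the TLS directives from the virtual host above.
sample_vhost() {
    cat <<'EOF'
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLProtocol all -SSLv2 -SSLv3
EOF
}

# prints: aNULL EXP LOW RC4 MD5
unkilled_weak "$(sample_vhost | cipher_line)"
```

Note that "!ADH" and "!EXPORT56" each remove only a subset of aNULL and EXP, which is why both classes are still reported.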
Save the file by pressing ESC and then typing :wq
The Apache web server requires a startup flag to be passed to it to enable SSL. This flag is set in the Apache configuration file located in /etc/sysconfig.
srm-tst-nsd-130:/ # vi /etc/sysconfig/apache2
Scroll down the file to find the following line:
APACHE_SERVER_FLAGS=""
Change APACHE_SERVER_FLAGS="" to APACHE_SERVER_FLAGS="SSL"
Save the file by pressing ESC and then typing :wq
Restart the apache server:
rcapache2 restart
Launch your browser and open the Service Desk Appliance.