Using secure HTTP (HTTPS) improves the security of your Novell Vibe site. During installation, you can choose to configure your Vibe site for HTTP or HTTPS. After installation, you can force secure HTTP connections.
If you want users to access the Vibe site with a secure HTTP connection, you must configure Vibe with a root certificate and a server certificate. The root certificate identifies the root certificate authority (CA) for your Vibe site. The server certificate is customized for the specific server where Vibe is installed.
Vibe uses a keystore to store certificates. The default keystore file that is installed along with Vibe is:
|
Linux: |
/opt/novell/teaming/apache-tomcat/conf/.keystore |
|
Windows: |
c:\Program Files\Novell\Teaming\ apache-tomcat\conf\.keystore |
The original certificate in the default keystore is sufficient for you to set up secure HTTP connections during initial installation, but it is self-signed and has an expiration date, so you cannot use it permanently. Soon after installation, you must obtain a permanent certificate. You can use a commercially signed certificate or a self-signed certificate. There are advantages and disadvantages to each approach.
Commercially Signed Certificate: The advantage to using a certificate signed by a commercial certificate authority (CA) is that browsers automatically accept these certificates. The disadvantage is that an additional step is required, with some wait time while you obtain the commercially signed certificate.
Self-Signed Certificate: The advantage to using a self-signed certificate is that it is quick and easy for you to do as the Vibe administrator. The disadvantage is that users receive a warning in the browser about the self-signed certificate the first time they access the Vibe site using secure HTTP. Users must manually accept the self-signed certificate, then the warning never occurs again.
After you obtain your permanent certificate, you can store it in the default Vibe keystore, or in a location of your own choosing. Vibe reads the location of its keystore from the following file:
|
Linux: |
/opt/novell/teaming/apache-tomcat/conf/server.xml |
|
Windows: |
c:\Program Files\Novell\Teaming\ apache-tomcat\conf\server.xml |
If you do not want to use the default keystore location, you must update the server.xml file to match the location you choose for your keystore.
You cannot update the Vibe .keystore file that is provided during installation. Instead, you must create a new .keystore file, then import your signed certificate into it.
Create a new directory where you want to create the new .keystore file, such as a certs directory in a convenient location.
Change to the new certs directory.
Make sure that you can access the keytool tool:
For convenient use, you might need to add its location to the PATH environment variable.
Use the following command to create a new .keystore file:
keytool -genkey -alias tomcat -keyalg RSA -keystore .keystore
When prompted, specify a password for the new .keystore file, then confirm the password.
IMPORTANT:The default password used by Tomcat is changeit. If you want to specify a password other than this, then you must also specify this password in the server.xml Tomcat configuration file, as described in Changing Your Password for the Keystore File.
Do not forget the password you specify.
When you are prompted for your first and last name, specify the fully qualified DNS name of the Vibe server, such as vibe.yourcompanyname.com.
You are then prompted for additional information about your organization:
Organizational unit
Organization
City or locality
State or province
Two-letter country code
(Conditional) If you are planning to obtain a your certificate from a commercial certificate authority (CA), respond to the additional information prompts with accurate information appropriate to your organization.
or
(Conditional) If you are planning to generate a self-signed certificate, press Enter to skip through the prompts.
When you are prompted whether the information you provided is correct, enter yes.
Press Enter to use the same password that you specified in Step 5 as the key password for Tomcat.
List the files in the certs directory to see that a new .keystore file has been created.
If you want to specify a password other than changeit for your .keystore file, as described in Step 5 in Creating a New Keystore File, then you must also specify this password in the server.xml Tomcat configuration file.
Change to the following directory:
Open the server.xml file in a text editor.
Locate the keystorePass attribute, then change the value of this attribute to your new password.
Save and close the server.xml file.
Use the following command to create a Certificate Signing Request (CSR):
keytool -certreq -alias tomcat -keyalg RSA -file certreq.csr -keystore .keystore
Enter the keystore password to create the CSR.
List the files in the certs directory to see that a new certreq.csr file has been created along with the existing.keystore file.
Use the certreq.csr file to obtain a signed certificate.:
To use a commercial certificate authority (CA), continue with Submitting the Certificate Signing Request to a Certificate Authority (CA).
or
To use a self-signed certificate, skip to Using the Certificate Signing Request to Generate a Self-Signed Certificate.
You can find a commercial certificate authority (CA) on the Internet by searching for “certificate authority.” The process of obtaining a signed certificate varies from company to company. Each company provides instructions to assist you.
The certificate authority sends you a set of certificate files that you import into the Vibe keystore. Import these files into the same keystore that you used to create the original certificate request. You must import all of the files that you receive.
Change to the certs directory where you created the root certificate file and the server certificate file.
Use the following command to import the root certificate file:
keytool -import -alias root -keyalg RSA -keystore .keystore -file CertificateAuthorityCert.der
Enter the keystore password to add the root certificate to the Vibe keystore.
Use the following command to import the server certificate file:
keytool -import -alias tomcat -trustcacerts -keyalg RSA -keystore .keystore -file CertificateAuthorityCert.der
Enter the keystore password to add the server certificate to the Vibe keystore.
If you do not want to wait to receive your signed certificate from a commercial certificate authority (CA), you can generate your own self-signed certificate using ConsoleOne or iManager. You must generate both a self-signed eDirectory root certificate file and a server certificate file.
NOTE:For iManager instructions, see TID 7001857: Adding SSL Certificates to Teaming for HTTPS
in the Novell Support Knowledgebase. If you are using Active Directory rather than eDirectory, consult your Active Directory documentation for a procedure comparable to the one provided in Using the Certificate Signing Request to Generate a Self-Signed Certificate.
A root certificate identifies the root certificate authority (CA) for your Vibe site. In this case, eDirectory is acting as the root certificate authority.
On Linux or Windows, start ConsoleOne and authenticate to your eDirectory tree.
Expand the Security container, right-click the Tree_Name CA object, then click .
Click .
Click to update the certificate status, then click to close the Certificate Validation dialog box.
Click to export your eDirectory root certificate into a file that can be imported into the Vibe keystore file.
Click to accept the default of No for exporting a private key file along with the root certificate.
Select the output format for the root certificate file.
Either DER or Base64 format can be imported into the Vibe keystore file.
In the field, specify the location (the certs directory where you created the Certificate Signing Request) and the filename to use, such as SelfSignedRootCert.der.
Click to display a summary of the options you have selected, then click to generate the root certificate file.
Click to close the Self Signed Certificate properties page of the Tree_Name CA object.
Continue with Generating a Self-Signed Server Certificate File in ConsoleOne
A server certificate is customized for the specific server where Vibe is installed.
Click .
Browse to and select the certreq.csr file that you created in the certs directory, then click .
This retrieves the contents of the CSR file into the CSR window.
Click to accept the default of using an organization certificate authority.
Select as the type of server certificate that you need, then click .
Select the validity period you want for the server certificate, then click .
Review the information that you have provided, then click .
Select the output format for the server certificate file.
Either DER or Base64 format can be imported into the Vibe keystore file.
In the field, specify the location (the certs directory where you created the Certificate Signing Request) and the filename to use, such as SelfSignedServerCert.der.
Click to create the public-key certificate file.
Exit ConsoleOne.
After you have obtained or generated a signed certificate, you must import the certificate files into the Vibe keystore. This section describes how to import the files associated with a self-signed certificate. For information about how to import the files for a certificate that you receive from a certificate authority, see Submitting the Certificate Signing Request to a Certificate Authority (CA).
Change to the certs directory where you created the root certificate file and the server certificate file.
Use the following command to import the root certificate file:
keytool -import -alias root -keyalg RSA -keystore .keystore -file SelfSignedRootCert.der
Enter the keystore password to add the root certificate to the Vibe keystore.
Use the following command to import the server certificate file:
keytool -import -alias tomcat -keyalg RSA -keystore .keystore -file SelfSignedServerCert.der
Enter the keystore password to add the server certificate to the Vibe keystore.
The new .keystore file is now ready for permanent use in your Vibe system.
Change to the following directory on the Vibe server:
Rename the existing .keystore file to keystorebackup.
Copy your new .keystore from the certs directory to the conf directory.
Adjust the ownership and permissions of the new .keystore file to match those of the backed-up keystore file.
Restart Vibe so that Vibe rereads the updated keystore file.
When you run the Vibe installation program, you can choose between non-secure and secure HTTP connections, as described in HTTP/HTTPS Ports
in Basic Installation
in the Kablink Vibe OnPrem 3 Installation Guide.
With additional configuration, you can force users from a non-secure HTTP connection to a secure HTTPS connection.
With Novell Vibe, you can use Novell Access Manager to force secure HTTP connections. For more information, see Configuring Single Sign-On with Novell Access Manager
in Advanced Installation and Reconfiguration
in the Kablink Vibe OnPrem 3 Installation Guide.
To reconfigure Tomcat, you must update two configuration files (both named web.xml) under two different directories (ssf and ssfs). The ssf directory name refers to SiteScape Forum, a legacy product name. The ssf directory contains the main Vibe Web application that you use when you interact with your browser. The ssfs directory name refers to SiteScape File System. The ssfs directory contains the Vibe WebDAV application that you use to access files on a remote WebDAV server from the Vibe site.
Log in to the Vibe server with sufficient rights to edit the web.xml files (root on Linux, Administrator on Windows).
Modify the web.xml file under the ssf directory:
Change to the directory where the web.xml file is located.
Make a backup copy of the web.xml file, then open the web.xml file in a text editor.
Add the following security constraint at the bottom of the file, immediately above the </web-app> tag.
<security-constraint> <web-resource-collection> <web-resource-name>Entire Application</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint>
(Conditional) If users access the Vibe site with Internet Explorer, replace the following single line provided above:
<url-pattern>/*</url-pattern>
with the following set of lines:
<!-- Patterns from web.xml.tmpl. --> <url-pattern>/a/*</url-pattern> <url-pattern>/ws/*</url-pattern> <url-pattern>/rss/*</url-pattern> <url-pattern>/atom/*</url-pattern> <!-- Patterns from subdirectories of webapps/ssf. --> <url-pattern>/applets/*</url-pattern> <url-pattern>/css/*</url-pattern> <url-pattern>/help/*</url-pattern> <url-pattern>/help_doc/*</url-pattern> <url-pattern>/i/*</url-pattern> <url-pattern>/images/*</url-pattern> <url-pattern>/js/*</url-pattern>
For Internet Explorer, this list of URL patterns forces secure HTTP connections for everything except the /s/* pattern (document files with extensions such as .odt and .doc) and the /ical/* pattern (calendar .ics files).
Save the modified web.xml file, then exit the text editor.
Modify the web.xml file under the ssfs directory:
Change to the directory where the web.xml file is located.
Make a backup copy of the web.xml file, then open the web.xml file in a text editor.
Add the following security constraint at the bottom of the file, immediately above the </web-app> tag.
<security-constraint> <web-resource-collection> <web-resource-name>Entire Application</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint>
Save the modified web.xml file, then exit the text editor.
You can set up the Apache Web server to front your Vibe site and use a meta refresh to redirect users to a secure URL.
Install the Apache Web server on one server.
Configure Apache to listen on port 80.
Create an index.html file similar to the following example:
<html>
<head>
<meta http-equiv="refresh" content="0;url=https://vibe_url" />
<title>Redirected to Secure Vibe</title>
</head>
<body>
This page is used to redirect to the Secure Vibe server. If your
browser does not automatically redirect you in a few seconds, click
<a href="https://vibe_url">here</a> to go to the secure page.
</body>
</html>
Replace vibe_url with the URL to your Vibe site.
Place the index.html file in the document root directory of the Apache Web server.
Restart the Apache Web server.
Vibe includes URLs to Vibe site locations in e-mail messages and notifications. By default, the URLs are formed with http rather than https. You can reconfigure Vibe to default to https for Vibe site URLs.
Log in to the Vibe server with sufficient rights to edit the ssf-ext.properties file (root on Linux, Administrator on Windows).
Change to the following directory:
Make a backup copy of the ssf-ext.properties file.
Open the ssf-ext.properties file in a text editor.
Locate the following lines:
adapter.web.protocol=context-http servlet.web.protocol=context-http rss.web.protocol=context-http ical.web.protocol=context-http ssfs.web.protocol=context-http simpleurl.web.protocol=context-http
Change http to https.
adapter.web.protocol=context-https servlet.web.protocol=context-https rss.web.protocol=context-https ical.web.protocol=context-https ssfs.web.protocol=context-https simpleurl.web.protocol=context-https
Save the ssf-ext.properties file, then exit the text editor
Restart Vibe to put the change into effect.