Describes how to support secure connections.
You must replace the certificate used for HTTPS and client authentication with a CA-signed certificate. To confirm that it has been replaced, check that the certificate in the "keystore" directory is a CA-signed certificate.
Certificate Storage Directory
If you specify Use HTTPS or Use HTTPS Client Authentication during setup, a new subdirectory "keystore" for storing certificates is added to the WebAdmin Tomcat installation directory.
Tomcat installation directory (/opt/fsepv<x>webadmin/tomcat/)
├── bin
├── Building.txt
├── conf
├── CONTRIBUTING.md
├── keystore
│   ├── keystore.p12 → For HTTPS
│   ├── clientbrowser.p12 → For client authentication
│   ├── clientkeystore.p12 → For client authentication
│   ├── truststore.p12 → For client authentication
│   ├── clientkeystore.conf → For client authentication
├── …
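One way to carry out the check from the introduction on a file such as keystore.p12, as an added example that is not part of the original page or of WebAdmin: the script reads the leaf certificate from a PKCS#12 store with the openssl command line and reports it as self-signed when subject and issuer match. The function names and the P12_PASS environment variable are assumptions of this example. Matching subject and issuer is a heuristic, so a certificate that passes should still be verified against the issuing CA's chain.

```shell
#!/bin/sh
# Added example (not WebAdmin code). Function names and P12_PASS are assumptions.
# Usage: export P12_PASS (the store password), then: check_p12 <file>.p12

# Print "subject=..." and "issuer=..." for the leaf certificate in a PKCS#12 file.
# The store password is read from the P12_PASS environment variable so that it
# does not appear on the command line or in the process list.
p12_subject_issuer() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:P12_PASS 2>/dev/null |
        openssl x509 -noout -subject -issuer -nameopt RFC2253 2>/dev/null
}

# Read subject=/issuer= lines on stdin and print a verdict.
# Returns 0 if issued by another entity, 1 if self-signed, 2 if nothing readable.
classify_cert() {
    subject=
    issuer=
    while IFS= read -r line; do
        case $line in
            subject=*) subject=${line#subject=} ;;
            issuer=*)  issuer=${line#issuer=} ;;
        esac
    done
    if [ -z "$subject" ] || [ -z "$issuer" ]; then
        echo "UNREADABLE: no certificate read (wrong password or empty store?)"
        return 2
    fi
    if [ "$subject" = "$issuer" ]; then
        echo "SELF-SIGNED: $subject"
        return 1
    fi
    echo "ISSUED BY: $issuer"
    return 0
}

# Full check for one store: extract the names, then classify them.
check_p12() {
    p12_subject_issuer "$1" | classify_cert
}
```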
Certificate Configuration
To configure a certificate:
Certificate | Summary |
---|---|
keystore.p12 | One server certificate for HTTPS. |
clientbrowser.p12 | One client certificate used to authenticate the browser to the server. |
clientkeystore.p12 | One client certificate for server-to-server authentication. Used internally by WebAdmin. |
truststore.p12 | Imported public keys for all client certificates. |
Place the keystore.p12, truststore.p12 and clientkeystore.p12 files in the "keystore" directory.
Import clientbrowser.p12 into your browser.
If you use multiple clients (browsers), import the certificate into each browser.
Import the public key corresponding to the private key in clientkeystore.p12 into truststore.p12 on the other server you want to connect to.
keystore.p12 and truststore.p12
Populate server.xml with the information from keystore.p12 and truststore.p12.
The server.xml file is located under /opt/fsepv<x>webadmin/tomcat/conf.
Set the keystorePass and keyAlias attributes to the password and alias for keystore.p12.
server.xml (/opt/fsepv<x>webadmin/tomcat/conf)
<Connector port="27515"
           sslProtocol="TLS"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           clientAuth="false"
           keystoreType="PKCS12"
           keystoreFile="/opt/fsepv<x>webadmin/tomcat/keystore/keystore.p12"
           keystorePass="password"
           keyAlias="alias" />
Set the keystorePass and keyAlias attributes to the password and alias for keystore.p12.
Set the truststorePass attribute to the password for truststore.p12.
server.xml (/opt/fsepv<x>webadmin/tomcat/conf)
<Connector port="27515"
           sslProtocol="TLS"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           clientAuth="true"
           keystoreType="PKCS12"
           keystoreFile="/opt/fsepv<x>webadmin/tomcat/keystore/keystore.p12"
           keystorePass="password"
           keyAlias="alias"
           truststoreType="PKCS12"
           truststoreFile="/opt/fsepv<x>webadmin/tomcat/keystore/truststore.p12"
           truststorePass="password" />
clientkeystore.p12
Populate clientkeystore.conf with the information from clientkeystore.p12.
The clientkeystore.conf file is generated by WebAdmin, and its filename cannot be modified.
This file sets the client certificate information for server authentication.
Set the password for the private key imported into clientkeystore.p12 and the password and alias for clientkeystore.p12.
clientkeystore.conf (/opt/fsepv<x>webadmin/tomcat/keystore/)
clientkeystore.key.pass=password
clientkeystore.store.pass=password
clientkeystore.alias=alias
Back up the certificates and server.xml file.
Point
When you uninstall WebAdmin, all certificates in the keystore directory are deleted. Also, when you reinstall WebAdmin, the server.xml file is overwritten with the default settings. Back up your data in case of incorrect operation.
Stop WebAdmin and start it again.
Refer to "B.1.4 Stopping the Web Server Feature of WebAdmin" and "B.1.3 Starting the Web Server Feature of WebAdmin" for detailed instructions.
Point
If certificate or connection failures occur, refer to the Tomcat log directory (/opt/fsepv<x>webadmin/tomcat/logs/) for detailed error messages.