Security
This section explains how to configure Clip to use HTTPS, how to configure Clip with a trusted certificate and how to use an OBM (OMi) self-signed certificate with Clip.
Clip HTTPS Port
Clip is configured to listen on port 9443 for HTTPS connections by default. This is set in Tomcat's server.xml file ([ClipHome]\apache-tomcat\conf\server.xml). The following screenshot shows the HTTPS connector. The keystore "AppLink.jks" is defined there and contains a self-signed certificate (keyAlias "tomcat") that can be used out of the box; because it is self-signed, browsers will show a certificate warning until it is replaced by a trusted certificate as described below.
Server Certificate Installation
To configure Clip with a Trusted Certificate from a Certification Authority, you need to import your own custom certificate:
- Open a command window (Windows: "CMD", Linux: shell) and change the current directory to [ClipHome]\apache-tomcat.
- To generate the new key pair on which the CSR will be based, run "keytool" and provide the required information:
keytool -genkey -alias YourAlias -keyalg RSA -keysize 2048 -keystore AppLink.jks
- In the first field (What is your first and last name?) enter the external name of your CLIP instance, for example "clip.yourdomain.com". If you plan to use a wildcard certificate, enter "*.yourdomain.com" in the first field instead.
- After you have supplied all information, answer "yes" at the "[no]" confirmation prompt and enter the password "need2know" (you can change it to a different one, but this also requires a change in the file server.xml).
Next, use keytool to create the actual Certificate Signing Request. Again, 'yourdomain' is the name of the domain you are securing (without the * character if you are ordering a wildcard certificate):
keytool -certreq -alias YourAlias -keyalg RSA -file yourdomain.csr -keystore AppLink.jks
- Enter the keystore password.
- The SSL certificate CSR file is then created. Open the CSR in a text editor and copy and paste the text (including the BEGIN and END lines) into the certificate provider's web order form (DigiCert, Symantec, GeoTrust, Thawte, etc.).
Download your SSL certificate bundle file (your_domain_name.p7b) from your certificate provider account to the same folder where your keystore is. The single .p7b file contains all of the certificates your keystore needs.
The certificate must be installed into the same keystore that was used to generate your CSR, since that keystore holds the matching private key. You will get an error if you try to install it into a different keystore.
To install the certificate file, run the "keytool" command again, provide the keystore password and confirm:
keytool -import -trustcacerts -alias YourAlias -keystore AppLink.jks -file Certificate_name.p7b
- If the certificate is installed correctly, keytool reports "Certificate reply was installed in keystore".
- If keytool asks whether you want to trust the certificate, answer y or yes.
- Configure the keyAlias, i.e. YourAlias, in the <Connector> element ([ClipHome]\apache-tomcat-?.?.??\conf\server.xml).
- Provide the keystore password and confirm.
- Stop and start the CLIP service. If everything was done correctly, your CLIP instance uses the new certificate and the browser shows no certificate warnings or errors.
Trusted Certificates Installation
If a connected system uses a self-signed certificate, Clip does not trust this certificate when establishing a connection by default. The certificate therefore has to be added to the Clip JVM truststore, which makes it trusted for every outbound connection the Clip JVM makes. To do so, run the "keytool" command:
CLIP_HOME\jre\bin\keytool -import -alias myOMiCertificate -file omiCertificate.cer -keystore "CLIP_HOME\jre\lib\security\cacerts"
The default password is "changeit". If the certificate is exported from a web browser, choose the certificate format X.509 (PEM).
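As an added check that is not part of the original documentation: the script below reads a JKS keystore such as AppLink.jks without its password and reports, per alias, whether it is a PrivateKeyEntry or trustedCertEntry and how long its certificate chain is, so you can confirm that the CA reply replaced the self-signed chain of length 1 under YourAlias (server_cert_installed()) and that myOMiCertificate landed in cacerts. It assumes the keystore is in the JKS format keytool writes for a .jks file on Java 8 (a PKCS12 keystore is rejected), and build_sample_jks() constructs a placeholder keystore so the script runs offline.

```python
import struct

JKS_MAGIC = 0xFEEDFEED  # JCEKS (0xCECECECE) and PKCS12 (ASN.1) keystores are rejected below

def _field(buf, off, fmt):  # length-prefixed field: ">H" for writeUTF strings, ">I" for byte blobs
    n = struct.unpack_from(fmt, buf, off)[0]
    off += struct.calcsize(fmt)
    return buf[off:off + n], off + n

def list_jks_entries(data):
    """Map alias -> (entry kind, chain length). JKS keeps the entry layout in the clear; only the key bytes and the trailing SHA-1 digest depend on the password."""
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != JKS_MAGIC or version != 2:
        raise ValueError("not a JKS v2 keystore")
    off, entries = 12, {}
    for _ in range(count):
        tag = struct.unpack_from(">I", data, off)[0]
        alias, off = _field(data, off + 4, ">H")
        off += 8  # creation timestamp (ms since epoch), unused here
        if tag == 1:  # PrivateKeyEntry: encrypted key, then the certificate chain
            _key, off = _field(data, off, ">I")
            chain_len = struct.unpack_from(">I", data, off)[0]
            off += 4
            for _ in range(chain_len):
                _ctype, off = _field(data, off, ">H")
                _der, off = _field(data, off, ">I")
            entries[alias.decode()] = ("PrivateKeyEntry", chain_len)
        elif tag == 2:  # trustedCertEntry: one certificate, e.g. myOMiCertificate in cacerts
            _ctype, off = _field(data, off, ">H")
            _der, off = _field(data, off, ">I")
            entries[alias.decode()] = ("trustedCertEntry", 1)
        else:
            raise ValueError(f"unknown JKS entry tag {tag}")
    return entries

def server_cert_installed(data, alias):
    """After -genkey the alias holds a self-signed chain of length 1; a successful CA reply import replaces it with the server certificate plus its issuer(s)."""
    kind, chain_len = list_jks_entries(data).get(alias, (None, 0))
    return kind == "PrivateKeyEntry" and chain_len >= 2

def build_sample_jks(alias, chain_len):
    """Constructed JKS image for offline testing: placeholder DER bytes, integrity digest zeroed."""
    utf = lambda s: struct.pack(">H", len(s)) + s.encode()
    blob = lambda b: struct.pack(">I", len(b)) + b
    out = struct.pack(">IIII", JKS_MAGIC, 2, 2, 1) + utf(alias) + bytes(8) + blob(b"ENC-KEY")
    out += struct.pack(">I", chain_len)
    out += b"".join(utf("X.509") + blob(b"DER-%d" % i) for i in range(chain_len))
    out += struct.pack(">I", 2) + utf("myOMiCertificate") + bytes(8) + utf("X.509") + blob(b"DER-OMI")
    return out + bytes(20)  # real files end with SHA-1(password UTF-16BE + "Mighty Aphrodite" + data)
```

On a real installation call list_jks_entries(open(r"[ClipHome]\apache-tomcat\AppLink.jks", "rb").read()) and server_cert_installed(..., "YourAlias"); the same listing on CLIP_HOME\jre\lib\security\cacerts shows the imported myOMiCertificate entry.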