Securing QueueMetrics (Tomcat) With A SSL Certificate

Introduction

These instructions should hopefully help you with implementing on your QueueMetrics installation which runs on Tomcat 6 as of this post. A CSR will be generated on the server and processed by an internal Microsoft certificate authority. This document will also describe how to redirect HTTP traffic to HTTPS to ensure encryption. Digicert was also used for reference.

Instructions

SSH into the server and change directories to where the keystore utility resides:

cd /usr/local/queuemetrics/jdk1.6.0_22/bin/

Generate an empty Java keystore:

./keytool -genkey -alias foo -keystore keystore.jks
./keytool -delete -alias foo -keystore keystore.jks

Generate a Java keystore and key pair:

./keytool -genkey -alias queuemetrics.domain.net -keyalg RSA -keystore keystore.jks -keysize 2048

Generate a certificate signing request (CSR) for an existing Java keystore:

/usr/local/queuemetrics/jdk1.6.0_22/bin/keytool -certreq -alias queuemetrics.domain.com -keystore keystore.jks -file queuemetrics.domain.com.csr

Copy the CSR:

cat queuemetrics.domain.net.csr

Go to https://ca.domain.com/certsrv/ and request certificate then select advanced certificate and paste in the CSR. This process will be the same but have a different interface when using another CA.

Download the certificate (not certificate chain) with DER encoding as well as the CA root certificate as both will be needed.

tomcat ssl

Upload the certificates to the server and move the files to /usr/local/queuemetrics/jdk1.6.0_22/bin/

Install the CA root certificate:

keytool -import -trustcacerts -alias root \
        -file ca_root.cer -keystore keystore.jks

Install the site certificate:

/usr/local/queuemetrics/jdk1.6.0_22/bin/keytool -import -trustcacerts \
   -alias server -file queuemetrics_domain_net.cer \
   -keystore queuemetrics.domain.net.jks

Edit the Tomcat configuration file and enter the path to the certificate in the keystoreFile section, enter the keystore password in the keepass section, SSLEnabled should be set to true, and the port should be set to 443 as that is the default port for HTTPS.

nano /usr/local/queuemetrics/tomcat/conf/server.xml
<Connector port="443" maxHttpHeaderSize="8192" maxThreads="150"
minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
disableUploadTimeout="true" acceptCount="100"
secure="true" SSLEnabled="true" clientAuth="false"
sslProtocol="TLS" keyAlias="server"
keystoreFile="/usr/local/queuemetrics/jdk1.6.0_22/bin/certificates queuemetrics_domain_net.jks"
scheme="https" keypass="secret" />
This link will show you how to also have HTTP requests redirect to HTTPS.

Restart QueueMetrics:

service queuemetrics restart

Once this is done you should be able to access your QueueMetrics (or other Tomcat based website/application) by going to https://queuemetrics.domain.com and assuming you have the CA installed on your system as well will not be told that the certificate is invalid.

Removing obsolete Diffie-Hellman ciphers

On modern browsers, the default Tomcat SSL configuration will show an error like "Server has a weak, ephemeral Diffie-Hellman public key". In order to overcome this error, you have to disable the weak Diffle-Hellman ciphers in your server.xml file.

This is how the Connector stanza should look like:

<Connector port="8443"
maxHttpHeaderSize="8192"
maxThreads="150"
minSpareThreads="25"
maxSpareThreads="75"
enableLookups="false"
disableUploadTimeout="true"
acceptCount="100"
secure="true"
SSLEnabled="true"
clientAuth="false"
keyAlias="<yourdomain.com>"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
sslProtocol="TLS"
keystoreFile="<your keystorefile>"
scheme="https"
keypass="<your keystore password>" />

Thanks to Julian Franke for the suggestion.