Product Documentation

To configure an OpenTrust adapter to use HTTPS by using a self-signed certificate

Dec 21, 2015

If you want the adapter to be accessible over HTTPS, you need to configure the Tomcat connector accordingly. You can configure the adapter by using a self-signed certificate: this procedure creates a private root CA, issues a server certificate signed by that CA, packages the key and certificate into a Java keystore for Tomcat, and adds the CA to the Java trust store of Device Manager. It uses the openssl command-line tool and the Java keytool utility. The 1024-bit key size in the commands below dates from 2015; current guidance is RSA 2048 bits or larger, so increase the last argument of the genrsa commands accordingly.

  1. Create a directory called certs. In that directory, create another directory called ca.
  2. Create a root CA. Adapt the subject name and the passphrase (pass:zenprise) to fit your environment. The last command writes a DER-encoded copy of the CA certificate (ca.crt), which you import into the Java trust store in step 7. In the certs directory, issue the following commands:
    openssl genrsa -aes256 -passout pass:zenprise -out ca/ca.key 1024 
     
    openssl req -new -x509 -passin pass:zenprise -key ca/ca.key -out ca/ca.pem -days 3650 -subj "/C=US/ST=CA/L=RWC/O=Zenprise/OU=Zenprise/CN=ZenTestCA/emailAddress=none@zenprise.com" 
     
    openssl x509 -inform PEM -in ca/ca.pem -outform DER -out ca.crt
  3. Create a server certificate signed by that CA. Change at least the CN to the fully qualified host name of the XenMobile OpenTrust Adapter server, because clients compare it with the host name they connect to. For example:
    openssl genrsa -aes256 -passout pass:zenprise -out server-key.pem 1024 
     
    openssl req -new -passin pass:zenprise -subj "/C=US/ST=CA/L=RWC/O=Zenprise/OU=Zenprise/CN=MyServerName.zenprise.com/emailAddress=none@zenprise.com" -key server-key.pem -out server.csr 
     
    openssl x509 -req -days 3650 -passin pass:zenprise -in server.csr -out server-crt.pem -CA ca/ca.pem -CAkey ca/ca.key -CAcreateserial -CAserial ca.srl
    The -days option belongs on the x509 -req command that signs the certificate; on req -new it has no effect, and without it x509 -req issues a certificate that is valid for only 30 days.
  4. Create a PKCS#12 file containing your key and certificate. openssl prompts for the key passphrase and for an export password; keytool asks for that export password in the next step.
    openssl pkcs12 -export -in server-crt.pem -inkey server-key.pem -out MyServerName.p12 -name server
  5. Create a Java keystore from that PKCS#12 file. Keep the store password and the key password identical, because Tomcat uses keystorePass for both unless you also set keyPass.
    keytool -importkeystore -deststorepass changeit -destkeypass changeit  -destkeystore keystore.jks -srckeystore MyServerName.p12  -srcstoretype PKCS12 -alias server
  6. Modify the Tomcat server.xml file to create the HTTPS connector. The file needs to reference the keystore created in step 5; replace the keystoreFile path and keystorePass with your own values.
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
        maxThreads="150" scheme="https" secure="true"
        clientAuth="false" sslProtocol="TLS"
        keystoreFile="C:\Zenprise\Apache Software Foundation\Tomcat 7.0\conf\keystore.jks" keystorePass="changeit"/>
  7. Import the root certificate into the Java trust store (cacerts) of Device Manager so that the server certificate is trusted. On the Device Manager server, copy ca.crt from step 2 and issue the following command; the default password of cacerts is changeit:
    keytool -import -trustcacerts -alias root -file ca.crt -keystore cacerts
    The cacerts file of the Java installation is usually located in: C:\Program Files\Java\jdk1.6.0_22\jre\lib\security. Modify the cacerts of the JRE that actually runs Device Manager (run the command from that directory or pass the full path to -keystore), and restart Device Manager so that it picks up the new trust store.