Product Documentation

Configuring an SSL Certificate from an External Certificate Authority

Jan 20, 2015

Before you configure an SSL certificate issued by an external Certificate Authority (CA), make sure the following files are present on the Device Manager server and readable by the Device Manager service:

  • An external SSL certificate file in .p12 format issued by a trusted CA that includes the root and intermediate certificates. The file name externalSsl.p12 is used as an example in this procedure.
  • The password for the .p12 certificate file, which must be known to the person performing the installation.
You need to configure two XML files: the pki.xml file, located in the \..\tomcat\webapps\zdm\WEB-INF\classes directory, and the server.xml file, located in the \..\tomcat\conf directory.
  1. Locate the pki.xml file in \..\tomcat\webapps\zdm\WEB-INF\classes.
  2. To configure the external SSL certificate, add an "externalSslCert" bean to the file as shown in the following example and modify the fields for your environment. The keyStorePath should reference the .p12 certificate file located on the server. The keyStorePass should contain the password for the .p12 file.

    <bean id="externalSslCert" class="com.sparus.nps.pki.def.KeyStoreParams"
        p:keyStoreType="PKCS12"
        p:keyStorePath="C:\ExternalSSL_Cert\qamdm01\externalSsl.p12"
        p:entryAlias=""
        p:keyStorePass="xxxxxxx"
        p:publiclyTrusted="true"
    />

  3. Set externalSslCert as the value of the sslCertificate property, replacing the existing bean reference with the name of the bean you specified in the preceding step.
  4. Locate the server.xml file located in the \..\tomcat\conf directory.
  5. Locate the Connector port="443" and modify the following two parameters for this connector to bind the external SSL certificate to this port. The keystoreFile should point to the .p12 certificate file located on the server. The keystorePass parameter should contain the password for the .p12 file.
    <Connector port="443" maxHttpHeaderSize="8192" maxThreads="400" minSpareThreads="5" maxSpareThreads="100" enableLookups="false" redirectPort="-1" acceptCount="100" connectionTimeout="30000" disableUploadTimeout="true" maxKeepAliveRequests="-1" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" clientAuth="want" SSLEnabled="true" keystoreFile="C:\ExternalSSL_and_Signing_Cert\ExternalSsl.p12" keystorePass="xxxxxxxx" truststoreFile="C:\Program Files (x86)\Citrix\XenMobile Device Manager\tomcat\conf\cacerts.pem.jks"
  6. Locate the Connector port="8443" as shown in the following example. The keystoreFile should point to the .p12 certificate file located on the server. The keystorePass parameter should contain the password for the .p12 file.
    <Connector port="8443" maxHttpHeaderSize="8192" maxThreads="20" minSpareThreads="5" maxSpareThreads="5" enableLookups="false" redirectPort="-1" acceptCount="100" connectionTimeout="30000" disableUploadTimeout="true" maxKeepAliveRequests="-1" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" clientAuth="false" SSLEnabled="true" keystoreFile="C:\ExternalSSL_and_Signing_Cert\ExternalSsl.p12" keystorePass="xxxxxxxx" truststoreFile="C:\Program Files (x86)\Citrix\XenMobile Device Manager\tomcat\conf\cacerts.pem.jks" truststoreType="JKS" truststorePass="notMeaningFul" keystoreType="PKCS12"
  7. Restart the Device Manager server.
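The pki.xml bean and the two server.xml connectors must all point at the same .p12 file with a real password, and Tomcat only reads a .p12 when keystoreType="PKCS12" is set. The following consistency check is an added example, not part of the Citrix documentation or product; it assumes the pki.xml attributes use the Spring p-namespace and runs over constructed sample fragments whose paths and passwords are placeholders.

```python
import xml.etree.ElementTree as ET

P_NS = "{http://www.springframework.org/schema/p}"  # Spring p-namespace assumed for pki.xml
# Values a forgotten placeholder usually looks like (constructed list; extend as needed).
PLACEHOLDER_PASSWORDS = {"", "changeit", "notMeaningFul"} | {"x" * n for n in range(4, 13)}

# Constructed sample fragments modelled on the pki.xml bean and server.xml connectors above;
# the paths and passwords are placeholders, not values from a real server.
PKI_XML = r"""<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:p="http://www.springframework.org/schema/p">
  <bean id="externalSslCert" class="com.sparus.nps.pki.def.KeyStoreParams"
        p:keyStoreType="PKCS12" p:keyStorePath="C:\ExternalSSL_Cert\qamdm01\externalSsl.p12"
        p:entryAlias="" p:keyStorePass="xxxxxxx" p:publiclyTrusted="true"/>
</beans>"""
SERVER_XML = r"""<Server><Service name="Catalina">
  <Connector port="443" scheme="https" secure="true" clientAuth="want" SSLEnabled="true"
             keystoreFile="C:\ExternalSSL_Cert\qamdm01\externalSsl.p12" keystorePass="xxxxxxxx"/>
  <Connector port="8443" scheme="https" secure="true" clientAuth="false" SSLEnabled="true"
             keystoreFile="C:\ExternalSSL_and_Signing_Cert\ExternalSsl.p12" keystorePass="Kt7#pq9L"
             keystoreType="PKCS12"/>
</Service></Server>"""

def _same_windows_path(a: str, b: str) -> bool:
    # Windows paths are case-insensitive and accept either separator.
    return a.replace("/", "\\").lower() == b.replace("/", "\\").lower()

def audit_ssl_config(pki_xml: str, server_xml: str) -> list:
    """Cross-check the externalSslCert bean against every SSL-enabled Tomcat connector.
    Returns a list of findings; an empty list means the two files are consistent."""
    findings = []
    bean = ET.fromstring(pki_xml).find(".//{*}bean[@id='externalSslCert']")
    if bean is None:
        return ["pki.xml: no bean with id='externalSslCert'"]
    pki_path = bean.get(P_NS + "keyStorePath", "")
    if bean.get(P_NS + "keyStoreType") != "PKCS12":
        findings.append("pki.xml: keyStoreType must be PKCS12 for a .p12 file")
    if bean.get(P_NS + "keyStorePass", "") in PLACEHOLDER_PASSWORDS:
        findings.append("pki.xml: keyStorePass is still a placeholder")
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled") != "true":
            continue  # plain HTTP connectors carry no keystore
        port, ks_file = conn.get("port"), conn.get("keystoreFile", "")
        if not _same_windows_path(ks_file, pki_path):
            findings.append(f"port {port}: keystoreFile differs from pki.xml keyStorePath")
        # Tomcat assumes a JKS keystore unless told otherwise, so a .p12 needs keystoreType.
        if ks_file.lower().endswith(".p12") and conn.get("keystoreType", "JKS").upper() != "PKCS12":
            findings.append(f'port {port}: .p12 keystore without keystoreType="PKCS12"')
        if conn.get("keystorePass", "") in PLACEHOLDER_PASSWORDS:
            findings.append(f"port {port}: keystorePass is still a placeholder")
    return findings

if __name__ == "__main__":
    for line in audit_ssl_config(PKI_XML, SERVER_XML) or ["OK: pki.xml and server.xml agree"]:
        print(line)
```

Run it against copies of the real files before step 7 so that a restart with a mis-bound keystore does not take port 443 down.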