- You receive the warning message Using unencrypted connection! Please configure the webserver to use HTTPS when accessing the ESET Remote Administrator Web Console (ERA Web Console) via HTTP.
For security reasons, we recommend that you set up ERA Web Console to use HTTPS.
Move the certificate .pfx file to your Tomcat install directory.
By default, this is
C:\program files(x86)\Apache Software Foundation\Tomcat X.Xon 64-bit Windows Server systems or
C:\program files\Apache Software Foundation\Tomcat X.Xon 32-bit systems.
Open the Conf folder in the Tomcat install directory and locate the Server.xml file.Edit this file using a text editor such as Notepad ++. Copy the following string into the Server.xml:
<Connector port="443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS" keystoreFile="enter_pfx_filename_here" keystorePass="enter_password_here" keystoreType="PKCS12"/>
Restart the Tomcat service.
To use a secure HTTPS/SSL connection for ERA Web Console, follow the steps below:
- Create a keystore with an SSL certificate. You must have Java JRE installed, we recommend that you use the latest version.
Java JRA includes the Java Keytool (keytool.exe), which allows you to create a certificate via command line. You must generate a new certificate for each tomcat instance (if you have multiple tomcat instances) to ensure that if one certificate is compromised, other tomcat instances will remain secure.
Below is a sample command to create a keystore with an SSL certificate.
Navigate to the exact location of the keytool.exe file, for example
C:\Program Files (x86)\Java\jre1.8.0_40\binand then run the command):
keytool.exe -genkeypair -alias "tomcat" -keyalg RSA -keysize 4096 -validity 3650 -keystore "C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\tomcat.keystore" -storepass "yourpassword" -keypass "yourpassword" -dname "CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown"
- Export the certificate from the keystore. Below is a sample command to export the certificate sign request from the keystore:
keytool.exe -certreq -alias tomcat -file "C:\Install\tomcat\tomcat.csr" -keystore "C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\tomcat.keystore" -ext san=dns:ERA6-2008R2
- Get the SSL certificate signed with the Root Certificate Authority (CA) of your choice.
You can proceed to step 5 if you plan to import a Root CA later. If you choose to proceed this way your web browser may display warnings about a self-signed certificate and you will need to add an exception to connect to ERA Web Console via HTTPS.
- Once you have received the signed certificate with the Root CA, import the public key of CA and then certificate (
tomcat.cer) into your keystore. Below is a sample command that imports a signed certificate into the keystore:
keytool.exe -import -alias tomcat -file "C:\Install\tomcat\tomcat.cer" -keystore "C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\tomcat.keystore"
If you want to use an already existing certificate (for example company certificate), follow these instructions.
- Edit the
server.xmlconfiguration file so that tag is written similar to the example below:
<Connector server="OtherWebServer" port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\tomcat.keystore" keystorePass="yourpassword" keyAlias="tomcat"/>
This modification also disables non-secure tomcat features, leaving only HTTPS enabled (
scheme= parameter). For security reasons, you may also need to edit
tomcat-users.xml to delete all tomcat users and change ServerInfo.properties to hide the identity of the tomcat.
- Restart the Apache tomcat service.