====== Ahsay Backup SSL Notes ======

See also **[[https://www.sonoracomm.com/wiki/doku.php?do=search&id=ahsay|Other Ahsay pages in this wiki]]**

Ahsay OBS comes with a 'dummy' SSL certificate that works.

===== Force the Web Interface to Use SSL =====

https://help.ahsay.com/display/2/articleDirect/index.aspx?aid=2291

  vim /opt/obs/webapps/obs/WEB-INF/web.xml

Locate the ''[Enforce SSL]'' section near the bottom. Remove the XML comment tags ("<!--" and "-->") and save.

  vim /opt/obs/webapps/ROOT/WEB-INF/web.xml

Now add this just above the ''</web-app>'' closing tag:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Automatic SSL Forwarding</web-resource-name>
      <url-pattern>*.html</url-pattern>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

Restart OBS:

  /etc/init.d/obsr stop
  /etc/init.d/obsr start

===== Install Commercial SSL Certificate =====

List keys in keystore:

  /opt/obs/java/bin/keytool -list -keystore /opt/obs/conf/keystore

:!: Use the default password for the following: ''changeit''

Delete the existing cert:

  /opt/obs/java/bin/keytool -delete -alias tomcat -keystore /opt/obs/conf/keystore

Generate an RSA key pair:

  /opt/obs/java/bin/keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore /opt/obs/conf/keystore

Press Enter for the (default) keystore password (''changeit'').

Certificate request for a commercial cert:

  /opt/obs/java/bin/keytool -certreq -keyalg RSA -alias tomcat -file ssl.csr -keystore /opt/obs/conf/keystore

Import the intermediate certificate(s) first, then the primary cert:

:!: Comodo PositiveSSL Domain Validated intermediate certs shown.

:!: You don't need to import a cert if it already exists.

  /opt/obs/java/bin/keytool -import -alias intermediate -trustcacerts -file /path/to/SectigoRSADomainValidationSecureServerCA.crt -keystore /opt/obs/conf/keystore
  /opt/obs/java/bin/keytool -import -alias intermediate1 -trustcacerts -file /path/to/AAACertificateServices.crt -keystore /opt/obs/conf/keystore
  /opt/obs/java/bin/keytool -import -alias intermediate2 -trustcacerts -file /path/to/USERTrustRSAAAACA.crt -keystore /opt/obs/conf/keystore
  /opt/obs/java/bin/keytool -import -alias tomcat -trustcacerts -file /path/to/hostname.yourdomain.com.crt -keystore /opt/obs/conf/keystore

Restart OBSR:

  service obsr stop && service obsr start

Make sure SSL port 443 is listening:

  netstat -tapn

===== Install a Commercial Wildcard Certificate =====

FIXME Unverified

These are instructions on how to import an existing wildcard certificate.

  - Download the keystore file from your backup server
    * /opt/obs/conf/keystore
  - Download the free KeyStore Explorer and install it on your computer
    * Linux, Mac or Windows
    * Requires Sun Java
    * https://keystore-explorer.org
  - Open the downloaded keystore file in KeyStore Explorer
  - Delete the ''tomcat'' entry
    * The default password is ''changeit''
  - Import the commercial key pair
    - **Tools -> Import Key Pair**
    - Choose OpenSSL, but it could be different for your cert
    - De-select ''Encrypted Private Key''
    - Select your Private Key (probably a ''.key'' file)
    - Select your Certificate (probably a ''.crt'' file)
    - Click Import
    - On the next screen, change the alias to ''tomcat'' and click OK
    - Enter ''changeit'' (twice) as the password and click OK
  - Save the keystore file
  - Upload it back to the original location on your Ahsay backup server
  - Restart your Ahsay backup server
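
A pre-import check for the wildcard procedure above, added here as an example and not part of the original notes or of Ahsay's tooling: it confirms with ''openssl'' that the private key and certificate belong together, that the certificate covers the backup server's host name, and that it has not expired. The function names, file names and host name are assumptions, and the key is assumed to be an unencrypted PEM file.

```sh
#!/bin/sh
# Added example: pre-import checks for the key pair that will become the
# "tomcat" entry. File names and the host name are placeholders.

# Succeeds when the private key and the certificate carry the same public key.
# Returns 2 if either file cannot be parsed (e.g. the key is still encrypted).
key_matches_cert() {
  kmc_key=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 2
  kmc_crt=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
  [ -n "$kmc_key" ] && [ "$kmc_key" = "$kmc_crt" ]
}

# Succeeds when the certificate (wildcard or not) is valid for the host name.
# A wildcard such as *.example.test covers exactly one label.
cert_covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
    grep -q "does match certificate"
}

# Succeeds when the certificate's notAfter date has not passed yet.
cert_not_expired() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Run all three checks; prints the first failure and returns non-zero.
check_pair() {
  key_matches_cert "$1" "$2" || { echo "FAIL: key does not match certificate"; return 1; }
  cert_covers_host "$2" "$3" || { echo "FAIL: certificate does not cover $3"; return 1; }
  cert_not_expired "$2" || { echo "FAIL: certificate has expired"; return 1; }
  echo "OK: $2 matches $1 and covers $3"
}

# Usage: sh check_pair.sh wildcard.key wildcard.crt backup.yourdomain.com
if [ "$#" -eq 3 ]; then
  check_pair "$1" "$2" "$3"
fi
```

Run it on the workstation before opening KeyStore Explorer; a mismatched pair would otherwise only show up after the keystore is uploaded and the server restarted.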