Table of Contents

Ahsay Backup SSL Notes

See also Other Ahsay pages in this wiki

Ahsay OBS comes with a 'dummy' SSL certificate that works.

Force the Web Interface to Use SSL

https://help.ahsay.com/display/2/articleDirect/index.aspx?aid=2291 

vim /opt/obs/webapps/obs/WEB-INF/web.xml

Locate [Enforce SSL] section near the bottom.

Remove the XML comment tags (“<!–” and “–>”) and save. 

vim /opt/obs/webapps/ROOT/WEB-INF/web.xml

Now add this just above the </web-app> closing tag: 

<security-constraint>
       <web-resource-collection>
           <web-resource-name>Automatic SSL Forwarding</web-resource-name>
           <url-pattern>*.html</url-pattern>
           <url-pattern>/*</url-pattern>
       </web-resource-collection>
           <user-data-constraint>
               <transport-guarantee>CONFIDENTIAL</transport-guarantee>
           </user-data-constraint>
</security-constraint>

Restart OBS: 

/etc/init.d/obsr stop

/etc/init.d/obsr start

Install Commercial SSL Certificate

List keys in keystore: 

/opt/obs/java/bin/keytool -list -keystore /opt/obs/conf/keystore

:!: Use the default password for the following: changeit

Delete the existing cert:

/opt/obs/java/bin/keytool -delete -alias tomcat -keystore /opt/obs/conf/keystore

Generate an RSA key pair:

/opt/obs/java/bin/keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore /opt/obs/conf/keystore

Press <enter> for the (default) keystore password (changeit)

Certificate request for a commercial cert: 

/opt/obs/java/bin/keytool -certreq -keyalg RSA -alias tomcat -file ssl.csr -keystore /opt/obs/conf/keystore

Import the intermediate certificate(s) first, then the primary cert:

:!: Comodo PositiveSSL Domain Validated intermediate certs shown.

:!: You don't need to import a cert if it already exists. 

/opt/obs/java/bin/keytool -import -alias intermediate -trustcacerts -file /path/to/SectigoRSADomainValidationSecureServerCA.crt -keystore /opt/obs/conf/keystore

/opt/obs/java/bin/keytool -import -alias intermediate1 -trustcacerts -file /path/to/AAACertificateServices.crt -keystore /opt/obs/conf/keystore

/opt/obs/java/bin/keytool -import -alias intermediate1 -trustcacerts -file /path/to/USERTrustRSAAAACA.crt -keystore /opt/obs/conf/keystore

/opt/obs/java/bin/keytool -import -alias tomcat -trustcacerts -file /path/to/hostname.yourdomain.com.crt -keystore /opt/obs/conf/keystore

Restart OBSR: 

service obsr stop && service obsr start

Make sure SSL port 443 is listening: 

netstat -tapn

Install a Commercial Wildcard Certificate

FIXME Unverified

These are instructions on how to import an existing wildcard certificate.

  1. Download the keystore file from your backup server
    • /opt/obs/conf/keystore
  2. Download the free KeyStore Explorer and install on your computer
  3. Open the downloaded keystore file in KeyStore Explorer
  4. Delete the tomcat entry
    • The default password is changeit
  5. Import the commercial key pair
    1. Tools → Import Key Pair
    2. Choose OpenSSL, but it could be different for your cert
    3. De-select Encrypted Private Key
    4. Select your Private Key (probably a .key file)
    5. Select your Certificate (probably a .crt file)
    6. Click Import
  6. On the next screen, change the alias to tomcat and click OK
  7. Enter changeit (twice) as the password and click OK
  8. Save the keystore file
  9. Upload it back to the original location on your Ahsay backup server
  10. Restart your Ahsay backup server