Cloud Data Manager

Secure web communication

The default Model9 installation provides a self-signed web certificate. This certificate is used to encrypt the HTTPS traffic between your browser and the Model9 management server. Because it is self-signed, browsers cannot verify it against a trusted CA and display a security warning on every connection.

It is strongly recommended to generate a site-defined certificate to accommodate production-level workloads. Contact your security administrator if you wish to generate such a certificate.

Alternatively, you can generate your own self-signed certificate, export its public part and trust it on your workstations, so that browsers stop showing security warnings. Use the following steps:

  1. Verify that the server has a valid hostname by issuing:

    hostname -s
  2. Generate the self-signed key pair and certificate with the commands below, substituting the following parameters:

    Parameter        Description
    <password>       The keystore password
    <server_dns>     The server DNS name (optional)
    <server_ip>      The server IP address
    <BackupServer>   The certificate common name (CN); edit according to site standards

    cd $MODEL9_HOME/keys
    keytool -genkey -alias tomcat -keystore $(hostname -s)_web_self_signed_keystore.p12 -storetype pkcs12 -storepass <password> -keyalg RSA -ext SAN=dns:<server_dns>,ip:<server_ip> -dname "cn=<BackupServer>, ou=Java, o=Model9, c=IL" -validity 3650
    chown root:root $(hostname -s)_web_self_signed_keystore.p12
    chmod 600 $(hostname -s)_web_self_signed_keystore.p12
    keytool -exportcert -alias tomcat -keystore $(hostname -s)_web_self_signed_keystore.p12 -storetype pkcs12 -storepass <password> -file $(hostname -s)_web_self_signed.cer

    Note

    When not specifying <server_dns>, remove the dns: part of the SAN so the option reads -ext SAN=ip:<server_ip>. Always keep the ip: entry: a client that connects by IP address accepts the certificate only if the address is present as a SAN entry (see the note on server identity at the end of this section). The keystore is created as root:root with mode 600, so the account that runs the Model9 server must be root or must be made the owner of the file.

  3. Add the exported certificate (.cer file) to your local workstation trusted CA according to site standards and security policies.

  4. If a site certificate or a new self-signed certificate was created, open the HTTPS connector configuration file of the server for editing:

    vi $MODEL9_HOME/conf/connectorHttpsModel9.xml
  5. Update the keystoreFile, keystorePass and keyAlias settings (and keyPass, if the security administrator supplied a keystore whose key password differs from the store password) to match the keystore you created or received, as shown in the following example. The keystoreFile path must point at the file actually generated in step 2, including the $(hostname -s)_ prefix, and keystorePass must be the <password> given to keytool; replace the placeholder value changeit. A PKCS12 keystore generated by keytool uses the same password for the store and the key, so keyPass is not needed for it.

    <Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
         maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
         keystoreFile="/model9/keys/web_self_signed_keystore.p12"
         keystoreType="PKCS12" keystorePass="changeit" keyAlias="tomcat"
         clientAuth="false" sslProtocol="TLS" />

    Java strictly follows the HTTPS specification for server identity (RFC 2818, Section 3.1), including IP address verification. When the client connects using a host name, Java can fall back to the Common Name in the Subject DN of the server certificate if no Subject Alternative Name is present. However, when the client connects using an IP address, the certificate must contain a Subject Alternative Name entry of type IP address (not a DNS name) for that address. Current browsers no longer fall back to the Common Name at all, so include the DNS name in the SAN whenever users open the management server by name. The attribute sslProtocol="TLS" lets the JVM negotiate any TLS version it has enabled; to restrict the connector to current versions, add the Tomcat attribute sslEnabledProtocols="TLSv1.2,TLSv1.3" (omit TLSv1.3 on JVMs that do not support it).
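The following script is an added example that walks through the procedure above end to end; it is not part of the Model9 product or its documentation. It builds the same kind of PKCS12 keystore (key alias tomcat, CN/OU/O/C as in the keytool -dname, 10-year validity) with openssl instead of keytool, which is an assumption of this example, and then checks the exported .cer for the SAN entries Java's hostname verifier needs, including the case where <server_dns> is omitted and the case where a client connects by an address that is not in the certificate. The host name, IP addresses and password are constructed values.

```shell
#!/bin/sh
# Added example (not Model9's own tooling): produce the self-signed PKCS12
# keystore for the Model9 web connector with openssl instead of keytool, and
# verify the certificate carries the SAN entries Java requires.
# Assumptions: openssl 1.1.1 or later is on PATH; all names/addresses below
# are placeholders chosen for this example.
set -e

# build_san DNS IP
# Assemble the subjectAltName value. The DNS name is optional (the procedure
# says to drop the dns: part when no name is given); the IP entry is always
# present, because a client connecting by IP is satisfied only by an IP SAN.
build_san() {
    if [ -n "$1" ]; then
        printf 'DNS:%s,IP:%s' "$1" "$2"
    else
        printf 'IP:%s' "$2"
    fi
}

# gen_keystore DIR CN DNS IP PASSWORD
# Writes DIR/<host>_web_self_signed_keystore.p12 (alias "tomcat", RSA 2048,
# 3650-day validity) and DIR/<host>_web_self_signed.cer for workstation trust
# stores, then prints the keystore path.
gen_keystore() {
    dir=$1; cn=$2; dns=$3; ip=$4; pass=$5
    host=$(hostname -s 2>/dev/null || echo model9)
    base="$dir/${host}_web_self_signed"
    openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes \
        -subj "/CN=$cn/OU=Java/O=Model9/C=IL" \
        -addext "subjectAltName=$(build_san "$dns" "$ip")" \
        -keyout "$base.key" -out "$base.cer" 2>/dev/null
    openssl pkcs12 -export -name tomcat -inkey "$base.key" -in "$base.cer" \
        -out "${base}_keystore.p12" -passout "pass:$pass"
    rm -f "$base.key"                 # private key now lives only in the keystore
    chmod 600 "${base}_keystore.p12"  # same permissions the procedure sets
    printf '%s\n' "${base}_keystore.p12"
}

# san_has_ip CER IP / san_has_dns CER NAME
# Succeed only when the SAN extension carries the entry, matched exactly
# (10.0.0.5 must not be accepted because 10.0.0.50 happens to be present).
san_has_ip() {
    re=$(printf '%s' "$2" | sed 's/\./\\./g')
    openssl x509 -in "$1" -noout -text | grep -Eq "IP Address:$re(,|\$)"
}
san_has_dns() {
    re=$(printf '%s' "$2" | sed 's/\./\\./g')
    openssl x509 -in "$1" -noout -text | grep -Eq "DNS:$re(,|\$)"
}

# keystore_cn P12 PASSWORD
# Print the CN of the certificate in the store; this proves the store opens
# with the password that will go into keystorePass in connectorHttpsModel9.xml.
keystore_cn() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Run the procedure once with constructed values and report what a client
# connecting by name or by IP would find in the certificate.
main() {
    dir=$(mktemp -d)
    p12=$(gen_keystore "$dir" BackupServer backup.example.com 10.0.0.5 changeit)
    cer="${p12%_keystore.p12}.cer"
    echo "keystore: $p12 (CN=$(keystore_cn "$p12" changeit))"
    san_has_dns "$cer" backup.example.com && echo "SAN has DNS entry: https://backup.example.com/ verifies"
    san_has_ip "$cer" 10.0.0.5 && echo "SAN has IP entry: https://10.0.0.5/ verifies"
    san_has_ip "$cer" 10.0.0.50 || echo "10.0.0.50 is not in the SAN: connecting by that address fails verification"
}

if command -v openssl >/dev/null 2>&1; then main; fi
```

The resulting .p12 is a drop-in for keystoreFile in the connector, with keystorePass set to the password passed to gen_keystore and keyAlias="tomcat". Recent OpenSSL releases write PKCS12 files with PBES2/AES protection; if the JVM running the Model9 server is old enough to reject such a file, repeat the openssl pkcs12 -export step with the -legacy option.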