Secure web communication
The default Model9 installation provides a self-signed web certificate. This certificate is used to encrypt the web information passed between your browser and the Model9 management server.
It is strongly recommended to generate a site-defined certificate to accommodate production-level workloads. Contact your security administrator if you wish to generate such a certificate.
You can also generate your own self-signed certificate to avoid browser security notifications using the following commands:
Verify that the server has a valid hostname by issuing:
    hostname -s
Generate a self-signed key pair with the commands below, replacing the following placeholders with your site's values:
    Parameter        Description
    <password>       The keystore password
    <server_dns>     The server DNS name (optional)
    <server_ip>      The server IP address
    <BackupServer>   The certificate common name: edit according to site standards
    cd $MODEL9_HOME/keys
    keytool -genkey -alias tomcat \
        -keystore $(hostname -s)_web_self_signed_keystore.p12 \
        -storetype pkcs12 -storepass <password> -keyalg RSA \
        -ext SAN=dns:<server_dns>,ip:<server_ip> \
        -dname "cn=<BackupServer>, ou=Java, o=Model9, c=IL" \
        -validity 3650
    chown root:root $(hostname -s)_web_self_signed_keystore.p12
    chmod 600 $(hostname -s)_web_self_signed_keystore.p12
    keytool -exportcert -alias tomcat \
        -keystore $(hostname -s)_web_self_signed_keystore.p12 \
        -storetype pkcs12 -storepass <password> \
        -file $(hostname -s)_web_self_signed.cer
Note
If you do not specify <server_dns>, remove the dns:<server_dns>, part of the -ext SAN option so that it reads -ext SAN=ip:<server_ip>.
Add the exported certificate (the .cer file) to your local workstation's trusted CA store according to site standards and security policies.

If a site certificate or a new self-signed certificate was created, update the server configuration file by editing it with the following command:
    vi $MODEL9_HOME/conf/connectorHttpsModel9.xml
Update the keystoreFile, keystorePass, keyAlias and keyPass settings to match the information provided by the security administrator, as shown in the following example:

    <Connector port="443"
               protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150"
               SSLEnabled="true"
               scheme="https"
               secure="true"
               keystoreFile="/model9/keys/web_self_signed_keystore.p12"
               keystoreType="PKCS12"
               keystorePass="changeit"
               keyAlias="tomcat"
               clientAuth="false"
               sslProtocol="TLS" />
Java strictly follows the HTTPS server identity rules of RFC 2818, Section 3.1, including IP address verification. When the server is addressed by host name, verification may fall back to the Common Name in the Subject DN of the server certificate instead of the Subject Alternative Name. When the server is addressed by IP address, however, the certificate must contain a Subject Alternative Name entry of type IP address (not a DNS name); the Common Name is not consulted. The -ext SAN=dns:<server_dns>,ip:<server_ip> option in the keytool command above adds both entries.
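The following is an added illustration, not part of the Model9 documentation or product: a small Python function that applies the identity-matching rules described above (host name may fall back to the CN, an IP address must be an iPAddress SAN entry) to certificate data laid out the way Python's ssl.getpeercert() returns it. The certificate dictionaries, host names and addresses are constructed placeholders, not real Model9 hosts.

```python
import ipaddress

# Constructed getpeercert()-style view of a certificate generated with
#   -dname "cn=BackupServer, ..." -ext SAN=dns:backup.example.internal,ip:10.0.0.5
# (placeholder names and addresses, assumed for this example)
CERT_WITH_SAN = {
    "subject": ((("commonName", "BackupServer"),),),
    "subjectAltName": (("DNS", "backup.example.internal"), ("IP Address", "10.0.0.5")),
}
# Same certificate generated without the -ext SAN option: only a CN, no SAN
CERT_CN_ONLY = {
    "subject": ((("commonName", "backup.example.internal"),),),
}


def _dns_match(pattern, hostname):
    """Case-insensitive DNS name match; '*' is honoured only as the whole
    left-most label (e.g. *.example.internal matches backup.example.internal)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def server_identity_matches(cert, reference):
    """Return True if `reference` (a host name or an IP literal) identifies the
    server described by `cert`, following RFC 2818 section 3.1 as Java applies it:
    an IP literal must appear as an iPAddress SAN entry (CN and DNS entries never
    match it); a host name is checked against dNSName SAN entries, and falls back
    to the Subject CN only when the certificate carries no dNSName entry."""
    san = cert.get("subjectAltName", ())
    dns_names = [v for k, v in san if k == "DNS"]
    ip_names = [v for k, v in san if k == "IP Address"]
    try:
        ip = ipaddress.ip_address(reference)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(v) == ip for v in ip_names)
    if dns_names:
        return any(_dns_match(p, reference) for p in dns_names)
    # No dNSName SAN present: fall back to the most specific CN in the subject
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return bool(cns) and _dns_match(cns[-1], reference)
```

A certificate whose CN holds an IP address but that has no iPAddress SAN entry fails the check when the server is reached by that address, which is exactly the case the keytool -ext SAN option above prevents.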