
Enable HTTPS for Web Portal


By default, Kron PAM is configured to use HTTP on port 80. Krontech recommends using HTTPS in any production environment. This section provides a detailed step-by-step guide for creating a certificate, creating a Java KeyStore (JKS) file, and configuring the web portal for HTTPS.

Do not forget to replace the company name with your company name in the commands given under the following topics.

Generating a Private Key and a CSR

This topic provides commands to create a Private Key and a Certificate Signing Request (CSR). If you already have a valid certificate and key, you can skip this step.

  1. Go to the certification directory with the command below.
     cd /u01/netright-tomcat/conf/cert/
  2. Run the command below for the key and CSR files.
     openssl req -newkey rsa:2048 -nodes -keyout <company-name.key> -out <company-name.csr>
  3. Submit the CSR to your preferred signing authority to receive your certificate. Alternatively, if you want to run with a self-signed certificate, run the following command to generate a self-signed certificate from your Private Key and CSR.
     openssl x509 -signkey <company-name.key> -in <company-name.csr> -req -days 365 -out <company-name.crt>
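
Before the certificate is converted into a keystore, it is worth confirming that the key and certificate belong together, that the certificate is not close to expiry, and that the key file is readable only by its owner. The script below is an added example and not part of Krontech's documentation; the function name check_pair, its return codes and the 30-day default are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not Krontech's code). Pre-flight checks for the files from
# the steps above; file names are whatever you used for <company-name>.

# check_pair KEY CRT [MIN_DAYS]
# Returns 0 if all checks pass, otherwise:
#   1 = private key and certificate do not belong together
#   2 = certificate expires within MIN_DAYS (default 30)
#   3 = key file is accessible to group or others
#   4 = a file is missing or cannot be parsed
check_pair() {
    key=$1 crt=$2 min_days=${3:-30}

    [ -r "$key" ] && [ -r "$crt" ] || { echo "missing file" >&2; return 4; }

    # Derive the public key from each file and compare the PEM text.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "cannot read private key: $key" >&2; return 4; }
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) ||
        { echo "cannot read certificate: $crt" >&2; return 4; }
    [ "$key_pub" = "$crt_pub" ] ||
        { echo "key does not match certificate" >&2; return 1; }

    # -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$crt" -noout -checkend $((min_days * 86400)) >/dev/null ||
        { echo "certificate expires within $min_days days" >&2; return 2; }

    # The -nodes option writes the key unencrypted, so the file mode is its
    # only protection. Require no group/other permission bits.
    case $(ls -ld "$key") in
        -???------*) ;;
        *) echo "key is accessible to group/others; chmod 600 $key" >&2
           return 3 ;;
    esac
    return 0
}

# Stand-alone use: sh check_pair.sh company.key company.crt [min_days]
if [ "$#" -ge 2 ]; then
    check_pair "$@"
fi
```

A non-zero result means the pair should be fixed before it is imported into the keystore.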

Creating a JKS file

You must create a JKS file to use the certificate with Apache Tomcat. This topic provides the steps to create a JKS file from an existing x509 certificate.

  1. Convert the x509 certificate to the p12 format. You’ll be prompted to create an export password after the command. Define a password.
     openssl pkcs12 -export -in <company-name.crt> -inkey <company-name.key> -certfile <company-name.crt> -out <company-name.keystore.p12>
  2. Using the new p12 file, run the following command to create the JKS file. You’ll be prompted to create a destination keystore password after the command. Define a password. The system then asks for the source keystore password, which is the export password you created in the previous step.
     /usr/java/jdk1.8.0_131/jre/bin/keytool -importkeystore -srckeystore <company-name.keystore.p12> -srcstoretype pkcs12 -destkeystore <company-name.jks> -deststoretype JKS
  3. By default, the JKS alias is set as 1. If you want to change the JKS alias or password, you can use the following commands.
     keytool -changealias -keystore <path/to/jks> -alias <current-alias>
     keytool -keypasswd -alias <alias> -keystore <path/to/jks>

Configuring Web Server

  1. Open an SSH connection to Kron PAM with the root account.
  2. Open and edit lines 87-111 of the following file: /u01/netright-tomcat/conf/server.xml. Remove the comment tags highlighted in red. Change the keystoreFile, keystorepass and keystore alias parameters highlighted in blue.

  3. Open and edit lines 4683-4694 of the following file: /u01/netright-tomcat/conf/web.xml. Remove the comment tags highlighted in red.
  4. Open and edit the following file: /u01/netright-tomcat/netright/netright.properties. Change line 18 as shown below. Append a new property to line 19 as shown below.
     18 : netright.baseurl=http://127.0.0.1:80
     change as
     18 : netright.baseurl=https://127.0.0.1:443
     19 : netright.cookie.secure=true
  5. Restart the Web Portal Service with the following command.
     systemctl restart netright-tomcat

Configuring SSH Proxy

  1. Open and edit the following file: /u01/nssoapp/conf/nsso.properties. Change line 4 as shown below.
     4 : netright.baseurl=http://127.0.0.1
  2. Restart the SSH Proxy service with the following command.
     systemctl restart nssoapp

Configuring Radius Server

  1. Open and edit the following file: /etc/raddb/sc_radiusd.conf. Change line 1 as shown below.
     1: sc_base_url=http://127.0.0.1
     change as
     1: sc_base_url=https://127.0.0.1:443
  2. Restart the Radius service with the following command.
     systemctl restart radiusd