Pasos para habilitar SSL

Paso 1: Definición del puerto SSL

Logon to ADAudit Plus with an account that has administrative privileges.

Navigate to Admin > General Settings > Connection.

Enable SSL by checking the checkbox, then enter the port number [default: 8444] you plan on using for ADAudit Plus and save changes

Now stop ADAudit Plus by navigating through Start > All Programs > ADAudit Plus > Stop ADAudit Plus.

Step 2: Create the Keystore

The keystore is a password protected file that contains all the keys that the server will use for SSL transactions.

• To create the certificate keystore file, from <installation directory> \ jre \bin, execute the following command in the command prompt:

  keytool -genkey -alias tomcat -keypass <your key password> -keyalg RSA -validity 1000 -keystore <domainName>.keystore

  Replace <your key password> with a password of your choice. Replace <domainName> with the name of your domain.

• Type in your keystore password. To avoid confusion, enter the same password as your 'keypass'.
• Provide information based on the following guidelines:
  

  What is the first and last name?	The NetBIOS (if the DNS domain name is test.example.com, the NetBIOS domain name is test) or FQDN name (an FQDN for a hypothetical mail server might be mymail.example.com. The hostname is mymail, and the host is located within the domain example.com) of the server on which ADAudit Plus is running.
  What is the name of your Organizational Unit?	The department name that you want to appear in the certification.
  What is the name of your organization?	Provide the legal name of your organization.
  What is the name of your city?	Enter the city name as provided in your organization’s registered address.
  What is the name of your state/province?	Enter the State/Province as provided in your organization’s registered address.
  What is your country code?	Provide the 2-letter code of the country your organization is located in.
  Password	Enter a password of at least 6 characters.

  

Step 3: Generate the Certificate Signing Request (CSR)

• To create a csr (Certificate Signing Request) file from the <installation directory> \ jre \ bin, execute the following command in the command prompt:

  keytool -certreq -alias tomcat -keyalg RSA -keystore <domainName>.keystore -file <domainName>.csr

  

(or)

• To create a Certificate Signing Request (CSR) with Subject Alternative Name (SAN), execute the following command in the command prompt:

  keytool -certreq -alias tomcat -keyalg RSA -ext
  SAN=dns:server_name,dns:server_name.domain.com,dns: server_name.domain1.com
  -keystore <domainName>.keystore -file <domainName>.csr

  

Step 4: Issue the SSL certificate

A. Issue the SSL certificate using external Certifying Authority (CA)

• To request a certificate from an external CA, submit the CSR to that CA. You can locate the CSR file at <installation_dir>\ADAudit Plus\jre\bin.
• Unzip the certificates returned by your CA and put them in <install_dir>/jre/bin folder
• Open the command prompt and navigate to <install_dir>/jre/bin folder
• Now, run the respective commands from the below list as applicable to your CA:

For "GoDaddy" certificates

• keytool -import -alias root -keystore <domainName>.keystore -trustcacerts -file
  gd_bundle.crt
• keytool -import -alias cross -keystore <domainName>.keystore -trustcacerts -file
  gd_cross.crt
• keytool -import -alias intermed -keystore <domainName>.keystore -trustcacerts
  -file gd_intermed.crt
• keytool -import -alias tomcat -keystore <domainName>.keystore -trustcacerts -file
  <domainName>.crt

For "Verisign" certificates

• keytool -import -alias intermediateCA -keystore <domainName>.keystore
  -trustcacerts -file < your intermediate certificate.cer>
• keytool -import -alias tomcat -keystore <domainName>.keystore -trustcacerts -file <domainName>.cer

For "Comodo" certificates

• keytool -import -trustcacerts -alias root -file AddTrustExternalCARoot.crt -keystore
  <domainName>.keystore
• keytool -import -trustcacerts -alias addtrust -file UTNAddTrustServerCA.crt
  -keystore <domainName>.keystore
• keytool -import -trustcacerts -alias ComodoUTNServer -file
  ComodoUTNServerCA.crt - keystore <domainName>.keystore
• keytool -import -trustcacerts -alias essentialSSL -file essentialSSLCA.crt -keystore
  <domainName>.keystore

For "Entrust" certificates

• keytool -import -alias Entrust_L1C -keystore <keystore-name.keystore> -trustcacerts
  -file entrust_root.cer
• keytool -import -alias Entrust_2048_chain -keystore <keystore-name.keystore> -
  trustcacerts -file entrust_2048_ssl.cer
• keytool -import -alias -keystore <keystore-name.keystore> -trustcacerts -file
  <domain-name.cer>

Purchased directly from Thawte

• keytool -import -trustcacerts -alias tomcat -file <certificate-name.p7b> -keystore
  <keystore-name.keystore>

Purchased through the Thawte reseller channel:

• keytool -import -trustcacerts -alias thawteca -file <SSL_PrimaryCA.cer> -keystore
  <keystore-name.keystore>
• keytool -import -trustcacerts -alias thawtecasec -file <SSL_SecondaryCA.cer> -
  keystore <keystore-name.keystore>
• keytool -import -trustcacerts -alias tomcat -file <certificate-name.cer> -keystore
  <keystore-name.keystore>>

B. Issue the SSL certificate using an internal Certifying Authority (CA)

An internal CA is a member server or domain controller in a specific domain that has been assigned the Certifying Authority role.

• Connect to the Microsoft Certificate Services of your internal CA and click the Request a certificate link.
• Under Advanced Certificate Request, click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file option.
• Copy the content from your CSR file and paste it under the Saved Request field.
• Select Web Server from the drop under Certificate Template and click Submit.
• The certificate will be issued when you click the Download Certificate Chain link and select the PKCS #7 Certificates types. The downloaded certificate will be of the .p7b file format.
• Copy the .p7b file to the \ManageEngine\ADAudit Plus\jre\bin folder.
• Return to Microsoft Certificate Services, click the Home link on the top-right corner and click the Download a CA Certificate, Certificate Chain, or CRL link to download the CA root certificate.
• Click the Download CA certificate link to download and save the root certificate. The downloaded file should be in the .cer format.
• Copy the .cer file to the <installation_dir>\ManageEngine\ADAudit Plus\jre\bin folder.
• Open the command prompt, navigate to <installation_dir>\ManageEngine\ADAudit Plus\ jre\bin folder, and execute the following command to import the internal CA certificate into the .keystore file.

  keytool import trustcacerts alias tomcat file certnew.p7b keystore <keystore_name>.keystore

• Add the internal CA's root certificate to the list of trusted CAs in the Java cacerts file by executing the following command:

  keytool -import -alias <internal CA_name> -keystore ..\lib\security\cacerts -file certnew.cer

Note: Open the .cer file to get the name of your internal CA and provide 'changeit' as the keystore password when prompted.

Step 5: Bind the certificates to ADAudit Plus

• Copy the <domainName>.keystore file from <install_dir>\jre\bin folder and paste it in <install_dir>\conf folder
• Open ‘server.xml’ file located at <install_dir>\conf folder
• Replace the value of keystoreFile with ‘./conf/<domainName>.keystore’ and keystorePass with the password that you used in Step 1
• Save ‘server.xml’ file and close it
• Restart ADAudit Plus again for the changes to take effect.