Using secure HTTP (HTTPS) improves the security of your Novell Teaming site. During installation, you can choose to configure your Teaming site for HTTP or HTTPS. After installation, you can force secure HTTP connections.
If you want users to access the Teaming site with a secure HTTP connection, you must configure Teaming with a root certificate and a server certificate. The root certificate identifies the root certificate authority (CA) for your Teaming site. The server certificate is customized for the specific server where Teaming is installed.
Novell Teaming uses a keystore to store certificates. The default keystore file that is installed along with Teaming is:
Linux:
/opt/novell/teaming/apache-tomcat-version/conf/.keystore
Windows:
c:\Program Files\Novell\Teaming\apache-tomcat-version\conf\.keystore
The original certificate in the default keystore is sufficient for you to set up secure HTTP connections during initial installation, but it is self-signed and expired, so you cannot use it permanently. Soon after installation, you must obtain a permanent certificate. You can use a commercially signed certificate or a self-signed certificate. There are advantages and disadvantages to each approach.
Commercially Signed Certificate: The advantage to using a certificate signed by a commercial certificate authority (CA) is that browsers automatically accept these certificates. The disadvantage is that an additional step is required, with some wait time while you obtain the commercially signed certificate.
Self-Signed Certificate: The advantage to using a self-signed certificate is that it is quick and easy for you to do as the Teaming administrator. The disadvantage is that users receive a warning in the browser about the self-signed certificate the first time they access the Teaming site using secure HTTP. Users must manually accept the self-signed certificate, then the warning never occurs again.
After you obtain your permanent certificate, you can store it in the default Teaming keystore, or in a location of your own choosing. Teaming reads the location of its keystore from the following file:
Linux:
/opt/novell/teaming/apache-tomcat-version/conf/server.xml
Windows:
c:\Program Files\Novell\Teaming\apache-tomcat-version\conf\server.xml
If you do not want to use the default keystore location, you must update the server.xml file to match the location you choose for your keystore.
You cannot update the Teaming .keystore file that is provided during installation. Instead, you must create a new .keystore file, then import your signed certificate into it.
Create a new directory where you want to create the new .keystore file, such as a certs directory in a convenient location.
Change to the new certs directory.
Make sure that you can access the keytool tool:
For convenient use, you might need to add its location to the PATH environment variable.
Use the following command to create a new .keystore file:
keytool -genkey -alias tomcat -keyalg RSA -keystore .keystore
When prompted, specify a password for the new .keystore file, then confirm the password.
IMPORTANT: The default password used by Tomcat is changeit. If you want to specify a password other than this, you must also specify that password in the server.xml Tomcat configuration file, as described in Changing Your Password for the Keystore File.
Do not forget the password you specify.
When prompted for your first and last name, specify the fully qualified DNS name of the Teaming server, such as teaming.yourcompanyname.com.
You are then prompted for additional information about your organization:
Organizational unit
Organization
City or locality
State or province
Two-letter country code
(Conditional) If you are planning to obtain your certificate from a commercial certificate authority (CA), respond to the additional information prompts with accurate information appropriate to your organization.
or
(Conditional) If you are planning to generate a self-signed certificate, press Enter to skip through the prompts.
When prompted whether the information you provided is correct, enter yes.
Press Enter to use the same password that you specified in Step 5 as the key password for Tomcat.
List the files in the certs directory to see that a new .keystore file has been created.
If you want to specify a password other than changeit for your .keystore file, as described in Step 5 in Creating a New Keystore File, then you must also specify this password in the server.xml Tomcat configuration file.
Change to the following directory:
Open the server.xml file in a text editor.
Locate the keystorePass attribute, then change the value of this attribute to your new password.
Save and close the server.xml file.
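The keystore password in server.xml is easy to get wrong (a typo there, or leaving the Tomcat default in place, only shows up as a failed HTTPS connector after restart). The following checker is an added example, not part of the Novell documentation or the Teaming product; it parses a Tomcat server.xml, finds the HTTPS connector(s), and reports a missing or non-existent keystoreFile and a keystorePass still set to the default. The sample server.xml embedded in it is constructed for the example and uses the Tomcat 5.5/6 connector attribute names (keystoreFile, keystorePass, scheme, SSLEnabled) that this procedure relies on.

```python
"""Audit the HTTPS connector in a Tomcat server.xml for the keystore settings
the Teaming keystore procedure depends on (added example, not Novell's code)."""
import os
import xml.etree.ElementTree as ET

# Constructed sample server.xml: an HTTP connector plus an HTTPS connector that
# still carries the Tomcat default keystore password.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
               redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/opt/novell/teaming/apache-tomcat-version/conf/.keystore"
               keystorePass="changeit" />
  </Service>
</Server>
"""

DEFAULT_KEYSTORE_PASSWORD = "changeit"  # Tomcat's built-in default


def https_connectors(server_xml_text):
    """Return the Connector elements that terminate TLS."""
    root = ET.fromstring(server_xml_text)
    return [c for c in root.iter("Connector")
            if c.get("scheme") == "https" or c.get("SSLEnabled", "").lower() == "true"]


def audit_keystore_settings(server_xml_text, keystore_exists=os.path.isfile):
    """Return a list of findings (empty list means the keystore settings look sane).

    keystore_exists is injectable so the check can run against a server.xml
    copied from another host without that host's filesystem."""
    findings = []
    connectors = https_connectors(server_xml_text)
    if not connectors:
        findings.append("no HTTPS connector defined; secure HTTP is not enabled")
    for c in connectors:
        port = c.get("port", "?")
        keystore = c.get("keystoreFile")
        password = c.get("keystorePass", DEFAULT_KEYSTORE_PASSWORD)
        if keystore is None:
            # Tomcat falls back to .keystore in the home directory of the user
            # running Tomcat, which is rarely the file you just created.
            findings.append(f"connector {port}: keystoreFile not set (Tomcat falls back to ~/.keystore)")
        elif not keystore_exists(keystore):
            findings.append(f"connector {port}: keystoreFile {keystore} does not exist")
        if password == DEFAULT_KEYSTORE_PASSWORD:
            findings.append(f"connector {port}: keystorePass is the Tomcat default '{DEFAULT_KEYSTORE_PASSWORD}'")
    return findings


if __name__ == "__main__":
    for finding in audit_keystore_settings(SAMPLE_SERVER_XML, keystore_exists=lambda p: True):
        print(finding)
```

Run it against the real file by passing the contents of conf/server.xml instead of the sample. Tomcat also uses keystorePass as the private-key password unless a separate keyPass attribute is set, which is why the keystore procedure tells you to press Enter and reuse the keystore password for the key.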
Use the following command to create a Certificate Signing Request (CSR):
keytool -certreq -alias tomcat -keyalg RSA -file certreq.csr -keystore .keystore
Enter the keystore password to create the CSR.
List the files in the certs directory to see that a new certreq.csr file has been created along with the existing .keystore file.
Use the certreq.csr file to obtain a signed certificate:
To use a commercial certificate authority (CA), continue with Submitting the Certificate Signing Request to a Certificate Authority (CA).
or
To use a self-signed certificate, skip to Using the Certificate Signing Request to Generate a Self-Signed Certificate.
You can find a commercial certificate authority (CA) on the Internet by searching for “certificate authority.” The process of obtaining a signed certificate varies from company to company. Each company provides instructions to assist you.
The certificate authority (CA) sends you a set of certificate files that you import into the Teaming keystore. You must import all of the files that you receive. Place the certificate files in a convenient location on the Teaming server, then skip to Importing the Certificate Files into the Teaming Keystore.
If you do not want to wait to receive your signed certificate from a commercial certificate authority (CA), you can generate your own self-signed certificate using ConsoleOne® or iManager. You must generate both a self-signed eDirectory™ root certificate file and a server certificate file.
NOTE: For iManager instructions, see TID 7001857: Adding SSL Certificates to Teaming for HTTPS in the Novell Support Knowledgebase. If you are using Active Directory rather than eDirectory, consult your Active Directory documentation for a procedure comparable to the one provided in Using the Certificate Signing Request to Generate a Self-Signed Certificate.
A root certificate identifies the root certificate authority (CA) for your Teaming site. In this case, eDirectory is acting as the root certificate authority.
On Linux or Windows, start ConsoleOne and authenticate to your eDirectory tree.
Expand the Security container, right-click the Tree_Name CA object, then click.
Click.
Click to update the certificate status, then click to close the Certificate Validation dialog box.
Click to export your eDirectory root certificate into a file that can be imported into the Teaming keystore file.
Click No for exporting a private key file along with the root certificate.
Click to accept the default.
Select the output format for the root certificate file.
Either DER or Base64 format can be imported into the Teaming keystore file.
In the field, specify the location (the certs directory where you created the Certificate Signing Request) and the filename to use, such as SelfSignedRootCert.der.
Click to display a summary of the options you have selected, then click to generate the root certificate file.
Click to close the Self Signed Certificate properties page of the Tree_Name CA object.
Continue with Generating a Self-Signed Server Certificate File in ConsoleOne.
A server certificate is customized for the specific server where Teaming is installed.
Click.
Browse to and select the certreq.csr file that you created in the certs directory, then click.
This retrieves the contents of the CSR file into the CSR window.
Click to accept the default of using an organization certificate authority.
Select the type of server certificate that you need, then click.
Select the validity period you want for the server certificate, then click.
Review the information that you have provided, then click.
Select the output format for the server certificate file.
Either DER or Base64 format can be imported into the Teaming keystore file.
In the field, specify the location (the certs directory where you created the Certificate Signing Request) and the filename to use, such as SelfSignedServerCert.der.
Click to create the public-key certificate file.
Exit ConsoleOne.
After you have obtained or generated a signed certificate, you must import the certificate files into the Teaming keystore. This section describes how to import the files associated with a self-signed certificate. The same procedure can be used to import certificate files received from a commercial certificate authority (CA).
Change to the certs directory where you created the root certificate file and the server certificate file.
Use the following command to import the root certificate file:
keytool -import -keyalg RSA -keystore .keystore -file SelfSignedRootCert.der
Enter the keystore password to add the root certificate to the Teaming keystore.
Use the following command to import the server certificate file:
keytool -import -alias tomcat -keyalg RSA -keystore .keystore -file SelfSignedServerCert.der
Enter the keystore password to add the server certificate to the Teaming keystore.
The new .keystore file is now ready for permanent use in your Teaming system.
Change to the following directory on the Teaming server:
Rename the existing .keystore file to keystorebackup.
Copy your new .keystore from the certs directory to the conf directory.
Adjust the ownership and permissions of the new .keystore file to match those of the backed up keystore file.
Restart Teaming so that Teaming rereads the updated keystore file.
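Before restarting Teaming it is worth confirming that the import produced what the procedure expects: the tomcat alias must still be the key pair created with -genkey (a PrivateKeyEntry), its chain must now include the root certificate, and its subject must carry the fully qualified DNS name you entered at the first-and-last-name prompt. The following parser is an added example, not part of the Novell documentation or the Teaming product; it reads the text printed by `keytool -list -v` (the field names "Alias name:", "Entry type:", "Certificate chain length:" and "Owner:" are assumed from the JDK keytool output format) and checks those three conditions. The sample output embedded below is constructed for the example.

```python
"""Check that a Teaming keystore holds a complete server-certificate chain after
the root and server certificates have been imported (added example, not Novell's code)."""
import re
import subprocess

# Constructed sample of `keytool -list -v` output after importing the root
# certificate (no -alias given, so keytool used its default alias mykey) and
# the signed server certificate under the alias tomcat.
SAMPLE_KEYTOOL_LIST = """Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: mykey
Creation date: Jan 5, 2010
Entry type: trustedCertEntry

Owner: OU=Organizational CA, O=TREE_NAME
Issuer: OU=Organizational CA, O=TREE_NAME
Serial number: 1
Valid from: Mon Jan 04 10:00:00 MST 2010 until: Sun Jan 04 10:00:00 MST 2020


*******************************************
*******************************************


Alias name: tomcat
Creation date: Jan 5, 2010
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=teaming.yourcompanyname.com, OU=IT, O=Example, L=Provo, ST=Utah, C=US
Issuer: OU=Organizational CA, O=TREE_NAME
Serial number: 2
Valid from: Mon Jan 04 10:00:00 MST 2010 until: Wed Jan 04 10:00:00 MST 2012
Certificate[2]:
Owner: OU=Organizational CA, O=TREE_NAME
Issuer: OU=Organizational CA, O=TREE_NAME
Serial number: 1
Valid from: Mon Jan 04 10:00:00 MST 2010 until: Sun Jan 04 10:00:00 MST 2020
"""


def parse_keytool_list(text):
    """Return {alias: {"type": entry type, "chain_length": int, "owners": [subject DNs]}}."""
    entries = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Alias name:"):
            current = {"type": None, "chain_length": 0, "owners": []}
            entries[line.split(":", 1)[1].strip()] = current
        elif current is None:
            continue  # header lines before the first entry
        elif line.startswith("Entry type:"):
            current["type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Certificate chain length:"):
            current["chain_length"] = int(line.split(":", 1)[1])
        elif line.startswith("Owner:"):
            current["owners"].append(line.split(":", 1)[1].strip())
    # Trusted-certificate entries print one Owner line and no chain length line.
    for entry in entries.values():
        if entry["chain_length"] == 0:
            entry["chain_length"] = len(entry["owners"])
    return entries


def check_server_entry(entries, alias, server_dns_name):
    """Return a list of problems with the server entry; an empty list means it is usable."""
    problems = []
    entry = entries.get(alias)
    if entry is None:
        return [f"no entry with alias {alias}; the key pair and server certificate are missing"]
    if entry["type"] != "PrivateKeyEntry":
        problems.append(f"{alias} is a {entry['type']}, not a PrivateKeyEntry; the -genkey key pair is not under this alias")
    if entry["chain_length"] < 2:
        # A chain of length 1 is still the self-signed certificate from -genkey.
        problems.append(f"{alias} has a chain of length {entry['chain_length']}; the signed server certificate was not imported")
    if entry["owners"] and not re.search(r"CN=" + re.escape(server_dns_name) + r"(,|$)", entry["owners"][0]):
        problems.append(f"{alias} certificate subject {entry['owners'][0]} does not contain CN={server_dns_name}")
    return problems


def run_keytool_list(keystore_path, password):
    """Run keytool against a real keystore (invokes the JDK keytool; not exercised offline)."""
    out = subprocess.run(["keytool", "-list", "-v", "-keystore", keystore_path, "-storepass", password],
                         capture_output=True, text=True, check=True).stdout
    return parse_keytool_list(out)


if __name__ == "__main__":
    found = parse_keytool_list(SAMPLE_KEYTOOL_LIST)
    print(check_server_entry(found, "tomcat", "teaming.yourcompanyname.com") or "tomcat entry OK")
```

The order of the two imports in the procedure matters for the chain check: keytool can only attach the root certificate to the tomcat entry if that root is already trusted in the keystore when the server certificate reply is imported.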
When you run the Novell Teaming Installation program, you can choose between non-secure and secure HTTP connections, as described in HTTP/HTTPS Ports in Basic Installation in the Novell Teaming 2.1 Installation Guide.
With additional configuration, you can force users from a non-secure HTTP connection to a secure HTTPS connection.
With Novell Teaming, you can use Novell Access Manager to force secure HTTP connections. For more information, see Configuring Single Sign-On with Novell Access Manager in Advanced Installation and Reconfiguration in the Novell Teaming 2.1 Installation Guide.
To reconfigure Tomcat, you must update two configuration files (both named web.xml) under two different directories (ssf and ssfs). The ssf directory name refers to SiteScape® Forum, a legacy product name. The ssf directory contains the main Teaming Web application that you use when you interact with your browser. The ssfs directory name refers to SiteScape File System. The ssfs directory contains the Teaming WebDAV application that you use to access files on a remote WebDAV server from the Teaming site.
Log into the Teaming server with sufficient rights to edit the web.xml files (root on Linux, Administrator on Windows).
Modify the web.xml file under the ssf directory:
Change to the directory where the web.xml file is located.
Make a backup copy of the web.xml file, then open the web.xml file in a text editor.
Add the following security constraint at the bottom of the file, immediately above the </web-app> tag.
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire Application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
(Conditional) If users access the Teaming site with Internet Explorer*, replace the following single line provided above:
<url-pattern>/*</url-pattern>
with the following set of lines:
<!-- Patterns from web.xml.tmpl. -->
<url-pattern>/a/*</url-pattern>
<url-pattern>/ws/*</url-pattern>
<url-pattern>/rss/*</url-pattern>
<url-pattern>/atom/*</url-pattern>
<!-- Patterns from subdirectories of webapps/ssf. -->
<url-pattern>/applets/*</url-pattern>
<url-pattern>/css/*</url-pattern>
<url-pattern>/help/*</url-pattern>
<url-pattern>/help_doc/*</url-pattern>
<url-pattern>/i/*</url-pattern>
<url-pattern>/images/*</url-pattern>
<url-pattern>/js/*</url-pattern>
For Internet Explorer, this list of URL patterns forces secure HTTP connections for everything except the /s/* pattern (document files with extensions such as .odt and .doc) and the /ical/* pattern (calendar .ics files).
Save the modified web.xml file, then exit the text editor.
Modify the web.xml file under the ssfs directory:
Change to the directory where the web.xml file is located.
Make a backup copy of the web.xml file, then open the web.xml file in a text editor.
Add the following security constraint at the bottom of the file, immediately above the </web-app> tag.
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire Application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
Save the modified web.xml file, then exit the text editor.
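A transport-guarantee of CONFIDENTIAL only protects the paths its url-pattern list matches, so the Internet Explorer variant above deliberately leaves /s/* and /ical/* reachable over plain HTTP. The following checker is an added example, not part of the Novell documentation or the Teaming code base; it extracts the url-patterns of every CONFIDENTIAL security-constraint from a web.xml and applies the Servlet 2.x matching rules (exact path, path prefix "/x/*", extension "*.ext") to tell you which request paths are and are not forced onto HTTPS. The web.xml fragment embedded below is constructed for the example from the pattern list in the ssf procedure.

```python
"""Report which request paths a web.xml security-constraint forces onto HTTPS
(added example, not Novell's code)."""
import xml.etree.ElementTree as ET

# Constructed sample: the Internet Explorer pattern list from the ssf web.xml procedure.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire Application</web-resource-name>
      <url-pattern>/a/*</url-pattern>
      <url-pattern>/ws/*</url-pattern>
      <url-pattern>/rss/*</url-pattern>
      <url-pattern>/atom/*</url-pattern>
      <url-pattern>/applets/*</url-pattern>
      <url-pattern>/css/*</url-pattern>
      <url-pattern>/help/*</url-pattern>
      <url-pattern>/help_doc/*</url-pattern>
      <url-pattern>/i/*</url-pattern>
      <url-pattern>/images/*</url-pattern>
      <url-pattern>/js/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip an XML namespace prefix so the parser works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def confidential_patterns(web_xml_text):
    """Return every url-pattern that sits under a CONFIDENTIAL security-constraint."""
    root = ET.fromstring(web_xml_text)
    patterns = []
    for constraint in root.iter():
        if _local(constraint.tag) != "security-constraint":
            continue
        guarantees = [g.text.strip() for g in constraint.iter()
                      if _local(g.tag) == "transport-guarantee" and g.text]
        if "CONFIDENTIAL" not in guarantees:
            continue
        patterns += [p.text.strip() for p in constraint.iter()
                     if _local(p.tag) == "url-pattern" and p.text]
    return patterns


def pattern_matches(pattern, path):
    """Servlet url-pattern matching: "/*" is catch-all, "/x/*" is a path prefix,
    "*.ext" is an extension match, anything else must match exactly."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return prefix == "" or path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def requires_https(path, patterns):
    return any(pattern_matches(p, path) for p in patterns)


def unprotected(paths, patterns):
    """Paths from the list that the constraint leaves reachable over plain HTTP."""
    return [p for p in paths if not requires_https(p, patterns)]


if __name__ == "__main__":
    pats = confidential_patterns(SAMPLE_WEB_XML)
    print(unprotected(["/a/c/p/user/1", "/js/main.js", "/s/readme.doc", "/ical/cal.ics"], pats))
```

Feed it the real ssf and ssfs web.xml files to confirm the constraint landed inside web-app and that the exclusions are only the ones you intended; with the single /* pattern of the non-IE variant, unprotected() returns an empty list for any path.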
You can set up the Apache* Web server to front your Novell Teaming site and use a meta refresh to redirect users to a secure URL.
Install the Apache Web server on one server.
Configure Apache to listen on port 80.
Create an index.html file similar to the following example:
<html>
<head>
<meta http-equiv="refresh" content="0;url=https://teaming_url" />
<title>Redirected to Secure Teaming</title>
</head>
<body>
This page is used to redirect to the Secure Teaming server. If your
browser does not automatically redirect you in a few seconds, click
<a href="https://teaming_url">here</a> to go to the secure page.
</body>
</html>
Replace teaming_url with the URL to your Teaming site.
Place the index.html file in the document root directory of the Apache Web server.
Restart the Apache Web server.
Novell Teaming includes URLs to Teaming site locations in e-mail messages and notifications. By default, the URLs are formed with http rather than https. You can reconfigure Teaming to default to https for Teaming site URLs.
Log into the Teaming server with sufficient rights to edit the ssf-ext.properties file (root on Linux, Administrator on Windows).
Change to the following directory:
Make a backup copy of the ssf-ext.properties file.
Open the ssf-ext.properties file in a text editor.
Locate the following lines:
adapter.web.protocol=context-http
servlet.web.protocol=context-http
rss.web.protocol=context-http
ical.web.protocol=context-http
ssfs.web.protocol=context-http
simpleurl.web.protocol=context-http
Change http to https.
adapter.web.protocol=context-https
servlet.web.protocol=context-https
rss.web.protocol=context-https
ical.web.protocol=context-https
ssfs.web.protocol=context-https
simpleurl.web.protocol=context-https
Save the ssf-ext.properties file, then exit the text editor.
Restart Teaming to put the change into effect.