HTTPS setup: Preparation
 
Preparation
To set up HTTPS (SSL/TLS), a number of settings need to be changed.
A key pair must be generated and stored in a Java keystore file, and a certificate signing request (CSR) must be created from it.
The keystore used should be the default keystore for Orchestra. This file is located in <installation directory>\conf\security and is called keystore.jks.
Open a terminal (bash / windows command line) and navigate to that folder.
1. Create a certificate in the keystore:
keytool -keysize 2048 -genkey -alias <hostname> -keyalg RSA -dname "CN=<hostname>,O=yourCompany,L=yourCity,S=yourState,C=yourCountry" -storepass changeit -keystore keystore.jks
Replace <hostname> with the FQDN (Fully Qualified Domain Name) of your Orchestra server. An FQDN is the combination of a host name and a domain name, and it is unique: no other server has the same FQDN. Example: orchestra-central.company.com.
Also, replace the values in the -dname string, so that it matches your organisational information.
If the keytool tool (keytool.exe) is not on your PATH, it can be found in <installation directory>\app\jdk1.7.0_67\bin. Enter a separate key password when asked, if you like, or press Enter to use the same password as for the keystore (changeit). Note that changeit is the well-known Java default and that this keystore holds the server's private key; on a production server use a password of your own, and use it consistently in the commands below and in the JBoss/Wildfly HTTPS configuration.
2. Create a certificate request:
keytool -certreq -alias <hostname> -keystore keystore.jks -storepass changeit -file server-2048.csr
 
Again, replace <hostname> with the FQDN used in step 1.
3. Send the certificate request (the file server-2048.csr) to your certificate authority (e.g. Symantec or Comodo).
4. Once the certificate response has been received, it must be imported into the keystore.
The certificate response normally consists of 3 parts:
- The certificate authority’s signer (issuing) certificate, example: symantec-ca.cer
- The certificate authority’s root certificate, example: symantec-root.cer
- Your signed certificate, example: server-2048.cer
All these certificates must be imported into the keystore in the order listed above.
Run these commands (assuming that the received files are named as in the examples above; adjust the file names if necessary):
keytool -importcert -file symantec-ca.cer -alias symantec-issuing-ca -storepass changeit -keystore keystore.jks
keytool -importcert -file symantec-root.cer -alias symantec-root -storepass changeit -keystore keystore.jks
keytool -importcert -file server-2048.cer -alias "<hostname>" -storepass changeit -keystore keystore.jks
 
Replace <hostname> with the FQDN used in step 1. Also replace symantec-issuing-ca and symantec-root with names that make sense for the certificate authority you use.
Enter yes when keytool asks whether a certificate should be trusted; before answering, compare the fingerprint it prints with the one published by your certificate authority.
The response from the last command should be "Certificate reply was installed in keystore". If it is not, make sure that all steps have been performed in the correct order and that the value given to the "-alias" flag matches exactly the alias that is already in the keystore.
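After step 4 it is worth inspecting the keystore itself rather than relying on the "Certificate reply was installed" message alone. The script below is an added example and is not part of the Orchestra documentation: it reads the text printed by keytool -list -v -keystore keystore.jks -storepass changeit and checks that the entry whose alias is the FQDN is a PrivateKeyEntry whose chain runs from the server certificate through the issuing CA to a self-signed root. The host name, the CA names, the embedded listing and the script name check_keystore.py are constructed placeholders; the script assumes the alias is the FQDN used in step 1, and with no arguments it checks the built-in sample instead of running keytool.

```python
"""Added example (not from the Orchestra documentation): check keystore.jks
after the four preparation steps by parsing `keytool -list -v` output.
Passes when the FQDN alias is a PrivateKeyEntry with a complete chain
(server certificate -> issuing CA -> self-signed root).
The sample listing and all names in it are constructed placeholders.
"""
import re
import subprocess
import sys

FQDN = "orchestra-central.company.com"  # placeholder host, as in the steps above

# Constructed sample of `keytool -list -v` output after a successful step 4,
# trimmed to the lines the checker reads. CA names are placeholders.
SAMPLE_LISTING = """\
Keystore type: JKS
Your keystore contains 3 entries

Alias name: orchestra-central.company.com
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=orchestra-central.company.com, O=yourCompany, L=yourCity, ST=yourState, C=yourCountry
Issuer: CN=Example Issuing CA, O=Example CA Ltd, C=US
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example CA Ltd, C=US
Issuer: CN=Example Root CA, O=Example CA Ltd, C=US
Certificate[3]:
Owner: CN=Example Root CA, O=Example CA Ltd, C=US
Issuer: CN=Example Root CA, O=Example CA Ltd, C=US

Alias name: symantec-issuing-ca
Entry type: trustedCertEntry
Owner: CN=Example Issuing CA, O=Example CA Ltd, C=US
Issuer: CN=Example Root CA, O=Example CA Ltd, C=US

Alias name: symantec-root
Entry type: trustedCertEntry
Owner: CN=Example Root CA, O=Example CA Ltd, C=US
Issuer: CN=Example Root CA, O=Example CA Ltd, C=US
"""

def list_keystore(path, storepass):
    """Run keytool (needs a JDK on PATH) and return its verbose listing as text."""
    result = subprocess.run(
        ["keytool", "-list", "-v", "-keystore", path, "-storepass", storepass],
        capture_output=True, text=True, check=True)
    return result.stdout

def parse_listing(text):
    """Map each alias to its entry type and its (owner, issuer) pairs, in chain order."""
    entries = {}
    for block in re.split(r"^Alias name: ", text, flags=re.MULTILINE)[1:]:
        alias, _, body = block.partition("\n")
        kind = re.search(r"^Entry type: (\S+)", body, re.MULTILINE)
        owners = re.findall(r"^Owner: (.+)$", body, re.MULTILINE)
        issuers = re.findall(r"^Issuer: (.+)$", body, re.MULTILINE)
        entries[alias.strip()] = {
            "type": kind.group(1) if kind else "unknown",
            "chain": list(zip(owners, issuers)),
        }
    return entries

def cn_of(dn):
    """Extract the CN attribute from a distinguished name as keytool prints it."""
    match = re.search(r"(?:^|,\s*)CN=([^,]+)", dn)
    return match.group(1).strip() if match else None

def check_server_entry(entries, fqdn):
    """Return the problems found; an empty list means the keystore is ready."""
    entry = entries.get(fqdn)
    if entry is None:
        return [f"no entry with alias {fqdn!r}: -alias must match the FQDN used in step 1"]
    problems = []
    if entry["type"] != "PrivateKeyEntry":
        problems.append(f"alias {fqdn!r} is a {entry['type']}, not a PrivateKeyEntry")
    chain = entry["chain"]
    if not chain:
        return problems + ["entry holds no certificate"]
    if cn_of(chain[0][0]) != fqdn:
        problems.append(f"leaf CN {cn_of(chain[0][0])!r} does not match the FQDN {fqdn!r}")
    # The self-signed key from step 1 also carries CN=<fqdn>, so a chain of
    # length 1 is the sign that the CA reply was never installed.
    if len(chain) < 2:
        problems.append("chain length is 1: the CA reply has not been installed")
    for i in range(len(chain) - 1):  # each issuer must be the next certificate's owner
        if chain[i][1] != chain[i + 1][0]:
            problems.append(f"Certificate[{i + 1}] issuer does not match Certificate[{i + 2}] owner")
    if chain[-1][0] != chain[-1][1]:
        problems.append("last certificate is not self-signed: root certificate missing from chain")
    return problems

if __name__ == "__main__":
    # usage: check_keystore.py [fqdn] [keystore.jks storepass]; no arguments checks the sample
    host = sys.argv[1] if len(sys.argv) > 1 else FQDN
    listing = list_keystore(sys.argv[2], sys.argv[3]) if len(sys.argv) > 3 else SAMPLE_LISTING
    found = check_server_entry(parse_listing(listing), host)
    print("OK: keystore ready" if not found else "\n".join(found))
```

To check the real keystore, run it from the conf\security folder as python check_keystore.py orchestra-central.company.com keystore.jks changeit (with your own FQDN and keystore password). A chain length of 1 is the usual symptom of a reply that was not installed: the alias still holds only the self-signed certificate created in step 1, typically because the -alias value did not match or the CA certificates had not been imported first.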
Depending on whether you are using JBoss or Wildfly, follow the instructions in “Configuring HTTPS for JBoss” or “Configuring HTTPS for Wildfly”.