Setting up SSL in a Distributed Queue Agent
It is not possible to have SSL set up in the Queue Agent if certain surfaces, such as TP3115, are connected to the Queue Agent.
To set up SSL in a distributed Queue Agent, a number of settings need to be changed.
A private key pair and certificate signing request must be generated and stored in a Java keystore file.
If HTTPS is being set up directly on the Queue Agent:
1. The keystore should be stored in <Queue Agent install dir>/conf/security. Create this directory, if it does not exist.
2. Open a terminal (bash / Windows command line) and navigate to that folder.
3. Move on to step 2 below.
If the HTTPS setup is part of a Remote Upgrade:
The keystore should be stored in <installation directory>/media/<agent_profile_dir>/conf/security. Create this directory if it does not exist. Note that you need to upload a new Agent profile, which should replace the already existing one.
Before you follow the steps below, copy the existing file to a separate folder, such as tmp. Follow the steps below, then upload the new folder via the Agent Profile GUI, see “Agent Profile”.
1. Open a terminal (bash / Windows command line) and navigate to that folder.
2. Create a certificate in the keystore:
keytool -keysize 2048 -genkey -alias <hostname> -keyalg RSA -dname "CN=<hostname>,O=yourCompany,L=yourCity,S=yourState,C=yourCountry" -storepass changeit -keystore keystore.jks
 
Replace <hostname> with the host name of your Queue Agent server. Also, replace the values in the -dname string so that they match your organisational information.
If the path to the keytool tool is not in your environment, it can be found in <Queue Agent installation directory>\app\jdk\jdk1.7.0_15\bin.
For Windows operating systems, you might need to type keytool.exe.
3. Create a certificate request:
keytool -certreq -alias <hostname> -keystore keystore.jks -storepass changeit -file server-2048.csr
 
Again, replace <hostname> with the name supplied in step 2 above.
4. Send the certificate request to your certificate authority (e.g. Symantec, Comodo, etc.).
5. Once the certificate response has been received, it must be imported into the keystore.
The certificate response normally consists of 3 parts:
The certificate authority’s signer certificate, example: symantec-ca.cer
The certificate authority’s root certificate, example: symantec-root.cer
Your signed certificate, example: server-2048.cer
All these certificates must be imported into the keystore in the correct order (the one defined above).
6. Perform these commands (assuming that the received files match the examples above, adjust if necessary):
keytool -importcert -file symantec-ca.cer -alias symantec-issuing-ca -storepass changeit -keystore keystore.jks
keytool -importcert -file symantec-root.cer -alias symantec-root -storepass changeit -keystore keystore.jks
keytool -importcert -file server-2048.cer -alias "<hostname>" -storepass changeit -keystore keystore.jks
 
Replace <hostname> with the name given in step 2. above. Also replace symantec-issuing-ca and symantec-root with names that make sense, depending on which certificate authority you use.
Enter yes when prompted if the certificate(s) should be trusted.
The response from the last command should be "Certificate reply was installed in keystore". If it isn't, make sure that all steps have been performed in the correct order and that the arguments to the "-alias" flag match exactly what is in the keystore.
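A check for the outcome described above, as an added example that is not part of the original documentation: it reads `keytool -list -v` output and confirms that the alias from step 2 is a PrivateKeyEntry whose certificate chain is longer than the single self-signed certificate. The function names, the verdict words and the host name queue01.example.com are assumptions, and the sample listings are constructed and abridged.

```shell
#!/bin/sh
# Added example: verify that the CA reply replaced the self-signed certificate.
# Reads `keytool -list -v` output on stdin; $1 is the alias used in step 2.
# Prints one verdict word and returns 0 only for "ok".
check_reply_installed() {
    awk -v want="$1" '
        BEGIN { want = tolower(want); verdict = "alias-missing" }
        { sub(/\r$/, "") }                      # tolerate Windows line endings
        /^Alias name: / { cur = tolower(substr($0, 13)); type = "" }
        /^Entry type: / && cur == want {
            type = substr($0, 13)
            # A reply imported under a different alias lands as trustedCertEntry.
            verdict = (type == "PrivateKeyEntry") ? "self-signed" : "no-private-key"
        }
        /^Certificate chain length: / && cur == want && type == "PrivateKeyEntry" {
            # Length 1 is the certificate keytool generated in step 2.
            if ($NF + 0 > 1) verdict = "ok"
        }
        END { print verdict; exit (verdict == "ok" ? 0 : 1) }
    '
}

# Constructed sample: reply installed under the key's alias (server + 2 CA certs).
sample_installed() {
    cat <<'EOF'
Alias name: symantec-root
Entry type: trustedCertEntry

Alias name: queue01.example.com
Entry type: PrivateKeyEntry
Certificate chain length: 3
EOF
}

# Constructed sample: reply imported under a mistyped alias, key still self-signed.
sample_alias_mismatch() {
    cat <<'EOF'
Alias name: queue01.example.com
Entry type: PrivateKeyEntry
Certificate chain length: 1

Alias name: queue1.example.com
Entry type: trustedCertEntry
EOF
}

# Real use, run in the folder that holds the keystore:
#   keytool -list -v -keystore keystore.jks -storepass changeit | check_reply_installed "<hostname>"
```

A verdict of self-signed or no-private-key points to the alias mismatch described above; alias-missing means the name passed in does not exist in the keystore at all.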
If HTTPS is being set up directly on the Queue Agent:
1. Open the <Queue Agent install dir>/conf/agent.conf file and edit it:
agent.https.keystore.password should be set to ulanBator or, alternatively, to whatever password you specified above when creating and editing the keystore.
The Queue Agent must be restarted once the certificate reply has been imported and the necessary configuration changes have been made.
If HTTPS is being set up as a configuration change in a Remote Upgrade:
1. Copy the existing Agent Profile to a separate folder, such as tmp.
2. Open the <installation directory>/media/<agent_profile_dir>/conf/agent.conf file and edit it:
agent.https.keystore.password should be set to ulanBator or, alternatively, to whatever password you specified above when creating and editing the keystore.
3. Upload your edited Agent Profile, which should replace the already existing one, via the Agent Profile GUI, see “Agent Profile”.
The Queue Agent must be upgraded to the Agent Profile for HTTPS to be enabled.