Secure Sockets Layer (SSL) is a protocol that provides a secured communication channel between a client and a server with the help of certificates. When Apache Tomcat is used as the server hosting SailPoint IdentityIQ, the data being handled is sensitive in nature. With a self-signed certificate, we can secure SailPoint IdentityIQ hosted on a Tomcat server without involving a certificate authority (CA).
1. Creation of a Self-Signed Certificate
Step 1: Open a command prompt.
Step 2: Make sure Java is installed and run the following command:
keytool -genkey -alias tomcat -keyalg RSA -keystore /path/to/keystore/file/keystore_name
Step 3: Enter the keystore password. The default password for Tomcat is "changeit".
Step 4: Enter the details for the keystore entry, i.e. your name, the name of the organizational unit (OU), the name of the organization, city, state and country.
Step 5: Hit Enter if you want the key to use the same password as the keystore. The keystore will then be generated at the specified location.
2. Configuring the Tomcat Server
Step 1: Navigate to CATALINA_HOME.
Step 2: Navigate into the conf directory.
Step 3: Open the server.xml file.
Step 4: Comment out the default HTTP connector on port 8080:
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="200000"
redirectPort="8443" />
so that it reads:
<!--
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="200000"
redirectPort="8443" />
-->
Step 5: Add the following HTTPS connector to the file (the protocol stays HTTP/1.1; it is SSLEnabled="true" that turns on TLS, and keystoreFile must point at the keystore file created above, not its directory):
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
keystoreFile="/path/to/keystore/file/keystore_name" keystorePass="<password>" />
Step 6: Save the file and start the Tomcat server.
Step 7: Check the Tomcat server URL:
https://localhost:8443/identityiq
Note: The browser will show a warning saying that the site is not secure; this is because the self-signed certificate has not been signed by a CA. You can add an exception in the browser and proceed.
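Before starting Tomcat it is worth checking the finished server.xml for the mistakes that commonly creep into this procedure: a plain HTTP connector that was never commented out, a protocol value Tomcat will not recognise (Tomcat treats anything other than HTTP/1.1 or AJP/1.3 as a Java class name and fails to start), a keystoreFile that points at a directory, and a keystore password left at a well-known default. The linter below is an added example written for this page, not code from the post or from SailPoint or Apache Tomcat; the two server.xml samples, the file path /opt/tomcat/conf/iiq.jks and the password in the fixed sample are constructed, and the check assumes the Connector-attribute style of TLS configuration (keystoreFile/keystorePass on the Connector) that the post uses.

```python
"""Lint the Connector elements of a Tomcat server.xml for the TLS setup mistakes
described above. Added example, not part of the original post."""
import xml.etree.ElementTree as ET

# Constructed sample: the connectors as first written in this procedure, with the
# plain HTTP connector still active, an invalid protocol, a directory instead of a
# keystore file, and the well-known default keystore password.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="200000"
               redirectPort="8443" />
    <Connector port="8443" protocol="HTTPS/1.1" SSLEnabled="true" maxThreads="150"
               scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
               keystoreFile="/path/to/keystore/file/" keystorePass="changeit" />
  </Service>
</Server>
"""

# Constructed sample: the same file after the fixes. The path and password are
# made-up values for the example, not real ones.
FIXED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!--
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="200000"
               redirectPort="8443" />
    -->
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
               scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
               keystoreFile="/opt/tomcat/conf/iiq.jks" keystorePass="example-keystore-pw" />
  </Service>
</Server>
"""

# Protocol names Tomcat maps to a built-in handler; anything else must be a class name.
KNOWN_PROTOCOLS = {"HTTP/1.1", "AJP/1.3"}
# Keystore passwords that are defaults or obviously placeholder values.
DEFAULT_PASSWORDS = {"", "changeit", "password"}


def lint_connectors(server_xml):
    """Return a list of (port, code, message) findings for every Connector.

    ElementTree drops XML comments while parsing, so a connector that has been
    commented out is (correctly) not examined at all."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        proto = conn.get("protocol", "HTTP/1.1")
        ssl_enabled = conn.get("SSLEnabled", "false").lower() == "true"

        if proto not in KNOWN_PROTOCOLS and not proto.startswith("org.apache.coyote."):
            findings.append((port, "BAD_PROTOCOL",
                             f"protocol {proto!r} is not a Tomcat protocol name or handler class; "
                             "Tomcat will fail to start this connector"))

        if not ssl_enabled:
            if proto != "AJP/1.3":
                findings.append((port, "PLAINTEXT",
                                 "plain HTTP connector is still enabled; comment it out"))
            continue  # the remaining checks only apply to TLS connectors

        if conn.get("scheme") != "https" or conn.get("secure", "false").lower() != "true":
            findings.append((port, "TLS_FLAGS",
                             'TLS connector should carry scheme="https" and secure="true"'))

        keystore = conn.get("keystoreFile", "")
        if not keystore or keystore.endswith("/"):
            findings.append((port, "KEYSTORE_PATH",
                             f"keystoreFile {keystore!r} does not name a keystore file"))

        if conn.get("keystorePass", "") in DEFAULT_PASSWORDS:
            findings.append((port, "WEAK_KEYSTORE_PASS",
                             "keystorePass is empty, a default, or a placeholder"))
    return findings


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_SERVER_XML), ("fixed", FIXED_SERVER_XML)):
        print(f"== {label} server.xml ==")
        for port, code, message in lint_connectors(xml_text) or [("-", "OK", "no findings")]:
            print(f"port {port}: {code}: {message}")
```

Run against the first sample it reports the four problems (plaintext 8080, bad protocol, directory keystore path, default password); against the fixed sample it reports nothing, because the parser never sees the commented-out 8080 connector and the 8443 connector passes every check. To lint a real installation, read CATALINA_HOME/conf/server.xml into a string and pass it to lint_connectors.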
The following is a detailed demo of the steps mentioned above: