How do I configure the EventSentry Web Reports to use SSL/TLS?

Article ID: 371
Category: Web Reports
Applies to: 3.4 and newer
Updated: 2023-03-02

Note: These instructions are only for EventSentry 3.4 and newer. For older versions, please see [knowledge base article 238].


Step 1: Prepare the Certificate

Open a command prompt as an administrator and navigate to the following folder (depends on where you installed EventSentry):
cd "\Program Files\EventSentry\WebReports\jre\bin"

There are two paths you can take now. Please follow the one that applies to you.


Step 2 Option A: Generate a Self-Signed Certificate Keystore

keytool.exe -genkey -keyalg RSA -alias eventsentry -keystore eventsentry.jks -validity 360 -keysize 2048
In this example the password is "changeit". Use the FQDN of the machine for the "First and last name" value.

Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  server.domain.local

Step 2 Option B: Use a Certificate Authority Keystore

Run the following command to generate a keystore:
keytool.exe -genkey -alias eventsentry -keyalg RSA -keystore eventsentry.jks
In this example the password is "changeit". Use the FQDN of the machine for the "First and last name" value.

Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  server.domain.local

Create the certificate request:

keytool.exe -certreq -keyalg RSA -alias eventsentry -file certreq.req -keystore eventsentry.jks

Follow the instructions from your CA on submitting the certificate request. You will use the certreq.req file created in the last step. In this example, the CA gave a ZIP file containing a chain of certificates.

If your CA recommends specific instructions, follow those instead of the ones here. In our case, these were the steps we had to take to import the certificates.

keytool.exe -importcert -alias AddTrustExternalCARoot -file c:\certs\AddTrustExternalCARoot.crt -keystore eventsentry.jks
keytool.exe -importcert -alias ComodoUTNSGCCA -file c:\certs\ComodoUTNSGCCA.crt -keystore eventsentry.jks
keytool.exe -importcert -alias EssentialSSLCA_2 -file c:\certs\EssentialSSLCA_2.crt -keystore eventsentry.jks
keytool.exe -importcert -alias UTNAddTrustSGCCA -file c:\certs\UTNAddTrustSGCCA.crt -keystore eventsentry.jks

After the chain is complete, import the server-specific certificate provided by your CA:
keytool.exe -importcert -alias eventsentry -file c:\certs\server_domain_local.crt -keystore eventsentry.jks


Step 3: Configure the Web Reports to Use Your Keystore

Move the keystore to the conf folder:
move eventsentry.jks "C:\Program Files\EventSentry\WebReports\conf"

Configure an SSL connector by editing the server.xml file, which is located by default at:
C:\Program Files\EventSentry\WebReports\web\conf\server.xml

Look for the first instance of "<Connector.../>" and insert the following below that section, making sure the "keystorePass" and "keystoreFile" values match your particular instance:

<!-- SSL "Connector" -->
    <Connector port="8443" relaxedQueryChars="[]" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" disableUploadTimeout="true" enableLookups="false"
               clientAuth="false" sslProtocol="TLS" scheme="https" secure="true"
               SSLEnabled="true" keystorePass="changeit"
               keyAlias="eventsentry"
               keystoreFile="C:\Program Files\EventSentry\WebReports\conf\eventsentry.jks" 
               sslEnabledProtocols="TLSv1.2"/>

If you would also like to disable HTTP, look for this connector:

<Connector port="8080" relaxedQueryChars="[]" protocol="HTTP/1.1"
              connectionTimeout="20000"
              redirectPort="8443" />

Either delete it or comment it out (enclose it in <!-- and -->).


Step 4: Restart EventSentry Web Reports service

After restarting the "EventSentry Web Reports" service, navigate to https://server.domain.local:8443 to test & access the web reports through SSL.
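
Added example (not EventSentry's own tooling): a short Python check that reads server.xml text and reports the settings from Step 3 that are worth reviewing before go-live, namely a connector still serving without TLS, the example keystore password left in place, and enabled protocols outside an allowed set. The function name, the allowed protocol set and the `<Server>`/`<Service>` wrapper elements in the sample are assumptions; the sample input is constructed from the connectors shown above.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two connectors from this article inside assumed
# <Server>/<Service> wrapper elements, with HTTP left on and the example password.
SAMPLE_SERVER_XML = r"""
<Server>
  <Service>
    <Connector port="8080" relaxedQueryChars="[]" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443" />
    <!-- SSL "Connector" -->
    <Connector port="8443" relaxedQueryChars="[]" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" disableUploadTimeout="true" enableLookups="false"
               clientAuth="false" sslProtocol="TLS" scheme="https" secure="true"
               SSLEnabled="true" keystorePass="changeit" keyAlias="eventsentry"
               keystoreFile="C:\Program Files\EventSentry\WebReports\conf\eventsentry.jks"
               sslEnabledProtocols="TLSv1.2"/>
  </Service>
</Server>
"""

ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}  # assumption: local policy
EXAMPLE_PASSWORDS = {"changeit"}            # the password shown in this article

def audit_connectors(server_xml):
    """Return a list of (port, finding) for the <Connector> elements in server_xml."""
    findings, tls_seen = [], False
    # ElementTree discards XML comments, so commented-out connectors are skipped.
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = conn.get("port", "?")
        if conn.get("SSLEnabled", "false").lower() != "true":
            findings.append((port, "connector without TLS is enabled"))
            continue
        tls_seen = True
        if conn.get("keystorePass") in EXAMPLE_PASSWORDS:
            findings.append((port, "keystorePass is the article's example password"))
        protos = {p.strip() for p in conn.get("sslEnabledProtocols", "").split(",") if p.strip()}
        if not protos:
            findings.append((port, "sslEnabledProtocols is not set"))
        elif protos - ALLOWED_PROTOCOLS:
            weak = ", ".join(sorted(protos - ALLOWED_PROTOCOLS))
            findings.append((port, "protocol outside policy: " + weak))
    if not tls_seen:
        findings.append(("-", "no TLS connector defined"))
    return findings

if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE_SERVER_XML):
        print(f"port {port}: {finding}")
```

To check a real installation, pass the contents of the server.xml file from Step 3 to `audit_connectors` instead of the sample string.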