Open a command prompt as an administrator and navigate to the following folder (depends on where you installed EventSentry):
cd "\Program Files\EventSentry\WebReports\jre\bin"
Run the following command to generate a keystore:
keytool.exe -genkey -alias eventsentry -keyalg RSA -keystore eventsentry.jks
In this example the password is "changeit". Use the FQDN of the machine for the "First and last name" value.
Enter keystore password: Re-enter new password: What is your first and last name? [Unknown]: server.domain.local
Create the certificate request:
keytool.exe -certreq -keyalg RSA -alias eventsentry -file certreq.req -keystore eventsentry.jks
Follow the instructions from your CA on submitting the certificate request. You will use the certreq.req file created in the last step. In this example, the CA gave a ZIP file containing a chain of certificates.
If your CA recommends specific instructions, follow those instead of the ones here. In our case, these were the steps we had to take to import the certificates.
keytool.exe -importcert -alias AddTrustExternalCARoot -file c:\certs\AddTrustExternalCARoot.crt -keystore eventsentry.jks keytool.exe -importcert -alias ComodoUTNSGCCA -file c:\certs\ComodoUTNSGCCA.crt -keystore eventsentry.jks keytool.exe -importcert -alias EssentialSSLCA_2 -file c:\certs\EssentialSSLCA_2.crt -keystore eventsentry.jks keytool.exe -importcert -alias UTNAddTrustSGCCA -file c:\certs\UTNAddTrustSGCCA.crt -keystore eventsentry.jks
Then after the chain is complete, import the new server specific certificate provided by the CA:
keytool.exe -importcert -alias eventsentry -file c:\certs\<servername_domain_local>.crt -keystore eventsentry.jks
Move the keystore to the conf folder:
move eventsentry.jks "C:\Program Files\EventSentry\WebReports\conf"
Configure a SSL connector by editing the server.xml file, by default located in:
Look for the first instance of "<Connector.../>" and insert the following below that section making sure the "keystorePass" and "keystoreFile" lines match your particular instance:
<!-- SSL "Connector" --> <Connector port="8443" relaxedQueryChars="" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" disableUploadTimeout="true" enableLookups="false" sslProtocol="TLS" scheme="https" secure="true" SSLEnabled="true" keystorePass="changeit" keyAlias="eventsentry" keystoreFile="C:\Program Files\EventSentry\WebReports\conf\eventsentry.jks" SSLVerifyClient="require" truststoreFile="C:\Program Files\EventSentry\WebReports\conf\eventsentry.jks" truststorePass="changeit" clientAuth="true" />
Set to true if you want the SSL stack to require a valid certificate chain from the client before accepting a connection.
Set to want if you want the SSL stack to request a client Certificate, but not fail if one isn't presented.
A false value (which is the default) will not require a certificate chain unless the client requests a resource protected by a security constraint that uses CLIENT-CERT authentication.
This will require a valid certificate chain from the client before accepting a connection.
This is the keystore where the CA and signed certifications exist and can be the same as our keystoreFile.
If you would also like to disable HTTP, look for this connector:
<Connector port="8080" relaxedQueryChars="" protocol="HTTP/1.1" connectionTimeout"20000" redirectPort="8443" />
Either delete it or comment it out (enclose it in <!-- and -->)
After restarting the "EventSentry Web Reports" service, navigate to https://server.domain.local:8443 to test & access the web reports through SSL.