Configuring SSL for the Web Application

Since the Traverse Web Application is pure HTML based, the GUI component can be accessed using both regular (HTTP) and secure (HTTPS, that is HTTP over SSL/TLS) protocol. By default SSL is already enabled on the default port 443 with a self-signed Kaseya certificate, which browsers will warn about. To install your own CA-signed certificate, or to change the certificate in use, follow the steps below:

Note: These changes will need to be re-applied when you install a new version of Traverse, so keep a copy of webapp.keystore and of the edited server.xml and web.xml outside <TRAVERSE_HOME>.

Configuring SSL for the Web Application

  1. The application server (Apache Tomcat) used by Traverse uses a JKS format keystore. Traverse by default ships with a keystore containing a self-signed certificate. If you are not ready to install a CA-signed certificate yet, you can skip to Step 10. Otherwise, first rename or move the existing keystore located at <TRAVERSE_HOME>/plugin/web/webapp.keystore so that keytool creates a new one.
  2. Create a private/public (RSA) key pair using the following command:
<TRAVERSE_HOME>/apps/jre/bin/keytool -genkey -keyalg RSA -storepass changeit -alias tomcat -keystore <TRAVERSE_HOME>/plugin/web/webapp.keystore
     The keystore password (-storepass) is shown as changeit only because that is Tomcat's default. Choose your own value, use the same value in every keytool command below, and put it in the keystorePass attribute of server.xml in Step 10. Older JREs generate 1024-bit RSA keys by default, which public CAs no longer sign; add -keysize 2048 to the command if yours does.
  3. Answer the questions, making sure to specify the fully-qualified domain name (the host name users will type into the browser) when asked for first/last name. Do not use a comma (,) in any of the answers as it will cause problems. When asked for the key password for tomcat, press return/enter so that the key password is the same as the keystore password; Tomcat opens the key with the keystore password.
  4. Generate a Certificate Signing Request (CSR) using the following command:
<TRAVERSE_HOME>/apps/jre/bin/keytool -certreq -storepass changeit -alias tomcat -keystore <TRAVERSE_HOME>/plugin/web/webapp.keystore -file my_new_key.csr
  5. You will need to send the CSR (my_new_key.csr) to a valid certificate authority (CA) such as Verisign or Thawte. Usually the CA will send you a signed certificate via email. If you are acting as your own CA, the CSR can be signed using OpenSSL or other SSL tools.
  6. Save the certificate in my_new_cert.pem and make sure that the file begins with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----. All other text above/below that section should be deleted. If the CA also supplies intermediate (chain) certificates, import each of them first under its own alias (for example -alias intermediate) with the same -import command shown in Step 7; otherwise keytool cannot establish the chain for your certificate and browsers will report an incomplete certificate chain.
  7. Import the signed certificate into the keystore, under the same alias as the key pair, using:
<TRAVERSE_HOME>/apps/jre/bin/keytool -import -v -trustcacerts -alias tomcat -storepass changeit -file my_new_cert.pem -keystore <TRAVERSE_HOME>/plugin/web/webapp.keystore
  8. If asked Trust this certificate?, answer yes. keytool reports that the certificate reply was installed into the keystore.
  9. Verify that the certificate has been imported correctly using:
<TRAVERSE_HOME>/apps/jre/bin/keytool -list -v -storepass changeit -keystore <TRAVERSE_HOME>/plugin/web/webapp.keystore
     The tomcat entry should normally show a certificate chain length greater than 1 (the CA certificate(s) as well as your own) and an Owner line carrying your fully-qualified host name; a chain length of 1 with an Owner equal to the Issuer means the self-signed certificate is still in place.
  10. Edit <TRAVERSE_HOME>/apps/tomcat/conf/server.xml using a text editor and check that the following section is uncommented, that is, not enclosed between <!-- and -->:
<Connector port="443"
  minProcessors="20" maxProcessors="80"
  enableLookups="false" allowChunking="false"
  acceptCount="100" scheme="https" secure="true"
  clientAuth="false" sslProtocol="TLS"
  keystorePass="<your keystore password>"
  keystoreFile="<TRAVERSE_HOME>/plugin/web/webapp.keystore"
  compression="off" debug="0"
  URIEncoding="UTF-8" />
  11. Make sure that the keystoreFile, keystorePass and port attributes are set correctly: keystoreFile must be the absolute path of webapp.keystore and keystorePass must be exactly the -storepass value used with keytool above (changeit if you kept the default). On a Windows platform the path is written with forward slashes, for example /C:/Program Files (x86)/Traverse/plugin/web/webapp.keystore. The password is stored in clear text in server.xml, so restrict read access to that file to the account the Web Application runs as.
  12. To configure Tomcat to use only SSL (https), you can disable the standard http request handler as described under Disabling non-SSL Web Application server below.
  13. Save the file and restart the Web Application if already running. On Linux or Solaris hosts:
<TRAVERSE_HOME>/etc/webapp.init restart
  14. On Windows hosts, click Launch Traverse Service Controller from the Windows Start menu to display the Traverse Service Controller. First clear the Web Application check box and click Apply to stop the Web Application. Then wait 15-30 seconds, select the Web Application check box and click Apply to start the Web Application.
  15. Wait 15-30 seconds for the Web Application to initialize and use your web browser to connect to https://your_traverse_host/ ; you should see the Traverse login page without a certificate warning. A warning at this point usually means that the host name in the URL does not match the name you gave in Step 3, or that the CA chain was not imported in Step 6.
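The keystore steps above (rename the shipped keystore, generate the key pair and CSR, trim the CA reply, import it, verify the listing) gathered into one script, as an added example that is not Traverse's own tooling and not part of the original page. It calls the same keytool binary and paths as the commands above; TRAVERSE_HOME (with a /usr/local/traverse fallback), the store password, the DN values and the two SAMPLE_* strings are assumptions, and the sample certificate body is not a real certificate. Beyond what the page shows it adds -keysize 2048, a check that no DN answer contains a comma, and a parser for the keytool -list -v output so the chain length can be checked without reading it by eye.

```python
"""The keystore procedure above in one script: key pair, CSR, CA reply import
and verification, driven through the same keytool binary. Added example, not
Traverse's own tooling. TRAVERSE_HOME (fallback /usr/local/traverse), the store
password, the DN values and the two SAMPLE_* strings are assumptions."""
import os
import re
import subprocess

TRAVERSE_HOME = os.environ.get("TRAVERSE_HOME", "/usr/local/traverse")  # assumed
KEYTOOL = os.path.join(TRAVERSE_HOME, "apps", "jre", "bin", "keytool")
KEYSTORE = os.path.join(TRAVERSE_HOME, "plugin", "web", "webapp.keystore")
ALIAS = "tomcat"

# One PEM certificate: header line, base64 body lines, footer line, nothing else.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(?:[A-Za-z0-9+/=]+\r?\n)+-----END CERTIFICATE-----")

def extract_pem_certificates(text):
    """Return every PEM certificate in the CA's e-mail body without the text
    around it (the "delete all other text" step). Block 0 is normally the server
    certificate; further blocks are intermediate CA certificates, which must be
    imported under their own aliases first or keytool cannot build the chain."""
    return [m.group(0).replace("\r\n", "\n") + "\n" for m in PEM_RE.finditer(text)]

def build_dname(cn, ou, o, l, st, c):
    """The interactive DN questions as a keytool -dname string. The page warns
    that a comma breaks the prompts; in -dname it is the field separator, so a
    comma in any value is rejected here as well."""
    fields = [("CN", cn), ("OU", ou), ("O", o), ("L", l), ("ST", st), ("C", c)]
    for name, value in fields:
        if "," in value:
            raise ValueError(f"{name} must not contain a comma: {value!r}")
    if "." not in cn:
        raise ValueError("CN must be the fully-qualified host name")
    return ", ".join(f"{name}={value}" for name, value in fields)

def keytool_commands(store_pass, dname, csr_path, cert_path):
    """Argument lists for the four keytool commands on the page. -keysize 2048
    is added because old JREs default to 1024-bit RSA; -keypass equals
    -storepass because Tomcat opens the key with the keystore password (the
    page's "press return/enter" at the key password prompt)."""
    common = ["-storepass", store_pass, "-alias", ALIAS, "-keystore", KEYSTORE]
    return {
        "genkey": [KEYTOOL, "-genkey", "-keyalg", "RSA", "-keysize", "2048",
                   "-dname", dname, "-keypass", store_pass] + common,
        "certreq": [KEYTOOL, "-certreq", "-file", csr_path] + common,
        "import": [KEYTOOL, "-import", "-v", "-trustcacerts", "-noprompt",
                   "-file", cert_path] + common,
        "list": [KEYTOOL, "-list", "-v"] + common,
    }

def keystore_status(listing):
    """Parse `keytool -list -v` output into {'type', 'chain'} for the tomcat
    alias (None if it is missing). chain == 1 means the self-signed key is still
    in place; once the CA reply is installed the chain holds the CA cert(s) too."""
    current, status = None, {}
    for line in listing.splitlines():
        if line.startswith("Alias name: "):
            current = line.split(": ", 1)[1].strip()
            status[current] = {"type": "?", "chain": 0}
        elif current and line.startswith("Entry type: "):
            status[current]["type"] = line.split(": ", 1)[1].strip()
        elif current and line.startswith("Certificate chain length: "):
            status[current]["chain"] = int(line.split(": ", 1)[1])
    return status.get(ALIAS)

def run(argv):
    """Run one keytool command and return its stdout; a non-zero exit raises."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout

# Constructed sample of a CA e-mail; the base64 body is not a real certificate.
SAMPLE_CA_MAIL = """Dear customer, your certificate is below.

-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUQ
-----END CERTIFICATE-----

Regards, the CA
"""

# Constructed sample of `keytool -list -v` output after the CA reply was imported.
SAMPLE_LISTING = """Keystore type: JKS

Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=traverse.example.com, OU=IT, O=Example, L=Boston, ST=MA, C=US
"""

if __name__ == "__main__":
    dname = build_dname("traverse.example.com", "IT", "Example", "Boston", "MA", "US")
    cmds = keytool_commands("choose-a-real-password", dname, "my_new_key.csr", "my_new_cert.pem")
    if os.path.exists(KEYSTORE):
        os.rename(KEYSTORE, KEYSTORE + ".orig")  # keep the shipped self-signed keystore
    run(cmds["genkey"])
    run(cmds["certreq"])
    print("Send my_new_key.csr to the CA, save the reply as my_new_cert.pem, then run:")
    print(" ".join(cmds["import"]) + " && " + " ".join(cmds["list"]))
```

Run it once to create the key pair and the CSR. When the CA reply arrives, pass the e-mail body through extract_pem_certificates to get a clean my_new_cert.pem (plus any intermediates), run the printed import and list commands, and feed the listing to keystore_status: a chain length greater than 1 confirms that the CA reply, not the self-signed certificate, is what Tomcat will serve.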

Disabling non-SSL Web Application server

If you want to use only SSL, you can disable the non-SSL server of the Web Application by performing the following steps:

  1. Edit <TRAVERSE_HOME>/apps/tomcat/conf/server.xml using a text editor and locate the following Connector section for port 80:
<!-- define standard http request handler -->
<Connector port="80" minProcessors="20" maxProcessors="80" enableLookups="false" allowChunking="false" acceptCount="100" redirectPort="443" compression="off" debug="0" URIEncoding="UTF-8" />
  2. Comment out the section by adding "<!--" and "-->" as follows:
<!-- define standard http request handler -->
<!-- disabled
<Connector port="80" minProcessors="20" maxProcessors="80" enableLookups="false" allowChunking="false" acceptCount="100" redirectPort="443" compression="off" debug="0" URIEncoding="UTF-8" />
-->
  3. Save the file and restart the Web Application if already running. On non-Windows hosts:
<TRAVERSE_HOME>/etc/webapp.init restart

On Windows hosts, click Launch Traverse Service Controller from the Windows Start menu to display the Traverse Service Controller. First clear the Web Application check box and click Apply to stop the Web Application. Then wait 15-30 seconds, select the Web Application check box and click Apply to start the Web Application.

The Web Application should now be accessible only via the https://your_traverse_host/ URL. Plain http:// requests are refused (connection refused) rather than redirected, so update any bookmarks, scripts or monitors that still use http. If you need plain-HTTP requests to be redirected instead, leave the port 80 Connector enabled and use the web.xml constraint described in the next section.

Redirecting non-SSL Port to SSL Port Automatically

This is an alternative to disabling the port 80 Connector, not an addition to it: the plain-HTTP Connector stays enabled and Tomcat answers every http:// request with a redirect to the port named in that Connector's redirectPort attribute (443 in the server.xml fragment above), so the port 80 Connector must remain uncommented for the redirect to work. Edit <TRAVERSE_HOME>/webapp/WEB-INF/web.xml and add the following block immediately after the opening <web-app> tag:

<!-- This block forces SSL for all connections -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire Application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

Now restart the Web Application to activate the new settings. Note that the browser has already sent its first request, including any cookies it holds for the host, in plain text before the redirect arrives; the constraint protects the session that follows, not that initial request. Where plain-HTTP access is not needed at all, disabling the port 80 Connector as described above is the stricter choice.
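A check over the two files the sections above edit, server.xml (the SSL Connector attributes and the commented-out port 80 Connector) and web.xml (the CONFIDENTIAL constraint), as an added example that is not part of Traverse or of the original page. TRAVERSE_HOME (fallback /usr/local/traverse) and the two SAMPLE_* documents are assumptions; the samples reproduce the fragments shown above. It reports an SSL Connector still carrying the placeholder keystore values, any plain-HTTP Connector still enabled, and, from the two files together, whether a plain http:// request is refused, redirected or served in clear text.

```python
"""Audit of server.xml (SSL Connector, disabled port 80) and web.xml (redirect).
Added example, not part of Traverse. It parses the two files the text edits and
reports the mistakes those sections warn about. TRAVERSE_HOME (fallback
/usr/local/traverse) and the SAMPLE_* documents are assumptions."""
import os
import xml.etree.ElementTree as ET

TRAVERSE_HOME = os.environ.get("TRAVERSE_HOME", "/usr/local/traverse")  # assumed
SERVER_XML = os.path.join(TRAVERSE_HOME, "apps", "tomcat", "conf", "server.xml")
WEB_XML = os.path.join(TRAVERSE_HOME, "webapp", "WEB-INF", "web.xml")
PLACEHOLDER_PASSWORDS = {"changeit", "mypassword"}  # Tomcat default, page placeholder

def _strip_namespaces(root):
    """web.xml usually carries an xmlns; drop it so tags match by local name."""
    for el in root.iter():
        if isinstance(el.tag, str) and "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root

def audit_server_xml(text):
    """Findings for server.xml. ElementTree discards XML comments, so a Connector
    commented out with <!-- ... --> is simply absent: that is the test for
    'the plaintext handler is disabled'."""
    connectors = list(_strip_namespaces(ET.fromstring(text)).iter("Connector"))
    findings = []
    if not any(c.get("secure") == "true" for c in connectors):
        findings.append('no SSL connector (secure="true") is enabled')
    for c in connectors:
        port = c.get("port")
        if c.get("secure") != "true":
            findings.append(f"plaintext HTTP connector on port {port} is enabled")
            continue
        if not c.get("keystoreFile", "").endswith("webapp.keystore"):
            findings.append(f"port {port}: keystoreFile does not point at webapp.keystore")
        # Tomcat falls back to "changeit" when keystorePass is absent.
        if c.get("keystorePass", "changeit") in PLACEHOLDER_PASSWORDS:
            findings.append(f"port {port}: keystorePass is still a placeholder/default")
    return findings

def forces_ssl(text):
    """True if web.xml has a security-constraint covering /* with transport
    guarantee CONFIDENTIAL, i.e. the redirect block from the last section."""
    root = _strip_namespaces(ET.fromstring(text))
    for sc in root.iter("security-constraint"):
        patterns = [p.text.strip() for p in sc.iter("url-pattern") if p.text]
        guarantees = [g.text.strip() for g in sc.iter("transport-guarantee") if g.text]
        if "/*" in patterns and "CONFIDENTIAL" in guarantees:
            return True
    return False

def effective_mode(server_findings, ssl_forced):
    """How a plain http:// request ends up, given both audits. The CONFIDENTIAL
    constraint can only redirect when a plaintext Connector is still there to
    receive the request, so disabling port 80 and redirecting are alternatives."""
    plain_enabled = any("plaintext HTTP connector" in f for f in server_findings)
    if not plain_enabled:
        return "https-only"
    return "redirect-to-https" if ssl_forced else "plaintext-reachable"

# Constructed server.xml: port 80 commented out as on the page, port 443 still
# carrying the placeholder keystore values from the fragment above.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <!-- define standard http request handler -->
    <!-- disabled
    <Connector port="80" minProcessors="20" maxProcessors="80" enableLookups="false"
      acceptCount="100" redirectPort="443" compression="off" debug="0" URIEncoding="UTF-8" />
    -->
    <Connector port="443" minProcessors="20" maxProcessors="80" enableLookups="false"
      allowChunking="false" acceptCount="100" scheme="https" secure="true"
      clientAuth="false" sslProtocol="TLS" keystorePass="mypassword"
      keystoreFile="conf/.keystore" compression="off" debug="0" URIEncoding="UTF-8" />
  </Service>
</Server>
"""

# Constructed web.xml carrying the redirect block from the last section.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
"""

if __name__ == "__main__":
    # Use the real files when present, otherwise the constructed samples.
    if os.path.exists(SERVER_XML) and os.path.exists(WEB_XML):
        server_text, web_text = open(SERVER_XML).read(), open(WEB_XML).read()
    else:
        server_text, web_text = SAMPLE_SERVER_XML, SAMPLE_WEB_XML
    findings = audit_server_xml(server_text)
    print("\n".join(findings) or "server.xml: no findings")
    print("mode:", effective_mode(findings, forces_ssl(web_text)))
```

Against the constructed samples the audit reports the two placeholder values on the port 443 Connector and a mode of https-only, because the port 80 Connector is inside a comment and therefore never parsed; the CONFIDENTIAL block in web.xml changes nothing in that case. With the port 80 Connector uncommented the mode becomes redirect-to-https when the web.xml block is present and plaintext-reachable when it is not.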