[KB7856] Set up an HTTPS/SSL connection for ESET PROTECT On-Prem

Solution

HTTPS

For security reasons, we recommend setting up ESET PROTECT On-Prem to use HTTPS.

Reinstall ESET PROTECT On-Prem using the All-in-one installer

Reinstall ESET PROTECT On-Prem using the All-in-one installer to generate the secure connection (HTTPS) certificate automatically.

  1. Make sure Apache Tomcat is not used by any other app than ESET PROTECT On-Prem.

  2. Uninstall Apache Tomcat. This step also uninstalls ESET PROTECT On-Prem.

  3. Download the ESET PROTECT On-Prem All-in-one installer. Use the same version as your ESET PROTECT On-Prem Server.

  4. Run the ESET PROTECT On-Prem All-in-one installer. Select Install and accept the EULA. Under Select components to install, select the check box next to ESET PROTECT Webconsole and click Next. The secure connection certificate is automatically generated during the installation.

    Figure 1-1
    Generate a custom HTTPS certificate for ESET PROTECT Web Console

    If you install ESET PROTECT On-Prem using the All-in-one installer, you can use a custom HTTPS certificate for Windows.

    1. Select the check box next to Add Custom HTTPS certificate for Webconsole and click Next.

      Figure 1-2
    2. Click Browse and select a valid Certificate (.pfx or .p12 file) and type its passphrase (or leave the Passphrase field blank if there is no passphrase). The certificate will be installed on your Tomcat server for Web Console access. Click Next to continue.

      The following requirements for a custom HTTPS certificate must be met:

      • Correct file (.pfx, .p12) selected
      • Correct passphrase entered
      • Certificate has private key
      • Certificate is valid

      Figure 1-3
  5. Complete ESET PROTECT On-Prem installation. If you installed ESET PROTECT On-Prem on a computer different from the ESET PROTECT Server, configure the connection to ESET PROTECT Server.

Use an existing certificate

ESET PROTECT On-Prem certificates

The steps below refer to certificates for Apache Tomcat, which are used to secure the HTTPS connection to the Web Console. For information about ESET PROTECT On-Prem certificates (the ones used between Agents and the Server), see our Online Help topic.

The steps below are performed on a 64-bit Microsoft Windows Server operating system (with 64-bit Java and 64-bit Apache Tomcat installed). Some paths may vary depending on the operating system you are using.

  1. Move the certificate .pfx file to your Tomcat install directory (the folder name may vary; substitute "Tomcat_folder" with the actual folder name).

    C:\Program Files\Apache Software Foundation\Tomcat_folder

  2. Open the conf folder in the Tomcat install directory and locate the server.xml file. Edit this file using a text editor (such as Notepad++).

    1. If there is no <Connector element after </Engine> in server.xml (for example, when you perform a new installation of Apache Tomcat), copy the following Connector element into server.xml after </Engine> (use your own values for keystoreFile, keystorePass, and keystoreType):

<Connector server="OtherWebServer" port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Program Files\Apache Software Foundation\Tomcat_folder\certificate_file.pfx" keystorePass="Secret_Password_123" keystoreType="PKCS12" sslEnabledProtocols="TLSv1.2,TLSv1.3" ciphers="TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA" />

    2. If a <Connector element is already present after </Engine> in server.xml (for example, when you restore server.xml after an Apache Tomcat upgrade), replace the values of the parameters listed below with your own values:

      - keystoreFile - Provide the full path to the certificate file (.pfx, .keystore, or other). If you use a non-JKS keystore (for example, a .pfx file), delete the keyAlias attribute (it is present in server.xml by default) and add the proper keystoreType.
      - keystorePass - Provide the certificate passphrase.
      - keystoreType - Specify the keystore type (for example, PKCS12 for a .pfx file).
      Apache Tomcat documentation

      Read Apache Tomcat documentation for more information about the HTTP Connector.

  3. Restart the Tomcat service.

    Always use .pfx with a password

    The .pfx certificate must have a password. 
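To confirm that an edited server.xml actually meets the requirements listed above (TLS 1.2/1.3 only, keystoreType set for a .pfx/.p12 file, keyAlias removed, a non-empty keystore password), the following Python script parses the file and reports deviations per HTTPS connector. It is an added example written for this article, not ESET's or Apache Tomcat's code; it checks the attribute-style Connector shown above (and the one in the final section of this article), not the newer <SSLHostConfig> form, and the SAMPLE_SERVER_XML it ships with is constructed for demonstration.

```python
"""Audit the SSLEnabled <Connector> elements in a Tomcat server.xml.

Added example for this article; it is not ESET's or Apache Tomcat's code.
It covers the attribute-style connector (keystoreFile, keystorePass,
keystoreType, sslEnabledProtocols, ciphers), not the <SSLHostConfig> form.
SAMPLE_SERVER_XML below is constructed for demonstration.
"""
import sys
import xml.etree.ElementTree as ET

# Protocol versions that must not appear in sslEnabledProtocols.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings that identify cipher suites with no place on an HTTPS connector.
WEAK_CIPHER_MARKERS = ("_NULL_", "_RC4_", "_3DES_", "_DES_", "_MD5", "_anon_", "_EXPORT_")
PKCS12_EXTENSIONS = (".pfx", ".p12")


def audit_connector(connector):
    """Return (severity, message) findings for one SSLEnabled Connector."""
    a = connector.attrib
    findings = []
    if a.get("scheme") != "https" or a.get("secure", "").lower() != "true":
        findings.append(("high", 'set scheme="https" and secure="true"'))
    protocols = a.get("sslEnabledProtocols")
    if protocols is None:
        findings.append(("info", "sslEnabledProtocols not set; TLS versions follow Tomcat defaults"))
    else:
        enabled = {p.strip() for p in protocols.split(",") if p.strip()}
        legacy = sorted(enabled & LEGACY_PROTOCOLS)
        if legacy:
            findings.append(("high", "legacy protocols enabled: " + ", ".join(legacy)))
    for suite in (c.strip() for c in a.get("ciphers", "").split(",") if c.strip()):
        if any(marker in suite for marker in WEAK_CIPHER_MARKERS):
            findings.append(("high", "weak cipher suite: " + suite))
    keystore_file = a.get("keystoreFile", "")
    if keystore_file.lower().endswith(PKCS12_EXTENSIONS):
        # A .pfx/.p12 keystore needs keystoreType="PKCS12" and no keyAlias.
        if a.get("keystoreType", "").upper() != "PKCS12":
            findings.append(("high", 'PKCS12 keystore file needs keystoreType="PKCS12"'))
        if "keyAlias" in a:
            findings.append(("medium", "remove keyAlias when using a .pfx/.p12 keystore"))
    if not a.get("keystorePass"):
        findings.append(("high", "keystorePass is empty; the keystore must have a password"))
    return findings


def audit_server_xml(xml_text):
    """Map each HTTPS connector's port to its findings (empty list = clean)."""
    root = ET.fromstring(xml_text)
    return {
        conn.get("port", "?"): audit_connector(conn)
        for conn in root.iter("Connector")
        if conn.get("SSLEnabled", "false").lower() == "true"
    }


# Constructed sample: one connector modelled on the article, one deliberately wrong.
SAMPLE_SERVER_XML = r"""<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
    <Connector server="OtherWebServer" port="443"
      protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
      maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
      keystoreFile="C:\Program Files\Apache Software Foundation\Tomcat_folder\certificate_file.pfx"
      keystorePass="Secret_Password_123" keystoreType="PKCS12"
      sslEnabledProtocols="TLSv1.2,TLSv1.3"
      ciphers="TLS_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
      SSLEnabled="true" scheme="https" secure="true"
      keystoreFile="C:\certs\legacy.pfx" keystorePass="" keyAlias="tomcat"
      sslEnabledProtocols="TLSv1,TLSv1.2"
      ciphers="TLS_RSA_WITH_RC4_128_MD5,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" />
  </Service>
</Server>
"""


if __name__ == "__main__":
    # Pass a path to audit a real server.xml; otherwise audit the constructed sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    for port, findings in audit_server_xml(text).items():
        print("port %s: %s" % (port, "OK" if not findings else ""))
        for severity, message in findings:
            print("  [%s] %s" % (severity, message))
```

Run it as `python audit_server_xml.py "C:\Program Files\Apache Software Foundation\Tomcat_folder\conf\server.xml"` after editing and before restarting the Tomcat service; a connector that prints only OK matches the requirements in this article, while the second sample connector shows the typical leftovers from a restored server.xml (keyAlias kept, keystoreType missing, TLSv1 still enabled).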


Create a new certificate and get it signed

Use a secure HTTPS/SSL connection for ESET PROTECT On-Prem.

Apache Tomcat requires Java:
  • Ensure that Java, ESET PROTECT On-Prem, and Apache Tomcat have the same bitness (32-bit or 64-bit).
  • If you have multiple Java versions installed on your system, we recommend that you uninstall earlier Java versions and keep only the latest Java.
  • Starting January 2019, Oracle JAVA SE 8 public updates for business, commercial or production use will require a commercial license. If you do not purchase a JAVA SE subscription, use this guide to transition to a no-cost alternative.
  1. Create a keystore with an SSL certificate. You must have Java installed.

    -storepass and -keypass parameters

    Values for -storepass and -keypass must be the same.

Java includes the keytool (keytool.exe), which enables you to create a certificate via the command line. You must generate a new certificate for each Tomcat instance (if you have multiple Tomcat instances) to ensure that other Tomcat instances will remain secure if one certificate is compromised.

Below is a sample command to create a keystore with an SSL certificate.

Navigate to the exact location of the keytool.exe file, for example C:\Program Files\Java\jre1.8.0_201\bin (the directory depends on the OS and Java version) and then run the command:

keytool.exe -genkeypair -alias "tomcat" -keyalg RSA -keysize 4096 -validity 3650 -keystore "C:\Program Files\Apache Software Foundation\Tomcat_folder\tomcat.keystore" -storepass "yourpassword" -keypass "yourpassword" -dname "CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown"

  2. Export the certificate signing request (CSR) from the keystore. Below is a sample command to export the CSR from the keystore:

    Replace values appropriately

    Replace the value "C:\Install\Tomcat\tomcat.csr" for the -file parameter with the actual path and filename where the certificate will be exported.
    Replace the value ESETPROTECT for the -ext parameter with the actual hostname of the server on which your Apache Tomcat with ESET PROTECT On-Prem is running.

keytool.exe -certreq -alias tomcat -file "C:\Install\Tomcat\tomcat.csr" -keystore "C:\Program Files\Apache Software Foundation\Tomcat_folder\tomcat.keystore" -ext san=dns:ESETPROTECT

  3. Get the SSL certificate signed by the Root Certificate Authority (CA) of your choice.

You can proceed to step 6 if you plan to import a Root CA later. If you choose to proceed this way, your web browser may display warnings about a self-signed certificate, and you will need to add an exception to connect to ESET PROTECT On-Prem via HTTPS.

  4. Import the root certificate and intermediate certificate of your CA into your keystore. The CA that signed your certificate usually makes these certificates available. This is necessary because the certificate reply is validated against the trusted certificates in the keystore.

keytool.exe -import -alias root -keystore "C:\Program Files\Apache Software Foundation\Tomcat_folder\tomcat.keystore" -trustcacerts -file "C:\root.crt"

keytool.exe -import -alias intermediate -keystore "C:\Program Files\Apache Software Foundation\Tomcat_folder\tomcat.keystore" -trustcacerts -file "C:\intermediate.crt.pem"

  5. After you have received the certificate signed by the Root CA, import the CA certificates (previous step) and then the signed certificate (tomcat.cer) into your keystore. Below is a sample command that imports a signed certificate into the keystore:

    Replace values appropriately

    Replace the value "C:\Install\Tomcat\tomcat.cer" for the -file parameter with the actual path and file name where the signed certificate is located.

keytool.exe -import -alias tomcat -file "C:\Install\Tomcat\tomcat.cer" -keystore "C:\Program Files\Apache Software Foundation\Tomcat_folder\tomcat.keystore"

If you want to use an already existing certificate (for example, a company certificate), follow these instructions.

  6. Edit the server.xml configuration file so that the <Connector element is written similarly to the example below:

<Connector server="OtherWebServer" port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Program Files\Apache Software Foundation\Tomcat_folder\tomcat.keystore" keystorePass="yourpassword"/>

This modification also disables the non-secure Tomcat features, leaving only HTTPS enabled (the scheme and secure attributes). For security reasons, you may also want to edit tomcat-users.xml to delete all Tomcat users and edit ServerInfo.properties to hide the Tomcat identity (the version banner).

  7. Restart the Apache Tomcat service.
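Once Tomcat is back up, the last thing a practitioner wants is a repeatable check that the deployed endpoint behaves as the procedure above intends: the certificate chains to a trusted CA (otherwise the browser warning mentioned in step 3 appears), its subjectAltName covers the hostname used in the CSR, it is not expired or about to expire, and the session is TLS 1.2 or 1.3. The script below is an added example written for this article, not ESET's code; the hostname esetprotect.example.com, the function names, and the two certificate dictionaries are constructed for demonstration.

```python
"""Check the ESET PROTECT Web Console HTTPS endpoint after the Tomcat change.

Added example for this article, not ESET's code. It verifies a trusted chain,
a DNS subjectAltName matching the hostname, a validity window that is not about
to close, and a TLS 1.2 or 1.3 session. The certificate dictionaries at the
bottom are constructed in the shape ssl.SSLSocket.getpeercert() returns.
"""
import socket
import ssl
import sys
import time

ACCEPTED_VERSIONS = ("TLSv1.2", "TLSv1.3")


def hostname_matches(pattern, hostname):
    """Exact match, or a wildcard that covers only the leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".example.com"
        return hostname.endswith(suffix) and "." not in hostname[: -len(suffix)]
    return False


def evaluate_peer_cert(cert, hostname, now=None, min_days_left=30):
    """Return a list of problems for a getpeercert() dict; empty means OK."""
    now = time.time() if now is None else now
    problems = []
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not sans:
        problems.append("no DNS subjectAltName; a CN alone is not accepted by browsers")
    elif not any(hostname_matches(san, hostname) for san in sans):
        problems.append("hostname %s not covered by subjectAltName %s" % (hostname, sans))
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        problems.append("certificate is not yet valid")
    elif now > not_after:
        problems.append("certificate has expired")
    elif not_after - now < min_days_left * 86400:
        problems.append("certificate expires in under %d days" % min_days_left)
    return problems


def check_endpoint(hostname, port=443, timeout=5.0):
    """Connect to the Web Console and report problems; an empty list means OK."""
    context = ssl.create_default_context()  # system trust store, hostname verification on
    problems = []
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=hostname) as tls:
                if tls.version() not in ACCEPTED_VERSIONS:
                    problems.append("negotiated %s instead of TLS 1.2/1.3" % tls.version())
                problems += evaluate_peer_cert(tls.getpeercert(), hostname)
    except ssl.SSLCertVerificationError as err:
        # Self-signed or untrusted chain: the browser warning described in step 3.
        problems.append("chain not trusted: %s" % err.verify_message)
    except ssl.SSLError as err:
        problems.append("TLS handshake failed: %s" % err)
    except OSError as err:
        problems.append("connection failed: %s" % err)
    return problems


# Constructed sample certificates (not real ones) for offline use.
NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2025 GMT")
GOOD_CERT = {
    "subject": ((("commonName", "esetprotect.example.com"),),),
    "subjectAltName": (("DNS", "esetprotect.example.com"),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
CN_ONLY_EXPIRED_CERT = {
    "subject": ((("commonName", "esetprotect.example.com"),),),
    "notBefore": "Jan  1 00:00:00 2023 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}


if __name__ == "__main__":
    if len(sys.argv) > 1:  # python check_console_tls.py <hostname> [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        print(check_endpoint(sys.argv[1], port) or "OK")
    else:
        print(evaluate_peer_cert(GOOD_CERT, "esetprotect.example.com", now=NOW) or "OK")
        print(evaluate_peer_cert(CN_ONLY_EXPIRED_CERT, "esetprotect.example.com", now=NOW))
```

Run it with the Web Console hostname as the first argument (the same name you placed in the -ext san=dns parameter of the CSR); without arguments it evaluates the constructed certificates offline. Note that `ssl.create_default_context()` already refuses TLS versions below 1.2 in recent Python releases, so a server that only offers legacy protocols shows up as a handshake failure rather than as a version finding.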