Reinstall ESET PROTECT using the All-in-one installer to automatically generate the secure connection (HTTPS) certificate.
Make sure Apache Tomcat is not used by any other application than ESET PROTECT.
Uninstall Apache Tomcat. This step also uninstalls ESET PROTECT.
Download the ESET PROTECT All-in-one installer. Use the same version as your ESET PROTECT Server.
Run the ESET PROTECT All-in-one installer. Select Install and accept the EULA. Under Select components to install, select the check box next to ESET PROTECT Web Console and click Next The secure connection certificate is automatically generated during the installation.
The steps below are performed on a 64-bit Microsoft Windows Server operating system (with 64-bit Java and 64-bit Apache Tomcat installed). Some paths may vary depending on the operating system you are using.
C:\Program Files\Apache Software Foundation\Tomcat_folder
conf folder in the Tomcat install directory and locate the
Server.xml file. Edit this file using a text editor (such as Notepad ++).
If there is no
</Engine> in Server.xml (for example when you perform a new installation of Apache Tomcat), copy the following string into the Server.xml after
</Engine> (use your values for
<Connector server="OtherWebServer" port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Program Files\Apache Software Foundation\Tomcat_folder\certificate_file.pfx" keystorePass="Secret_Password_123" keystoreType="PKCS12" sslEnabledProtocols="TLSv1.2,TLSv1.3" ciphers="TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA" />?
<Connector is present after
</Engine> in Server.xml (for example when you restore Server.xml after Apache Tomcat upgrade), replace the values of parameters listed below with your values
- keystoreFile- Provide the full path to the certificate file (
.pfx, .keystore, or other). If you use a non-JKS certificate (for example, a
.pfxfile), delete the
keyAlias(it is present in Server.xml by default) and add the proper
- keystorePass- Provide certificate passphrase.
- keystoreType- Specify the certificate type.
Restart the Tomcat service.
Use a secure HTTPS/SSL connection for ESET PROTECT.
Create a keystore with an SSL certificate. You must have Java installed.
Java includes the keytool (
keytool.exe), which enables you to create a certificate via the command line. You must generate a new certificate for each tomcat instance (if you have multiple tomcat instances) to ensure that if one certificate is compromised, other tomcat instances will remain secure.
Below is a sample command to create a keystore with an SSL certificate.
Navigate to the exact location of the keytool.exe file, for example
C:\Program Files\Java\jre1.8.0_201\bin (the directory depends on the OS and Java version) and then run the command:
keytool.exe -genkeypair -alias "tomcat" -keyalg RSA -keysize 4096 -validity 3650 -keystore "C:\Program Files\Apache Software Foundation\
Tomcat_folder\tomcat.keystore" -storepass "yourpassword" -keypass "yourpassword" -dname "CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown"
Export the certificate from the keystore. Below is a sample command to export the certificate sign request from the keystore:
keytool.exe -certreq -alias tomcat -file "C:\Install\Tomcat\tomcat.csr" -keystore "C:\Program Files\Apache Software Foundation
\Tomcat_folder\tomcat.keystore" -ext san=dns:ESETPROTECT
Get the SSL certificate signed with the Root Certificate Authority (CA) of your choice.
You can proceed to step 6 if you plan to import a Root CA later. If you choose to proceed this way your web browser may display warnings about a self-signed certificate and you will need to add an exception to connect to ESET PROTECT via HTTPS.
Import the root certificate and intermediate certificate of your CA to your keystore. These certificates are usually made available (on web page) by the entity who signed your certificate. It is necessary because the certificate reply is validated using trusted certificates from the keystore.
keytool.exe -import -alias root -keystore "C:\Program Files\Apache Software Foundation\
Tomcat_folder\tomcat.keystore" -trustcacerts -file "C:\root.crt"
keytool.exe -import -alias intermediate -keystore "C
:\Program Files\Apache Software Foundation\
Tomcat_folder\tomcat.keystore" -trustcacerts -file "C:\intermediate.crt.pem"
After you have received the signed certificate with the Root CA, import the public key of CA and then certificate (
tomcat.cer) into your keystore. Below is a sample command that imports a signed certificate into the keystore:
keytool.exe -import -alias tomcat -file "C:\Install\Tomcat\tomcat.cer" -keystore "C:\Program Files\Apache Software Foundation\Tomcat_folder\tomcat.keystore"
If you want to use an already existing certificate (for example company certificate), follow these instructions.
server.xml configuration file so that the tag
<Connector is written similarly to the example below:
<Connector server="OtherWebServer" port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Program Files\Apache Software Foundation\Tomcat_folder\tomcat.keystore" keystorePass="yourpassword"/>
This modification also disables non-secure Tomcat features, leaving only HTTPS enabled (
scheme= parameter). For security reasons, you may also need to edit
tomcat-users.xml to delete all Tomcat users and change ServerInfo.properties to hide the identity of the Tomcat.
Restart the Apache Tomcat service.