The Faddom server comes pre-configured with a self-signed SSL certificate. It is recommended to replace the certificate with one of your own. Following are instructions on changing the certificate that the Faddom server uses.
Creating a new certificate
In most cases, you will want to create a new certificate for Faddom using your organization's CA. If for some reason you want to create a new self-signed certificate, you can use OpenSSL and the following command:
sudo openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -sha256 -days 365
sudo openssl pkcs12 -export -out keyStore.p12 -inkey key.pem -in cert.pem
In this guide, we will show how to update the certificate using a certificate and key in the PKCS12 format, but this can be done using other common formats as well.
Creating a Java key store
Once you have a new certificate and key, you need to convert it to a format that is usable by tomcat. This can be done using the java keytool utility. This utility is available in any java installation and is also included in the Faddom virtual appliance.
In order to create a new keystore, use the following command:
sudo keytool -importkeystore -destkeystore <path> -srckeystore keyStore.p12 -srcstoretype PKCS12
Enter the password for your key when prompted and set a password for the new keystore.
Note that in Windows you may need to navigate to C:\<Faddom Install>\Java\Bin for Keytool.
Updating the Faddom server to use the new certificate
Once you have a keystore, copy it to a location that the Faddom server can access. By default, it is located in the conf folder under the tomcat installation folder (The default is /usr/local/tomcat/conf in Linux or <Install Dir>\Tomcat\conf in Windows).
To change the keystore that Tomcat uses, you now need to edit the server.xml file. This is located in the same conf folder that is mentioned above. In that folder, locate the Connector element listening on port 9443. Change the keystoreFile attribute and point it at your new keystore. Also, make sure to update the keystorePass attribute to the correct password for your keystore.
You will need to change the owner of the keyStore you just created to grant Tomcat the permissions to use it. For Linux the command is
sudo chown -R illuminitserver:illuminitserver <keystorepath>
For Windows, you can amend this by right-clicking on the file (you may need to enable Show Hidden Folders) and opening Properties > Security tab > Advanced > Change Owner select NetworkService
Once you have made the changes, restart the Tomcat service either from the Services Console in Windows or on Linux using the command:
sudo systemctl restart tomcat
Check the catalina.out log file in the logs folder under the tomcat folder to make sure that there are no errors.
You should now be using the new certificate in your server.