Настройка HTTPS в LiveUpdate Administdation Utility

[rustikxxx 0]

Добренький денечек или вечерочек.

Сталкнулся с проблемой использования https в параметрах конфигурирования Source Servers (получение обновлений) и Distribution Centers (раздача обновлений) продукта Symantec Liveupdate Administrator 2.2.2.9. А состоит она в том, что при выборе использования протокола https (443) не проходит тест связи с центром раздачи (connection faild). А по гуглу понял, что надо лопатить конфиг сервера ТомСат, а в нем (C:\Program Files\Symantec\LiveUpdate Administrator\tomcat\conf\server.xml) написано следующее:

By default, a non-SSL HTTP/1.1 Connector is established on port 8080.

You can also enable an SSL HTTP/1.1 Connector on port 8443 by

following the instructions below and uncommenting the second Connector

entry. SSL support requires the following steps (see the SSL Config

HOWTO in the Tomcat 5 documentation bundle for more detailed

instructions):

* If your JDK version 1.3 or prior, download and install JSSE 1.0.2 or

later, and put the JAR files into "$JAVA_HOME/jre/lib/ext".

* Execute:

%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA (Windows)

$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA (Unix)

with a password value of "changeit" for both the certificate and

the keystore itself.

Скачал JSSE, кинул jarы куда надо, выполнил со стандартным паролем, декоментировал текст: (и перезапустил комп)

<Connector port="8443" maxHttpHeaderSize="8192"

maxThreads="150" minSpareThreads="25" maxSpareThreads="75"

enableLookups="false" disableUploadTimeout="true"

acceptCount="100" scheme="https" secure="true"

clientAuth="false" sslProtocol="TLS" />

И ничего.... ни с указанием 443его порта, ни с 8443... не проходит тест связи. ЧТО ДЕЛАТЬ? Даже в документации столь тонкий момент не описан .

[rustikxxx 0]

Добренький денечек или вечерочек.

Сталкнулся с проблемой использования https в параметрах конфигурирования Source Servers (получение обновлений) и Distribution Centers (раздача обновлений) продукта Symantec Liveupdate Administrator 2.2.2.9. А состоит она в том, что при выборе использования протокола https (443) не проходит тест связи с центром раздачи (connection faild). А по гуглу понял, что надо лопатить конфиг сервера ТомСат, а в нем (C:\Program Files\Symantec\LiveUpdate Administrator\tomcat\conf\server.xml) написано следующее:

By default, a non-SSL HTTP/1.1 Connector is established on port 8080.

You can also enable an SSL HTTP/1.1 Connector on port 8443 by

following the instructions below and uncommenting the second Connector

entry. SSL support requires the following steps (see the SSL Config

HOWTO in the Tomcat 5 documentation bundle for more detailed

instructions):

* If your JDK version 1.3 or prior, download and install JSSE 1.0.2 or

later, and put the JAR files into "$JAVA_HOME/jre/lib/ext".

* Execute:

%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA (Windows)

$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA (Unix)

with a password value of "changeit" for both the certificate and

the keystore itself.

Скачал JSSE, кинул jarы куда надо, выполнил со стандартным паролем, декоментировал текст: (и перезапустил комп)

<Connector port="8443" maxHttpHeaderSize="8192"

maxThreads="150" minSpareThreads="25" maxSpareThreads="75"

enableLookups="false" disableUploadTimeout="true"

acceptCount="100" scheme="https" secure="true"

clientAuth="false" sslProtocol="TLS" />

И ничего.... ни с указанием 443его порта, ни с 8443... не проходит тест связи. ЧТО ДЕЛАТЬ? Даже в документации столь тонкий момент не описан .

Configuring LiveUpdate Administrator (LUA) 2.2 to require Secure Socket Layer (SSL) connections to the Console.

> Question/Issue:

How do I configure LUA server 2.2 to use SSL?

> Solution

LUA uses Apache Tomcat (a fully functional web server using Java Applets) to host its Management and Configuration website. The Default Production and Default Testing Distribution centers are also housed in the same website. This website is configured to utilize Hyper Text Transfer Protocol (HTTP) by default. This is the supported configuration for the LUA Tomcat server.

Apache Tomcat can be configured to make use of HyperText Transfer Protocol over Secure Socket Layer (HTTPS). Modifying the LUA Tomcat server to support HTTPS connections requires several steps.

Create a Java Keystore File:

The steps below will create a self-signed certificate for use with the LUA Tomcat web server:

Open a command-prompt window and browse to the Binary directory under the Java Home directory (example: C:\Program Files\Java\jre1.6.0_07\bin).

enter the following command: "keytool -genkey -alias tomcat -keyalg RSA -keystore <path to LUA Tomcat folder>.keystore" (example: 'keytool -genkey -alias tomcat -keyalg RSA -keystore "C:\Program Files\Symantec\LiveUpdate Administrator\tomcat\.keystore"')

Follow the on-screen prompts and provide:

A keystore password (make a note of this password as it will be required later)

A first and last name (recommended: the FQDN/hostname of the LUA server).

An organizational unit name (recommended: the name of the department or sub-group the LUA server belongs to).

The name of your organization (recommended: the full name of your company/organization).

The name of a city or locality (recommended: the physical location of your LUA server).

A two-letter Country Code (recommended: the Country Code for the country where the LUA server will reside).

The keytool will display the data provided for the above prompts for verification, type "y" and press the Enter key.

After the certificate attribute information is verified, you will be prompted for the keystore password you entered in Step 3.1, enter the password again. and press the Enter key.

Verify that a file called .keystore is created in the LUA Tomcat folder.

Modifying LUA Configuration Files:

The steps below will modify the LUA Tomcat server to utilize HTTPS instead of HTTP. It is also possible to configure Tomcat to listen on both an HTTP port and HTTPS port.

Stop the LUA Apache Tomcat service.

Browse to the server.xml file used by the LUA Tomcat server (example: C:\Program Files\Symantec\LiveUpdate Administrator\tomcat\conf\server.xml).

Create a backup copy of server.xml for recovery purposes.

Open the original server.xml in a text editor. In this file you will need to disable the HTTP port, enable the HTTPS port, and configure the HTTPS connection to utilize the Java Keystore created previously.

To disable the HTTP port:

Below is the default XML element that describes the LUA Website:

<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->

<Connector port="7070" maxHttpHeaderSize="8192"

maxThreads="150" minSpareThreads="25" maxSpareThreads="75"

enableLookups="false" redirectPort="8443" acceptCount="100"

connectionTimeout="20000" disableUploadTimeout="true" />

To disable the HTTP website from being created when the LUA Apache Tomcat service starts up, comment out the Connector element as below:

<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->

<!--

<Connector port="7070" maxHttpHeaderSize="8192"

maxThreads="150" minSpareThreads="25" maxSpareThreads="75"

enableLookups="false" redirectPort="8443" acceptCount="100"

connectionTimeout="20000" disableUploadTimeout="true" />

-->

To enable the HTTPS port:

Server.xml also contains an XML element describing an HTTPS website. By default this is commented out as below:

<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->

<!--

<Connector port="8443" maxHttpHeaderSize="8192"

maxThreads="150" minSpareThreads="25" maxSpareThreads="75"

enableLookups="false" disableUploadTimeout="true"

acceptCount="100" scheme="https" secure="true"

clientAuth="false" sslProtocol="TLS" />

-->

Remove the comment tags from the element as below:

<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->

<Connector port="8443" maxHttpHeaderSize="8192"

maxThreads="150" minSpareThreads="25" maxSpareThreads="75"

enableLookups="false" disableUploadTimeout="true"

acceptCount="100" scheme="https" secure="true"

clientAuth="false" sslProtocol="TLS" />

To configure the HTTPS port:

You will need to add the following values to the Connector element:

keystoreFile="<path_to_keystore>.keystore"

keystorepassword="<keystorepassword>" (this will be the password created at the time the .keystore file was created)

Below is an example of a properly modified entry:

<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->

<Connector port="8443" maxHttpHeaderSize="8192"

maxThreads="150" minSpareThreads="25" maxSpareThreads="75"

enableLookups="false" disableUploadTimeout="true"

acceptCount="100" scheme="https" secure="true"

clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Program Files\Symantec\LiveUpdate Administrator\tomcat\.keystore" keystorepass="secretpassword" />

Modify the LUA shortcut to point to the correct port:

Browse to the LUA server folder (C:\Program Files\Symantec\LiveUpdate Administrator by default).

Right-click on LiveUpdate Administrator shortcut and choose Properties.

Click on the Web Document tab.

Modify the URL string to reflect the changes made to the LUA website location. (https://localhost:<LUA server port>/lua).

Modifying the Default LUA Distribution Centers:

The steps below will modify the Default Production Distribution and Default Testing Distribution Centers to reflect the port and protocol changes made in the previous steps. These modifications are not necessary for any Distribution Centers other than the default Distribution Centers.

Log into the LUA server

Click on Configure->Distribution Centers.

For both the Default Production and Default Testing Distribution Centers:

Check the check box next to the name of the Distribution Center requiring editing and click the Edit button.

On the Edit Distribution Center page, click on the local LUA server in the list of Locations and click the Edit button.

On the Edit location page, select the HTTPS protocol, and modify the port to the port configured in server.xml and click the OK button.

After clicking OK, you will be returned to the Edit Distribution Center page - verify the status of the local LUA location has changed to Ready from Unreachable.

Click OK to return to the Distribution Centers page.

[rustikxxx 0]

Да, и пароль нужно везде указывать: Changeit