HTTPS Certificate Configuration

COPYRIGHT
Copyright © 2014 McAfee, Inc. Do not copy without permission.

TRADEMARK ATTRIBUTIONS
McAfee, the McAfee logo, McAfee Active Protection, McAfee AppPrism, McAfee Artemis, McAfee CleanBoot, McAfee DeepSAFE, ePolicy Orchestrator,
McAfee ePO, McAfee EMM, McAfee Enterprise Mobility Management, Foundscore, Foundstone, McAfee NetPrism, McAfee Policy Enforcer, Policy Lab, McAfee
QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, SmartFilter, McAfee Stinger, McAfee Total Prote ction, TrustedSource,
VirusScan, WaveSecure, WormTraq are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries.
Other names and brands may be claimed as the property of others.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS
AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER
RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE
PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT
AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF
PURCHASE FOR A FULL REFUND.

2
Contents

Overview .......................................................................................................................... 4
Generate a Keystore .......................................................................................................... 4
Generate a Certificate Signing Request (CSR) ........................................................................ 5
Import a signed certificate .................................................................................................. 5
Install the new keystore on DAM Server ............................................................................... 6
Disable HTTP (non-SSL) communication (Optional) ................................................................ 6
Enable Client Certificate Authentication (Optional) ................................................................. 6
Specify Cipher Suites to use for HTTPS (Optional) .................................................................. 7

HTTPS Certificate Configuration 3

HTTPS Certificate Configuration
Overview

Overview
McAfee DAM provides a rich Web Console that is accessible over HTTPS. The default installation of
McAfee DAM contains a pre-configured SSL certificate for HTTPS access. The pre-configured SSL
certificate is not signed by a trusted certificate authority. As a result, costumers accessing the DAM
Console over https will receive a browser security warning about the certificate.

This document explains how to replace the pre-configured SSL certificate with an organization specific
certificate.

This document assumes the reader has basic knowledge regarding SSL certificates.

Note: When running the DAM server in cluster mode, all nodes must use the same certificate or each
node must trust the other server certificates (see Import a signed certificate on how to import a
certificate as trusted).

Generate a Keystore
The keystore is used to hold the certificate used by the DAM Server. To generate a new keystore you
will need to use the keytool executable. The keytool executable can be found as part of the DAM
Server installation at the following locations:

 <Server install root>\Mcafee\McAfee Database Security \java\jre6\bin\keytool.exe. For

example: C:\Program Files\Mcafee\McAfee Database Security\java\jre6\bin\keytool.exe

To generate a new keystore:

1 Run the following command to generate a new keystore containing a new key:

<keytool dir>/keytool -genkey -alias tomcat -keystore newkeystore -keyalg RSA -

keysize 2048

2 When prompted to enter a keystore password, enter: changeit.

3 When prompted to enter first and last name, enter the hostname of the machine where the DAM
Server is installed.

4 Fill in details regarding your organization when prompted. When prompted to accept entered
details, enter: yes. When prompted to enter a key password, enter: changeit.

A new file named newkeystore is created.

Sample Output
The following is an example of the output (and sample input) when generating a new keystore:

c:\Program Files\Mcafee\McAfee Database Security\java\jre6\bin>keytool -genkey -

alias tomcat -keystore newkeystore -keyalg RSA -keysize 2048
Enter keystore password:
Re-enter new password:

4
 HTTPS Certificate Configuration
Generate a Certificate Signing Request (CSR)

What is your first and last name?

[Unknown]: Dan deMan
What is the name of your organizational unit?
[Unknown]: mycompany.com
What is the name of your organization?
[Unknown]: Mycompany
What is the name of your City or Locality?
[Unknown]: Santa Clara
What is the name of your State or Province?
[Unknown]: CA
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=Dan deMan, OU=mycompany.com, O=Mycompany, L=Santa Clara, ST=CA, C=US corre
ct?
[no]: yesFor more information on the keytool utility, see:

http://java.sun.com/javase/6/docs/technotes/tools/solaris/keytool.html

Generate a Certificate Signing Request (CSR)

After a new keystore file is generated, you can generate a Certificate Signing Request (CSR).

The CSR can be used to obtain an SSL Certificate from a trusted Certificate Authority (CA).

To generate a CSR:

1 Run the following command:

<keytool dir>/keytool –certreq –file certreq.csr -alias tomcat -keystore

newkeystore

2 When prompted to enter a keystore password, enter: changeit.

A new file named: certreq.csr is created. You can use this file to generate an SSL certificate at a
trusted CA.

Import a signed certificate

After a certificate has been signed by a CA, you can import it back into the keystore.

IMPORTANT: You must import the certificates into the same keystore file that was used to generate
the private key and certificate request in the previous two steps. Additionally, you must import all CA
certificates in the chain of trust, including intermediate certificates (import with aliases: root1, root2
and so on).

To import the CA certificate:

1 Run the following command (assuming the CA certificate is included in the file: ca.cer):

keytool -import -alias root1 -file ca.cer -keystore newkeystore

2 When prompted to enter a keystore password, enter: changeit.

5
HTTPS Certificate Configuration
Install the new keystore on DAM Server

To import the signed certificate:

1 Run the following command (assuming the CA certificate is included in the file: cert.cer):

keytool -import -alias tomcat -file cert.cer -keystore newkeystore

2 When prompted to enter a keystore password, enter: changeit.

The keystore now contains the signed certificate and is ready for installation on the DAM Server.

Install the new keystore on DAM Server

To install the new keystore on DAM Server:

1 Copy the new keystore file: newkeystore, generated in the previous steps, to the DAM conf dir.
Name the file custom-keystore in the conf dir. Conf dir is located at:

<Server install root>\McAfee\McAfee Database Security\conf.

For example: C:\Program Files\Mcafee\McAfee Database Security\conf

2 Open the server.xml file for editing located in the conf dir. Search for the keystore entry (it is part
of the Connecter element). Modify the keystore entry to point to the copied custom-keystore file.
Keystore value will be:

keystore="<Server install root>\McAfee\McAfee Database Security\conf\custom-keystore" ,

for example: keystore=" C:\Program Files\McAfee\McAfee Database Security\conf\custom-
keystore"
3 Restart the DAM Server.

Disable HTTP (non-SSL) communication (Optional)

To enforce SSL communication for all DAM Console access, it is possible to disable HTTP (non-SSL)
communication to the DAM Server. To disable HTTP communication modify the configuration file
server.xml located in the DAM conf dir. Conf dir is located at:

<Server install root>\McAfee\McAfee Database Security\conf . For example: C:\Program

Files\McAfee\McAfee Database Security\conf.

Delete or comment out the “Connector” element which does not have “scheme=https” enabled. This
connector is usually listening on port 8080.

It is also possible to enable HTTP communication only for local connections (from the same machine)
by adding the attribute: address="127.0.0.1" to the “Connector” entry.

Enable Client Certificate Authentication (Optional)

It is possible to configure client certificate authentication. Depending upon company policy, client side
certificates usually qualify for 2-factor authentication. With this enabled only users with a valid ssl
client certificate will be able to connect to the console.

To configure client certificate authentication modify the configuration file server.xml located in the
DAM conf dir. Conf dir is located at:

6
 HTTPS Certificate Configuration
Specify Cipher Suites to use for HTTPS (Optional)

<Server install root>\McAfee\McAfee Database Security\conf . For example: C:\Program

Files\McAfee\McAfee Database Security\conf.

Modify the SSL Connector element by changing the value of the attribute clientAuth from "false" to
"true".

Add to the SSL Connector element the attribute truststoreFile with the value of the keystore
containing trusted CA certificates to use for validating client certificates. This file may be the same as
used for the keystore element. See sections: “Generate a Keystore” and “Import a signed certificate”
on how to create a keystore and import trusted certificates.

Sample configuration change

The following is a sample configuration change of the connector element in sever.xml:

<Connector port="8443" server="McAfee WebServer" maxHttpHeaderSize="8192"

maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true"
clientAuth="true" truststoreFile="C:\Program Files (x86)\Mcafee\McAfee Database
Security\httpsKeystore\.keystore" sslProtocol="TLS" keystore="C:\Program Files
(x86)\McAfee\McAfee Database Security\httpsKeystore\.keystore" />

Specify Cipher Suites to use for HTTPS (Optional)

It is possible to specify the cipher suites that are used for HTTPS communication, thereby disabling
cipher suites that do not match company policy.

The cipher suites are specified by modifying the configuration file server.xml located in the DAM conf
dir. Conf dir is located at:

 <Server install root>\McAfee\McAfee Database Security\conf . For example: C:\Program

Files\McAfee\McAfee Database Security\conf.

Open the server.xml file for editing and modify the SSL Connector element by adding to it an attribute
ciphers with a value of a comma separated list of supported ciphers.

After the configuration change, you need to restart the DAM Server for the change to take effect.

Sample configuration change

The following is a sample configuration change of the connector element in sever.xml:

<Connector port="8443" server="McAfee WebServer" maxHttpHeaderSize="8192"

maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" keystore="C:\Program Files (x86)\McAfee\McAfee
Database Security\httpsKeystore\.keystore" ciphers="SSL_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,

SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" />

Supported ciphers
List of supported ciphers (more info available at:
http://download.oracle.com/javase/6/docs/technotes/guides/security/SunProviders.html#SunJ
SSEProvider ):

7
HTTPS Certificate Configuration
Specify Cipher Suites to use for HTTPS (Optional)

 SSL_RSA_WITH_RC4_128_MD5
 SSL_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_AES_128_CBC_SHA
 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
 TLS_DHE_DSS_WITH_AES_128_CBC_SHA
 SSL_RSA_WITH_3DES_EDE_CBC_SHA
 SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
 SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
 SSL_RSA_WITH_DES_CBC_SHA SSL_DHE_RSA_WITH_DES_CBC_SHA
 SSL_DHE_DSS_WITH_DES_CBC_SHA SSL_RSA_EXPORT_WITH_RC4_40_MD5
 SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
 SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
 SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA SSL_RSA_WITH_NULL_MD5
 SSL_RSA_WITH_NULL_SHA
 SSL_DH_anon_WITH_RC4_128_MD5
 TLS_DH_anon_WITH_AES_128_CBC_SHA
 SSL_DH_anon_WITH_3DES_EDE_CBC_SHA SSL_DH_anon_WITH_DES_CBC_SHA
 SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
 SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
 TLS_KRB5_WITH_RC4_128_SHA
 TLS_KRB5_WITH_RC4_128_MD5
 TLS_KRB5_WITH_3DES_EDE_CBC_SHA
 TLS_KRB5_WITH_3DES_EDE_CBC_MD5
 TLS_KRB5_WITH_DES_CBC_SHA
 TLS_KRB5_WITH_DES_CBC_MD5
 TLS_KRB5_EXPORT_WITH_RC4_40_SHA
 TLS_KRB5_EXPORT_WITH_RC4_40_MD5
 TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
 TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5