Securing SailPoint deployed on Tomcat server

Secure Sockets Layer (SSL), today superseded by Transport Layer Security (TLS) but still commonly referred to as SSL, is a protocol that encrypts and authenticates the communication between client and server with the help of certificates. When SailPoint IdentityIQ is deployed on Apache Tomcat, the data it handles (identities, credentials, entitlements) is sensitive and should never travel over plain HTTP. With a self-signed certificate we can enable HTTPS on the Tomcat server without involving a certificate authority (CA). This is suitable for development and test environments; production systems should use a certificate issued by a CA that the users' browsers already trust.

 

Creation of a Self-Signed Certificate

Step 1: Open up the command prompt.

Step 2: Make sure a JDK is installed (keytool ships with it and must be on the PATH) and type the following command. -genkeypair is the current name of the command (-genkey is the older alias of the same command); -keysize 2048 sets the RSA key length and -validity the certificate lifetime in days:

keytool -genkeypair -alias iiq -keyalg RSA -keysize 2048 -validity 365 -keystore www.example.com.jks

 

Step 3: Enter a keystore password (at least six characters). Choose your own: "changeit" is only the well-known default password of the JDK's cacerts truststore and should not protect a keystore that contains a private key.

Step 4: Enter the certificate's distinguished-name fields. "First and last name" becomes the Common Name (CN) and must be the hostname users will type in the browser (www.example.com here); then follow organizational unit, organization, city, state and the two-letter country code. Confirm the summary with "yes".

Step 5: Press Enter when asked for the key password to reuse the keystore password (with the PKCS12 store type, keytool's default since Java 9, the two must be identical). The keystore is then written to the file named with -keystore, in the current directory unless a full path was given.

 

Figure 1: Example Commands
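The same keystore, created in one go instead of through the interactive prompts of Steps 2 to 5, then verified and locked down. This is an added PowerShell example and not part of the original article; the hostname www.example.com, the output directory C:\ssl and the service account name tomcat are placeholders to adjust. It uses keytool's -storepass:env form so the password never appears on the command line, adds a Subject Alternative Name (current browsers match the hostname against the SAN, not the CN) and restricts the file's ACL because server.xml will later hold the password in clear text.

```powershell
# Added example, not part of the original article: the keystore from Steps 2-5
# created non-interactively, then verified and locked down. Assumed placeholders:
# hostname www.example.com, output directory C:\ssl, service account 'tomcat'.
$HostName       = 'www.example.com'
$Alias          = 'iiq'
$KeystoreDir    = 'C:\ssl'
$ServiceAccount = 'tomcat'          # local account the Tomcat service runs as
$Keystore       = Join-Path $KeystoreDir "$HostName.p12"

# keytool ships with the JDK: prefer JAVA_HOME, fall back to PATH.
$keytool = if ($env:JAVA_HOME) { Join-Path $env:JAVA_HOME 'bin\keytool.exe' } else { 'keytool' }

# Prompt for the password instead of hard-coding it, and hand it to keytool through
# an environment variable (-storepass:env) so it is not visible in the process list.
$secure = Read-Host -AsSecureString -Prompt 'Keystore password (min. 6 chars)'
$env:IIQ_KS_PASS = [System.Net.NetworkCredential]::new('', $secure).Password

New-Item -ItemType Directory -Force -Path $KeystoreDir | Out-Null

# -dname supplies the answers to the interactive prompts; CN must be the name users
#  will type in the browser. -ext SAN adds the Subject Alternative Name that browsers
#  use for hostname matching. PKCS12 is the standard store format (keytool warns
#  about the proprietary JKS format).
& $keytool -genkeypair -alias $Alias -keyalg RSA -keysize 2048 -validity 365 `
    -dname "CN=$HostName, OU=IAM, O=Example Corp, L=City, ST=State, C=US" `
    -ext "SAN=dns:$HostName,dns:localhost,ip:127.0.0.1" `
    -storetype PKCS12 -keystore $Keystore `
    -storepass:env IIQ_KS_PASS -keypass:env IIQ_KS_PASS
if ($LASTEXITCODE -ne 0) { throw "keytool failed with exit code $LASTEXITCODE" }

# Confirm alias, subject, SAN entries and validity period of what was generated.
& $keytool -list -v -keystore $Keystore -storepass:env IIQ_KS_PASS -alias $Alias |
    Select-String -Pattern 'Alias name|Owner|Valid from|DNSName|IPAddress'

Remove-Item Env:IIQ_KS_PASS

# The file holds the private key: drop inherited ACEs and allow only administrators
# and the service account to touch it.
icacls $Keystore /inheritance:r /grant:r 'BUILTIN\Administrators:(F)' "${ServiceAccount}:(R)" | Out-Null
```

Because the store is PKCS12, the Tomcat connector that references it should name the file with its real extension and, on Tomcat versions that default to JKS, set the keystore type to PKCS12.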

 

Configuring the Tomcat server

Step 1: Navigate to CATALINA_HOME (the Tomcat installation directory).

Step 2: Navigate into the conf directory.

Step 3: Open the server.xml file.

Step 4: Comment out the default HTTP connector on port 8080 so that IdentityIQ is no longer reachable in clear text:

<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000" redirectPort="8443" />

Step 5: Add the following HTTPS connector. keystoreFile must point to the keystore created above, keystorePass is the password chosen in Step 3 of the previous section (replace "changeit"), certificateKeyAlias is the alias given to keytool (iiq), and clientAuth="false" means clients are not asked for a certificate of their own:

<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="8443"
           maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="C:\ssl\www.example.com.jks" keystorePass="changeit"
           certificateKeyAlias="iiq" clientAuth="false" sslProtocol="TLS"/>

Note: keystorePass is stored in clear text, so restrict read access on server.xml and on the keystore file to the account Tomcat runs as and to administrators.

 

 

Figure 2: Connector type and config

 

Step 6: Save the file and start the Tomcat server.

Step 7: Check the Tomcat server URL:

https://localhost:8443/identityiq

Note: The browser will warn that the site is not secure because the certificate is self-signed and was not issued by a CA it trusts. In a lab you can add an exception and proceed; a cleaner option is to import the self-signed certificate into the client's trusted root store, so the warning disappears without training users to click through warnings. The same warning appears when the name in the address bar (localhost here) does not match the CN/SAN of the certificate (www.example.com); the next section maps that name to the server.
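The connector from Step 5 in the form that Tomcat 8.5 and later document (the flat keystoreFile/keystorePass/sslProtocol attributes still work there but are deprecated), with TLS 1.0/1.1 switched off, the password taken from a system property instead of being written into server.xml, and the HTTP connector kept only to redirect clear-text requests to HTTPS. This is an added example and not the original article's configuration; the PKCS12 keystore at C:/ssl/www.example.com.p12, the keystore.password property (set for example as a line in conf/catalina.properties) and placing the security-constraint in conf/web.xml are assumptions. For the JKS file from Step 2, change the path and set certificateKeystoreType="JKS".

```xml
<!-- conf/server.xml: the HTTP connector stays so that clear-text requests are
     redirected to HTTPS. The redirect only happens for URLs covered by a
     CONFIDENTIAL security-constraint (see the web.xml fragment below). -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />

<!-- HTTPS connector in the Tomcat 8.5+ SSLHostConfig form. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="200" SSLEnabled="true" scheme="https" secure="true">
    <!-- protocols: only TLS 1.2 and 1.3. The older sslProtocol="TLS" attribute
         leaves the choice to the JVM, which on older JDKs still enables
         TLS 1.0/1.1. certificateVerification="none" is the equivalent of
         clientAuth="false": no client certificate is requested. -->
    <SSLHostConfig protocols="TLSv1.2,TLSv1.3"
                   certificateVerification="none">
        <!-- ${keystore.password} is resolved from a system property, e.g. a
             keystore.password=... line in conf/catalina.properties (assumed),
             so the secret is not duplicated into server.xml. -->
        <Certificate certificateKeystoreFile="C:/ssl/www.example.com.p12"
                     certificateKeystoreType="PKCS12"
                     certificateKeystorePassword="${keystore.password}"
                     certificateKeyAlias="iiq"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

<!-- conf/web.xml (or identityiq/WEB-INF/web.xml): force HTTPS for every URL.
     A request arriving on 8080 is answered with a redirect to
     https://host:8443/... instead of being served in clear text. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>IdentityIQ over HTTPS only</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
```

Whichever file holds the password (catalina.properties here, server.xml in the original Step 5), it is still a clear-text secret: keep that file readable only by the Tomcat service account and administrators.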

 

Accessing the Tomcat Server with a Custom Domain Name

Step 1: Navigate to C:\Windows\System32\drivers\etc\hosts

Step 2: Open the hosts file with Notepad run as administrator (the file has no extension and is writable only by administrators).

Step 3: Add a line mapping the local IP address to the custom hostname, for example 127.0.0.1 www.example.com. The hostname must be the one used as CN/SAN when the certificate was created, otherwise the browser reports a name mismatch. A hosts entry affects name resolution on this machine only.

Figure 3: Hosts file with configuration

 

Step 4: Save the hosts file and start the Tomcat server.

Step 5: Access IdentityIQ at https://www.example.com:8443/identityiq.
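Before adding a permanent browser exception, it is worth confirming from a client that the name mapped in the hosts file is the one the certificate actually carries, and which TLS version the connector negotiated. This is an added PowerShell check, not part of the original article: it opens a TLS connection with .NET's SslStream, accepts the self-signed certificate at the transport level (the default chain validation would reject it) and then inspects subject, SAN, expiry and protocol itself. www.example.com and 8443 are the assumed values from the steps above.

```powershell
# Added example, not part of the original article: connect to the HTTPS
# connector and report the certificate and protocol it actually presents.
# Assumed values: the hostname mapped in the hosts file and the port from
# server.xml.
param(
    [string]$HostName = 'www.example.com',
    [int]$Port = 8443
)

$client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)

# Accept the certificate at the transport level (chain validation fails for a
# self-signed certificate) and do the checks that matter ourselves below.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
$ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAll)
try {
    # The name given here is sent as SNI and is what a browser compares
    # against the certificate's SAN (or CN on old clients).
    $ssl.AuthenticateAsClient($HostName)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)

    # SAN extension (OID 2.5.29.17); absent if the keystore was created without -ext SAN.
    $san = $cert.Extensions |
        Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
        ForEach-Object { $_.Format($false) }
    $dnsType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
    $dnsName = $cert.GetNameInfo($dnsType, $false)   # first SAN DNS entry, else CN

    [pscustomobject]@{
        Host        = $HostName
        Protocol    = $ssl.SslProtocol                  # expect Tls12 or Tls13
        Cipher      = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
        Subject     = $cert.Subject
        SelfSigned  = ($cert.Subject -eq $cert.Issuer)  # true for the keytool certificate
        SAN         = $san
        # False here is exactly the "name mismatch" warning the browser would show.
        NameMatches = (($dnsName -ieq $HostName) -or ([string]$san -match "DNS Name=$([regex]::Escape($HostName))"))
        Expired     = ($cert.NotAfter -lt (Get-Date))
        Thumbprint  = $cert.Thumbprint
    }
}
finally {
    $ssl.Dispose()
    $client.Dispose()
}
```

Run it as .\Check-IiqTls.ps1 (or with -HostName localhost to see the mismatch the Note in Step 7 describes). The Thumbprint is what to compare against keytool -list -v on the server before trusting the certificate on a client.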

 

Access website through FQDN in Windows Server

  • A fully qualified domain name (FQDN), sometimes also referred to as an absolute domain name, is a domain name that specifies its exact location in the tree hierarchy of the Domain Name System. It specifies all domain levels, including the top-level domain and the root zone.
  • On a domain-joined Windows Server, Step 3 of the previous section (the hosts-file entry) is not needed, because the server's own FQDN, its computer name followed by its domain name, is already resolvable. The certificate's CN/SAN must then be that FQDN.
  • For example, FQDN: www.sailpoint.com; see the picture below for reference.

Figure 4: System Information

  • Open the browser (Chrome is used in the example).
  • Enter the URL as computer name [.] domain name, for example:

www.sailpoint.com

See the screenshot below for reference.

Figure 5: Reference Base URL

Base URL: https://www.sailpoint.com/identityiq/login.jsf?prompt=true

 

Regards,

Rakesh Vadnala

Version history: Revision 3 of 3. Last update: Jun 22, 2023 02:55 PM.