You can import your own Public-Key Cryptography Standards (PKCS) #12 certificate into InterScan Web Security Virtual Appliance (IWSVA) 6.5. The custom certificate can be used as an alternative to the default certificate generated by IWSVA.
Import your PKCS #12 format certificate into the IWSVA administrator console using either of the following methods.
With the first method, you need to modify the server.xml file after uploading the certificate.
- Open the IWSVA web console.
- Go to Administration > Network Configuration > web console.
- Choose SSL mode.
- Upload your certificate (e.g. Cert.pfx or Cert.p12).
- Set the password.
- Click Save.
After saving, you will find that the web console can no longer be opened, because the connector configuration still expects a JKS keystore by default.
- Log on to the IWSVA server using the "root" account via the command line.
- Navigate to the /usr/iwss/AdminUI/tomcat/conf/ folder.
- Modify the server.xml file by adding the keystoreType="pkcs12" attribute to the Connector entries for port 8443 and port 9091, as shown below:
<Connector port="8443" connectionLinger="60000" URIEncoding="UTF-8" protocol="org.apache.coyote.http11.Http11Protocol" maxHttpHeaderSize="8192" maxThreads="15" minSpareThreads="3" maxSpareThreads="8" enableLookups="true" disableUploadTimeout="true" connectionTimeout="900000" acceptCount="100" scheme="https" secure="true" clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" keystoreType="pkcs12" keystoreFile="keystore" keystorePass="password" SSLEnabled="true"/>
<Connector port="9091" connectionLinger="60000" URIEncoding="UTF-8" protocol="org.apache.coyote.http11.Http11Protocol" maxHttpHeaderSize="8192" maxThreads="15" minSpareThreads="3" maxSpareThreads="8" enableLookups="true" disableUploadTimeout="true" connectionTimeout="900000" acceptCount="100" scheme="https" secure="true" clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" keystoreType="pkcs12" keystoreFile="keystore" keystorePass="password" SSLEnabled="true"/>
When editing the server.xml file, do not copy and paste through Notepad, as this may introduce illegal characters.
- Restart the web console using the following command:
# /etc/iscan/S99IScanHttpd restart
You should now be able to open the web console again, and it will use the uploaded certificate.
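As an added example, not part of the original article, the following Python helper applies and checks the server.xml change from the step above on a constructed fragment. It assumes Python 3.8 or later and that you copy the real file off the appliance and back yourself; the sample XML, the function names and the port list are this example's own. It also doubles as a pre-restart check, since an HTTPS connector left without keystoreType="pkcs12" is exactly what keeps the console from opening.

```python
"""Add keystoreType="pkcs12" to the HTTPS connectors of a Tomcat server.xml."""
import xml.etree.ElementTree as ET

# Constructed sample fragment for this example; the real file on the appliance
# is /usr/iwss/AdminUI/tomcat/conf/server.xml. Port 8443 is missing the
# attribute, port 9091 already has it.
SAMPLE_SERVER_XML = """<Server>
  <!-- comments in the real file are kept by the parser below -->
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="keystore" keystorePass="password"/>
    <Connector port="9091" scheme="https" secure="true" SSLEnabled="true"
               keystoreType="pkcs12" keystoreFile="keystore" keystorePass="password"/>
  </Service>
</Server>"""

SSL_PORTS = ("8443", "9091")  # the two admin-console HTTPS ports from the article


def _parse(xml_text):
    # A parser that keeps XML comments, so the patched file stays readable.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)


def patch_keystore_type(xml_text, ports=SSL_PORTS, store_type="pkcs12"):
    """Return (patched_xml, list_of_ports_changed).

    Only connectors on one of `ports` with SSLEnabled="true" are touched, and
    only when keystoreType is absent, so running this twice changes nothing.
    """
    root = _parse(xml_text)
    changed = []
    for conn in root.iter("Connector"):
        if conn.get("port") not in ports:
            continue
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        if conn.get("keystoreType") is None:
            conn.set("keystoreType", store_type)
            changed.append(conn.get("port"))
    return ET.tostring(root, encoding="unicode"), changed


def ssl_connector_types(xml_text, ports=SSL_PORTS):
    """Map each HTTPS admin port to its keystoreType (None if unset)."""
    root = _parse(xml_text)
    return {c.get("port"): c.get("keystoreType")
            for c in root.iter("Connector") if c.get("port") in ports}


if __name__ == "__main__":
    patched, changed = patch_keystore_type(SAMPLE_SERVER_XML)
    print("patched ports:", changed)       # ['8443']
    print(ssl_connector_types(patched))    # both ports now pkcs12
```

The serialized output drops any XML declaration, so keep a backup of the original file before writing the result back. Remember that server.xml stores keystorePass in clear text, so its permissions should stay restricted to root.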
With the second method, convert the PKCS #12 certificate to JKS format before importing it into IWSVA:
- Log on to the IWSVA server as "root" via the command line.
- Navigate to the /usr/iwss/AdminUI/jre/bin folder.
- Upload your certificate (e.g. Cert.pfx or Cert.p12) to the /usr/iwss/AdminUI/jre/bin folder.
- Run the command below:
./keytool -importkeystore -srckeystore Cert.pfx -srcstoretype pkcs12 -destkeystore cert.jks -deststoretype jks
You can use the same command to convert Cert.p12 into cert.jks.
- Enter the destination and source keystore passwords. Make sure the destination and source passwords are the same.
- Download the generated cert.jks file to your local disk.
- Open the IWSVA web console.
- Go to Administration > Network Configuration > web console.
- Choose SSL mode.
- Upload the generated cert.jks file.
- Set the password.
- Click Save.
- Wait for a few minutes for the new settings to take effect.
- Log on to the web console.
The certificate should now be replaced successfully.