Guide: Enabling SSL on Tomcat With The Java Management Packs for SCOM 2012

Here is a quick guide for enabling SSL on Tomcat with the SCOM 2012 Java Management Pack. Because the Java APM Management Pack extends that MP, this content applies to it as well.

Before getting started, consult the Tomcat documentation for the specifics of configuring your version (Tomcat 5.5, Tomcat 6, Tomcat 7).

Step #1: Generate Key

If you already have a certificate, great (although then you probably do not need this guide)!  Otherwise, you need to generate a key for the Tomcat server.  Once Tomcat is configured to use this key, we will also need to make SCOM trust the certificate that identifies the application server.

The Java JDK includes keytool, a command-line tool for generating keys and certificates.  Look around online for tips on using the tool.

Sample output of running the tool might look similar to this:

 Prompt> %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA -validity 1000
 Enter keystore password: changeit
 Re-enter new password: changeit
 What is your first and last name? This value must be the FQDN of the application server, e.g. omx-xxx-xx.contoso.com
 What is the name of your organizational unit? Enter some value
 What is the name of your organization? Enter some value
 What is the name of your City or Locality? Enter some value
 What is the name of your State or Province? Enter some value
 What is the two-letter country code for this unit? Enter some value
 Select Y to confirm the choices
 Enter key password for <tomcat>: This must be the same as the keystore password (a Tomcat oddity) - changeit
 Re-enter new password: changeit

Once complete, the output file (.keystore) is placed in the "Users\<userid>" folder.  Move it to an appropriate location.

Step #2: Setup Tomcat

For the platform-specific details, please refer to the appropriate documentation for your version of Tomcat (Tomcat 5.5, Tomcat 6, Tomcat 7).

For versions 6.0 and prior, edit the server.xml file in the Tomcat conf directory and add an HTTPS connector:

  <!-- keystoreFile/keystorePass are optional: Tomcat defaults to the
       .keystore file in the user's home directory with password "changeit".
       Set them explicitly if you moved the keystore in Step #1. -->
  <Connector port="8443"
             protocol="HTTP/1.1"
             SSLEnabled="true"
             maxThreads="150"
             scheme="https"
             secure="true"
             clientAuth="false"
             sslProtocol="TLS"
             keyAlias="tomcat"
             keystoreFile="C:\path\to\.keystore"
             keystorePass="changeit" />


Note: for Tomcat 7 you need to set the protocol according to the SSL provider you want to use. To use the JSSE SSL provider, set the protocol to "org.apache.coyote.http11.Http11Protocol":

  <!-- A relative keystoreFile path is resolved against CATALINA_BASE.
       keystorePass is the keystore password from Step #1; keyPass defaults
       to the same value, which is why the two passwords had to match. -->
  <Connector port="8443"
             protocol="org.apache.coyote.http11.Http11Protocol"
             SSLEnabled="true"
             maxThreads="150"
             scheme="https"
             secure="true"
             clientAuth="false"
             sslProtocol="TLS"
             keyAlias="tomcat"
             keystoreFile=".keystore"
             keystorePass="changeit" />


Now, let's do a quick sanity check.  Start Tomcat and try to access BeanSpy via HTTPS.  Because the setup is not complete yet (the self-signed certificate is not trusted), the browser should report a certificate security error when you access https://omx-xxx-xx.contoso.com:8443/BeanSpy/Stats.  Continue through the error and you should see the Stats page.

Step #3: Export Certificate from KeyStore

The final step is to export the certificate from the keystore and make it available to the Windows machine that will connect to the agent.  If the Tomcat instance is running on a Windows machine, import the certificate on that Windows machine.  If the Tomcat instance is running on Linux or will be universally discovered, import the certificate on the Management Server machine(s) (i.e. each machine in the management pool).

First, let's export the certificate:

 Prompt> %JAVA_HOME%\bin\keytool -export -keystore C:\Users\SCXSVC\.keystore -file Tomcat.cer -alias tomcat

Next, we need to import the certificate into the Local Computer's Trusted Root Certification Authorities store.

  1. Start Microsoft Management Console (Mmc.exe).
  2. We need to add the Certificates snap-in.   In the File menu, click Add/Remove Snap-in.
  3. In the list of snap-ins, click Certificates.
  4. Click Add.
  5. Select “Local Computer” then click Finish.
  6. Click OK.
  7. On the “Trusted Root Certification Authorities” context menu select “All tasks” and “Import”.
  8. Select Next.
  9. Browse for the certificate file and select Next.
  10. Select “Place all certificates in the following store” and select the “Trusted Root Certification Authorities” store.
  11. Click Next.
  12. Click Finish.

Finally, re-run the check from Step #2 and verify that the certificate error is gone.
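The same import and re-check, as an added PowerShell example that is not part of the original guide: it validates that the exported certificate's DNS name matches the FQDN entered in Step #1, imports it into the Local Computer's Trusted Root store (the MMC steps above), and repeats the Step #2 request. The certificate path, FQDN and port are assumed values; run it from an elevated prompt on the machine that connects to the agent.

```powershell
# Added example (not from the original guide): automates Step #3 and the
# Step #2 re-check. $CerPath, $Fqdn and $Port are assumptions; adjust them.
param(
    [string]$CerPath = "C:\Users\SCXSVC\Tomcat.cer",
    [string]$Fqdn    = "omx-xxx-xx.contoso.com",
    [int]$Port       = 8443
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath

# The DNS name in the certificate must match the FQDN SCOM will use; otherwise
# the hostname check still fails after the certificate is trusted.
$dnsName = $cert.GetNameInfo(
    [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
if ($dnsName -ne $Fqdn) {
    throw "Certificate DNS name '$dnsName' does not match expected FQDN '$Fqdn'"
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter)"
}

# Import into LocalMachine\Root (equivalent to MMC steps 1-12), skipping the
# import if the same thumbprint is already present.
$existing = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $existing) {
    Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    Write-Host "Imported $($cert.Thumbprint) into LocalMachine\Root"
} else {
    Write-Host "Certificate $($cert.Thumbprint) is already trusted"
}

# Repeat the Step #2 sanity check: with the certificate trusted, the request
# should succeed without a TLS trust error.
$url = "https://${Fqdn}:${Port}/BeanSpy/Stats"
try {
    $resp = Invoke-WebRequest -Uri $url -UseBasicParsing
    Write-Host "OK: $url returned HTTP $($resp.StatusCode)"
} catch {
    Write-Host "FAILED: $url -> $($_.Exception.Message)"
}
```

Import-Certificate requires the PKI module (Windows Server 2012 / Windows 8 or later); on older systems, `certutil -addstore Root Tomcat.cer` performs the same import.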