How to replace the Web Reporter GUI Certificate

Version 1

    Motivations

    There are two main reasons for wanting to change Web Reporter's SSL certificate.

    • Security - Every installation of Web Reporter uses the same certificate (and therefore the same private key) by default. A skilled attacker could use this to perform a man-in-the-middle attack and break the encryption. Replacing the default with any other certificate solves this problem.
    • Warnings - The default certificate is self-signed using localhost for the common name, which means that no browser is going to trust this certificate without creating an exclusion. Installing a certificate that is trusted in your organization (perhaps one issued by your own certificate authority) can eliminate certificate warning messages when accessing the Web Reporter GUI.

     

    Overview

    This process requires you to:

    1. Generate a new keystore file
    2. Export the certificate
    3. Copy the files to the appropriate directory
    4. Update the config file for the new keystore
    5. Restart the service.

     

     

    Instructions

    1. Generate a new Keystore file


      Open a command prompt and cd to <install_dir>\jre1.6\bin.
      Run the command below to generate a new keystore file containing a new private key and SSL certificate. You will be prompted for certificate information such as the organizational unit and city. When prompted with "What is your first and last name?", enter the hostname of the Web Reporter server that you use to access the GUI. If these don't match, you will get a common name mismatch warning from the browser and Java when loading the GUI.

      keytool -genkey -alias webreporter -keyalg RSA -keystore mwr.keystore -keysize 2048 -validity 7300

      Example
      C:\Program Files\McAfee\Web Reporter (64-bit)\jre1.6\bin>keytool -genkey -alias webreporter -keyalg RSA -keystore mwr.keystore -keysize 2048 -validity 7300

      Enter keystore password: P455word

      Re-enter new password: P455word

      What is your first and last name?

        [Unknown]:  shibuya.yamanote.jr.local

      What is the name of your organizational unit?

        [Unknown]:  Technical Support

      What is the name of your organization?

        [Unknown]:  McAfee

      What is the name of your City or Locality?

        [Unknown]:  Saint Paul

      What is the name of your State or Province?

        [Unknown]:  Minnesota

      What is the two-letter country code for this unit?

        [Unknown]:  US

      Is CN=shibuya.yamanote.jr.local, OU=Technical Support, O=McAfee, L=Saint Paul, ST=Minnesota, C=US correct?

        [no]:  yes

       

       

      Enter key password for <webreporter>

              (RETURN if same as keystore password):

    2. Export the certificate from the keystore file using this command.

      keytool -export -keystore mwr.keystore -alias webreporter -file wrhost.company.com.crt


      Example:

      C:\Program Files\McAfee\Web Reporter (64-bit)\jre1.6\bin>keytool -export -keystore mwr.keystore -alias webreporter -file shibuya.yamanote.jr.local.crt

      Enter keystore password: P455word

      Certificate stored in file <shibuya.yamanote.jr.local.crt>

       


       

    3. Copy mwr.keystore and the .crt file you just exported to the configuration directory below.


      <install directory>\reporter\jboss\server\default\conf\


      Example
      C:\Program Files\Web Reporter (64-bit)\reporter\jboss\server\default\conf\mwr.keystore
      C:\Program Files\Web Reporter (64-bit)\reporter\jboss\server\default\conf\shibuya.yamanote.jr.local.crt

    4. Edit the configuration file to use the new keystore.

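      Make a backup copy of <install directory>\reporter\jboss\server\default\deploy\jboss-web.deployer\server.xml in case you make a mistake while editing it. Then open the original file in any text editor. Set keystoreFile and keystorePass to match the new keystore file and the password you chose in step 1. The password is stored in clear text in server.xml, so keep this file and its backup readable by administrators only.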

      [Screenshot: server.xml.png]

       

    5. Restart the Web Reporter Server service
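
      A check of steps 3 and 4, as an added example that is not part of the original article or the product's own tooling: it parses server.xml and reports HTTPS connectors whose keystoreFile or keystorePass do not point at the new keystore. The sample XML, its port, the scheme="https" test and the ${jboss.server.home.dir} expansion are assumptions about a Tomcat-style connector, not Web Reporter's shipped file.

```python
import os
import sys
import xml.etree.ElementTree as ET

# Constructed sample: a Tomcat-style HTTPS connector. Port and layout are
# placeholders (assumptions), not Web Reporter's shipped file; only the
# keystoreFile and keystorePass attributes are named in the article.
SAMPLE_SERVER_XML = """<Server>
  <Service name="jboss.web">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8443" scheme="https" secure="true"
               keystoreFile="${jboss.server.home.dir}/conf/mwr.keystore"
               keystorePass="P455word"/>
  </Service>
</Server>"""


def check_keystore_config(xml_text, server_home, expected_name="mwr.keystore"):
    """Return a list of problems with the HTTPS connector(s) in server.xml."""
    # Commented-out connectors are dropped by the parser, so only live ones count.
    connectors = [c for c in ET.fromstring(xml_text).iter("Connector")
                  if c.get("scheme") == "https"]
    if not connectors:
        return ['no Connector with scheme="https" found']
    problems = []
    for conn in connectors:
        where = "Connector port " + conn.get("port", "?")
        keystore = conn.get("keystoreFile")
        if not keystore:
            problems.append(where + ": keystoreFile is not set")
            continue
        # Assumption: relative paths use the JBoss server-home property;
        # an absolute path passes through this replace unchanged.
        path = keystore.replace("${jboss.server.home.dir}", server_home)
        path = os.path.normpath(path.replace("\\", "/"))
        if os.path.basename(path) != expected_name:
            problems.append(f"{where}: keystoreFile is {keystore!r}, not {expected_name}")
        elif not os.path.isfile(path):
            problems.append(f"{where}: {path} does not exist (step 3 not done?)")
        if not conn.get("keystorePass"):
            problems.append(f"{where}: keystorePass is empty")
    return problems


if __name__ == "__main__":
    # Usage: python check_keystore.py <path to server.xml> <server\default directory>
    with open(sys.argv[1], encoding="utf-8") as fh:
        found = check_keystore_config(fh.read(), sys.argv[2])
    print("\n".join(found) or "HTTPS connector uses the new keystore")
    sys.exit(1 if found else 0)
```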