Installing SSL Certificates for QMetry Application installed with Docker

(Note: SSL configuration is not part of QMetry installation and is not included under basic QMetry support services. These are just guidelines for customers to achieve the SSL setup.)

Step 1: Log in to the QMetry app Docker container and generate a Java keystore (JKS) file

    sudo su
    docker ps
    docker exec -it qmetry_app_1 bash
    mkdir -p /opt/ssl
    cd /opt/ssl
    keytool -genkey -alias qmetry -keyalg RSA -keysize 2048 -keystore qmetryssl_qmetry_com.jks

    -- output --
    Enter keystore password: choose_a_keystore_password
    Re-enter new password: re-enter_chosen_keystore_password
    What is your first and last name?
      [Unknown]: <Enter First Name and Last Name>
    What is the name of your organizational unit?
      [Unknown]: e.g QMetry
    What is the name of your organization?
      [Unknown]: e.g QMetry
    What is the name of your City or Locality?
      [Unknown]: e.g Santa Clara
    What is the name of your State or Province?
      [Unknown]: e.g San Francisco
    What is the two-letter country code for this unit?
      [Unknown]: e.g SF
    Is CN=Firstname Lastname, OU=QMetry, O=QMetry, L=Santa Clara, ST=San Francisco, C=SF correct?
      [no]: yes

    Enter key password for <tomcat>
      (RETURN if same as keystore password): <Just hit Enter to keep same password as keystore>

    Warning:
    The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore qtm_test_qmetry.jks -destkeystore qtm_test_qmetry.jks -deststoretype pkcs12".

Step 2: Generate a certificate signing request (CSR)

The above step should have generated a JKS Keystore file. In our example, it is “qmetryssl_qmetry_com.jks”. Specify a similar .csr file name and use the JKS file generated in the above step.

    keytool -certreq -alias qmetry -file qmetryssl_qmetry_com.csr -keystore qmetryssl_qmetry_com.jks
    Enter keystore password:

    -- output --
    Warning:
    The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore qtm_test_qmetry.jks -destkeystore qtm_test_qmetry.jks -deststoretype pkcs12".

Step 3: Send the above generated CSR to your certificate signing authority to get your SSL certificates.

Step 4: Import the certificate into the JKS Keystore file.

Once the certificate .p7b file is received, import it into your JKS keystore (.jks) file, replacing the certificate file name in the example commands below. Type “yes” when prompted.

    sudo su
    # Copy the .p7b file to the container's /opt/ssl directory
    docker cp qmetryssl_qmetry_com.p7b qmetry_app_1:/opt/ssl
    docker exec -it qmetry_app_1 bash
    cd /opt/ssl/
    keytool -import -alias qmetry -file qmetryssl_qmetry_com.p7b -keystore qmetryssl_qmetry_com.jks

    -- output --
    Enter keystore password: <Enter Keystore Password as per Step 1>
    ------- ---- --
    ... is not trusted. Install reply anyway? [no]: yes
    Certificate reply was installed in keystore

    Warning:
    The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore qtm_test_qmetry.jks -destkeystore qtm_test_qmetry.jks -deststoretype pkcs12".

Step 5: Edit the QMetry Tomcat server.xml

Specify the certificate alias, keystore file, and keystore password in the “server.xml” file available under the app Docker directory: /home/qmetry/QMetry/conf/server.xml. Back up the file before making any changes.

  1. Open the file in edit mode:

  2. Comment out any existing connector tag for port 8443.

  3. Add a new connector tag for port 443, setting the alias under keyAlias, the keystore file with its path under keystoreFile, and the keystore password under keystorePass.

  4. Change redirect port to 443 for HTTP/1.1 configuration in server.xml and save it.

Save the file. Press Esc then type :wq and press enter.

Step 6: Edit “web.xml” to redirect automatically to HTTPS

Make the following changes in the “web.xml” file to automatically redirect users to the HTTPS URL if they try to access the application using an HTTP URL.

  1. Edit the web.xml file, after backing up the existing one.

  2. Add the below security-constraint tag at the end of the file just before the ending </web-app> tag.
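The fragments for Steps 5 and 6, as an added example (not QMetry's own configuration, which is not reproduced on this page): a standard Tomcat JSSE connector using the keystore from Step 1, and the servlet-spec security constraint that forces HTTPS. It assumes a Tomcat release that still accepts keystoreFile, keystorePass and keyAlias directly on the Connector (Tomcat 9 and earlier); the HTTP port 8080, maxThreads, connectionTimeout and the TLSv1.2 restriction are assumed values to adapt.

```xml
<!-- Added example; attribute values are assumptions to adapt, not QMetry's shipped config. -->

<!-- ===== /home/qmetry/QMetry/conf/server.xml (Step 5) ===== -->

<!-- Existing HTTP connector: keep its port and other attributes as they are in
     your file (8080 is Tomcat's default, assumed here); only redirectPort changes. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" />

<!-- New HTTPS connector. keystorePass is stored in clear text, so keep
     server.xml readable only by the account that runs Tomcat. -->
<Connector port="443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           maxThreads="150" clientAuth="false"
           sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"
           keyAlias="qmetry"
           keystoreFile="/opt/ssl/qmetryssl_qmetry_com.jks"
           keystorePass="REPLACE_WITH_KEYSTORE_PASSWORD" />

<!-- ===== web.xml (Step 6), placed just before the closing web-app tag ===== -->

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <!-- CONFIDENTIAL makes the container redirect plain-HTTP requests to the
         HTTP connector's redirectPort (443 above). -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```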

Save the file. Press Esc then type :wq and press enter.

Step 7: Restart the Tomcat services to apply the changes.

Type “exit” to exit the Docker container.

Restart the QMetry app docker container using the command: docker restart qmetry_app_1

Step 8: Modify the QMetry Base URL in the application to HTTPS

Log in to QMetry with the “admin” user, and go to Profile. Update the Base URL with the final QMetry HTTPS URL, like: https://domain.qmetry.com

After following the above steps, QMetry will be accessible via https://domain.qmetry.com/.