SSL Certificates Configuration for QMetry Application Tomcat Server in Docker

(Note: SSL configuration is not part of the QMetry installation and is not included under basic QMetry support services. These are only guidelines to help customers set up SSL.)

Step 1: Log in to the Docker container and generate the JKS file

# docker ps (To get the name of the running container)
# docker exec -it qmetry_app_1 bash (Log in to the Docker container)
# mkdir -p /opt/ssl
# cd /opt/ssl
# keytool -genkey -alias qmetry -keyalg RSA -keysize 2048 -keystore qtm_test_qmetry.jks

Enter keystore password: <This is the keystore password>
Re-enter new password: <This is the keystore password>
What is your first and last name?
  [Unknown]:  <Enter First Name and Last Name>
What is the name of your organizational unit?
  [Unknown]:  e.g. QMetry
What is the name of your organization?
  [Unknown]:  e.g. QMetry
What is the name of your City or Locality?
  [Unknown]:  e.g. Santa Clara
What is the name of your State or Province?
  [Unknown]:  e.g. California
What is the two-letter country code for this unit?
  [Unknown]:  e.g. US
Is CN=Firstname Lastname, OU=QMetry, O=QMetry, L=Santa Clara, ST=California, C=US correct?
  [no]:  yes

Enter key password for <qmetry>
        (RETURN if same as keystore password):  <Just hit Enter to keep same password as keystore>

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore qtm_test_qmetry.jks -destkeystore qtm_test_qmetry.jks -deststoretype pkcs12".

Step 2: Generate CSR


# keytool -certreq -alias qmetry -file qtm_test_qmetry.csr -keystore qtm_test_qmetry.jks
Enter keystore password: <Enter Keystore Password as per Step 1>

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore qtm_test_qmetry.jks -destkeystore qtm_test_qmetry.jks -deststoretype pkcs12".

Step 3: Send the CSR to your signing certificate authority and get certificates.

Step 4: Import the signed certificate into the JKS file, replacing qtm_test_qmetry.p7b with the name of your p7b certificate.

# docker cp qtm_test_qmetry.p7b qmetry_app_1:/opt/ssl  (Copy qtm_test_qmetry.p7b to the container's /opt/ssl directory)
# docker exec -it qmetry_app_1 bash  (Log in to the Docker container)
# cd /opt/ssl/
# keytool -import -alias qmetry -file qtm_test_qmetry.p7b -keystore qtm_test_qmetry.jks

Enter keystore password: <Enter Keystore Password as per Step 1>
-------
----
--
... is not trusted. Install reply anyway? [no]:  yes 
Certificate reply was installed in keystore

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore qtm_test_qmetry.jks -destkeystore qtm_test_qmetry.jks -deststoretype pkcs12".

Step 5: Edit server.xml


# vi /home/qmetry/QMetry/conf/server.xml

Step 6: Comment out the 8443 tag

<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
-->

Step 7: Add a new tag for port 443 in server.xml, replacing keyAlias, keystoreFile and keystorePass with your own values


           <!-- keyAlias: the alias from Step 1.
                keystoreFile: the path of the QMetry JKS file, e.g. "/opt/ssl/qtm_test_qmetry.jks".
                keystorePass: the keystore password from Step 1. -->
           <Connector port="443" maxHttpHeaderSize="8192" maxThreads="100"
           minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           SSLEnabled="true" clientAuth="false"
           sslProtocol="TLS" keyAlias="qmetry"
           keystoreFile="/opt/ssl/qtm_test_qmetry.jks"
           keystorePass="KEYSTORE_PASSWORD_FROM_STEP_1" />

Step 8: Change redirect port to 443 for HTTP/1.1 configuration in server.xml and save it.


<Connector acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true"
enableLookups="false" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25"
port="80" protocol="HTTP/1.1" redirectPort="443" useBodyEncodingForURI="true"/>

Step 9: Edit web.xml


# vi /home/qmetry/QMetry/conf/web.xml

Step 10: Redirect HTTP requests to HTTPS by adding the security constraint below to web.xml, before the closing </web-app> tag, and save it.


<security-constraint>
    <web-resource-collection>
        <web-resource-name>Entire Application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
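
A way to check the edits from Steps 6 to 10 before restarting Tomcat, as an added example (not QMetry's or Tomcat's own tooling): the hypothetical helper check_tomcat_tls parses the text of server.xml and web.xml and reports a TLS connector with missing keystore attributes, a redirectPort that points at no active TLS connector (such as the commented-out 8443), or a missing CONFIDENTIAL constraint. The sample XML and the password in it are constructed.

```python
import xml.etree.ElementTree as ET

def check_tomcat_tls(server_xml, web_xml):
    """Return a list of problems in the two config texts; empty means consistent."""
    try:
        server, web = ET.fromstring(server_xml), ET.fromstring(web_xml)
    except ET.ParseError as exc:
        # A leftover "<Add ...>" placeholder or stray text inside a tag lands here.
        return [f"not well-formed XML: {exc}"]
    problems = []
    connectors = list(server.iter("Connector"))  # commented-out tags are skipped
    tls = [c for c in connectors if c.get("SSLEnabled", "").lower() == "true"]
    tls_ports = {c.get("port") for c in tls}
    if not tls:
        problems.append('no Connector has SSLEnabled="true"')
    for c in tls:
        for attr in ("keyAlias", "keystoreFile", "keystorePass"):
            if not c.get(attr):
                problems.append(f"port {c.get('port')}: {attr} is missing")
        if c.get("scheme") != "https" or c.get("secure") != "true":
            problems.append(f"port {c.get('port')}: scheme/secure not set for HTTPS")
    for c in connectors:
        target = c.get("redirectPort")
        if c not in tls and target is not None and target not in tls_ports:
            problems.append(f"port {c.get('port')}: redirectPort {target} has no TLS connector")
    # web.xml may declare a namespace, so compare local tag names only.
    guarantees = {(e.text or "").strip() for e in web.iter()
                  if e.tag.rsplit("}", 1)[-1] == "transport-guarantee"}
    if "CONFIDENTIAL" not in guarantees:
        problems.append("web.xml: no CONFIDENTIAL transport-guarantee")
    return problems

# Constructed sample input modelled on Steps 6-10 (the password is a dummy value).
SERVER_XML = """<Server><Service name="Catalina">
<!-- <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"/> -->
<Connector port="443" SSLEnabled="true" scheme="https" secure="true"
           keyAlias="qmetry" keystoreFile="/opt/ssl/qtm_test_qmetry.jks"
           keystorePass="example-only"/>
<Connector port="80" protocol="HTTP/1.1" redirectPort="443"/>
</Service></Server>"""
WEB_XML = """<web-app><security-constraint>
<web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
<user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint></security-constraint></web-app>"""

if __name__ == "__main__":
    print(check_tomcat_tls(SERVER_XML, WEB_XML) or "configuration is consistent")
    # Step 8 forgotten: port 80 still redirects to the commented-out 8443.
    print(check_tomcat_tls(SERVER_XML.replace('redirectPort="443"', 'redirectPort="8443"'), WEB_XML))
```

To use it on the real files, pass the contents of /home/qmetry/QMetry/conf/server.xml and /home/qmetry/QMetry/conf/web.xml read from inside the container.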

Step 11: Restart the Tomcat services


# exit (exit the docker container)
# docker stop qmetry_app_1
# docker start qmetry_app_1

After following the above steps, QMetry will be accessible via https://domain.qmetry.com/

Step 12: Change the QMetry settings to HTTPS. Ensure that both the QMetry and Reports servers have SSL certificates installed.


Go to Profile >> Edit >> Base URL >> Change to https.
Go to Profile >> Edit >> Report Server URL >> Change to https.

Step 13: Take a backup of the SSL certificate directory to the host's /root directory

# docker cp -a qmetry_app_1:/opt/ssl /root/