Note: These instructions are only for EventSentry 3.4 and newer. For older versions, please see [knowledge base article 238]
Open a command prompt as an administrator and navigate to the following folder (the directory may change depending on where you installed EventSentry):
cd "\Program Files\EventSentry\WebReports\jre\bin"
There are two paths you can take now: generate a self-signed certificate, or request a certificate from a certificate authority (CA). Please follow the one that applies to you.
For a self-signed certificate, run the following command to generate a keystore containing a key pair and a certificate valid for 360 days:
keytool.exe -genkey -keyalg RSA -alias eventsentry -keystore eventsentry.jks -validity 360 -keysize 2048
In this example, we will use the password "changeit" but you can use whatever password you want. Be sure to make a note of your password, as you will need it when you create your connector in step 3. Use the machine's FQDN for the "First and Last Name" field. Fill in the location data as needed, verify the entered information when prompted, and type "yes" to confirm.
Run the following command to generate a keystore:
keytool.exe -genkey -alias eventsentry -keyalg RSA -keystore eventsentry.jks
In this example, we will use the password "changeit" but you can use whatever password you want. Be sure to make a note of your password, as you will need it when you create your connector in step 3. Use the machine's FQDN for the "First and Last Name" field. Fill in the location data as needed, verify the entered information when prompted, and type "yes" to confirm.
Create the certificate request:
keytool.exe -certreq -keyalg RSA -alias eventsentry -file certreq.req -keystore eventsentry.jks
Follow the instructions from your CA on submitting the certificate request. You will use the certreq.req file created in the last command. In this example, after submitting the certificate request the CA gave a ZIP file containing a chain of certificates.
If your CA recommends specific instructions, follow those instead of the ones here. In our case, these were the steps we had to take to import the certificates.
keytool.exe -importcert -alias AddTrustExternalCARoot -file c:\certs\AddTrustExternalCARoot.crt -keystore eventsentry.jks
keytool.exe -importcert -alias ComodoUTNSGCCA -file c:\certs\ComodoUTNSGCCA.crt -keystore eventsentry.jks
keytool.exe -importcert -alias EssentialSSLCA_2 -file c:\certs\EssentialSSLCA_2.crt -keystore eventsentry.jks
keytool.exe -importcert -alias UTNAddTrustSGCCA -file c:\certs\UTNAddTrustSGCCA.crt -keystore eventsentry.jks
Then after the chain is complete, import the server specific certificate provided by your CA:
keytool.exe -importcert -alias eventsentry -file c:\certs\server_domain_local.crt -keystore eventsentry.jks
Move the keystore to the conf folder:
move eventsentry.jks "C:\Program Files\EventSentry\WebReports\conf"
The message "1 file(s) moved." confirms that the keystore file was generated and was moved correctly.
Configure an SSL connector by editing the server.xml file, located by default in:
C:\Program Files\EventSentry\WebReports\web\conf\server.xml
Look for the first instance of "<Connector.../>" and insert the following below that section, making sure the "keystorePass" and "keystoreFile" attributes match the password you set in step 2 and the path where your .jks file is placed:
<!-- SSL "Connector" -->
<Connector port="8443" relaxedQueryChars="[]" protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="150" disableUploadTimeout="true" enableLookups="false" clientAuth="false"
    sslProtocol="TLS" scheme="https" secure="true" SSLEnabled="true"
    keystorePass="changeit" keyAlias="eventsentry"
    keystoreFile="C:\Program Files\EventSentry\WebReports\conf\eventsentry.jks"
    sslEnabledProtocols="TLSv1.2"/>
Note: The "sslEnabledProtocols" setting can be configured to use TLSv1.3, if the clients connecting to WebReports support it.
If you would also like to disable HTTP, look for this connector:
Either delete it or comment it out (enclose it in <!-- and -->).
After restarting the "EventSentry Web Reports" service, navigate to https://server.domain.local:8443 to test and access the web reports over SSL.
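As an added check that is not part of the EventSentry article, the script below audits the Connector elements in a server.xml for the two things this procedure cares about: a plaintext HTTP connector that was not removed, and a TLS connector whose "sslEnabledProtocols" still allows anything older than TLSv1.2. The XML it parses is a constructed sample, and the finding messages are my own wording.

```python
# Added example (not from the EventSentry KB article): audit the Tomcat
# server.xml Connectors the article edits. Flags an enabled plaintext
# HTTP connector and a TLS connector allowing legacy protocols.
import xml.etree.ElementTree as ET

# Protocols the article's connector permits; TLSv1.3 is allowed per its note.
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


def audit_connectors(server_xml):
    """Return a list of finding strings, one per problem, for every <Connector>."""
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        if conn.get("SSLEnabled", "false").lower() != "true":
            # The article says to delete or comment out the HTTP connector
            # once HTTPS works, so an enabled one is worth reporting.
            findings.append(f"port {port}: plaintext HTTP connector still enabled")
            continue
        raw = conn.get("sslEnabledProtocols", "")
        protocols = {p.strip() for p in raw.split(",") if p.strip()}
        weak = protocols - ALLOWED_PROTOCOLS
        if not protocols:
            findings.append(f"port {port}: sslEnabledProtocols not set, Tomcat defaults apply")
        elif weak:
            findings.append(f"port {port}: legacy protocols enabled: {', '.join(sorted(weak))}")
        if conn.get("secure", "false").lower() != "true" or conn.get("scheme") != "https":
            findings.append(f"port {port}: secure/scheme do not mark the connector as HTTPS")
        if not conn.get("keystoreFile"):
            findings.append(f"port {port}: keystoreFile missing")
    return findings


# Constructed sample: HTTP connector left in place, TLS connector allowing TLSv1.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
               keystoreFile="C:\\Program Files\\EventSentry\\WebReports\\conf\\eventsentry.jks"
               keystorePass="changeit" keyAlias="eventsentry"
               sslEnabledProtocols="TLSv1,TLSv1.2"/>
  </Service>
</Server>"""

if __name__ == "__main__":
    for finding in audit_connectors(SAMPLE_SERVER_XML):
        print(finding)
```

Run it against your real file with `audit_connectors(open(path).read())`; an empty list means both connectors match what the procedure above ends with.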