HTTPS settings

• Activate HTTPS only checkbox to automatically redirect HTTP requests to HTTPS
• WARNING: In such configuration, remote agents will not be able to connect if you don't add the server certificate into their truststore (unless using a certificate coming from a trusted authority)

• Redpeaks HTTPS port number is set to 8443 by default

• If you are running on Linux:
  • Set the new HTTPS port in HTTPS redirection port field
  • Using port 443 is not always possible: ports below 1024 require elevated privileges
  • Example routing rule: iptables -t nat -A PREROUTING -p tcp –dport 443 -j REDIRECT –to-ports 8443
  • Restart the Redpeaks service from the Maintenance menu

• If you are running on Windows:
  • Set the new HTTPS port in HTTPS redirection port field.
  • Run: [REDPEAKS_HOME]\\bin\\pro_monitorw.exe
  • Open the Java tab
  • Change the -Dhttp.port.ssl value to the new port number
  • Restart the promonitor service

• The default certificate embedded with the server will not work in Multi-instance mode: agents will refuse the connection because the certificate is not bound to the server IP address
• You must generate a self-signed certificate bound to the correct IP or hostname
• All generated certificates are stored in: [REDPEAKS_HOME]/certificates/.keystore

• The default certificate uses localhost as Common Name (CN)
• To connect to the server using HTTPS and a hostname, you must install or generate a proper certificate

Generating a Self-signed certificate

• Click Generate a self-signed certificate
• Enter the hostname or IP
• Save the certificate

Generating a Certificate manually

• Follow the procedure here

Certificates from a trusted authority

• Follow the procedure below

• To establish a secure connection with a system using a self-signed certificate, you must trust the certificate
• Once trusted, you must connect using the Common Name (CN) of the certificate
• This applies to:
  • REST API connector
  • Secure LDAP
  • Secure plugin
  • Secure primary server (agents)
  • Secure SAPControl or portal

Import certificate from remote sites:

• Click Download and install a self-signed certificate
• Enter the URL as hostname:port (443 by default)
• Enter the certificate's CN (visible in browser certificate details)

• Copy the certificate file (.cer) into [REDPEAKS_HOME]/certificates/
• Import it:

keytool -import -trustcacerts -keystore [REDPEAKS_HOME]/certificates/.keystore -storepass agentilKeyStore \
 -noprompt -alias yourAliasName -file [REDPEAKS_HOME]/certificates/certificate.cer

• Import an external PKCS12 keystore:

keytool -importkeystore -srckeystore yourKeyStore.p12 -srcstoretype PKCS12 -srcstorepass agentilKeyStore \
 -destkeystore [REDPEAKS_HOME]/certificates/.keystore -deststoretype JKS -deststorepass agentilKeyStore

NOTE:

• Redpeaks keystore (server keys) and truststore (trusted certificates) are stored in the same file [REDPEAKS_HOME]/certificates/.keystore

In some cases, you have:

• a private key file (server.key)
• a server certificate (server.crt or server.cer)
• one or more CA / intermediate certificates (root.cer, intermediate.cer)

The recommended way to provide a complete chain to Redpeaks is to build a PKCS12 (.p12) file containing

• private key
• server certificate
• intermediate and root certificates (full chain)

• Open your .cer files
  • If you see —–BEGIN CERTIFICATE—–, they are already in PEM format
  • If the file is binary, convert from DER to PEM

openssl x509 -inform DER -in intermediate.cer -out intermediate.crt
openssl x509 -inform DER -in root.cer -out root.crt

• Concatenate intermediate and root certificates (in this order)

cat intermediate.crt root.crt > chain.pem

• Create a PKCS12 file containing:
  • the private key
  • the server certificate
  • the full chain

Example:

openssl pkcs12 -export -inkey server.key -in server.crt -certfile chain.pem -name pro_monitor -out fullcert.p12

You will be asked for an export password: use “agentilKeyStore” if you want to import it directly with default Redpeaks keystore password

• Import the newly created fullcert.p12 into Redpeaks keystore:

keytool -importkeystore -srckeystore fullcert.p12 -srcstoretype PKCS12 \
 -srcstorepass agentilKeyStore -destkeystore [PRO_MONITOR_HOME]/certificates/.keystore -deststoretype JKS -deststorepass agentilKeyStore

• After this, the alias used (“pro_monitor” in the example) should contain:
  • Entry type: PrivateKeyEntry
  • Certificate chain length: 2 or 3 (server + intermediate (+ root))

• See Troubleshooting certificate issues