I heard Xima now supports SSL for Tomcat in Chronicall 3.10.1. How do we enable it?
Answer
As of 4.0, Chronicall natively supports SSL with a configuration that is easier to implement, but it must operate on Port 80 and Port 443.
Older Versions
We support this setup as of 3.10.1 as well, with two ways of completing it, detailed below the 4.0 instructions.
Steps (4.0 and above)
- Open Chronicall/ACR and navigate to Admin (System) > System Settings > Basic Settings
- Click on the ellipsis next to SSL Proxy Configuration
- Configure the SSL Proxy
  - Switch "SSL Proxy Enabled" to "True"
  - Input the Local IP of the Chronicall/ACR Server
  - Copy the "DNS Record" to a Notepad or somewhere similar for future use.
  - NOTE: In version 4.2.3 and above, you will see a new setting "Enable HTTP 1.1"
    - If the customer is on IP Office 11.0.4.2 build 58 or higher, set to "True"
    - If they are on IP Office 11.0.4.1 build 11 or older, set to "False"
  - Select OK, and then Save
- Restart the Chronicall/ACR service
- You will now need to wait approx. 5 minutes for the server to create an nginx task in the task manager.
  - You can also monitor the Chronicall/ACR folder for a new nginx folder to be created which should contain an nginx.pid file once complete
    - The Chronicall folder is typically found:
      - Windows
        - C:\Program Files (x86)\Xima Software\Chronicall
        - C:\Program Files\Chronicall
      - Linux
        - /var/lib/Chronicall
    - The Avaya Call Reporting folder is typically found:
      - Windows
        - C:\Program Files\Avaya Call Reporting
      - Linux
        - /var/lib/Avaya Call Reporting
- Once the nginx task is up and running you can take that DNS Record that was copied earlier and paste it into Google Chrome or Internet Explorer
  - If using Chrome, be sure to add '/web' to the end of the DNS Record URL
  - This will navigate you to the new SSL enabled Chronicall/ACR
Steps (3.10.1 to 3.12)
Note: The keystore will be created in the working directory of your terminal when you execute the "keytool" command in step 1. The best practice is to navigate to the chronicall directory and then execute the command from there. Example:
If you do not want to use a .jks cert, you can import a PFX keystore instead with the alias of 'chronicall' (i.e. chronicall.pfx)
Self Signed Cert
This is the easiest way, but it will not display a green bar and comes with a warning page in your browser.
- Create a keystore and self-signed certificate using the Java keytool:
  - In an administrator/sudo command line navigate to \Chronicall\java\bin
  - Type "keytool -keystore chronicallkeystore.jks -genkey -alias chronicall -keyalg RSA" and follow the prompts. Remember what you set as the keystore password.
- Update Chronicall settings at Admin (System) > System Settings > Advanced Settings > HTTPS Configuration
  - Set “HTTPS Enabled” to true
  - Set “Keystore Path” to the path of chronicallkeystore.jks (it should be located in the same directory as keytool)
  - Set the port to be used
  - Set the Keystore Password to match the one used when creating the keystore
  - Set “Allow Self-Signed” to true
- Restart Chronicall Services
- Open Internet Explorer and navigate to https://[TheirIpHere]:[configuredPort]/
You should see a warning page that allows you to continue to navigate to Chronicall. The warning page is present because the certificate did not come from a known Certificate Authority.
Requesting and Importing a Certificate from a known Certificate Authority
This costs time, money, and usually some additional configuration.
- Create a keystore
    keytool -keysize 2048 -genkey -alias chronicall -keyalg RSA -keystore chronicallkeystore.jks
  - Follow the prompts
- Create a CSR (Certificate Signing Request)
    keytool -certreq -keyalg RSA -alias chronicall -file chronicall.csr -keystore chronicallkeystore.jks
  - Follow the prompts
- Send the chronicall.csr file, usually located in the same directory as the keytool, to your CA provider
- Once your certificate is issued, import the root certificate
    keytool -import -alias root -keystore chronicallkeystore.jks -trustcacerts -file [name of the root certificate]
- Import the intermediate certificate
    keytool -import -alias intermed -keystore chronicallkeystore.jks -trustcacerts -file [name of the intermediate certificate]
- Import the issued certificate, using the alias of the key pair created in the first step so that the certificate is attached to the private key (a different alias stores it as a separate trusted certificate entry)
    keytool -import -alias chronicall -keystore chronicallkeystore.jks -trustcacerts -file [name of the certificate]
- Update the settings.xml file with the correct keystore location in the Tomcat directory.
- Update Chronicall settings
  - Set “HTTPS Enabled” to true
  - Set “Keystore Path” to the path of chronicallkeystore.jks (usually Java/jre/bin)
  - Set “Keystore Password” to password
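
Before restarting the service, the keystore can be checked from the output of "keytool -list -v": the alias chronicall should be a PrivateKeyEntry whose certificate was issued by the CA, not a self-signed one. The script below is an added example, not Xima's code; it assumes English-locale keytool output, and the function name key_entry_status and both sample listings are constructed for illustration.

```python
import sys

# Constructed samples: `keytool -list -v` output (English locale), trimmed to
# the fields this check reads. First: CA reply imported under another alias.
REPLY_NOT_ATTACHED = """\
Alias name: chronicall
Entry type: PrivateKeyEntry
Certificate chain length: 1
Owner: CN=reports.example.test
Issuer: CN=reports.example.test

Alias name: issued
Entry type: trustedCertEntry
Owner: CN=reports.example.test
Issuer: CN=Example Intermediate CA
"""
# Second: CA reply attached to the key entry, chain built up to the root.
CA_SIGNED = """\
Alias name: chronicall
Entry type: PrivateKeyEntry
Certificate chain length: 3
Owner: CN=reports.example.test
Issuer: CN=Example Intermediate CA
"""

def key_entry_status(listing, alias="chronicall"):
    """Return (status, chain_length) for `alias` in `keytool -list -v` text."""
    entries, fields = {}, None
    for raw in listing.splitlines():
        key, sep, value = raw.strip().partition(":")
        if key == "Alias name":
            fields = entries.setdefault(value.strip().lower(), {})
        elif fields is not None and sep:
            # setdefault keeps the first Owner/Issuer, i.e. the leaf certificate
            fields.setdefault(key, value.strip())
    entry = entries.get(alias.lower())
    if entry is None:
        return ("missing", 0)
    if entry.get("Entry type") != "PrivateKeyEntry":
        return ("no-private-key", 0)
    chain = int(entry.get("Certificate chain length", "0"))
    same = entry.get("Owner") == entry.get("Issuer")
    return ("self-signed" if same else "ca-signed", chain)

if __name__ == "__main__":
    # keytool -list -v -keystore chronicallkeystore.jks | python check_keystore.py
    print(key_entry_status(sys.stdin.read()))
```

A result of ("self-signed", 1) is expected for the self-signed setup; after a CA import it means the issued certificate was not attached to the key entry.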