...

  1. The following method requires the Oracle JDK.

  2. Run the following command to create your SSL keystore, and follow the prompts to finish creating it:

        keytool -keystore <filename> -alias <alias> -genkey -keyalg RSA -validity <number of days cert is valid>

  3. Export the generated public key (certificate) from the keystore by running the following command:

        keytool -export -keystore <keystore file name from step 2> -alias <alias> -file <filename>

  4. Import the public key into the Java truststore (cacerts) located in the Java home directory:

        keytool -import -alias <alias> -file <file from step 3> -keystore $JAVA_HOME/jre/lib/security/cacerts

     The default password for the cacerts truststore is "changeit". For more information on keytool, see the Oracle documentation:
     https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html

     Warning

     The password and the default access permissions of the cacerts truststore should have been changed when the SDK was installed. If this was not done already, it should be done as the LAST STEP of this process.
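The following script is an added example and is not part of the iSymphony documentation. It runs steps 2 to 4 above non-interactively (the -dname and password flags replace keytool's prompts), imports the exported certificate into a copy of cacerts rather than the live truststore, and verifies that the keystore and truststore open with the intended passwords and contain the alias. It also checks for the condition in the Warning above by testing whether the truststore still accepts "changeit". It assumes keytool is on PATH and the JDK 8 cacerts path shown on the page; the names, passwords and distinguished name are constructed sample values that can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not part of the iSymphony documentation: runs steps 2-4 above
# non-interactively and verifies the result. Assumes keytool is on PATH and the
# JDK 8 cacerts path used on the page. Names and passwords below are constructed
# sample values; override them through the environment.
set -eu

KEYSTORE="${KEYSTORE:-isymphony.jks}"
ALIAS="${ALIAS:-isymphony}"
STOREPASS="${STOREPASS:-ChangeMe-Store-1}"
DAYS="${DAYS:-365}"
CERT_FILE="${CERT_FILE:-$ALIAS.cer}"
DNAME="${DNAME:-CN=isymphony.example.invalid, O=Example, C=US}"
CACERTS="${JAVA_HOME:-/usr/lib/jvm/default}/jre/lib/security/cacerts"

# Step 2: create the keystore. -dname and the password flags replace the prompts.
make_keystore() {
    rm -f "$KEYSTORE"
    keytool -keystore "$KEYSTORE" -alias "$ALIAS" -genkey -keyalg RSA -keysize 2048 \
        -validity "$DAYS" -storepass "$STOREPASS" -keypass "$STOREPASS" -dname "$DNAME"
}

# Step 3: export the public key certificate (-rfc writes PEM so openssl can read it too).
export_cert() {
    keytool -export -rfc -keystore "$KEYSTORE" -alias "$ALIAS" \
        -storepass "$STOREPASS" -file "$CERT_FILE"
}

# Step 4, applied to $1 (a truststore path) with its password $2. Work on a copy
# of cacerts first so the JDK's live truststore is only replaced once reviewed.
import_into_truststore() {
    keytool -import -noprompt -alias "$ALIAS" -file "$CERT_FILE" \
        -keystore "$1" -storepass "$2"
}

# Check: store $1 opens with password $2 and contains alias $3 (exit 0), else exit 1.
has_alias() {
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# Check for the Warning above: exit 0 if truststore $1 still opens with "changeit".
truststore_uses_default_password() {
    keytool -list -keystore "$1" -storepass changeit >/dev/null 2>&1
}

main() {
    make_keystore
    export_cert
    cp "$CACERTS" ./cacerts.new
    import_into_truststore ./cacerts.new "${CACERTS_PASS:-changeit}"
    has_alias ./cacerts.new "${CACERTS_PASS:-changeit}" "$ALIAS"
    if truststore_uses_default_password ./cacerts.new; then
        echo "cacerts still opens with 'changeit': change it before installing it (see Warning)" >&2
    fi
    echo "Review ./cacerts.new, then copy it over $CACERTS"
}

# Only run the full procedure when asked to, so the functions can be sourced for checks.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `sh make-keystore.sh --run` from the directory where the keystore should be written; the live cacerts is never modified by the script, only the copy ./cacerts.new.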

Creating a Keystore with Let's Encrypt

Note

This section is a work in progress and will be updated.

Creating a Keystore with the Let's Encrypt Module for FreePBX

FreePBX automates the process of obtaining a Let's Encrypt certificate and uses its own directory structure and file names to place the resulting files (the certificate, any intermediate Certificate Authority chain and the private key) on the filesystem.

First, convert the resulting Let's Encrypt certificate chain and private key to PKCS12 format using the OpenSSL command-line tool:

    openssl pkcs12 -export -in /etc/asterisk/keys/<HOSTNAME>/fullchain.pem -inkey /etc/asterisk/keys/<HOSTNAME>/private.pem -name isymphony -out isymphony.pkcs12

Note

Ensure you change the <HOSTNAME> placeholder above to reference the directory name that was created as part of the FreePBX certificate acquisition process.

You can choose the certificate alias and the name of the resulting PKCS12 keystore file (the -name and -out parameters). The values above are only an example, but they work without issue, so feel free to use them if appropriate.

The OpenSSL command will prompt for a password for the exported keystore. Be sure to set one: a password is required, and an empty password is not valid for this process. For this example, we used the password "isymphony".

Then import the resulting PKCS12 keystore into a newly created Java keystore, supplying the appropriate parameters and setting the destination store password and key password:

    keytool -importkeystore -deststorepass isymphony -destkeypass isymphony -destkeystore isymphony.jks -srckeystore isymphony.pkcs12 -srcstoretype PKCS12 -alias isymphony

Your new Java keystore will be in the resulting file, ./isymphony.jks.

Copy this file into the top-level directory of /opt/isymphony3/server/conf (or the appropriate installation directory for iSymphony).
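The following script is an added example and is not code from the FreePBX or iSymphony projects. It carries the conversion above through both steps (PEM to PKCS12, PKCS12 to JKS) and then performs the checks a practitioner wants before touching security.xml: that the keystore opens with the password and contains the alias that will be written into the SSLKeystore element, that the alias actually carries the full chain rather than the leaf certificate alone, and that the leaf certificate is not about to expire. It assumes openssl and keytool are on PATH and the FreePBX paths shown on the page; HOSTNAME-PLACEHOLDER stands for the directory FreePBX created, and the alias and password "isymphony" are the page's example values.

```shell
#!/bin/sh
# Added example, not part of the FreePBX or iSymphony projects: converts the
# Let's Encrypt files FreePBX writes into the PKCS12 and JKS keystores described
# above, then checks the result against the values that will go into security.xml.
# Assumes openssl and keytool are on PATH and the FreePBX paths shown on the page;
# HOSTNAME-PLACEHOLDER stands for the directory FreePBX created.
set -eu

LE_DIR="${LE_DIR:-/etc/asterisk/keys/HOSTNAME-PLACEHOLDER}"
ALIAS="${ALIAS:-isymphony}"
STOREPASS="${STOREPASS:-isymphony}"   # the page's example value; pick your own
P12="${P12:-isymphony.pkcs12}"
JKS="${JKS:-isymphony.jks}"

# fullchain.pem + private.pem -> PKCS12. The password is mandatory (keytool rejects
# empty ones). The explicit PBE/MAC algorithms keep the file readable by older
# JDK 8 keytool builds, which cannot open OpenSSL 3's AES/PBKDF2 defaults.
pem_to_pkcs12() {
    openssl pkcs12 -export -in "$LE_DIR/fullchain.pem" -inkey "$LE_DIR/private.pem" \
        -name "$ALIAS" -out "$P12" -passout "pass:$STOREPASS" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1
}

# PKCS12 -> JKS with the same store and key password, as in the page's command.
# -deststoretype JKS pins the format, since newer JDKs default to PKCS12.
pkcs12_to_jks() {
    rm -f "$JKS"
    keytool -importkeystore -noprompt -srckeystore "$P12" -srcstoretype PKCS12 \
        -srcstorepass "$STOREPASS" -alias "$ALIAS" -deststoretype JKS \
        -destkeystore "$JKS" -deststorepass "$STOREPASS" -destkeypass "$STOREPASS"
}

# The check to run before editing security.xml: the filename, keystorePassword and
# certAlias you intend to write there must open this keystore and find the alias.
check_security_xml_values() {   # $1 filename, $2 keystorePassword, $3 certAlias
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# How many certificates sit under the alias. A Let's Encrypt fullchain.pem gives at
# least two (leaf plus intermediate); a count of 1 means cert.pem was used instead.
chain_length() {
    keytool -list -v -keystore "$JKS" -storepass "$STOREPASS" -alias "$ALIAS" 2>/dev/null \
        | grep -c '^Certificate\['
}

# Exit 0 if the leaf certificate is still valid in $1 days, 1 if it expires sooner.
leaf_valid_for_days() {
    openssl x509 -in "$LE_DIR/fullchain.pem" -noout -checkend $(( $1 * 86400 ))
}

main() {
    pem_to_pkcs12
    pkcs12_to_jks
    check_security_xml_values "$JKS" "$STOREPASS" "$ALIAS"
    echo "certificates under alias $ALIAS: $(chain_length)"
    leaf_valid_for_days 14 || echo "leaf certificate expires within 14 days; renew before installing" >&2
    echo "copy $JKS to /opt/isymphony3/server/conf/ and update SSLKeystore in security.xml"
}

# Only run the full conversion when asked to, so the functions can be sourced for checks.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `LE_DIR=/etc/asterisk/keys/<your hostname dir> sh le-to-jks.sh --run`. Because FreePBX renews the certificate on its own schedule, the conversion has to be repeated after each renewal; re-running the same script and checking the expiry with leaf_valid_for_days is a simple way to notice when the keystore in /opt/isymphony3/server/conf has fallen behind.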

Make iSymphony Aware of the SSLKeystore

Modify /opt/isymphony3/server/conf/security.xml to make iSymphony aware of the keystore by modifying the SSLKeystore XML element with the appropriate values:

    <SSLKeystore filename="isymphony.jks" keystorePassword="isymphony" keyPassword="isymphony" certAlias="isymphony" />

Then enable SSL on each context where you want to use it (more on this below) and restart the iSymphonyServerV3 service to complete the configuration.

Enabling And Disabling Security

...

Context

You can enable and disable entire Security Contexts by setting the enabled attribute to true or false in the SecurityContext tag in the /opt/isymphony3/server/conf/security.xml file. A disabled Security Context will apply no restrictions to the servlet despite any of the inner settings.

...