Securing HelpSystems Insite

HelpSystems Insite supports TLS/SSL (Transport Layer Security/Secure Sockets Layer) communications to and from both your web browser and Product Connections. Steps include:

  • Generating a Certificate. If your organization already has a certificate signed by a Certificate Authority (CA), these steps are not required and can be skipped. If not, you can use these instructions to generate a self-signed certificate.
  • Enabling the Certificate on Windows or Linux.
  • Accessing the Insite server with your browser.
  • Troubleshooting

Note: Additional information is available on the Apache Tomcat website.

Generating a Self-Signed Certificate

Note: If your organization already has a certificate signed by a Certificate Authority (CA), skip to the Enabling the Certificate section below.

You must first generate a .keystore file. Make sure to note the password you enter, as you'll need this later.

For Windows

Insite comes packaged with its own JVM. To generate the .keystore file on Windows, do the following:

  1. Open the Command Prompt and go to the following directory:

    C:\Program Files (x86)\Help Systems\HelpSystems Insite\jvm\bin

  2. Enter the following command to generate the key using the keytool:

    keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore hsinsite.keystore

  3. After creating a password, you'll be prompted for your organization's information. When asked for your first and last name, specify the domain name of the server that users will enter in order to connect to Insite, or its IP address if the server has no DNS entry (e.g. 10.60.152.64). This helps ensure that the certificate is valid for the name users actually connect with.

  4. After you have filled the requested fields, press Enter. The resulting hsinsite.keystore file is located in your working directory (C:\Program Files (x86)\Help Systems\HelpSystems Insite\jvm\bin).

For Linux:

  1. Enter the following command:

    "$JAVA_HOME/bin/keytool" -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore hsinsite.keystore

  2. After creating a password, you'll be prompted for your organization's information. When asked for your first and last name, specify the domain name of the server that users will enter in order to connect to Insite. If you do not have a DNS entry for the Insite server, you can use its IP address instead (e.g. 10.60.152.64). This helps ensure that the certificate is valid when users connect to the server.
  3. The resulting hsinsite.keystore file is located in your working directory.

Enabling the Certificate

  1. Stop the HelpSystems Insite Server service.
    • On Windows, run services.msc to open the Services Manager.
    • Right-click HelpSystems Insite Server and choose Stop.
  2. Copy the certificate file (the hsinsite.keystore generated above, or the file supplied by your Certificate Authority) into the installation:
    • Windows: C:\Program Files (x86)\Help Systems\HelpSystems Insite\conf\
  3. Open and edit the server.xml file as follows. This file's location depends on the directory where the portal server is installed (see step 2). Note: You can edit the server.xml file with any text editor. Be sure to create a backup copy of the original file before editing. If you are not familiar with the XML format, we recommend using an XML-aware editor such as XML Notepad or Notepad++.
    1. Comment out the Connector for protocol="HTTP/1.1":

      <!--
      <Connector SSLEnabled="false" compression="force" connectionTimeout="20000" port="3040" protocol="HTTP/1.1" scheme="http" secure="false"/>
      -->

    2. Add the following Connector, replacing the your-ca-path/filename, your-ca-password and your-keystore-type placeholders with values specific to your configuration:

      <Connector SSLEnabled="true" clientAuth="false" compression="force"
                 keystoreFile="your-ca-path/filename" keystorePass="your-ca-password"
                 keystoreType="your-keystore-type" maxHttpHeaderSize="32768" port="8443"
                 protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true"
                 sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"
                 ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"/>

    3. Uncomment and change redirectPort="8009" to redirectPort="8443" in the Connector for protocol="AJP/1.3".

    Note: Make sure port 8009 is available and not being used by another process on the system. You can run the following command from a Command Prompt to check the assigned ports:

    netstat -a | find "8009"

    If port 8009 is already in use and 'LISTENING', change 8009 to a different port, such as 8008.

  4. Save your changes to server.xml.
  5. Start the HelpSystems Insite Server to complete the configuration process.
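As an added check, not part of the HelpSystems documentation: the Python script below parses a server.xml Connector like the one above (a constructed sample with the placeholders still unreplaced) and reports settings worth fixing before the service is started: placeholder keystore values, the TLSv1 and TLSv1.1 entries in sslEnabledProtocols (both deprecated), and TLS_RSA_* ciphers that give no forward secrecy.

```python
# Added example (not HelpSystems' code): lint the HTTPS Connector in a Tomcat
# server.xml before starting the Insite service.
import xml.etree.ElementTree as ET

# Constructed sample: the page's HTTPS Connector with placeholders still in place,
# plus the AJP connector with redirectPort pointing at 8443.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
<Connector SSLEnabled="true" clientAuth="false" compression="force"
  keystoreFile="your-ca-path/filename" keystorePass="your-ca-password"
  keystoreType="JKS" maxHttpHeaderSize="32768" port="8443"
  protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true"
  sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"
  ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"/>
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
</Service></Server>"""

# Protocol versions that should no longer be offered to browsers.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def audit_connectors(xml_text):
    """Return (port, finding) tuples for every Connector with SSLEnabled="true"."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "?")
        # Placeholders copied from the documentation were never replaced.
        for attr in ("keystoreFile", "keystorePass", "keystoreType"):
            if conn.get(attr, "").startswith("your-"):
                findings.append((port, f"{attr} still holds the placeholder value"))
        # Anything older than TLS 1.2 is deprecated and should be removed.
        protos = {p.strip() for p in conn.get("sslEnabledProtocols", "").split(",") if p.strip()}
        for p in sorted(protos & DEPRECATED_PROTOCOLS):
            findings.append((port, f"deprecated protocol enabled: {p}"))
        # Static RSA key exchange: a leaked keystore key decrypts recorded traffic.
        for c in (c.strip() for c in conn.get("ciphers", "").split(",") if c.strip()):
            if c.startswith("TLS_RSA_"):
                findings.append((port, f"cipher without forward secrecy: {c}"))
        # scheme/secure must both say HTTPS or Tomcat builds wrong redirect URLs.
        if conn.get("scheme") != "https" or conn.get("secure", "false").lower() != "true":
            findings.append((port, "scheme/secure not set for an HTTPS connector"))
    return findings


if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE_SERVER_XML):
        print(f"port {port}: {finding}")
```

Point it at the real file with `audit_connectors(open(path).read())`; an empty list means none of the checks above fired.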

Accessing the Page

  • Change your browser links to use https (instead of http) and the correct port (8443):
    • https://insite-server-ip-address:8443/HelpSystems/#HelpSystems/Home
    • https://insite-server-domain-name:8443/HelpSystems/#HelpSystems/Home
    Whether to use the IP address or the domain name depends on the criteria required by your Certificate Authority.

Note: If you are using a self-signed certificate, your browser will warn you the certificate is invalid, indicate the page is a possible security threat, and may ask you to define an exception in order to access the page.

Troubleshooting

Should you run into issues, see below for possible solutions:

  • Check the firewall configuration on the server to make sure the Insite https port is allowed incoming connections (port 8443 in example server.xml).
  • On the Insite server system, check that "nslookup myserver.<domainname>.com" returns the correct IP address.
    • If it does not, then do A or B:
      • Have your server added to DNS by I.T.
      • Add the appropriate entry to the server's hosts file.
  • If the Insite server is hosted on a Windows system that is joined to <domainname>.com:
    • On the client system, check that "nslookup myserver.<domainname>.com" returns the correct IP address.
  • If the Insite server is not joined to the <domainname> domain, then on browser client systems the hosts file needs to be modified to include an entry for myserver.<domainname>.com:
    • Windows hosts file located at: c:\Windows\system32\Drivers\etc\hosts
    • *nix hosts file located at: /etc/hosts
    • Example entry for "myserver":
      • 10.60.10.56 myserver.<domainname>.com
  • After ensuring the above, navigate in browser to https://myserver.<domainname>:8443 and the connection should be secure without any browser warnings or adding certs to the client system.

Copyright © HelpSystems, LLC.
All trademarks and registered trademarks are the property of their respective owners.
3.00 | 201903200859 | March, 2019