Using SSL with Canvas

Create your own keystore and SSL certificate
 

  1. Open a Command Line Window using Run As Administrator
  2. Use the cd command to change the directory to the conf directory where Canvas is installed:

    cd C:\CWAS\conf
     
  3. Create your own keystore containing a new 2048-bit RSA key pair (the Certificate Signing Request itself is generated in step 8). The alias (tomcat here) names the key pair inside the keystore and must be reused in step 8 and again when the signed certificate is imported; -genkey is the older spelling of -genkeypair and both are accepted:

    ..\jre\bin\keytool -genkey -alias tomcat -keyalg RSA -keystore canvas.keystore -keysize 2048
     
  4. Enter a keystore password and record it somewhere safe; it is needed again in steps 7 and 8, when importing the certificates, and in server.xml:

    Enter keystore password: 
     
  5. Enter the details for the certificate: 
     
    • First and last name (Common Name (CN)): Enter the hostname users will type to reach Canvas, e.g. canvas.mycompany.org, in the "first and last name" field. NOTE: the Common Name must match the URL people are going to use to access Canvas; otherwise browsers will warn about a name mismatch.
    • Organizational Unit (OU): This field is optional, but it helps identify certificates registered to an organization, e.g. the name of the department making the request.
    • Organization (O): The name of your company or organization; exclude special characters such as & or @ from the name.
    • Locality or City (L): The locality field is the city or town name, for example: New York.
    • State or Province (ST): Spell the name out completely; do not abbreviate the state or province name, for example: Florida
    • Country Name (C): Use the two-letter ISO 3166 code for the country, for example: US, AU, GB.
       
  6. Confirm that the details are correct, type 'y' and press <Enter>:

    Is CN=demo.cubewise.com, OU=Unknown, O=Cubewise, L=North Sydney, ST=New South Wales, C=AU correct? 
    [no]: y
     
  7. Press <Enter> so that the key password is the same as the keystore password from step 4 (Tomcat uses one password for both unless keyPass is set separately in server.xml):

    Enter key password for <tomcat>
    (RETURN if same as keystore password): [Enter]
     
  8. Generate a Certificate Signing Request (CSR) to submit to a Certificate Authority (CA) such as Symantec, Thawte, DigiCert, GeoTrust or Go Daddy:

    ..\jre\bin\keytool -certreq -alias tomcat -file canvas.csr -keystore canvas.keystore
     
  9. Enter the password you created in step 4:

    Enter keystore password: 
     
  10. Follow the steps of your Certificate Authority to purchase a new certificate using the canvas.csr file that was created in the previous step.

    NOTE: The canvas.csr file will be in the conf directory where Canvas is installed
     
  11. Make a backup copy of canvas.keystore now. It holds the private key that matches the CSR; if an import goes wrong you can start again from the backup instead of generating a new key and buying a new certificate.


Import Your X.509 Certificate into the Key Store
 

  1. Open a Command Line Window using Run As Administrator
  2. Use the cd command to change the directory to the conf directory where Canvas is installed

    cd C:\CWAS\conf
     
  3. Import any root/intermediate certificate(s) supplied by your Certificate Authority. These must be imported BEFORE your own certificate; otherwise keytool cannot build the chain:
     
    1. Save the root/intermediate certificates to the conf directory, e.g. root.cer
    2. Execute the following once per certificate, changing the -alias and -file options each time (every certificate needs its own alias):

      ..\jre\bin\keytool -import -trustcacerts -alias root -keystore canvas.keystore -file root.cer
       
    3. Enter the keystore password from above, answer yes when asked whether to trust the certificate, and press Enter
       
  4. Import your actual certificate (the CA's reply to the CSR) into the key store:
     
    1. Save the certificate to the conf directory, e.g. canvas.cer.
    2. Execute the following. The alias must be the one used when the key pair was created in the previous section (tomcat), so that keytool attaches the certificate to that private key instead of creating a separate trusted-certificate entry:

      ..\jre\bin\keytool -import -trustcacerts -alias tomcat -keystore canvas.keystore -file canvas.cer
       
    3. Enter the keystore password from above and press Enter
       
  5. If you see "Certificate reply was installed in keystore", the certificate has been successfully installed in the keystore.

    If you instead receive the error "keytool error: java.lang.Exception: Failed to establish chain from reply", keytool could not link your certificate to a trusted root: install the intermediate certificate(s) from your Certificate Authority (step 3) and then repeat step 4.
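The two sections above (key pair and CSR, then chain and certificate import) as one non-interactive PowerShell script, with a check of the result at the end. This is an added example, not a script shipped with Canvas or taken from the original page. It follows the page's paths (C:\CWAS and its bundled JRE) and file names (canvas.keystore, canvas.csr, root.cer, canvas.cer); the hostname, the organization details in $DName and the intermediate.cer file name are placeholders to replace with your own values.

```powershell
# Added example, not part of the Canvas documentation. Assumptions: Canvas in
# C:\CWAS with its own JRE; hostname, DName and intermediate.cer are placeholders.
$CanvasHome = 'C:\CWAS'
$Keytool    = Join-Path $CanvasHome 'jre\bin\keytool.exe'
$Conf       = Join-Path $CanvasHome 'conf'
$Keystore   = Join-Path $Conf 'canvas.keystore'
$Alias      = 'tomcat'                 # key-pair alias; reused for the CSR and for the CA reply
$HostName   = 'canvas.mycompany.org'   # placeholder: the name users will type in the browser
$DName      = "CN=$HostName, OU=IT, O=My Company, L=New York, ST=New York, C=US"   # placeholder

function Invoke-Keytool {
    # Runs keytool with the keystore password taken from the KSPASS environment
    # variable, so it is neither typed interactively nor visible on the command line.
    param([string[]]$KeytoolArgs)
    $output = & $Keytool @KeytoolArgs '-keystore' $Keystore '-storepass:env' 'KSPASS' 2>&1 |
        ForEach-Object { "$_" }
    if ($LASTEXITCODE -ne 0) { throw "keytool $($KeytoolArgs[0]) failed:`n$($output -join "`n")" }
    $output -join "`n"
}

function Read-KeystorePassword {
    $secure = Read-Host -Prompt 'Keystore password' -AsSecureString
    $env:KSPASS = [System.Net.NetworkCredential]::new('', $secure).Password
}

function New-CanvasCsr {
    # Steps 3-8: key pair plus CSR. The SAN extension is added because browsers
    # match the hostname against the SAN, not the CN; the CSR carries it to the CA.
    Read-KeystorePassword
    try {
        if (Test-Path $Keystore) { Copy-Item $Keystore "$Keystore.bak" -Force -ErrorAction Stop }
        Invoke-Keytool @('-genkeypair', '-alias', $Alias, '-keyalg', 'RSA', '-keysize', '2048',
                         '-dname', $DName, '-ext', "SAN=DNS:$HostName", '-keypass:env', 'KSPASS') | Out-Null
        Invoke-Keytool @('-certreq', '-alias', $Alias, '-ext', "SAN=DNS:$HostName",
                         '-file', (Join-Path $Conf 'canvas.csr')) | Out-Null
        "CSR written to $(Join-Path $Conf 'canvas.csr'); submit it to the CA, then run Import-CanvasCertificate"
    } finally { Remove-Item Env:\KSPASS -ErrorAction SilentlyContinue }
}

function Import-CanvasCertificate {
    # Import section: CA chain first, each under its own alias, then the reply
    # under the key-pair alias so that keytool attaches it to the private key.
    Read-KeystorePassword
    try {
        Copy-Item $Keystore "$Keystore.bak" -Force -ErrorAction Stop      # step 11 backup
        $chain = @(@{ Alias = 'root';         File = 'root.cer' },
                   @{ Alias = 'intermediate'; File = 'intermediate.cer' })   # placeholder file names
        foreach ($c in $chain) {
            Invoke-Keytool @('-importcert', '-trustcacerts', '-noprompt', '-alias', $c.Alias,
                             '-file', (Join-Path $Conf $c.File)) | Out-Null
        }
        Invoke-Keytool @('-importcert', '-trustcacerts', '-alias', $Alias,
                         '-file', (Join-Path $Conf 'canvas.cer')) | Out-Null

        # Check: the alias must be a private-key entry whose chain holds the leaf
        # plus at least one CA certificate, and the SAN must name the hostname.
        $listing = Invoke-Keytool @('-list', '-v', '-alias', $Alias)
        if ($listing -notmatch 'Entry type: PrivateKeyEntry') { throw "$Alias is not a private key entry" }
        $chainLength = [int][regex]::Match($listing, 'Certificate chain length: (\d+)').Groups[1].Value
        if ($chainLength -lt 2) { throw "chain length is $chainLength: the CA reply was not attached" }
        if ($listing -notmatch "DNSName: $([regex]::Escape($HostName))") { Write-Warning "SAN does not list $HostName" }
        "OK: $Alias holds a $chainLength-certificate chain for $HostName"
    } finally { Remove-Item Env:\KSPASS -ErrorAction SilentlyContinue }
}
```

Run New-CanvasCsr first, send canvas.csr to the CA, save the reply and the CA's chain files into conf, then run Import-CanvasCertificate. The password is passed with keytool's -storepass:env and -keypass:env modifiers so that it never appears in the shell history or the process command line; the final -list check catches the two usual mistakes, a reply imported under a different alias (which shows up as a trustedCertEntry, not a PrivateKeyEntry) and a missing intermediate (chain length 1).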

Update the Connector Settings for the New Key Store

  1. Open conf/server.xml (in the Canvas install directory)

Add the following Connector inside the <Service> element, before the <Engine> element:

    <!-- Define an SSL Coyote HTTP/1.1 Connector on port 8443 -->
    <Connector
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="C:/CWAS/conf/canvas.keystore" keystorePass="password"
           clientAuth="false" sslProtocol="TLS"
           URIEncoding="UTF-8"
           compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,application/json"
           compression="on"
           compressionMinSize="2048"
    />

You can choose a different port number; in this example we are using 8443. Replace "password" with the keystore password from step 4. Because server.xml then holds that password in clear text, restrict the file (and canvas.keystore) so that only administrators and the account running the Cubewise Application Server service can read them. sslProtocol="TLS" on its own still allows every protocol version the JRE has enabled; add sslEnabledProtocols="TLSv1.2" (and TLSv1.3 where the JRE supports it) to the Connector to refuse TLS 1.0 and 1.1. Note also that compressing responses over TLS exposes the BREACH attack on pages that reflect attacker-controlled input next to a secret such as a session or CSRF token; turn compression="off" if that applies to your deployment.

The server.xml file should look like this:

Finally, restart the Cubewise Application Server service; Canvas should now be reachable on the new port, 8443 in this example:

  • https://localhost:8443/samples

Expect a name-mismatch warning from the browser when using localhost, because the certificate was issued for the Common Name entered in step 5; opening https://canvas.mycompany.org:8443/samples (with your own hostname from step 5) from another machine shows what users will actually see.
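A post-restart check of the listener from the client side, as an added example that is not part of the Canvas documentation. It opens a TLS connection to the new port with .NET's SslStream and reports the negotiated protocol, the names in the certificate, its expiry and the Windows chain verdict, then confirms that a client offering only TLS 1.0 is refused. $HostName and $Port are assumptions; use the values you entered in step 5 and in server.xml.

```powershell
# Added example, not part of the Canvas documentation. $HostName and $Port are
# assumptions; replace them with the hostname from step 5 and the Connector port.
$HostName = 'canvas.mycompany.org'
$Port     = 8443

function Connect-CanvasTls {
    param([string]$HostName, [int]$Port,
          [System.Security.Authentication.SslProtocols]$Protocols)
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    # Accept the handshake whatever the chain looks like and record the verdict,
    # so that a broken chain is reported below instead of aborting the check.
    $validator = {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $script:PolicyErrors = $sslPolicyErrors
        $script:ChainLength  = $chain.ChainElements.Count
        return $true
    }
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $validator)
    try {
        $ssl.AuthenticateAsClient($HostName, $null, $Protocols, $false)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{
            Protocol     = $ssl.SslProtocol
            Subject      = $cert.Subject
            DnsNames     = @($cert.DnsNameList.Unicode)   # SAN entries (PowerShell extended property)
            NotAfter     = $cert.NotAfter
            PolicyErrors = $script:PolicyErrors          # None means chain and name checked out
            ChainLength  = $script:ChainLength
        }
    } finally {
        $ssl.Dispose()
        $tcp.Dispose()
    }
}

$result = Connect-CanvasTls -HostName $HostName -Port $Port -Protocols Tls12
$result | Format-List

if ($result.PolicyErrors -ne 'None') {
    Write-Warning "Windows rejected the certificate: $($result.PolicyErrors) (missing intermediate, wrong name or untrusted root)"
}
if ($result.DnsNames -notcontains $HostName) {
    Write-Warning "Certificate does not name $HostName in its SAN; browsers warn even when the CN matches"
}
if ($result.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($result.NotAfter)"
}

# A client offering only TLS 1.0 must be turned away; success here means the
# Connector still needs sslEnabledProtocols="TLSv1.2".
try {
    $legacy = Connect-CanvasTls -HostName $HostName -Port $Port -Protocols Tls
    Write-Warning "Server still negotiates $($legacy.Protocol)"
} catch {
    "TLS 1.0 refused: $($_.Exception.Message)"
}
```

Two caveats when reading the output: Windows can fetch a missing intermediate itself through the certificate's AIA URL, so PolicyErrors of None and a full ChainLength do not prove that the server sent the intermediate (the keytool -list chain length from the import section is the authoritative check for that); and on a client where the operating system has already disabled TLS 1.0, the final handshake fails on the client side regardless of what the server allows.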