Foglight for Virtualization 7.0 Standard uses Tomcat under the covers to serve the web interface. To replace the SSL certificate, follow the instructions below. I started with a password-protected PFX file that had the password foglight.

1. Copy the PFX file to the server to the /usr/local/tomcat/conf directory
2. Run the following to convert the PFX in to a Java keystore file, entering foglight for all password prompts: /usr/local/jre1.6.0_43/bin/keytool -importkeystore -srckeystore /usr/local/tomcat/conf/foglight.pfx -srcstoretype pkcs12 -destkeystore /usr/local/tomcat/conf/foglight.jks -deststoretype JKS
3. Open /usr/local/tomcat/conf/server.xml in your favourite editor

4. Replace the Connector section with SSL with the following:

   1 2 3 4 5 6 7 8 9 10

   <Connector server="VKernel" port="443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" SSLEnabled="true" keystoreFile="conf/foglight.jks" keystorePass="foglight" clientAuth="false" sslProtocol="TLS" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA" />

5. Restart Tomcat with service tomcat restart

After a restart, the web interface will now be using the new certificate.

For reference, the username and password for the appliance is vkernel/vkernel and the su password is password.

Comment and share

As of v45, Chrome is now blocking HTTPS sites with weak Diffie-Hellman public keys. Whilst this is good for everyone, it does cause certain things to stop working. Our Foglight for Virtualization Standard instance stopped working with Chrome and had to be fixed. Although this applies for Foglight, it can be used for any Tomcat 7 instance.

1. SSH in to the Foglight virtual machine. Default username is vkernel and password is vkernel also.
2. Change to root by typing su -. Default password is password.
3. Type nano /usr/local/tomcat/conf/server.xml to edit the Tomcat config file.
4. Under the HTTPS config section (starts with <Connector server="VKernel" port="443" maxHttpHeaderSize="8192" ....), you will find a cipher list like ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ....". Replace this with: ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
5. Press Ctrl + X and then y to save the file.
6. Type service tomcat stop then service tomcat start to reload the config file

You should now be able to access the site properly with Chrome v45+.

Comment and share