Adding SSL to ServiceDesk
One of this year’s short-term projects was getting our installation of ServiceDesk Plus set up with SSL. I had an opportunity to do this last night with a cheap SSL cert from GoDaddy ($25 for a 2-year cert…can’t argue with that), so I thought I’d go through the process here in case anyone wants to go this route, or in case I ever need to go this route a second time.
- cd to <ServiceDesk_Home>\jre\bin (if you’re running Windows, ServiceDesk_Home will commonly be C:\AdventNet\ME\ServiceDesk)
- Generate your keystore:
| keytool -genkey -alias <your_alias_name> -keyalg RSA -keystore sdp.keystore |
Note: Your alias can be whatever you want it to be, just be sure to remember what it is because you’ll need to reference it later. For simplicity’s sake, we’ll name the alias domain.com for now.
When you create your keystore, you’ll get a few prompts along the way. A couple of them are worth talking about:
Enter keystore password: Put a password here. This will allow the Tomcat web server to access your keystore.
What is your first and last name? DON’T put your first and last name here. This is actually where your common name (CN) goes. As always with common names, use the EXACT FQDN that your users will type to access your site. (servicedesk.domain.com)
The rest of the prompts will be standard SSL questions — organizational unit, organization name, city, state, and country.
- Next, you need to generate the CSR:
| keytool -certreq -keyalg RSA -alias <your_alias_name> -file certreq.csr -keystore sdp.keystore |
This will generate a CSR and put the file in <ServiceDesk_Home>\jre\bin. Use that CSR to get your cert from GoDaddy. Make sure you select ‘Tomcat’ as your web server when downloading your certificate.
The ZIP file that contains your certificate will also contain three other files:
gd_bundle.crt – GoDaddy bundle certificate (we won’t be using this)
gd_cross_intermediate.crt – GoDaddy cross-intermediate certificate
gd_intermediate.crt – GoDaddy intermediate certificate
servicedesk.domain.com.crt – The SSL certificate for your server
You’re also going to need GoDaddy’s root certificate. I used the Legacy ValiCert root certificate and had zero problems. You can get it here. Now we’re ready to start importing certificates.
- Import your root certificate:
| keytool -import -alias root -keystore sdp.keystore -trustcacerts -file valicert_class2_root.cer |
- Import your cross intermediate certificate:
| keytool -import -alias cross -keystore sdp.keystore -trustcacerts -file gd_cross_intermediate.crt |
- Import your intermediate certificate:
| keytool -import -alias intermed -keystore sdp.keystore -trustcacerts -file gd_intermediate.crt |
- Finally, import your server’s SSL certificate:
| keytool -import -alias <your_alias_name> -keystore sdp.keystore -trustcacerts -file servicedesk.domain.com.crt |
- Move the sdp.keystore file you created from <ServiceDesk_Home>\jre\bin to <ServiceDesk_Home>\server\default\conf
- cd to <ServiceDesk_Home>\bin and run the following command to change the port and protocol that ServiceDesk’s web server runs on:
| changeWebServerPort.bat 443 https |
- Finally, fire up your favorite text editor and open <ServiceDesk_Home>\server\default\deploy\jbossweb-tomcat50.sar\server.xml. Find the single occurrence of “keystorepass” and change its value to the password you used when you created your keystore.
- Restart your ServiceDesk Plus installation.
That should be it. Open up a web browser and go to the FQDN of your ServiceDesk server (don’t forget your https://). You should get your login page without any certificate prompts. Congratulations!
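If the browser still shows a certificate warning, a common cause is that the server certificate was imported under a different alias than the key pair, which leaves the self-signed certificate in place. The script below is an added example, not part of the original post: it parses the text printed by `keytool -list -v -keystore sdp.keystore` and reports whether the alias holds a private key with a CA chain and the expected CN. The function name, the sample listing and the assumption that keytool prints its labels in English are mine.

```python
import re
import sys

# Constructed, trimmed sample of `keytool -list -v -keystore sdp.keystore`
# output (not from a real server; remaining chain certificates omitted).
SAMPLE = """\
Alias name: domain.com
Entry type: PrivateKeyEntry
Certificate chain length: 4
Certificate[1]:
Owner: CN=servicedesk.domain.com, OU=IT, O=Example, L=City, ST=State, C=US
Issuer: CN=Example Issuing CA, O=Example CA

Alias name: root
Entry type: trustedCertEntry

Owner: CN=Example Root, O=Example CA
Issuer: CN=Example Root, O=Example CA
"""

def check_keystore(listing, alias, fqdn):
    """Return a list of problems with the entry for `alias` (empty = OK)."""
    entries = {}
    for block in re.split(r"(?m)^Alias name: ", listing)[1:]:
        name, _, body = block.partition("\n")
        entries[name.strip().lower()] = body  # JKS aliases are case-insensitive
    body = entries.get(alias.lower())
    if body is None:
        return ["alias %r not found in keystore" % alias]
    problems = []
    etype = re.search(r"(?m)^Entry type: (\S+)", body)
    # Assumption: older keytool versions print keyEntry, newer PrivateKeyEntry.
    if not etype or etype.group(1) not in ("PrivateKeyEntry", "keyEntry"):
        problems.append("entry holds no private key (certificate only)")
    chain = re.search(r"(?m)^Certificate chain length: (\d+)", body)
    if not chain or int(chain.group(1)) < 2:
        problems.append("no CA chain attached to the key")
    owner = re.search(r"(?m)^Owner: (.*)$", body)
    issuer = re.search(r"(?m)^Issuer: (.*)$", body)
    cn = re.search(r"CN=([^,]+)", owner.group(1)) if owner else None
    if not cn or cn.group(1).strip().lower() != fqdn.lower():
        problems.append("certificate CN does not match %s" % fqdn)
    if owner and issuer and owner.group(1).strip() == issuer.group(1).strip():
        problems.append("first certificate is self-signed")
    return problems

if __name__ == "__main__":
    # With two arguments (alias, FQDN) the keytool listing is read from stdin.
    live = len(sys.argv) == 3
    text = sys.stdin.read() if live else SAMPLE
    args = sys.argv[1:3] if live else ["domain.com", "servicedesk.domain.com"]
    print(check_keystore(text, *args) or "keystore entry looks correct")
```

Run it against the keystore before restarting ServiceDesk Plus; an empty result means the alias carries the private key, the CA chain and the right common name.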
One little extra I did on our ServiceDesk installation was to install IIS on the server and have it answer port 80 and forward it to https://servicedesk.ourdomain.com … that way I don’t have to tell users to remember their https, thus making the change as transparent as possible.
I hope this works for anyone who decides to use it.