Secure the OBS with a valid SSL certificate

How can I make Zimonitor accept our OBS SSL certificate?
We have an SSL certificate but it's not accepted by Zimonitor.

FAQ: How to setup strong SSL security on AhsayOBS (3214)

 

Article ID: 3214
Reviewed: 03/06/2015

Product Version:
AhsayOBS: Pre-7.3.2.0
OS: All platforms

Description:
This article provides instructions on how to set up strong SSL security on AhsayOBS.

This includes disabling SSLv3 because of vulnerabilities in the protocol (e.g. POODLE (Padding Oracle On Downgraded Legacy Encryption) and FREAK (Factoring RSA Export Keys)), as well as setting up a strong cipher suite list (e.g. disabling the DHE_EXPORT ciphers (Diffie-Hellman key exchange), which are susceptible to the Logjam vulnerability).

Steps:
To disable SSLv3, first ensure that your AhsayOBS server is patched to version 6.21.2.0 or above (disabling SSLv3 is supported only from version 6.21.2.0 onward):
 

  • For AhsayOBS upgraded from version pre-6.21.2.0, you can refer to the following KB article for instructions:
    https://forum.ahsay.com/viewtopic.php?f=22&t=10686
     
  • For new installation of AhsayOBS version 6.21.2.0 or above, SSLv3 is disabled by default.

Next, to disable all weak cipher suites on AhsayOBS (including the DHE_EXPORT ciphers):
 

  1. Edit the server.xml file found under ${Install-Home}\conf
     
    • Open 'server.xml' with a text editor:
       

      server.xml

      ...
         <Service name="Tomcat-Standalone">
            <Connector address="0.0.0.0" port="80" maxHttpHeaderSize="8192" socketBuffer="65536" maxThreads="500" ...
              minSpareThreads="50" maxSpareThreads="50" maxKeepAliveRequests="200" enableLookups="false" ...
              ...
            <Connector address="0.0.0.0" port="443" maxHttpHeaderSize="8192" socketBuffer="65536" maxThreads="500" ...
              minSpareThreads="50" maxSpareThreads="50" maxKeepAliveRequests="200" enableLookups="false" ...
              acceptCount="200" connectionTimeout="60000" disableUploadTimeout="true" URIEncoding="utf-8" ...
              ...
              sslProtocol="TLS" />
      ...

    • Update the HTTPS connector (port 443) by adding the ciphers attribute with the following value:

      ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,
      TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"
       

      server.xml (Updated)

      ...
         <Service name="Tomcat-Standalone">
            <Connector address="0.0.0.0" port="80" maxHttpHeaderSize="8192" socketBuffer="65536" maxThreads="500" ...
              minSpareThreads="50" maxSpareThreads="50" maxKeepAliveRequests="200" enableLookups="false" ...
              ...
            <Connector address="0.0.0.0" port="443" maxHttpHeaderSize="8192" socketBuffer="65536" maxThreads="500" ...
              minSpareThreads="50" maxSpareThreads="50" maxKeepAliveRequests="200" enableLookups="false" ...
              acceptCount="200" connectionTimeout="60000" disableUploadTimeout="true" URIEncoding="utf-8" ...
              ...
              sslProtocol="TLS" ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,
              TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,
              SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>
      ...

    • Save and exit from the text editor.
  2. Restart the AhsayOBS, AhsayRDR or AhsayRPS service by:
     
    • (Windows) [ Control Panel ] > [ Administrative Tools ] > [ Services ] > [ Ahsay Offsite Backup Server ]
       
    • (Linux) Run [ ${Install-Home}/bin/startup.sh ]
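
To check the result of step 1, the following added example (not part of the Ahsay article or product) parses a server.xml and classifies every suite on each HTTPS connector. The sample XML is constructed from the updated listing above, with a hypothetical port 8443 connector added to show a missing ciphers attribute. The "legacy" markers (RC4, 3DES, MD5) are this example's own stricter criteria, an assumption that goes beyond the export-grade suites the article targets.

```python
import xml.etree.ElementTree as ET

# Constructed sample based on the updated listing; the 8443 connector is hypothetical.
SAMPLE = """<Server><Service name="Tomcat-Standalone">
  <Connector address="0.0.0.0" port="80" />
  <Connector address="0.0.0.0" port="443" sslProtocol="TLS"
    ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,
             TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,
             SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>
  <Connector address="0.0.0.0" port="8443" sslProtocol="TLS" />
</Service></Server>"""

# Export-grade (FREAK/Logjam), no encryption, no authentication, single DES.
BROKEN = ("_EXPORT", "_NULL_", "_anon_", "_DES_")
# Assumed stricter policy: RC4 (prohibited by RFC 7465), 64-bit-block 3DES, MD5 MAC.
LEGACY = ("_RC4_", "_3DES_", "_MD5")


def classify(suite):
    """Return 'broken', 'legacy' or 'ok' for a JSSE cipher suite name."""
    if any(marker in suite for marker in BROKEN):
        return "broken"
    if any(marker in suite for marker in LEGACY):
        return "legacy"
    return "ok"


def audit(xml_text):
    """Return (port, suite, verdict) tuples for every TLS-enabled Connector."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("sslProtocol") is None and conn.get("SSLEnabled") != "true":
            continue  # plain HTTP connector, nothing to check
        port, ciphers = conn.get("port"), conn.get("ciphers")
        if ciphers is None:
            # No allow-list configured on this connector.
            findings.append((port, "<no ciphers attribute>", "unset"))
            continue
        for suite in (s.strip() for s in ciphers.split(",")):
            if suite:
                findings.append((port, suite, classify(suite)))
    return findings


if __name__ == "__main__":
    for port, suite, verdict in audit(SAMPLE):
        print(f"{port:>5}  {verdict:<7} {suite}")
```

To audit a real installation, pass the contents of the server.xml under ${Install-Home}\conf to audit() instead of SAMPLE.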

Keywords:
sslv3, SSL, https, http, v3, POODLE, poodle, freak, weak, cipher, ciphersuite, suite, key