2.5. Running NetSpyGlass via encrypted HTTP connection

The URL used by the UI backend is set in the configuration parameter ui.url. The choice between the http and https protocols is determined by the protocol specified in the URL. To activate SSL, configure the URL like this:

ui {
    url = "https://localhost:9100"
}

2.5.1. Keystore

SSL requires keys, which are stored in the keystore. The keystore is located in the file ${home}/etc/keystore, where ${home} is the NetSpyGlass home directory set via the configuration parameter “home”.

You need to create the keystore before you can start NetSpyGlass in SSL mode. To do this, use the following command (it must be executed with the NetSpyGlass home as the current directory):

keytool -keystore etc/keystore -alias netspyglass -genkey -keyalg RSA

Keytool is part of the standard JRE distribution and should be installed in the same directory where your Java interpreter is.

This tool will ask you several questions, including the password for the keystore. The session looks like this:

/var/tmp/nw2 > keytool -keystore etc/keystore -alias netspyglass -genkey -keyalg RSA
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]:  dev1.happygears.net
What is the name of your organizational unit?
[Unknown]:  Eng
What is the name of your organization?
[Unknown]:  Happygears
What is the name of your City or Locality?
[Unknown]:  Los Gatos
What is the name of your State or Province?
[Unknown]:  CA
What is the two-letter country code for this unit?
[Unknown]:  US
Is CN=dev1.happygears.net, OU=Eng, O=Happygears, L=Los Gatos, ST=CA, C=US correct?
[no]:  yes
Enter key password for <jetty>
(RETURN if same as keystore password):

Once the keystore is created, you need to add the keystore password to the configuration. First, run the script nsgpasswd.sh to get the password in obfuscated format. This script takes two parameters on the command line: the first is the user name and the second is the password to obfuscate. We don't need a user name for the keystore password, so we can pass any word in its place, but the second argument should be your keystore password. Here is what this command looks like (I am using ‘test1234’ as a password in this example):

./nsgpasswd.sh x test1234
2014-10-16 17:04:59,103 INFO [Log                       ] Logging initialized @70ms
test1234
OBF:1mf31j8x1lts1ltu1lq41lq61j651mbj
MD5:16d7a4fca7442dda3ad93c9a726597e4
CRYPT:k.PbUrWl3ZCTs

Only the clear text or obfuscated (OBF:) version of the password can be used in the config. Copy the obfuscated string and paste it into the configuration file as the parameter ui.ssl.keystorePassword, like so:

ui {
    url = "https://0.0.0.0:9101/"

    ssl {
        keystorePassword = "OBF:1mf31j8x1lts1ltu1lq41lq61j651mbj"
        certificateAlias = "netspyglass"
    }
}

Now you should be able to start the UI backend server with SSL support. As usual, watch the log file logs/errors.log for errors.
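
The obfuscated form stored in ui.ssl.keystorePassword is an encoding of the password, not an encrypted value. The following is an added example, not NetSpyGlass or Jetty code: it reimplements the encoding in Python and reproduces the OBF: string shown above for ‘test1234’. It assumes nsgpasswd.sh uses the same OBF scheme as Jetty's Password utility; the function names are illustrative.

```python
# Added example: the "OBF:" encoding, assuming nsgpasswd.sh uses the same
# scheme as Jetty's Password utility. Only ASCII passwords are handled here.
DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"

# Value printed for 'test1234' in the sample nsgpasswd.sh output on this page.
PAGE_OBF = "OBF:1mf31j8x1lts1ltu1lq41lq61j651mbj"


def to_base36(n: int) -> str:
    """Lower-case base-36 representation of a non-negative integer."""
    out = ""
    while True:
        n, r = divmod(n, 36)
        out = DIGITS[r] + out
        if n == 0:
            return out


def obfuscate(password: str) -> str:
    """Encode an ASCII password; each byte is paired with its mirror byte."""
    data = password.encode("utf-8")
    if any(b > 127 for b in data):
        raise ValueError("only ASCII passwords are handled in this example")
    chunks = []
    for i, b1 in enumerate(data):
        b2 = data[len(data) - 1 - i]      # byte at the mirrored position
        i1 = 127 + b1 + b2                # sum of the pair, offset by 127
        i2 = 127 + b1 - b2                # difference of the pair, offset by 127
        chunks.append(to_base36(i1 * 256 + i2).rjust(4, "0"))
    return "OBF:" + "".join(chunks)


def config_value_matches(config_value: str, password: str) -> bool:
    """Check a pasted keystorePassword value against the intended password."""
    if config_value.startswith("OBF:"):
        return config_value == obfuscate(password)
    return config_value == password       # clear-text form


if __name__ == "__main__":
    print(obfuscate("test1234"))
```

The output depends only on the password, with no key involved, so the OBF: string should be protected like the clear-text password: restrict read access to the configuration file and to etc/keystore.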