Trend Micro recommends that you establish a secure connection (HTTPS) to the InterScan Web Security Virtual Appliance (IWSVA) management console. IWSVA uses the Tomcat Web server; to set up the HTTPS connection you will need to create a new keystore that contains a single self-signed certificate using the keytool command-line utility included with IWSVA.
Notes:
1. If you have Access Control Settings enabled, add the HTTPS port to the list of accessible HTTPS ports (see below).
2. If you are using IWSVA with one or more Damage Cleanup Service servers, see below for important configuration information.
1. Open a terminal and change to the following directory:
/etc/iscan/AdminUI/jre/bin
2. Type the following and press Enter:
./keytool -genkey -alias tomcat -keyalg RSA -keystore ./mykeystore
3. Follow the on-screen instructions; specify your own unique password when prompted for a password. The file mykeystore is generated in the current working directory.
4. Put the mykeystore file into the proper directory.
   - If you have only one IWSVA server using the keystore file for encryption, then from the computer used to open the Web Console, copy the mykeystore file into the Tomcat base directory, renaming it mykeystore.tmp:
     cp /etc/iscan/AdminUI/jre/bin/mykeystore /etc/iscan/AdminUI/tomcat/mykeystore.tmp
     Proceed to step 7.
   - If you have several IWSVA servers using the same keystore file for encryption, then copy the mykeystore file from the local computer that you are using to the IWSVA console. Proceed to step 5.
5. From the Administration > Network Configuration > Web Console page, select the SSL mode option and then click Browse to locate the keystore file on the local computer.
6. Click Upload to upload the mykeystore file. The file is copied to /etc/iscan/AdminUI/tomcat/mykeystore.tmp on the server machine. You can use the same mykeystore file for encryption on several machines using this method.
7. From the Administration > Network Configuration > Web Console page, enter the SSL password used to create the mykeystore file.
8. Enter the port number you wish to use for the SSL connection and then save this information.
The IWSVA Web Console redirects you to the correct port number and then the Login page opens in the Web Console.
If the IWSVA Web Console does not redirect you to the correct port number, then complete the remaining steps.
Go to URL https://hostname:port and specify the correct port.
After setting up HTTPS access, rather than using http://<IWSVA server>:1812, use the following URL (and port) to open the IWSVA console:
https://<iwsva server>:8443
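The keytool command in the procedure does not set a key size or signature algorithm, so the result depends on the defaults of the bundled JRE and is worth checking before the keystore is copied or uploaded. The script below is an added example, not Trend Micro code: it audits `keytool -list -v` output for the single self-signed `tomcat` entry the procedure is meant to produce. The function names and sample listings are constructed for illustration, and the field labels are assumed to match current JDK keytool builds.

```shell
# Added example: audit `keytool -list -v` output for the keystore created above.
# On the appliance, from /etc/iscan/AdminUI/jre/bin (prompts for the password):
#   ./keytool -list -v -keystore ./mykeystore | check_keystore_listing
# Assumption: field labels as printed by current JDK keytool builds. An older
# bundled keytool may omit the key-size line; that is reported, not ignored.

# Reads a listing on stdin, prints one FAIL line per finding, returns 0 if none.
check_keystore_listing() {
    awk '
        /^Alias name: /  { entries++; alias = $3 }
        /^Entry type: /  { etype = $3 }
        /^Owner: /       { owner = substr($0, 8) }
        /^Issuer: /      { issuer = substr($0, 9) }
        /^Signature algorithm name: /     { sig = $4 }
        /^Subject Public Key Algorithm: / { bits = $5 + 0; seen_bits = 1 }
        END {
            if (entries != 1)       bad("expected exactly 1 entry, found " (entries + 0))
            if (alias != "tomcat")  bad("alias is \"" alias "\", expected \"tomcat\"")
            if (etype != "PrivateKeyEntry") bad("entry has no private key: " etype)
            if (owner != issuer)    bad("certificate is not self-signed")
            if (sig ~ /^(MD5|SHA1)with/) bad("weak signature algorithm: " sig)
            if (!seen_bits)         bad("key size not shown; check it another way")
            else if (bits < 2048)   bad("RSA key is only " bits " bits")
            exit (nfail > 0)
        }
        function bad(msg) { print "FAIL: " msg; nfail++ }
    '
}

# Constructed sample listing (not captured from a real appliance).
sample_good() {
    cat <<'EOF'
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 1
Owner: CN=iwsva.example.test, O=Example
Issuer: CN=iwsva.example.test, O=Example
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
EOF
}

# Same constructed listing with a weak key and signature, as a negative case.
sample_weak() {
    sample_good | sed -e 's/SHA256withRSA/SHA1withRSA/' -e 's/2048-bit/1024-bit/'
}

sample_good | check_keystore_listing && echo "keystore listing OK"
sample_weak | check_keystore_listing || echo "regenerate the keystore before use"
```

If the check reports a short key or weak signature, regenerate the keystore with keytool's `-keysize` and `-sigalg` options set explicitly instead of relying on the defaults.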
Enable HTTPS Connection to the IWSVA Console
Redirect Clients to DCS When IWSVA is using HTTPS