
SSL configuration guide

www.exchangereporterplus.com
Overview of Exchange Reporter Plus
Exchange Reporter Plus is a web-based reporting, change auditing, monitoring and content search
tool for Exchange Server, Exchange Online, and Skype for Business. It features more than 450 reports
on various Exchange entities such as mailboxes, mail traffic, public folders, OWA, and ActiveSync,
along with usage and configuration details about Skype for Business Server.

Why do you need SSL?


The purpose of this document is to help you configure SSL certification in Exchange Reporter Plus.
SSL certification protects all the sensitive information sent between users' browsers and the
Exchange Reporter Plus server by encrypting and transmitting the information through a secure channel.

Exchange Reporter Plus is web-based software, so it's important to secure the communication
between the browser and the solution's server. SSL is the standard security technology for establishing
an encrypted, secure channel for communication between browsers and servers, and it is used to
secure Exchange Reporter Plus' communication, too. This document explains in detail:

Step 1: Enabling SSL in Exchange Reporter Plus

Step 2: Creating a CSR file and submitting it to a certificate authority

A. Creating a KEYSTORE file

B. Creating a CSR (certificate signing request) file

C. Adding the certificate authority-signed certificate to the keystore

Step 3: Associating Exchange Reporter Plus with the signed certificate

Step 1: Enabling SSL in Exchange Reporter Plus
1. Log in to Exchange Reporter Plus with admin credentials.

2. Go to Settings > Admin > General Settings > Product Settings.

3. Under Connection Settings, check the Enable SSL Port [https] box.

4. Enter a different port number (only if required).

5. To Encrypt the Keystore Password, select the checkbox and enter the password to be encrypted.

6. Click Save.

7. Restart Exchange Reporter Plus.

Step 2: Creating a CSR file and submitting it to a certificate authority
Exchange Reporter Plus uses a Tomcat server, for which specific keystore and CSR files need to be
created before requesting certificates from a certifying authority. Follow the steps below:

A. Creating a KEYSTORE file

1. Open Command Prompt.

2. Navigate to the <installation directory>\jre\bin folder, and execute the following command:
keytool -genkey -alias tomcat -keypass <your key password> -keyalg RSA -validity 1000 -keystore <keystore_name>.keystore

3. After executing the above command, you will be prompted to answer the following questions:

a. Enter the keystore password. (Enter the key password you used in the above command or
use plain characters like changeit instead.)

b. What is your first and last name? (You can either provide the machine name or the fully
qualified domain name (FQDN) of the server hosting Exchange Reporter Plus here.)

c. What is the name of your organizational unit?

d. What is the name of your organization?

e. What is the name of your City or Locality?

f. What is the name of your State or Province?

g. What is the two-letter country code for this unit?

Once you have answered these questions, confirm that the entered information is correct so that
the keystore file is created.

B. Creating a CSR (certificate signing request) file

1. Open Command Prompt.

2. Navigate to the <installation directory>\jre\bin folder, and execute the following command:
keytool -certreq -alias tomcat -keyalg RSA -keystore <keystore_name>.keystore -file <csr_name>.csr

Note: The CSR file should be submitted to the certifying authority (CA) to receive CA-signed
certificate files. Refer to the steps given in Appendix A to request a certificate from an internal CA.

C. Adding a certificate authority-signed certificate to the keystore

Note: To add the CA-signed SSL certificates to the keystore, use the instructions listed for the specific
vendors below. These instructions might change depending on the certificate issued by the CA.
Please ensure you replace the example values given inside < >.

1. Download and unzip the certificate files provided by your CA.

2. Open an elevated Command Prompt and navigate to the <installation directory>\jre\bin folder.

(By default: C:\ManageEngine\Exchange Reporter Plus\jre\bin.)

3. To import the certificate into a .keystore file, run the commands from the list given below
(as applicable to your CA):

A. If your CA is GoDaddy

B. If your CA is Verisign

C. If your CA is Comodo

Adding signed certificate for certifying authority: GoDaddy

i. keytool -import -alias root -keystore <Keystore_Name>.keystore -trustcacerts -file gd_bundle.crt

ii. keytool -import -alias cross -keystore <Keystore_Name>.keystore -trustcacerts -file gd_cross_intermediate.crt

iii. keytool -import -alias intermediate -keystore <Keystore_Name>.keystore -trustcacerts -file gd_intermediate.crt

iv. keytool -import -alias <Alias Specified when creating the Keystore> -keystore <Keystore_Name>.keystore -trustcacerts -file <CertificateName>.crt

Adding signed certificate for certifying authority: Verisign

i. keytool -import -alias intermediateCA -keystore <Keystore_Name>.keystore -trustcacerts -file <your_intermediate_certificate_name>.cer

ii. keytool -import -alias <Alias Specified when creating the Keystore> -keystore <Keystore_Name>.keystore -trustcacerts -file <CertificateName>.cer

Adding signed certificate for certifying authority: Comodo

i. keytool -import -trustcacerts -alias root -file AddTrustExternalCARoot.crt -keystore <Keystore_Name>.keystore

ii. keytool -import -trustcacerts -alias addtrust -file UTNAddTrustServerCA.crt -keystore <Keystore_Name>.keystore

iii. keytool -import -trustcacerts -alias ComodoUTNServer -file ComodoUTNServerCA.crt -keystore <Keystore_Name>.keystore

iv. keytool -import -trustcacerts -alias essentialSSL -file essentialSSLCA.crt -keystore <Keystore_Name>.keystore

v. keytool -import -trustcacerts -alias <Alias Specified when creating the Keystore> -file <Certificate-Name>.crt -keystore <Keystore_Name>.keystore

Step 3: Associating Exchange Reporter Plus with the signed certificate
Based on whether the certificate is for a single domain or a multi-domain/wildcard certificate, the
steps may vary.

a. For a single-domain SSL certificate

b. For a multi-domain or wildcard certificate

A. For a single-domain SSL certificate

Note: If your certificate is in CER, CRT, PEM, or any other format, convert it to the P7B format first,
and then proceed with installation. Refer to Appendix B to learn how to convert certificates to P7B
format.

Steps to install the P7B certificate in Exchange Reporter Plus

1. Place the P7B file in <installation directory>\jre\bin. (By default: C:\ManageEngine\Exchange Reporter Plus\jre\bin.)

2. Open an elevated Command Prompt and navigate to <installation directory>\jre\bin.

3. Execute the following command:
keytool -import -alias tomcat -trustcacerts -file cert.p7b -keystore <certificate_file_name>.keystore

4. Copy the keystore file to: <installation directory>\conf (by default: C:\ManageEngine\Exchange
Reporter Plus\conf).

5. Back up the server.xml file at <installation directory>\conf.

6. Edit the server.xml file by replacing the values of the following attributes of the SSL Connector
tag at the bottom of the file:

keystoreFile with ./conf/.keystore and

keystorePass with the password you entered during the CSR generation.

For example:
<Connector SSLEnabled="true" acceptCount="100" clientAuth="false"
connectionTimeout="20000" debug="0" disableUploadTimeout="true" enableLookups="false"
keystoreFile="./conf/<certificate_file_name>.keystore" keystorePass="<password>"
maxSpareThreads="75" maxThreads="150" minSpareThreads="25" name="SSL" port="9251"
scheme="https" secure="true" sslProtocol="TLS" sslProtocols="TLSv1,TLSv1.1,TLSv1.2"/>

7. Save the changes.

8. Restart Exchange Reporter Plus. If you are able to view the Exchange Reporter Plus login console
without any warning from the browser, you have successfully installed your SSL certificate in
Exchange Reporter Plus.

B. For a multi-domain or wildcard certificate

1. Copy the PFX/PKCS12 certificate file and paste it under the path <installation directory>\conf.
(By default: C:\ManageEngine\Exchange Reporter Plus\conf.)

2. Open the server.xml file (present in <installation directory>\conf) in a text editor of your choice.
Go to the end of the XML file, and search for the Connector tag that starts with <Connector
SSLEnabled="true" .../>.

3. Now, edit the following values inside that Connector tag:

keystoreFile="./conf/<certificate_file_name.pfx>"
keystorePass="<password>"
keystoreType="PKCS12"

For example:
<Connector SSLEnabled="true" acceptCount="100" clientAuth="false"
connectionTimeout="20000" debug="0" disableUploadTimeout="true" enableLookups="false"
keystoreFile="./conf/<certificate_file_name>.pfx" keystorePass="PASSWORD" keystoreType="PKCS12"
maxSpareThreads="75" maxThreads="150" minSpareThreads="25" name="SSL" port="443"
scheme="https" secure="true" sslProtocol="TLS"/>

4. Restart Exchange Reporter Plus. If you are able to view the Exchange Reporter Plus login console
without any warning from the browser, you have successfully installed your SSL certificate in
Exchange Reporter Plus.
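
A check to run on the edited SSL Connector from sections A and B before restarting, as an added example (not ManageEngine's code). It flags attribute names whose case differs from the camelCase spelling used in the guide's Connector example, a PFX file without keystoreType, the well-known changeit password, and TLS 1.0/1.1 in sslProtocols. The function name, the sample connectors and the finding texts are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Attribute spellings as used in the guide's camelCase Connector example.
EXPECTED = ["SSLEnabled", "keystoreFile", "keystorePass", "keystoreType",
            "clientAuth", "sslProtocol", "sslProtocols"]
CANONICAL = {name.lower(): name for name in EXPECTED}
DEPRECATED = {"SSLv3", "TLSv1", "TLSv1.1"}  # TLS 1.0/1.1: deprecated by RFC 8996

# Constructed sample connectors (not taken from a real installation).
BAD = ('<Server><Connector SSLEnabled="true" keystorefile="./conf/example.pfx" '
       'keystorepass="changeit" port="9251" '
       'sslProtocols="TLSv1,TLSv1.1,TLSv1.2"/></Server>')
GOOD = ('<Server><Connector SSLEnabled="true" keystoreFile="./conf/example.pfx" '
        'keystorePass="constructed-Passphrase-1" keystoreType="PKCS12" '
        'port="443" sslProtocols="TLSv1.2"/></Server>')

def audit_connectors(xml_text):
    """Return findings for every SSL-enabled <Connector> in a server.xml text."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if not any(k.lower() == "sslenabled" and v.lower() == "true"
                   for k, v in conn.attrib.items()):
            continue  # plain HTTP connector, out of scope
        # XML attribute names are case-sensitive: flag near-miss spellings.
        for key in conn.attrib:
            want = CANONICAL.get(key.lower())
            if want and key != want:
                findings.append(f"'{key}' should be spelled '{want}'")
        attrs = {CANONICAL.get(k.lower(), k): v for k, v in conn.attrib.items()}
        store = attrs.get("keystoreFile", "")
        if not store:
            findings.append("keystoreFile is missing")
        elif (store.lower().endswith((".pfx", ".p12"))
              and attrs.get("keystoreType", "").upper() != "PKCS12"):
            findings.append('PFX/PKCS12 file needs keystoreType="PKCS12"')
        if attrs.get("keystorePass", "") in ("", "changeit"):
            findings.append("keystorePass is empty or the well-known 'changeit'")
        weak = [p.strip() for p in attrs.get("sslProtocols", "").split(",")
                if p.strip() in DEPRECATED]
        if weak:
            findings.append("deprecated protocols enabled: " + ", ".join(weak))
    return findings

if __name__ == "__main__":
    for label, sample in (("BAD", BAD), ("GOOD", GOOD)):
        print(label, audit_connectors(sample) or "no findings")
```

To check a real installation, pass the text of <installation directory>\conf\server.xml to audit_connectors instead of the constructed samples.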

Appendix A
Request a certificate from Microsoft Certificate Services (internal CA)

1. Connect to Microsoft Certificate Services, and click the Request a certificate link.

2. Click Advanced Certificate Request.

3. Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a
renewal request by using a base-64-encoded PKCS #7 file.

4. Open the CSR file using an editor, copy the content, and paste it under Saved Request.

5. Select Web Server as Certificate Template.

6. Click the Submit button.

7. The certificate will be issued when you click the Download certificate chain link and select the
PKCS #7 Certificates types. The downloaded file name should be certnew.p7b.

Note: Copy and paste the certificate file to the <installation directory>\jre\bin folder.

8. Click the Home tab in the top-right corner, and click the Download a CA certificate, chain
certificate, or CRL link to download the CA root certificate.

9. Click the Download CA certificate link and save the root certificate. The downloaded file name
should be certnew.cer.

Note: Copy and paste the certificate file to the <installation directory>\jre\bin folder.

10. Navigate to <installation directory>\jre\bin using Command Prompt to import the internal CA
certificate into the .keystore file by executing the following command:
keytool -import -trustcacerts -alias tomcat -file certnew.p7b -keystore <keystore_name>.keystore

11. Add your internal CA's root certificate to the list of trusted CAs in the Java cacerts file by
executing the following command:
keytool -import -alias <internal CA_name> -keystore ..\lib\security\cacerts -file certnew.cer

Note: Open the certnew.cer file to get the internal CA name, and provide a suitable password
when prompted.

Appendix B
Steps to convert CER, CRT, and PEM certificates to P7B format

1. Double-click the domain certificate to open it in the Certificate Window.

2. In the Details tab, click Copy to File.

3. In the Certificate Export Wizard that appears, click Next.

4. Select P7B as the file format, and click Next.

5. Type the File Name, or browse to export the specific file in P7B format.

6. Review the information given, and click Finish.

Exchange Reporter Plus is an analysis, monitoring, and change auditing solution for Exchange Online and Exchange
Servers. It features over 450 unique reports on various Exchange entities such as mailboxes, public folders, Outlook
Web Access, and ActiveSync. Customize reports to track room mailbox usage, break down email response times, and
locate messages based on keywords in their content. Configure alerts in Exchange Reporter Plus for instant
notifications on critical changes that require your immediate attention.
