Securing the Powertech Antivirus Web Server

Trusting the certificate that ships with Powertech Antivirus

In order to assist with configuration, Powertech Antivirus ships with a TLS certificate which is only suitable for temporary use.

The certificate is self-signed and contains a subject that allows it to be trusted as long as the hostname entered during the installation is used in the HS One/FAH registration process. The self-signed certificate must be trusted in order to satisfy browser security requirements. To do this, extract the certificate from the PKCS12 file using the following command:

sudo /opt/ptavwebsvc/jre/bin/keytool -exportcert -rfc -keystore /opt/ptavwebsvc/conf/tomcat.p12 -storetype PKCS12 -storepass 1ntagr8tion -alias tomcat -file /opt/ptavwebsvc/conf/tomcat.crt

The resulting file, /opt/ptavwebsvc/conf/tomcat.crt, can be copied from the Powertech Antivirus Server, distributed to workstations, and placed in the appropriate trust store.

Configuration of alternate TLS certificates for use with Powertech Antivirus

Fortra recommends replacing the temporary self-signed certificate with a certificate that can be trusted by the browsers used to administer Powertech Antivirus. In order for the trust path to be complete, the certificate on the HelpSystems One Server should also be replaced.

This can be achieved by following the instructions in this section.

IMPORTANT: In the following example, replace the value <certificatefile> with the name of the key pair file you have been provided with and <filepassword> with the password used to protect the file.

To configure the Powertech Antivirus Server, the Tomcat web server configuration file /opt/ptavwebsvc/conf/server.xml must be edited.

  1. Back up the file:

    cp /opt/ptavwebsvc/conf/server.xml /opt/ptavwebsvc/conf/server.xml.bak

  2. Copy the new certificate file into /opt/ptavwebsvc/conf/<certificatefile>

  3. Set the permissions on /opt/ptavwebsvc/conf/<certificatefile> so that helpsys is the owner. For example:

    sudo chown helpsys <certificatefile>

  4. Find the following section in the file:

    <Connector SSLEnabled="true" URIEncoding="UTF-8" clientAuth="false" compression="force" keystoreFile="conf/tomcat.p12" keystorePass="1ntagr8tion" keystoreType="PKCS12" maxHttpHeaderSize="32768" maxThreads="150" port="3737" protocol="HTTP/1.1" relaxedQueryChars="^[]" scheme="https" secure="true" sslProtocol="TLS" useBodyEncodingForURI="true"/>

    and alter the two values:

    keystoreFile="conf/<certificatefile>"

    keystorePass="<filepassword>"

    EXAMPLE: <Connector SSLEnabled="true" URIEncoding="UTF-8" clientAuth="false" compression="force" keystoreFile="conf/ptav.p12" keystorePass="1ntagr8tion" keystoreType="PKCS12" maxHttpHeaderSize="32768" maxThreads="150" port="3737" protocol="HTTP/1.1" relaxedQueryChars="^[]" scheme="https" secure="true" sslProtocol="TLS" useBodyEncodingForURI="true"/>

  5. Restart the system for the changes to take effect.

TIP: If you encounter issues connecting to the website, check the tomcat logs in /opt/ptavwebsvc/logs/catalina*.log for errors. Double check the values specified for the location and name of the certificate, the password, and the permissions on the certificate file.
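The checks listed in the TIP can be run against server.xml before the restart. The following is an added example, not Fortra's code: check_connector and owner_name are hypothetical helper names, and it assumes a relative keystoreFile resolves against /opt/ptavwebsvc. It also flags a world-readable keystore and a keystorePass left at the value printed in this document, which are additional checks the procedure above does not require.

```python
import os
import stat
import xml.etree.ElementTree as ET

SHIPPED_FILE = "conf/tomcat.p12"   # temporary keystore named on this page
SHIPPED_PASS = "1ntagr8tion"       # its password, as printed on this page


def owner_name(path):
    """Owner of path as a user name, or the numeric uid if it has no passwd entry."""
    uid = os.stat(path).st_uid
    try:
        import pwd
        return pwd.getpwuid(uid).pw_name
    except (ImportError, KeyError):
        return str(uid)


def check_connector(server_xml, base_dir="/opt/ptavwebsvc", owner="helpsys"):
    """Return a list of problems found in the TLS Connector of server.xml text."""
    try:
        root = ET.fromstring(server_xml)
    except ET.ParseError as exc:
        # Curly quotes or a leftover <placeholder> in an attribute land here.
        return [f"server.xml is not well-formed XML: {exc}"]
    problems = []
    tls = [c for c in root.iter("Connector") if c.get("SSLEnabled") == "true"]
    if not tls:
        return ['no <Connector SSLEnabled="true"> element found']
    for conn in tls:
        ks, pw = conn.get("keystoreFile", ""), conn.get("keystorePass", "")
        if ks == SHIPPED_FILE:
            problems.append("keystoreFile still points at the temporary certificate")
        if pw == SHIPPED_PASS:
            problems.append("keystorePass is the documented default password")
        path = os.path.join(base_dir, ks)   # assumption: relative to base_dir
        if not os.path.isfile(path):
            problems.append(f"keystore not found: {path}")
            continue
        if owner_name(path) != owner:
            problems.append(f"{path} is owned by {owner_name(path)}, expected {owner}")
        if os.stat(path).st_mode & stat.S_IROTH:
            problems.append(f"{path} is world-readable")
    return problems


if __name__ == "__main__":
    with open("/opt/ptavwebsvc/conf/server.xml", "rb") as fh:
        for line in check_connector(fh.read()) or ["no problems found"]:
            print(line)
```

An empty result means the Connector parses, the keystore exists under the expected owner, and neither shipped default is still in place; it does not confirm that the password opens the file, which the catalina logs will show after the restart.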