The Hypertext Transfer Protocol Secure (https) establishes an encrypted connection using Transport Layer Security (TLS), the successor to Secure Socket Layer (SSL); this documentation and the Tomcat attribute names still use the older term SSL. It should be used to secure communications between WebFOCUS Business User Edition and the browsers assigned to end users. There are many configuration options that enable the use of this protocol, one of which is the Apache Tomcat configuration described in this section. WebFOCUS Business User Edition uses this configuration by default.
To activate SSL-based communications, create a self-signed certificate with the Java keytool utility. You can optionally submit a certificate request for it to a Certificate Authority to establish it as a trusted certificate. Note that keytool only creates the keystore and the certificate; it does not change the Tomcat configuration. You must therefore comment out the default HTTP Connector in the Tomcat server.xml file yourself and add an SSL Connector that references the keystore, as described later in this section.
To create a Self-Signed Certificate with Java:
1. Open a command prompt and change to the JRE bin directory, which contains the keytool utility:
drive:\ibi\WebFOCUS_BUE82\jre\bin
2. Type the following command on one line:
keytool -genkeypair -alias mykey -ext san=dns:dnsName1,dns:dnsName2… -keyalg RSA -validity 720 -keystore /path_to_keystore/keystore -keysize 2048 -storepass MyPassword
where:
mykey
Is the alias under which the key pair and its certificate are stored in the keystore. The name mykey is important if you need to issue a -certreq (certificate request) for a certificate signed by a Certificate Authority: the -certreq and -import commands later in this section refer to the same alias.
dns:dnsName1,dns:dnsName2…
Are the DNS names of the subject, that is, of the host that will present this certificate for authentication. They are stored in the Subject Alternative Name (san) extension, which browsers match against the host name in the URL, so include every name users type (the short name, the fully qualified name, and any DNS alias) to ensure that all versions of the subject name are recognized. For multiple alternative names use the syntax dns:first_dnsName,dns:second_dnsName and so on.
For example, dns:bue,dns:bue.ibi.com.
720
Is the number of days for which the self-signed certificate remains valid.
MyPassword
Is the password for this keystore. You can accept MyPassword, the default value, or you can replace it with a unique password by typing it in this field. Use a unique password: the same value is written into server.xml later.
/path_to_keystore/keystore
Is the location of the keystore file that keytool creates. This value is optional. If you do not specify a location, the keytool utility uses its default keystore, the file .keystore in your home directory.
3. keytool prompts for the components of the distinguished name (first and last name, organizational unit, organization, city, state, two-letter country code) and then displays them for confirmation. Conventionally, enter the fully qualified host name of the server as the first and last name; it becomes the CN of the certificate, although browsers rely on the san names for host-name matching.
If the values are not correct, type n and retype the keytool command from step 2.
If they are correct, the new Self-Signed Certificate is ready for use.
Until you add the new self-signed certificate to the browser as a trusted certificate, the browser displays certificate warnings when you connect. During the initial testing period, you can add the self-signed certificate directly to the Trusted Root Certification Authorities store of the browsers (or operating systems) included in the test. However, to fully establish the certificate as trusted, you typically request certification for it from a Certificate Authority by generating a certificate signing request:
keytool -certreq -alias mykey -ext san=dns:dnsName1,dns:dnsName2… -storepass MyPassword -file ./mykey.csr -keystore /path_to_keystore/keystore
where:
mykey
Is the alias of the key pair created in the previous procedure.
dns:dnsName1,dns:dnsName2…
Are the same DNS names you specified when creating the key pair. Repeat the -ext san option here: keytool does not copy the alternative names from the self-signed entry into the request, and a certificate issued without them does not match the host name in the browser.
MyPassword
Is the password for this keystore, as you specified it when creating the key pair.
./mykey.csr
Is the file that receives the certificate signing request.
/path_to_keystore/keystore
Is the location of the keystore that holds the mykey entry. This value is optional. If you omit it, the keytool utility uses its default keystore, the file .keystore in your home directory.
You can then send the certificate request file (mykey.csr) to a Certificate Authority to sign. The authority returns the signed certificate and, usually, its own CA certificate and any intermediate certificates. Import them into the same keystore in the following order.
First, make the CA chain available to keytool. If the CA is a public one whose root certificate is already in the Java cacerts file, the -trustcacerts option in the next step finds it there. If your CA is an internal CA, or the CA supplied an intermediate certificate, import each such certificate first, under its own alias:
keytool -import -alias CA -trustcacerts -file ./ca.crt -keystore /path_to_keystore/keystore
Then import the signed certificate for your server into the mykey entry, where it replaces the self-signed certificate:
keytool -import -alias mykey -trustcacerts -file ./mykey.crt -keystore /path_to_keystore/keystore
where:
CA
Is the alias under which the CA certificate is stored as a trusted certificate. Use a distinct alias for each intermediate certificate.
./ca.crt, ./mykey.crt
Are the certificate files returned by the Certificate Authority.
/path_to_keystore/keystore
Is the location of the keystore that holds the mykey entry. This value is optional. If you omit it, the keytool utility uses its default keystore, the file .keystore in your home directory.
keytool verifies that the signed certificate chains to a trusted certificate before it accepts the reply. If you import mykey.crt before the CA certificate is available, the import fails with the message "Failed to establish chain from reply"; import the CA certificate and repeat the command. Restart Tomcat after the import so that the SSL connector loads the new certificate.
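The following script, added as an example here and not part of the WebFOCUS documentation, runs the two procedures above end to end (self-signed key pair, certificate request, signing, import) in the order that works, with a throwaway internal CA created by keytool standing in for the real Certificate Authority. It assumes a JDK or JRE keytool on the PATH; the alias, password, DNS names, distinguished names and working directory are illustrative, and -dname is passed so that keytool does not prompt interactively.

```python
"""Added example, not part of the WebFOCUS documentation: run the page's keytool
procedure end to end (self-signed key pair, certificate request, CA signing, import)
in the order that works, with a throwaway internal CA standing in for the real
Certificate Authority. Assumes a JDK/JRE keytool on PATH; the alias, password, DNS
names and directory are illustrative."""
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

STOREPASS = "MyPassword"          # the page's placeholder; use a unique secret in practice
SAN = "dns:bue,dns:bue.ibi.com"   # the page's example subject alternative names


def keytool_available() -> bool:
    return shutil.which("keytool") is not None


def keytool(*args: str) -> str:
    """Run one keytool command and return its stdout; raise with stderr on failure."""
    proc = subprocess.run(["keytool", *args], capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError(f"keytool {args[0]} failed: {proc.stderr.strip()}")
    return proc.stdout


def chain_length(keystore: Path, alias: str) -> int:
    """1 while the entry is self-signed, 2 once the CA-signed reply has been imported."""
    out = keytool("-list", "-v", "-alias", alias, "-keystore", str(keystore), "-storepass", STOREPASS)
    match = re.search(r"Certificate chain length:\s*(\d+)", out)
    return int(match.group(1)) if match else 0


def build_and_sign(workdir: Path) -> dict:
    ks, ca_ks = workdir / "keystore", workdir / "ca-keystore"
    csr, crt, ca_crt = workdir / "mykey.csr", workdir / "mykey.crt", workdir / "ca.crt"
    passwords = ["-storepass", STOREPASS, "-keypass", STOREPASS]

    # Step 1: the page's -genkeypair command; -dname answers the interactive questions.
    keytool("-genkeypair", "-alias", "mykey", "-keyalg", "RSA", "-keysize", "2048", "-validity", "720",
            "-dname", "CN=bue.ibi.com, O=Example, C=US", "-ext", f"san={SAN}", "-keystore", str(ks), *passwords)
    before = chain_length(ks, "mykey")

    # A stand-in CA (constructed here) so that the signing step can run offline.
    keytool("-genkeypair", "-alias", "CA", "-keyalg", "RSA", "-keysize", "2048", "-validity", "3650",
            "-dname", "CN=Example Internal CA, O=Example, C=US", "-ext", "bc:c", "-keystore", str(ca_ks), *passwords)
    keytool("-exportcert", "-rfc", "-alias", "CA", "-keystore", str(ca_ks), "-storepass", STOREPASS, "-file", str(ca_crt))

    # Step 2: the certificate request. -ext san must be repeated: keytool does not copy
    # extensions from the self-signed entry into the request.
    keytool("-certreq", "-alias", "mykey", "-ext", f"san={SAN}", "-keystore", str(ks), "-storepass", STOREPASS,
            "-file", str(csr))
    # The CA's side: sign the request, honouring the extensions it asked for.
    keytool("-gencert", "-alias", "CA", "-ext", "honored=all", "-validity", "720", "-rfc", "-infile", str(csr),
            "-outfile", str(crt), "-keystore", str(ca_ks), *passwords)

    # Step 3: import the CA certificate first, then the signed reply into the mykey entry.
    # In the reverse order keytool refuses the reply ("Failed to establish chain from reply").
    keytool("-importcert", "-noprompt", "-trustcacerts", "-alias", "CA", "-file", str(ca_crt),
            "-keystore", str(ks), "-storepass", STOREPASS)
    keytool("-importcert", "-noprompt", "-trustcacerts", "-alias", "mykey", "-file", str(crt),
            "-keystore", str(ks), "-storepass", STOREPASS)
    return {"chain_before": before, "chain_after": chain_length(ks, "mykey")}


def demo() -> dict:
    """Run the whole lifecycle in a temporary directory and report the chain lengths."""
    with tempfile.TemporaryDirectory() as tmp:
        return build_and_sign(Path(tmp))


if __name__ == "__main__":
    print(demo())
```

With a real Certificate Authority, the -gencert step is the CA's and the stand-in CA key pair is not needed; the rest (the repeated -ext san on the request, the CA certificate imported before the reply) is exactly what the procedure above requires.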
The Tomcat server.xml file is located in the following directory:
drive:\ibi\WebFOCUS_BUE82\tomcat\conf
Locate the default HTTP connector and comment it out (enclose it in <!-- and -->), so that plain-http connections are no longer accepted:
<Connector connectionTimeout="20000" maxPostSize="-1" port="26000" protocol="HTTP/1.1" redirectPort="26001" useBodyEncodingForURI="true"/>
The keytool utility does not add an SSL connector for you. Add the following connector, which listens on port 443 (the standard https port) and replaces the old http-based connection; if it does not already appear in the file, type it with its attributes and values as shown in the following example. On Linux and UNIX, binding port 443 requires root privileges or a port-forwarding rule, so either run Tomcat accordingly or choose a port above 1024, such as 26001, the port the HTTP connector's redirectPort attribute already points to, and include that port in the URL.
<Connector protocol="org.apache.coyote.http11.Http11Protocol" port="443" SSLEnabled="true" keystoreFile="C:/users/path_to_keystore/keystore" keystorePass="MyPassword" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"/>
where:
C:/users/path_to_keystore/keystore
Is the location of the keystore file you created with keytool. Use forward slashes even on Windows. Tomcat reads the file at startup, so the Tomcat service account needs read access to it.
MyPassword
Is the password for the keystore, exactly as you gave it to keytool. Because it is stored in clear text, restrict read access to server.xml to the Tomcat service account.
Note: The protocol org.apache.coyote.http11.Http11Protocol is the blocking (BIO) connector, which was removed in Tomcat 8.5; on newer Tomcat versions use org.apache.coyote.http11.Http11NioProtocol. The two TLS_RSA CBC cipher suites shown provide no forward secrecy; prefer ECDHE suites with AES-GCM, and add sslEnabledProtocols="TLSv1.2" (or later), because sslProtocol="TLS" alone leaves the JVM's default protocol versions enabled. After editing server.xml, restart Tomcat and verify the connection by browsing to https://host:port/.
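The following checker is an added example, not part of the WebFOCUS documentation or of Apache Tomcat. It parses the Connector elements of a server.xml and reports the settings that matter once HTTPS is enabled: an HTTP connector left active, the removed BIO protocol class, no restriction on TLS versions, cipher suites without forward secrecy, and the documentation's placeholder keystore password. Both server.xml texts are constructed here: the first embeds the page's own HTTP and SSL connectors, the second is this example's hardened version of the SSL connector. The ${keystore.password} property name and the protocol and cipher choices are this example's recommendations, not product defaults.

```python
"""Added example, not from the WebFOCUS documentation or Apache Tomcat: audit the
<Connector> elements of a Tomcat server.xml once HTTPS is enabled. Both server.xml
texts below are constructed for this example."""
import xml.etree.ElementTree as ET

# Tomcat's blocking (BIO) HTTP implementation; removed in Tomcat 8.5, NIO is the replacement.
BIO_PROTOCOL = "org.apache.coyote.http11.Http11Protocol"
WEAK_VERSIONS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
TOMCAT_ALL = {"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}  # what Tomcat's protocols="all" expands to
# JSSE suite-name prefixes that give forward secrecy (TLS 1.3 suites always use ephemeral keys).
PFS_PREFIXES = ("TLS_ECDHE_", "TLS_DHE_", "TLS_AES_", "TLS_CHACHA20_")

# The page's connectors, verbatim, inside a minimal server.xml skeleton.
PAGE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector connectionTimeout="20000" maxPostSize="-1" port="26000" protocol="HTTP/1.1"
             redirectPort="26001" useBodyEncodingForURI="true"/>
  <Connector protocol="org.apache.coyote.http11.Http11Protocol" port="443" SSLEnabled="true"
             keystoreFile="C:/users/path_to_keystore/keystore" keystorePass="MyPassword"
             maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
             ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"/>
</Service></Server>"""

# This example's hardened version: HTTP connector removed, NIO connector, TLS 1.2 only,
# ECDHE/GCM suites, password taken from a system property instead of a literal.
# (Add TLSv1.3 and the TLS_AES_* suites when the JVM supports them.)
HARDENED_SERVER_XML = """<Server><Service name="Catalina">
  <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="443" SSLEnabled="true"
             keystoreFile="${catalina.base}/conf/keystore" keystorePass="${keystore.password}"
             maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
             sslEnabledProtocols="TLSv1.2"
             ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"/>
</Service></Server>"""


def _csv(value):
    return [v.strip() for v in (value or "").split(",") if v.strip()]


def audit_connector(c):
    """Return human-readable findings for one <Connector> element."""
    a, port, findings = c.attrib, c.get("port", "?"), []
    if a.get("SSLEnabled", "false").lower() != "true":
        findings.append(f"port {port}: plain HTTP connector is still active; comment it out (or at least "
                        f"point redirectPort at the SSL connector and require CONFIDENTIAL transport in web.xml)")
        return findings
    if a.get("protocol") == BIO_PROTOCOL:
        findings.append(f"port {port}: {BIO_PROTOCOL} is the removed BIO connector; use Http11NioProtocol")
    # Tomcat 8.5+ may carry the TLS settings on a nested <SSLHostConfig> instead of the Connector.
    host = c.find("SSLHostConfig")
    protocols = _csv(host.get("protocols") if host is not None else a.get("sslEnabledProtocols"))
    ciphers = _csv(host.get("ciphers") if host is not None else a.get("ciphers"))
    enabled = {p for p in protocols if not p.startswith("-")}
    excluded = {p[1:] for p in protocols if p.startswith("-")}
    if "all" in enabled:
        enabled = (enabled - {"all"}) | TOMCAT_ALL
    weak = (enabled & WEAK_VERSIONS) - excluded
    if not protocols:
        findings.append(f"port {port}: no protocol list; the JVM default may still offer TLSv1/TLSv1.1")
    elif weak:
        findings.append(f"port {port}: weak protocol versions enabled: {sorted(weak)}")
    if not ciphers:
        findings.append(f"port {port}: no cipher list; JVM defaults apply")
    elif any(not s.startswith(("TLS_", "SSL_")) for s in ciphers):
        findings.append(f"port {port}: cipher list uses OpenSSL syntax; review it manually")
    else:
        non_pfs = [s for s in ciphers if not s.startswith(PFS_PREFIXES)]
        if non_pfs:
            findings.append(f"port {port}: suites without forward secrecy: {non_pfs}")
    if a.get("keystorePass") == "MyPassword":
        findings.append(f"port {port}: keystorePass is the documentation placeholder; set a real one "
                        f"and keep server.xml readable only by the Tomcat account")
    return findings


def audit_server_xml(text):
    """Audit every Connector in a server.xml string; an empty list means nothing to report."""
    root = ET.fromstring(text)
    connectors = list(root.iter("Connector"))
    findings = []
    if not any(c.get("SSLEnabled", "").lower() == "true" for c in connectors):
        findings.append("no SSLEnabled connector: HTTPS is not configured")
    for c in connectors:
        findings.extend(audit_connector(c))
    return findings


if __name__ == "__main__":
    for label, text in (("page", PAGE_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, audit_server_xml(text) or ["ok"])
```

Run against the real file with audit_server_xml(open("server.xml").read()). The checker knows only JSSE suite names; if a newer Tomcat is configured with an OpenSSL-style cipher string, it flags the list for manual review rather than guessing.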