How to:
Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS) establishes an encrypted connection and should be used to secure communications between WebFOCUS and end-user browsers. Several configuration options enable this protocol; one of them is the Apache Tomcat configuration described in this section.
To activate SSL-based communications, create a self-signed certificate for Java. You can optionally submit it to a Certificate Authority to establish it as a trusted certificate. The keytool utility that creates the certificate also changes the connection type from open to SSL. Therefore, you must comment out the default Connector protocol setting in the Tomcat server.xml file and ensure that a setting for the new SSL Connector protocol appears there instead.
Finally, establishing SSL security requires replacing the default connections between WebFOCUS and the internal applications that create graphs or deliver output to Excel spreadsheets with connections to the JSCOM3 Java-based listener. To implement this change, assign the value Reporting Server JCOM to the Excel Server URL (EXCELSERVURL) and Graph Server URL (GRAPHSERVURL) settings within the WebFOCUS client.
Note: Administrators can configure IIS to use SSL outside of their WebFOCUS configuration. For more information, see documentation provided by IIS, Tomcat, or your application server provider.
To create a self-signed certificate with Java:
keytool -genkeypair -alias mykey -ext san=dns:dnsName1,dns:dnsName2… -keyalg RSA -validity 720 -keystore /path_to_keystore/keystore -keysize 2048 -storepass MyPassword
where:

dns:dnsName1,dns:dnsName2…
Is the name, or alias, of the entity (the subject) that will present this certificate for authentication. You can include multiple names to ensure that all versions of the subject names are recognized. For multiple alternative names, use the syntax dns:first_dnsName,dns:second_dnsName,...
For example, dns:wfsvr,dns:wfsvr.ibi.com.

MyPassword
Is the password for this keystore. You can accept MyPassword, the default value, or you can replace it with a unique password by typing it in this field.

/path_to_keystore/keystore
Is the location information that specifies where the key file will be placed. This value is optional. If you do not specify a location for the key file, the keytool utility places it in the default location.
Note: The name mykey is important if you need to issue a -certreq (certificate request) for a certificate signed by a Certificate Authority.
The command prompt then displays the first in a series of questions about the certificate subject (your name, organizational unit, organization, and location). Answer each question; keytool then shows the values you entered and asks you to confirm them.
If they are not correct, type n and retype the keytool command from step 2 (the -genkeypair command above).
If they are correct, the new self-signed certificate is ready for use.
Until you identify the new self-signed certificate to the browser as a trusted certificate, the browser will display errors when you use it. During the initial testing period, you can add the new self-signed certificate directly to the trusted certificate store of the browsers included in the test. However, to fully establish the new certificate as a trusted certificate, you typically request certification for it from a Certificate Authority using the following request:
keytool -certreq -alias mykey -storepass MyPassword -file ./mykey.csr -keystore /path_to_keystore/keystore
where:

MyPassword
Is the password for this keystore. You can accept MyPassword, the default value, or you can replace it with a unique password by typing it in this field.

/path_to_keystore/keystore
Is the location information that specifies where the key file will be placed. This value is optional. If you do not specify a location for the key file, the keytool utility places it in the default location.
You can then send the certificate request file (mykey.csr) to a Certificate Authority to sign, and when the authority returns the signed certificate, import it into the keystore.
To import your certificate from an external Certificate Authority (CA), type the following command:
keytool -import -alias mykey -file ./mykey.crt -keystore /path_to_keystore/keystore
where:

/path_to_keystore/keystore
Is the location information that specifies where the key file will be placed. This value is optional. If you do not specify a location for the key file, the keytool utility places it in the default location.
If your CA is an internal CA, type the following command to import the certificate from your Certificate Authority:
keytool -import -alias CA -trustcacerts -file ./ca.crt -keystore /path_to_keystore/keystore
where:

/path_to_keystore/keystore
Is the location information that specifies where the key file will be placed. This value is optional. If you do not specify a location for the key file, the keytool utility places it in the default location.
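The keytool sequence above (generate the key pair with its Subject Alternative Names, write the CSR, import the CA certificate and the signed reply) can be driven from one script. The following Python is an added example and is not part of the WebFOCUS documentation; it assumes keytool is on PATH, uses the alias, file names and placeholder paths shown on this page, and validates the DNS names before they reach the san= extension. It also rejects the en dash (U+2013) that copy-pasted commands sometimes carry in place of a hyphen, which keytool reports as an illegal option.

```python
"""Drive the keytool steps from the WebFOCUS/Tomcat SSL procedure.
Added example, not part of the product documentation."""
import re
import shutil
import subprocess

# One DNS label: 1-63 characters, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def san_extension(hostnames):
    """Build the -ext value 'san=dns:a,dns:b' from a list of host names.
    Malformed labels and duplicates are rejected so a typo does not silently
    produce a certificate whose names the browser will never match."""
    seen = []
    for name in hostnames:
        if not name or not all(_LABEL.match(p) for p in name.split(".")):
            raise ValueError("invalid DNS name: %r" % name)
        if name.lower() not in seen:
            seen.append(name.lower())
    if not seen:
        raise ValueError("at least one DNS name is required")
    return "san=" + ",".join("dns:" + n for n in seen)


def genkeypair_cmd(alias, hostnames, keystore, storepass, validity_days=720):
    """argv for the -genkeypair step (RSA 2048, as on the page)."""
    return ["keytool", "-genkeypair", "-alias", alias,
            "-ext", san_extension(hostnames), "-keyalg", "RSA", "-keysize", "2048",
            "-validity", str(validity_days), "-keystore", keystore,
            "-storepass", storepass]


def certreq_cmd(alias, keystore, storepass, csr_file):
    """argv for the -certreq step that writes the CSR to send to the CA."""
    return ["keytool", "-certreq", "-alias", alias, "-keystore", keystore,
            "-storepass", storepass, "-file", csr_file]


def import_cmd(alias, cert_file, keystore, storepass, trust_ca=False):
    """argv for the -import step; trust_ca adds -trustcacerts for the CA certificate."""
    argv = ["keytool", "-import", "-alias", alias, "-file", cert_file,
            "-keystore", keystore, "-storepass", storepass]
    if trust_ca:
        argv.append("-trustcacerts")
    return argv


def check_ascii_flags(argv):
    """Return arguments that start with an en dash or em dash instead of '-'."""
    return [a for a in argv if a.startswith("\u2013") or a.startswith("\u2014")]


def provision(alias, hostnames, keystore, storepass, ca_cert=None, signed_cert=None):
    """Run the page's sequence. When a CA reply is available, the CA certificate
    is imported before the signed reply: keytool rejects a reply whose issuer
    it cannot chain to a trusted certificate. The prompts for the subject fields
    and the CA trust confirmation stay interactive, as in the documented procedure."""
    if shutil.which("keytool") is None:
        raise RuntimeError("keytool not found; add the JDK bin directory to PATH")
    steps = [genkeypair_cmd(alias, hostnames, keystore, storepass),
             certreq_cmd(alias, keystore, storepass, "./%s.csr" % alias)]
    if ca_cert:
        steps.append(import_cmd("CA", ca_cert, keystore, storepass, trust_ca=True))
    if signed_cert:
        steps.append(import_cmd(alias, signed_cert, keystore, storepass))
    for argv in steps:
        bad = check_ascii_flags(argv)
        if bad:
            raise ValueError("non-ASCII option flags: %r" % bad)
        subprocess.run(argv, check=True)


if __name__ == "__main__":
    # Values below are the page's placeholders; the CA files are hypothetical names.
    provision("mykey", ["wfsvr", "wfsvr.ibi.com"], "/path_to_keystore/keystore",
              "MyPassword", ca_cert="./ca.crt", signed_cert="./mykey.crt")
```

The argv lists are passed to subprocess without a shell, so a keystore password containing shell metacharacters needs no quoting; the password is still visible to other local users in the process list for the duration of each keytool run, which is why a unique password rather than the documented placeholder matters.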
If you included Tomcat in your product installation, the server.xml file for Tomcat is located in the following directory:
C:\ibi\tomcat\conf
The keytool utility disables the HTTP connection assigned to port 26000. Therefore, you must comment out the Connector tag in the server.xml file that defines this HTTP-based connection. Enclose the whole tag in XML comment delimiters (<!-- and -->) so that Tomcat ignores it, as shown here:
<!-- <Connector connectionTimeout="20000" maxPostSize="-1" port="26000" protocol="HTTP/1.1" redirectPort="26001" useBodyEncodingForURI="true"/> -->
The keytool utility also establishes an SSL connector on port 443. This connection replaces the old HTTP-based connection. Therefore, if it does not appear in the file, you must type this updated version of the Connector tag, with its attributes and values, as shown in the following example:
<Connector protocol="org.apache.coyote.http11.Http11Protocol" port="443" SSLEnabled="true" keystoreFile="C:/users/path_to_keystore/keystore" keystorePass="MyPassword" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"/>
where:

C:/users/path_to_keystore/keystore
Is the location information that specifies where the key file will be placed. This value is optional. If you do not specify a location for the key file, the keytool utility places it in the default location.

MyPassword
Is the password for this keystore. You can accept MyPassword, the default value, or you can replace it with a unique password by typing it in this field.
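After editing server.xml it is worth checking the result before restarting Tomcat. The following Python checker is an added example, not part of the WebFOCUS documentation: the embedded server.xml fragment is constructed to mirror the two Connector tags above (ports 26000 and 443, the sample keystore path and placeholder password). Because an XML parser drops comments, a correctly commented-out HTTP connector simply disappears from the parsed tree, while a stray <!Connector left by a bad edit is a parse error, which is exactly what Tomcat would hit at startup. The check also warns when the placeholder password is still in place, when no sslEnabledProtocols (a standard Tomcat connector attribute) restricts the protocol versions, and when the configured cipher list contains only TLS_RSA and CBC suites, which provide no forward secrecy.

```python
"""Sanity-check the Connector configuration in a Tomcat server.xml.
Added example, not part of the WebFOCUS documentation."""
import xml.etree.ElementTree as ET

# Constructed sample: HTTP connector on 26000 commented out, SSL connector on 443 active.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- <Connector connectionTimeout="20000" maxPostSize="-1" port="26000"
                    protocol="HTTP/1.1" redirectPort="26001" useBodyEncodingForURI="true"/> -->
    <Connector protocol="org.apache.coyote.http11.Http11Protocol" port="443" SSLEnabled="true"
               keystoreFile="C:/users/path_to_keystore/keystore" keystorePass="MyPassword"
               maxThreads="150" scheme="https" secure="true" clientAuth="false"
               sslProtocol="TLS"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"/>
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>
"""

DOC_PLACEHOLDER_PASSWORD = "MyPassword"  # the default value shown in the documentation


def check_server_xml(xml_text, plain_port="26000", ssl_port="443"):
    """Return (errors, warnings) for the Connector elements in xml_text.
    Errors mean the SSL switch-over is incomplete; warnings are hardening advice."""
    errors, warnings = [], []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # '<!Connector ...>' is not a comment; Tomcat would fail to start on it too.
        return ["server.xml does not parse: %s" % exc], warnings

    ssl_connector = None
    for conn in root.iter("Connector"):
        port = conn.get("port")
        ssl_enabled = conn.get("SSLEnabled", "false").lower() == "true"
        if port == plain_port and not ssl_enabled:
            errors.append("plain HTTP connector on port %s is still active" % port)
        if port == ssl_port and ssl_enabled:
            ssl_connector = conn

    if ssl_connector is None:
        errors.append("no SSLEnabled connector on port %s" % ssl_port)
        return errors, warnings

    for attr, want in (("scheme", "https"), ("secure", "true")):
        if ssl_connector.get(attr, "").lower() != want:
            errors.append('SSL connector must set %s="%s"' % (attr, want))
    if not ssl_connector.get("keystoreFile"):
        errors.append("SSL connector has no keystoreFile attribute")

    if ssl_connector.get("keystorePass") == DOC_PLACEHOLDER_PASSWORD:
        warnings.append("keystorePass is still the documentation placeholder")
    if not ssl_connector.get("sslEnabledProtocols"):
        warnings.append("sslEnabledProtocols not set; restrict to TLSv1.2 or later")
    ciphers = [c.strip() for c in ssl_connector.get("ciphers", "").split(",") if c.strip()]
    weak = [c for c in ciphers if c.startswith("TLS_RSA_") or "_CBC_" in c]
    if weak:
        warnings.append("ciphers without forward secrecy or using CBC: " + ", ".join(weak))
    return errors, warnings


def check_file(path):
    """Convenience wrapper for a real server.xml, e.g. C:\\ibi\\tomcat\\conf\\server.xml."""
    with open(path, encoding="utf-8") as fh:
        return check_server_xml(fh.read())


if __name__ == "__main__":
    errs, warns = check_server_xml(SAMPLE_SERVER_XML)
    for line in errs:
        print("ERROR:", line)
    for line in warns:
        print("WARN: ", line)
```

Run it against the real file with check_file(r"C:\ibi\tomcat\conf\server.xml") once the edits from this section are in place; the sample fragment passes with no errors but three warnings, which is the expected state for a configuration copied verbatim from this page.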
Before you begin, ensure the JSCOM service is configured and operational on the WebFOCUS Server. For more information, see How to Configure Java Services for a JSCOM3 Listener in the TIBCO WebFOCUS® Reporting Server Administration Manual.