EASA Security: HTTPS and SSL

The EASA Server (more precisely, the Tomcat instance it runs in) can be run in Secure Mode, which serves HTTP over SSL/TLS, referred to as HTTPS. Some general background is required before the EASA-specific configuration details.

SSL stands for Secure Sockets Layer; its successor TLS (Transport Layer Security) is what any current browser and Tomcat actually speak, although the configuration keeps the name SSL. It relies on Public Key Cryptography: every participant has a key pair, a public key that can be handed to anyone and a private key that never leaves its owner. Data encrypted with the public key can only be decrypted with the matching private key.

The two keys are generated together (for RSA, from two large secret primes). The security of the scheme rests on the fact that recovering the private key from the public key is computationally infeasible at the key sizes in use today, even though the algorithm and the public key are known to everyone. Once a sender obtains the receiver's public key, it can encrypt a message that only the holder of the private key, the receiver, can decrypt. In practice SSL/TLS uses the public key only to authenticate the server and to agree on a session key; the HTTP traffic itself is encrypted with a much faster symmetric cipher under that session key. The key-distribution problem described next is the same either way.

However, this scheme can be defeated if the sender initially asks the receiver for its public key and that request is intercepted by a man-in-the-middle who answers with his own public key instead. The sender now encrypts its message to the counterfeit key; the man-in-the-middle decrypts it, reads it, re-encrypts it with the receiver's real public key and forwards it. The receiver has no way of knowing that the message has been read and its confidentiality compromised. Nothing in a bare public key says who it belongs to; that binding has to come from somewhere else.

To prevent this, the receiver's public key is packaged in an SSL Certificate, which binds the key to a name (the server's host name) and is digitally signed by a Certificate Authority (CA), a trusted third party. The server presents the certificate at the start of every connection; the sender's browser checks the CA's signature against the CAs it already trusts and checks that the name in the certificate matches the host it is talking to. A man-in-the-middle cannot produce a validly signed certificate that binds the receiver's name to his own key. (This is the general idea; the real protocol has more steps.)

Alternatively, the receiver may self-sign the certificate for his own public key without involving a Certificate Authority. Because no trusted CA vouches for it, the sender's browser shows a security warning (the certificate could equally have come from a man-in-the-middle) which the user has to acknowledge and dismiss before the self-signed certificate can be added to the browser's store of trusted certificates. Once it has been accepted, no further warnings are shown for the life of the certificate, but only in that browser and only as long as the certificate and the host name in it do not change. With a self-signed certificate the user is therefore trusting the key on first use; for anything beyond an isolated internal network, obtain a CA-signed certificate as described in the section on third-party certificates below.
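The exchange described above, as an added example that is not part of this page or of EASA: textbook RSA on fixed Mersenne primes (no padding, toy key sizes, never for real use) models the unauthenticated key swap, and then the certificate check that defeats it. The host name easa.example, the secret, and all keys are constructed for the example.

```python
"""Toy model of the SSL key-distribution problem: an unauthenticated public
key can be swapped by a man-in-the-middle; a CA signature over (name, key)
lets the client detect the swap. Textbook RSA, constructed keys, toy only."""
import hashlib

E = 65537


def keypair(p, q):
    """Textbook RSA from two given primes: returns (public, private)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))       # modular inverse, Python 3.8+
    return (E, n), (d, n)


def encrypt(pub, msg):
    """Raw RSA encryption of a short byte string (no padding: toy only)."""
    e, n = pub
    m = int.from_bytes(msg, "big")
    assert m < n, "message too long for this toy modulus"
    return pow(m, e, n)


def decrypt(priv, c):
    d, n = priv
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def digest(name, pub):
    """Hash of what the certificate binds together: the name and the key."""
    data = f"{name}|{pub[0]}|{pub[1]}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def issue_cert(name, pub, ca_priv):
    """Certificate = (subject name, public key, CA signature over both)."""
    d, n = ca_priv
    return (name, pub, pow(digest(name, pub) % n, d, n))


def verify_cert(cert, ca_pub):
    """What the browser does: check the CA signature against its trusted CA key."""
    name, pub, sig = cert
    e, n = ca_pub
    return pow(sig, e, n) == digest(name, pub) % n


# Fixed Mersenne primes keep the run deterministic (constructed toy keys).
SERVER_PUB, SERVER_PRIV = keypair(2**31 - 1, 2**61 - 1)
MALLORY_PUB, MALLORY_PRIV = keypair(2**89 - 1, 2**107 - 1)
CA_PUB, CA_PRIV = keypair(2**127 - 1, 2**19 - 1)
SECRET = b"hunter2-pw"                        # constructed sample message


def unauthenticated_exchange():
    """Client asks for 'the server key' and uses whatever the network returns."""
    offered_key = MALLORY_PUB                  # attacker answers with his own key
    c = encrypt(offered_key, SECRET)           # client encrypts to it
    seen = decrypt(MALLORY_PRIV, c)            # attacker reads the plaintext...
    relayed = encrypt(SERVER_PUB, seen)        # ...and re-encrypts it to the server
    return seen, decrypt(SERVER_PRIV, relayed)  # both ends see the plaintext


def certificate_exchange(offered_cert):
    """Client checks the CA signature before using the key it was handed.
    Returns the ciphertext for the server, or None if the certificate is rejected."""
    if not verify_cert(offered_cert, CA_PUB):
        return None
    return encrypt(offered_cert[1], SECRET)


SERVER_CERT = issue_cert("easa.example", SERVER_PUB, CA_PRIV)
# The attacker can only forge: same name, his key, the server's signature copied.
FORGED_CERT = ("easa.example", MALLORY_PUB, SERVER_CERT[2])

if __name__ == "__main__":
    seen, delivered = unauthenticated_exchange()
    print("MITM read:", seen, "| server received:", delivered)
    print("genuine certificate accepted:", certificate_exchange(SERVER_CERT) is not None)
    print("forged certificate accepted:", certificate_exchange(FORGED_CERT) is not None)
```

The forged certificate fails because the signature covers the name and the key together; the attacker's other option, relaying the genuine certificate unchanged, leaves him holding ciphertext he cannot decrypt. The self-signed case of the text corresponds to a client that has imported SERVER_CERT itself as its only trusted entry.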

Thus configuring SSL involves three essential steps:

  • Generate a key pair (a public key and a private key) and store it in a keystore (easastore.jks)
  • Generate an SSL Certificate for the public key, either self-signed or signed by a CA
  • Import the SSL Certificate into the file of trusted certificates, cacerts, so that the Java-based EASA components trust it

Once cacerts holds the certificate and the key pair is stored in the keystore, the EASA Server can be configured to run HTTPS.

Two methods are detailed below:

  • keytool → a command-line tool that ships with the Java Runtime Environment (EASA bundles its own JRE)
  • Keystore Explorer → a GUI utility (Java based, so it is not limited to Windows)

Generate a key pair and a self-signed SSL certificate using Java's command line: keytool

Open a command prompt and change to the directory containing keytool.exe. For a standard installation it is:

  • C:\EASA\EASA5.4\jre\bin

Type the following command (the values shown can be customized as described below):
keytool -genkey -keyalg RSA -alias tomcat -keystore easastore.jks -storepass 123123 -validity 360 -keysize 2048

-genkey: generate a key pair and a self-signed certificate for it (newer JREs call this -genkeypair; the old name still works)
-keyalg: the public-key algorithm (RSA, DSA or EC; DES and DESede are symmetric ciphers and cannot be used for a key pair). Stay with RSA: current browsers have dropped DSA support.
-alias: the name of the key-pair entry inside the keystore; the certificate is stored together with it
-keystore: the keystore file to create (EASA expects a .jks file; on Java 9 and later add -storetype JKS, because the default keystore format changed to PKCS12)
-storepass: the password for the keystore file, and by default also for the private key entry (-keypass sets a different one). 123123 is a placeholder used throughout this page; use your own.
-validity: the number of days until the certificate expires; renew it before then
-keysize: the key size in bits, depending on the algorithm (2048 is the minimum acceptable for RSA today, 256 for EC; 1024-bit DSA is no longer accepted by browsers)

Fill in the prompts for your organization information. When asked for your first and last name, enter the host name that users will type in the browser (this becomes the certificate's Common Name); in our case we use the name of the machine on which EASA Server is installed. If the name does not match the URL, browsers reject the certificate even after it has been trusted. Recent browsers additionally require the name as a Subject Alternative Name, which keytool can add with its -ext option.

Now we export the newly created certificate from easastore.jks so that we can import it into the cacerts file later. The export contains only the public certificate; the private key stays in the keystore.

To export the certificate run:

keytool -export -alias tomcat -file tomcat.crt -keystore easastore.jks

tomcat is the alias set in the previous command
tomcat.crt is the name of the certificate file; it can be .cer or .crt
easastore.jks is the keystore created in the previous command

keytool asks for the keystore password and writes the certificate to the file.

Copy the file:

  • <EASA Root>/jre/lib/security/cacerts

to the same location as the keystore and the certificate; in this case:

  • C:\EASA\EASA5.4\jre\bin

Work on this copy rather than on the original so that a mistake can be undone.

Run the following command to import the certificate into the cacerts truststore:

keytool -import -trustcacerts -alias tomcat -file tomcat.crt -keystore cacerts

tomcat is the alias used in the previous commands (an alias only has to be unique within one file)
tomcat.crt is the certificate file; it can be .cer or .crt
cacerts is the EASA JRE's truststore, the list of certificates the Java components trust

keytool asks for the cacerts password, which by default is changeit, then displays the certificate and asks whether to trust it. Compare the fingerprint it displays with the fingerprint of the certificate you exported (keytool's -list -v option shows it) before answering yes.

Once easastore.jks holds the key pair and cacerts contains the self-signed certificate, skip to Configuring EASA to use SSL


Generate a key pair and a self-signed SSL certificate using Keystore Explorer

Download and Open Keystore Explorer. (http://keystore-explorer.sourceforge.net/)


If asked to upgrade Java Cryptography then:


Click on create a new Keystore:


Select JKS and click OK:


Click on Tools→Generate key pair:


Select RSA with key size 2048, then OK:


Click Edit name:


Fill in each field on the form with the relevant data. Common Name must be the name of the EASA Server exactly as users will type it in the browser. Click OK twice:


Enter tomcat as Key Pair Entry Alias. Click OK:


Enter 123123 (the placeholder password used throughout this page; choose your own, and use the same one for the keystore file in the next steps) as Key Pair Entry Password. Click OK:


Key Pair and Certificate will be created:


Click File→Save:


Enter 123123 (the same password as for the key pair entry) as Password for the Keystore file:


Select a folder in which to save the Keystore file. Select filename easastore.jks and file type Keystore Files:


Right-click tomcat and select Export Certificate Chain:


Select: Entire Chain, PKCS #7, tick PEM, and browse to an export folder:


Navigate to the export folder. Double-click the PKCS #7 certificate file exported in the previous step to open it with the Windows Certificates Manager:


Select our certificate, right-click on it, select All Tasks→Export:


Keep all defaults, except save File Name as tomcat.cer in the export folder. Click Finish:


Close Keystore Explorer and Windows Certificates Manager. Copy the file <EASA Root>/jre/lib/security/cacerts to the same location as the previously created keystore and certificates.

Open Keystore Explorer. Select File→Open, browse to cacerts. The password is changeit:


Click on Tools→Import Trusted Certificate:


Select tomcat.cer and click Import:

Keystore Explorer warns that it could not establish a trust chain for the certificate. This is expected: the certificate is self-signed, so no trusted third-party Certificate Authority vouches for it. Click OK to examine the certificate and confirm that the Common Name and the fingerprint are those of the certificate you just created.


Click OK to accept the certificate:


Confirm Yes:


Set the Alias to tomcat and click OK, twice:


Save cacerts file and close Keystore Explorer.


Using an SSL Certificate from a trusted third-party

These instructions assume that the certificate is already available as a Personal Information Exchange (.pfx, also known as PKCS #12) file, which holds both the private key and the certificate chain.

  • Open the .pfx file with Keystore Explorer (its password is the one the certificate was delivered with) and export both the key pair and the certificate, using the default options.

  • Close Keystore Explorer and open it again.

  • Create a new keystore of type JKS and import into it the key pair exported earlier; use the keystore password chosen for EASA (123123 in the examples on this page) wherever required and name the imported entry tomcat (alias).

  • Hit the Save button in Keystore Explorer, name the file easastore and save it to <EASA Root>/tomcat/conf.

  • If the certificate is signed directly by a CA that browsers and the bundled Java runtime already trust, close Keystore Explorer and jump to Configuring EASA to use SSL; if the certificate is signed by an intermediate certificate authority, continue with the next step so that the intermediate certificate is trusted as well.

  • Close Keystore Explorer and open it again.

  • Copy the file <EASA Root>/jre/lib/security/cacerts to another location where the current Windows user has write access.

  • Open the copied cacerts file with Keystore Explorer. The password is changeit.

  • Import the certificate (leave the alias as is): for a self-signed certificate this is the file exported earlier; for a certificate from an intermediate certificate authority it is the intermediate CA's own certificate, provided by the authority as a .cer or .crt file.

  • Hit the Save button in Keystore Explorer and then close it.
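The keytool steps of the self-signed procedure above, and the .pfx import of this section, driven from one script and verified afterwards. This is an added example, not part of the page or of EASA: it assumes keytool is on the PATH or named by a hypothetical KEYTOOL environment variable (pointing at <EASA Root>\jre\bin\keytool.exe), uses the page's file names and alias, and adds the Subject Alternative Name and JKS store type that the page's command does not set.

```python
"""Self-signed keystore + cacerts import, then a check that cacerts really
holds the certificate from easastore.jks; plus the .pfx route with
keytool -importkeystore. Added example; keytool and file names are assumptions."""
import base64
import hashlib
import os
import re
import shutil
import subprocess
import sys
from pathlib import Path

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_certs(text):
    """DER bytes of every certificate in a PEM file or a `keytool -list -rfc` dump."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(text)]


def fingerprint(der):
    """SHA-256 fingerprint in the AA:BB:... form keytool prints."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def keytool(*args):
    """Run keytool and return its stdout. KEYTOOL (hypothetical) selects the EASA JRE copy."""
    exe = os.environ.get("KEYTOOL") or shutil.which("keytool")
    if not exe:
        raise SystemExit("keytool not found: set KEYTOOL=<EASA Root>\\jre\\bin\\keytool.exe")
    return subprocess.run([exe, *args], capture_output=True, text=True, check=True).stdout


def fingerprints_in(keystore, storepass):
    """Fingerprints of all certificates in a keystore (key-pair chains included)."""
    out = keytool("-list", "-rfc", "-keystore", str(keystore), "-storepass", storepass)
    return {fingerprint(der) for der in pem_certs(out)}


def self_signed_setup(host, storepass, cacerts_src, workdir=Path("."), validity=365):
    """The page's three keytool steps, then verify the import actually happened."""
    ks, crt, cacerts = workdir / "easastore.jks", workdir / "tomcat.crt", workdir / "cacerts"
    # 1. key pair + self-signed certificate. -dname skips the interactive prompts,
    #    -ext SAN adds the host as Subject Alternative Name (recent browsers need it),
    #    -storetype JKS keeps the .jks format on Java 9+ where PKCS12 is the default.
    keytool("-genkeypair", "-keyalg", "RSA", "-keysize", "2048", "-sigalg", "SHA256withRSA",
            "-alias", "tomcat", "-dname", f"CN={host}", "-ext", f"SAN=DNS:{host}",
            "-validity", str(validity), "-storetype", "JKS", "-keystore", str(ks),
            "-storepass", storepass, "-keypass", storepass)
    # 2. export the certificate (public part only; the private key stays in the .jks)
    keytool("-exportcert", "-alias", "tomcat", "-file", str(crt),
            "-keystore", str(ks), "-storepass", storepass)
    # 3. import it into a *copy* of the EASA JRE's cacerts (default password changeit)
    shutil.copy(cacerts_src, cacerts)
    keytool("-importcert", "-noprompt", "-trustcacerts", "-alias", "tomcat", "-file", str(crt),
            "-keystore", str(cacerts), "-storepass", "changeit")
    # Check: every certificate in the keystore must now be among the trusted ones.
    mine = fingerprints_in(ks, storepass)
    if not mine <= fingerprints_in(cacerts, "changeit"):
        raise RuntimeError("cacerts does not contain the certificate from easastore.jks")
    return mine


def import_pfx(pfx, pfx_pass, src_alias, storepass, workdir=Path(".")):
    """Third-party certificate delivered as .pfx: move key pair and chain into
    easastore.jks under alias tomcat in one call, instead of the GUI export/import.
    Find src_alias with: keytool -list -storetype PKCS12 -keystore <file.pfx>"""
    ks = workdir / "easastore.jks"
    keytool("-importkeystore", "-noprompt",
            "-srckeystore", str(pfx), "-srcstoretype", "PKCS12", "-srcstorepass", pfx_pass,
            "-srcalias", src_alias, "-destalias", "tomcat",
            "-destkeystore", str(ks), "-deststoretype", "JKS",
            "-deststorepass", storepass, "-destkeypass", storepass)
    return fingerprints_in(ks, storepass)


if __name__ == "__main__":
    # usage: python easa_ssl.py <host> <storepass> "<EASA Root>/jre/lib/security/cacerts"
    host, storepass, cacerts_src = sys.argv[1:4]
    for fp in sorted(self_signed_setup(host, storepass, cacerts_src)):
        print("trusted in cacerts:", fp)
```

The fingerprint comparison is the check the page's manual procedure leaves to the eye: a typo in the alias or file name would otherwise go unnoticed until browsers or the EASA Client reject the connection.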

Configuring EASA to use SSL

After a key pair has been created and stored in easastore.jks and the SSL Certificate has been imported into a copy of cacerts, EASA can be configured to use secure SSL mode following the steps below. The edited cacerts copy (kept in a location where the current Windows user has write access, since the original may be read-only) is the file to distribute:

For each EASA and Excel server, copy the edited cacerts file back to its original location, <EASA Root>/jre/lib/security/cacerts (keep a backup of the original).

Copy the cacerts file to the folder <EASA Root>\webapps\easa\client\security. Create any folders required.

Copy the cacerts file to the folder Program Files (x86)\<EASA_ClientX.X>\jre\lib\security on every machine where the EASA Client is installed; the client's own Java runtime will otherwise not trust the certificate.

For the EASA Server, copy the file easastore.jks to <EASA Root>/tomcat/conf. It contains the private key, so restrict read access to the account the EASA Server runs under.

Configuring EASA to use HTTPS

Once the SSL key pair and certificate are in the expected locations, the last task is to configure the EASA Server to use HTTPS.

Edit the file <EASA Root>\webapps\easa\WEB-INF\web.xml and delete the following section if it exists:

<servlet-mapping>
<servlet-name>UserData</servlet-name>
<url-pattern>/client/security/*</url-pattern>
</servlet-mapping>

Edit the file <EASA Root>/tomcat/conf/server.xml as follows. Add the following Connector tag (edit the port number and other attributes as required):

<Connector port="8443" maxThreads="150" minSpareThreads="25"
maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="./conf/easastore.jks" keystorePass="123123" acceptCount="100"
debug="0" clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8" />

Tomcat attribute names are case-sensitive (clientAuth, not clientauth; a misspelt attribute is silently ignored). keystorePass must be the password of easastore.jks and is stored in clear text, so use a real password rather than 123123 and restrict who can read server.xml; if the key pair entry has a different password from the keystore, add keyPass="..." as well. sslProtocol="TLS" lets the JVM negotiate any protocol version it supports; where the bundled Tomcat version supports it, add sslEnabledProtocols="TLSv1.2" (or "TLSv1.2,TLSv1.3") so that the obsolete SSLv3 and TLS 1.0 versions are never offered.

Edit the original Connector tag (usually identified by port="80" or port="8080") by adding the attribute redirectPort="8443" (the port number must be the same as the one defined in the SSL Connector tag above). Note that Tomcat uses redirectPort only for requests that a <security-constraint> in web.xml marks as requiring SSL; other requests arriving on the plain port are still served in clear, so close or firewall that port if all traffic must be HTTPS.
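A reviewer's check of the Connector settings discussed above, as an added example that is not part of the page or of EASA. It parses a server.xml with the standard library and reports the points a practitioner would raise: weak or default keystorePass, the clientAuth spelling, missing sslEnabledProtocols, legacy attributes, and a plain connector whose redirectPort does not name the SSL port. Both inputs are constructed samples: the page's Connector as written, and a hardened version that passes.

```python
"""Lint the Connector tags in a Tomcat server.xml for the SSL settings
discussed on this page. Added example; stdlib only; inputs are constructed."""
import xml.etree.ElementTree as ET

# Constructed sample 1: the page's SSL Connector as written, plus a plain
# connector on which redirectPort has not been set yet.
AS_WRITTEN = """<Server><Service name="Catalina">
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
<Connector port="8443" maxThreads="150" minSpareThreads="25"
 maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true"
 scheme="https" secure="true" SSLEnabled="true"
 keystoreFile="./conf/easastore.jks" keystorePass="123123" acceptCount="100"
 debug="0" clientauth="false" sslProtocol="TLS" URIEncoding="UTF-8" />
</Service></Server>"""

# Constructed sample 2: the same pair after the fixes the linter asks for.
HARDENED = """<Server><Service name="Catalina">
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
<Connector port="8443" maxThreads="150" minSpareThreads="25"
 enableLookups="false" disableUploadTimeout="true"
 scheme="https" secure="true" SSLEnabled="true"
 keystoreFile="./conf/easastore.jks" keystorePass="kq7Vx2-Long-Random-Pw" acceptCount="100"
 clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.3"
 URIEncoding="UTF-8" />
</Service></Server>"""

WEAK_PASSWORDS = {"123123", "changeit", "password", "tomcat", "secret"}
LEGACY_ATTRS = {"debug", "maxSpareThreads"}   # Tomcat 5.5-era, not supported since Tomcat 6


def lint_connectors(server_xml):
    """Return [(port, finding), ...]; an empty list means nothing to fix."""
    root = ET.fromstring(server_xml)
    connectors = list(root.iter("Connector"))
    ssl = [c for c in connectors if c.get("SSLEnabled", "").lower() == "true"]
    if not ssl:
        return [("-", 'no Connector with SSLEnabled="true": HTTPS is not configured')]
    findings = []
    ssl_ports = {c.get("port") for c in ssl}
    for c in ssl:
        port = c.get("port")
        if c.get("scheme") != "https" or c.get("secure") != "true":
            findings.append((port, 'SSL connector needs scheme="https" secure="true"'))
        if c.get("keystorePass") in WEAK_PASSWORDS:
            findings.append((port, "keystorePass is a well-known value; choose a real password "
                                   "and restrict read access to server.xml"))
        for name in c.keys():
            if name.lower() == "clientauth" and name != "clientAuth":
                findings.append((port, f'"{name}" is ignored: attribute names are '
                                       "case-sensitive, use clientAuth"))
        if c.get("sslEnabledProtocols") is None:
            findings.append((port, 'no sslEnabledProtocols: add sslEnabledProtocols="TLSv1.2" '
                                   "(or TLSv1.2,TLSv1.3) so SSLv3 and TLS 1.0 are never offered"))
        for name in sorted(LEGACY_ATTRS & set(c.keys())):
            findings.append((port, f'"{name}" is a legacy attribute that current Tomcat ignores'))
    for c in connectors:
        if c in ssl:
            continue
        if c.get("redirectPort") not in ssl_ports:
            findings.append((c.get("port"), f'redirectPort is {c.get("redirectPort")!r}; it must '
                                            f'name the SSL connector port ({", ".join(sorted(ssl_ports))})'))
    return findings


if __name__ == "__main__":
    for label, xml_text in (("as written", AS_WRITTEN), ("hardened", HARDENED)):
        print(f"--- {label}")
        for port, finding in lint_connectors(xml_text) or [("-", "OK")]:
            print(f"port {port}: {finding}")
```

Run it against the real <EASA Root>/tomcat/conf/server.xml by reading the file and passing its text to lint_connectors; the password list is deliberately short and should be extended with whatever defaults are in use locally.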

In the file jsf-easa/admin/config/context.properties, set the URL that browsers use to reach the EASA server:

# url for connection from web browser to easa server, if easa server is a remote machine
easa.server.public=https://<domain_Name>:8443/easa

Optionally set a 'private' URL, used behind the scenes for connections to the EASA server once the user has connected through the public address above; normally it is the same value:

easa.server.private=https://<domain_Name>:8443/easa

Finally, tell the EASA Server where to find the JSF Server:

jsf.public.url=https://<domain_Name>:8443/jsf-easa

All three must use the https scheme, the host name that appears in the certificate and the port of the SSL Connector; otherwise EASAPs will not open.

Stop and then start the EASA Server software. Then browse to https://<domain_Name>:8443/easa and confirm that the certificate the browser shows is the one you created (in the self-signed case, after accepting the warning once).

