The EASA Server (or more specifically Tomcat) can be run in Secure Mode which will run HTTP over SSL which is referred to as HTTPS. Some general background is required before we describe the EASA-specific configuration details.
SSL stands for Secure Socket Layer and it uses a technology known as Public Key Cryptography: a sender encrypts an HTTP packet using the receiver's public key.
A public key is the result of passing a private key into a known 'one-way' mathematical function—generally the RSA algorithm—that has no inverse, thus the private key cannot be discovered even though the 'one-way' function and the output public key are both known. Once a sender obtains a receiver's public key, a message is encrypted by the sender, sent, and then decrypted by the receiver using the private key which—by definition—is known only to the entity that generated the public key, the receiver.
However the above encryption system can be compromised if the sender initially asks the receiver for a public key but that request is intercepted by a man-in-the-middle who sends his own public key instead. Now the sender uses the counterfeited receiver's public key to encrypt a message, sends it, the man-in-the-middle decodes it, reads it, encodes it with the receiver's actual public key, and sends it along to the receiver who has no way to know that the message has been read and its 'confidentiality' compromised.
To prevent a man-in-the-middle attack an SSL Certificate in essence is created, stored by a 'trusted third party' and shared with the receiver's initial message containing his public key (in actuality the details are more complicated). Alternately, the receiver may 'self certify' his public key without using a Certificate Authority. This involves a security warning from the sender's browser which has to be acknowledged and dismissed by the sender before the 'self-certified' certificate can be added to the file containing certificates from a trusted third-party. Once the certificate is accepted by the user's browser the first time, no more security warnings will be shown for the life of the certificate.
Thus configuring SSL involves three essential steps:
Once cacerts has the self-signed certificate, and the key pair is stored in the keystore, the EASA Server can be configured to run HTTPS.
Two methods are detailed below:
Open the command line console and navigate to the directory where keytool.exe is located. For a standard installation its:
Type the following command:
keytool –genkey –keyalg RSA –alias tomcat –keystore easastore.jks –storepass 123123 –validity 360 –keysize 2048
Blue text are values that can be customized
-keyalg: is the encryption algorithm to be used (choose from:
RSA DSA EC DES DESede)
-alias the name of the self-signed certificate
-keystore the name of the keystore file which will be created with the self-signed certificate (.jks extension required)
-storepass the password for the keystore file (and by default for the certificate)
-validity the number of days before the certificate will expire
-keysize the key size in bits depending on the type of encryption that is used
(2048 for RSA, 1024 for DSA, 256 for EC, 56 for DES and 168 for DESede)
Fill in the prompts for your organization information. When it asks for your first and last name, enter the domain name of the server or in our case we will use the name of the machine where EASA Server is installed.
Now we export the newly created certificate inside easastore.jks so we may import it to cacerts file later.
To export the certificate run:
keytool –export –alias tomcat –file tomcat.crt –keystore easastore.jks
is the alias we set before in the previous command
tomcat.crt is the name of the certificate file. It can be .cer or .crt
easastore.jks is the keystore we created before in the previous command
It will ask for password and will export the certificate on a file:
Copy the file:
to the same location than the keystore and the certificate.
In this case:
Run the following command to import the certificate to the tomcat file:
keytool –import –trustcacerts –alias tomcat –file tomcat.crt –keystore cacerts
is the alias we set before in the previous command
tomcat.crt is the name of the certificate file. It can .cer or .crt
cacertsis the EASA tomcat keystore
It will ask for cacerts keystore password, which by default is: changeit
Once we have
easastore.jks with our key pair and cacerts contains our self-signed certificate, skip to Configuring EASA Server to use SSL
Download and Open Keystore Explorer. (http://keystore-explorer.sourceforge.net/)
If asked to upgrade Java Cryptography then:
Click on create a new Keystore:
Select JKS and click OK:
Click on Tools→Generate key pair:
Select RSA with key size 2048, then OK:
Click Edit name:
Fill in each field on the form with the relevant data. Common Name must be the name of the EASA Server. Click OK twice:
Enter tomcat as Key Pair Entry Alias. Click OK:
Enter 123123 as Key Pair Entry Password. Click OK:
Key Pair and Certificate will be created:
Enter 123123 as Password for Keystore file:
Select a folder in which to save the Keystore file. Select filename easastore.jks and file type Keystore Files:
Right-click tomcat and select Export Certificate Chain:
Select: Entire Chain, PKCS #7, tick PEM, and browse to an export folder:
Navigate to the export folder. Double-click easastore.jks to open the keystore with Windows Certificates Manager:
Select our certificate, right-click on it, select All Tasks→Export:
Keep all defaults, except save File Name as tomcat.cer in the export folder. Click Finish:
Close Keystore Explorer and Windows Certificates Manager.
Copy the file
<EASA Root>/jre/lib/security/cacerts to the same location
as the previously created keystore and certificates.
Open Keystore Explorer. Select File→Open, browse to
cacerts. The password is changeit:
Click on Tools→Import Trusted Certificate:
Select tomcat.cer and click Import:
The certificate is 'self-signed' which does not involve a trusted third-party
Certificate Authority so click OK to examine the certificate.
Click OK to accept the certificate:
Set the Alias to tomcat and click OK, twice:
Save cacerts file and close Keystore Explorer.
These instructions assume that a certificate is already available within a Personal Information Exchange (.pfx) file.
<EASA Root>/jre/lib/security/cacertsto another location where the current Windows user has write access.
After a key pair has been created and stored in
easastore.jks and an SSL Certificate
has been created and installed in cacerts, EASA
can be configured to use Secure SSL mode following the steps below.
Copy the file
<EASA Root>/jre/lib/security/cacerts to another location where the current Windows user has write access.
For each EASA and Excel server, copy the
cacerts file to its original location,
Copy the cacerts file to the following folder
Create any folders required.
Copy the cacerts file to the following folders on all machines where the EASA Client is installed
Program Files (x86)\<EASA_ClientX.X>\jre\lib\security
For the EASA Server copy the file
Once the SSL key pair and certificate are in the expected locations, the last task is to configure the EASA Server to use HTTPS.
Edit the file
and delete the following section if it exists:
<servlet-mapping> <servlet-name>UserData</servlet-name> <url-pattern>/client/security/*</url-pattern> </servlet-mapping>
Edit the file
<EASA Root>/tomcat/conf/server.xml file as follows: Add the following Connector tag (Edit the port number and other attributes as required):
<Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" scheme="https" secure="true" SSLEnabled="true" keystoreFile="./conf/easastore.jks" keystorePass="123123" acceptCount="100" debug="0" clientauth="false" sslProtocol="TLS" URIEncoding="UTF-8" />
Edit the original Connector tag (often identified by port=80 or port=8080) by adding the attribute redirectPort=“8443” (The port number should be the same as the one defined in the SSL Connector tag above).
jsf-easa/admin/config/context.properties file, set:
# url for connection from web browser to easa server, if easa server is a remote machine\\ easa.server.public=https://<domain_Name>:8443/easa
Optionally set a 'private' or invisible url for connection to easa server, when the user connects to the public address above:
Finally, tell the EASA Server where to find the JSF Server:
These need to be set properly for EASAPs to open properly.
Stop and then Start the EASA Server software.