Configuring TLS/SSL involves three generic steps
Once cacerts has the self-signed certificate, and the key pair is stored in the keystore, the EASA Server can be configured to run HTTPS.
Two self-signing methods are detailed:
Using a third party cert:
After a key pair has been created and stored in easastore.jks and an SSL certificate has been created and installed in cacerts, follow the steps below to configure EASA to use TLS/SSL mode.
The two methods above produce the cacerts and easastore.jks files in one of two possible locations; use the one that corresponds to your case.
Copy the updated cacerts and easastore.jks files to the following locations, creating any folders that do not yet exist.
Once the SSL key pair and certificate are in the expected locations, the last task is to configure the EASA Server to use HTTPS.
1. Edit the file <EASAROOT>\tomcat\conf\server.xml. The HTTPS Connector appears in this file inside an XML comment, as shown below, and is only active once the surrounding <!-- and --> are removed. Replace the placeholder keystorePass value with the password used when easastore.jks was created. Note that TLSv1 and TLSv1.1 are deprecated (RFC 8996); remove them from sslEnabledProtocols unless a legacy client still requires them, leaving TLSv1.2 (and TLSv1.3 where the JRE supports it).
<!-- <Connector port="443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" scheme="https" secure="true" SSLEnabled="true" keystoreFile="./conf/easastore.jks" keystorePass="123123" acceptCount="100" debug="0" clientauth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" URIEncoding="UTF-8" useServerCipherSuitesOrder="true" ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, ... -->
2. In the same server.xml file, edit the original (plain HTTP) Connector tag so that its 'redirectPort' matches the port of the HTTPS Connector, i.e. change it if the HTTPS port is not 443.
<Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" URIEncoding="UTF-8" enableLookups="false" secure="false"/>
3. In the <SERVERDATA>\jsf-easa\admin\config\context.properties file set the following, replacing domain_name with the host name that matches the certificate's subject (a browser will warn if the two differ):
# url for connection from web browser to easa server,
# if easa server is a remote machine
easa.server.public=https://domain_name:443/easa
4. Optionally, set a 'private' URL for connection to the EASA Server that is used when a User connects to the address above.
5. Finally, tell the EASA Server where to find the EASAP Server.
If these are set properly, EASAPs will open.
6. Stop and then Start the EASA Server software.
Prior to installation, the EASAP Builder and Compute Server Config Tool (together historically known as the EASA Client) will look for a cacerts file in a folder called security\
To install the EASA Client with a custom cacerts file:
Once the installation is complete the EASAP Builder and Compute Server Config Tool will use the custom SSL encryption settings.
By default EASA will not encrypt a connection to a remote database.
For added security we recommend using a self-signed or third-party certificate to encrypt these connections.
After the remote database has been configured to require TLS/SSL for incoming connections, modify each database configuration *.xml file on the EASA Server (changes to this folder propagate to other machines such as an EASAP Server or an Excel Server).
Decide whether a self-signed or a third-party certificate will be used, then add a property to each *.xml file.
If using a self-signed certificate add:
If using a third-party certificate add:
Add the following property to each *.xml file:
If using a third-party certificate, install it in <SERVERDATA>\jre\lib\security\cacerts (the steps can be found at Enable TLS using a Certificate Authority and Keystore Explorer).
After TLS/SSL has been configured and activated, a customer may wish all plain HTTP requests to be redirected to encrypted HTTPS URLs.
To ensure that a browser requesting an http URL is redirected to the https URL, add the following security-constraint to the web.xml deployment descriptor of the EASA web application. Tomcat performs this redirect using the 'redirectPort' of the plain HTTP Connector set in step 2 above, so that value must point at the HTTPS Connector's port or the redirect will fail:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Context</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <!-- auth-constraint goes here if you require authentication -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
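The three files edited above (server.xml in steps 1 and 2, context.properties in step 3, and the web.xml security-constraint just shown) have to agree with each other, and a mistake in one of them only surfaces after the restart in step 6. The following Python script is an added example, not EASA's or Tomcat's own code, that checks them offline for the problems this page warns about: an HTTPS Connector still inside an XML comment, the placeholder keystorePass, deprecated TLSv1/TLSv1.1 in sslEnabledProtocols, a redirectPort that does not match the HTTPS port, an easa.server.public URL that is not https:// or uses the wrong port, and a missing CONFIDENTIAL transport-guarantee for /*. The sample file contents are constructed for the example; the attribute and property names are the ones on this page, while the web.xml file name and the idea that TLSv1.2/TLSv1.3 are the protocols to keep are assumptions about a standard Tomcat deployment.

```python
import re
import xml.etree.ElementTree as ET

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # retired by RFC 8996 and its predecessors
PLACEHOLDER_PASSWORDS = {"123123", "changeit"}  # the page's sample value and the JDK default


def _local(tag):
    """Strip a namespace prefix so web.xml parses the same with or without an xmlns."""
    return tag.rsplit("}", 1)[-1]


def audit_server_xml(text):
    """Return (findings, https_port) for the Connector tags in server.xml."""
    findings = []
    root = ET.fromstring(text)  # ElementTree drops <!-- --> comments: a commented-out Connector is invisible
    connectors = [e for e in root.iter() if _local(e.tag) == "Connector"]
    https = [c for c in connectors if c.get("SSLEnabled", "").lower() == "true"]
    if not https:
        findings.append('server.xml: no active Connector with SSLEnabled="true" '
                        "(is the HTTPS Connector still inside <!-- -->?)")
        return findings, None
    https_port = https[0].get("port")
    for c in https:
        if c.get("scheme") != "https" or c.get("secure", "").lower() != "true":
            findings.append(f'server.xml: Connector {https_port} needs scheme="https" secure="true"')
        protocols = {p.strip() for p in c.get("sslEnabledProtocols", "").split(",") if p.strip()}
        legacy = sorted(protocols & DEPRECATED_PROTOCOLS)
        if legacy:
            findings.append("server.xml: deprecated protocols enabled: " + ", ".join(legacy))
        if c.get("keystorePass") in PLACEHOLDER_PASSWORDS:
            findings.append("server.xml: keystorePass is a placeholder, not the easastore.jks password")
    for c in connectors:  # every plain Connector must redirect to the HTTPS port (step 2)
        if c not in https and c.get("redirectPort") != https_port:
            findings.append(f"server.xml: Connector {c.get('port')} has redirectPort={c.get('redirectPort')} "
                            f"but the HTTPS Connector listens on {https_port}")
    return findings, https_port


def audit_context_properties(text, https_port):
    """Check that easa.server.public is an https:// URL on the HTTPS Connector's port (step 3)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    url = props.get("easa.server.public", "")
    m = re.match(r"^(https?)://[^/:]+(?::(\d+))?(?:/|$)", url)
    if not m or m.group(1) != "https":
        return [f"context.properties: easa.server.public must be an https:// URL, got {url!r}"]
    port = m.group(2) or "443"  # https without an explicit port means 443
    if https_port and port != https_port:
        return [f"context.properties: easa.server.public uses port {port}, "
                f"but the HTTPS Connector listens on {https_port}"]
    return []


def audit_web_xml(text):
    """Confirm a security-constraint forces CONFIDENTIAL transport for url-pattern /*."""
    for sc in ET.fromstring(text).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns = {(e.text or "").strip() for e in sc.iter() if _local(e.tag) == "url-pattern"}
        guarantees = {(e.text or "").strip() for e in sc.iter() if _local(e.tag) == "transport-guarantee"}
        if "/*" in patterns and "CONFIDENTIAL" in guarantees:
            return []
    return ["web.xml: no security-constraint with url-pattern /* and transport-guarantee CONFIDENTIAL"]


def audit(server_xml, context_properties, web_xml):
    """Run all three checks; an empty list means the files are consistent with each other."""
    findings, https_port = audit_server_xml(server_xml)
    return findings + audit_context_properties(context_properties, https_port) + audit_web_xml(web_xml)


# Constructed samples (not copied from an installation): the weak set reproduces the mistakes
# the page warns about, the hardened set is what the steps above should leave behind.
WEAK_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="80" protocol="HTTP/1.1" redirectPort="443" secure="false"/>
  <Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
             keystoreFile="./conf/easastore.jks" keystorePass="123123"
             sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
</Service></Server>"""
HARDENED_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="80" protocol="HTTP/1.1" redirectPort="443" secure="false"/>
  <Connector port="443" scheme="https" secure="true" SSLEnabled="true"
             keystoreFile="./conf/easastore.jks" keystorePass="example-keystore-secret"
             sslEnabledProtocols="TLSv1.2,TLSv1.3"/>
</Service></Server>"""
WEAK_PROPS = "# url for connection from web browser to easa server\neasa.server.public=http://domain_name/easa\n"
HARDENED_PROPS = "easa.server.public=https://domain_name:443/easa\n"
WEAK_WEB_XML = '<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><display-name>easa</display-name></web-app>'
HARDENED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection><web-resource-name>Protected Context</web-resource-name>
      <url-pattern>/*</url-pattern></web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""

if __name__ == "__main__":
    for label, files in (("weak", (WEAK_SERVER_XML, WEAK_PROPS, WEAK_WEB_XML)),
                         ("hardened", (HARDENED_SERVER_XML, HARDENED_PROPS, HARDENED_WEB_XML))):
        print(label, audit(*files) or ["OK"])
```

To run it against a real installation, read <EASAROOT>\tomcat\conf\server.xml, <SERVERDATA>\jsf-easa\admin\config\context.properties and the web application's web.xml into the three arguments of audit() instead of the constructed strings. Parsing with ElementTree rather than grepping is deliberate: it ignores the commented-out Connector exactly as Tomcat does, so "no active HTTPS Connector" is reported when step 1 was skipped rather than masked by the text still being present in the file.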