EASA Security: HTTPS and TLS/SSL

Configuring TLS/SSL involves three generic steps

  • Generate a key pair (a public key and private key) and store it in a keystore
  • Generate an SSL certificate so the public key can be confirmed as genuine
  • Export the SSL certificate to the trusted certificate file: cacerts

Once cacerts has the self-signed certificate, and the key pair is stored in the keystore, the EASA Server can be configured to run HTTPS.

Two self-signing methods are detailed:

  • keytool - a command-line tool which comes with the Java Runtime Environment.
  • Keystore Explorer - a GUI-oriented Windows utility
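The three generic steps carried out with keytool, as an added example (not from the EASA documentation or the linked pages): it assumes keytool is on PATH, that EASAROOT is the EASA install root, and that the alias easa, the host name and the passwords are placeholders to replace; on Windows the same commands are run from <EASAROOT>\jre\bin\ with the paths adjusted.

```shell
#!/bin/sh
# Added example (not from the EASA documentation): key pair, self-signed
# certificate and trust-store import with keytool. The install root, host
# name, alias "easa" and passwords below are placeholders (assumptions).
set -eu

EASAROOT="${EASAROOT:-/opt/easa}"                # placeholder install root
EASA_HOST="${EASA_HOST:-easa.example.internal}"  # placeholder server name
STOREPASS="${STOREPASS:-replace-this-password}"  # placeholder keystore password
CACERTS="${EASAROOT}/jre/lib/security/cacerts"   # JRE trust store, password "changeit"

# Steps 1 and 2: RSA key pair plus a self-signed certificate in easastore.jks.
# The SAN must match the name browsers will use, otherwise they reject the cert.
make_keypair() {
  keytool -genkeypair -alias easa -keyalg RSA -keysize 2048 -validity 365 \
    -storetype JKS -keystore easastore.jks \
    -storepass "$STOREPASS" -keypass "$STOREPASS" \
    -dname "CN=${EASA_HOST}, O=EASA example, C=US" \
    -ext "SAN=dns:${EASA_HOST}"
}

# Export the public certificate (DER) so other components can trust it.
export_cert() {
  keytool -exportcert -alias easa -keystore easastore.jks \
    -storepass "$STOREPASS" -file easa.cer
}

# Step 3: import the certificate into cacerts (the file is created if absent).
import_cert() {
  keytool -importcert -noprompt -alias easa -file easa.cer \
    -keystore "$CACERTS" -storepass changeit
}

# Check before copying files around: the alias must be present in both stores.
verify_stores() {
  keytool -list -alias easa -keystore easastore.jks -storepass "$STOREPASS" >/dev/null &&
    keytool -list -alias easa -keystore "$CACERTS" -storepass changeit >/dev/null
}
```

Run make_keypair, export_cert and import_cert in that order, then verify_stores, before copying easastore.jks and cacerts to the locations listed below.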

Using a third party cert:


Configure EASA machines to use TLS/SSL

After a key pair has been created and stored in easastore.jks, and an SSL certificate has been created and installed in cacerts, follow the steps below to configure EASA to use TLS/SSL mode.

The two methods above produce the cacerts and easastore.jks files in one of two locations; use the one that corresponds to your case.

  • For the keytool case: <EASAROOT>\jre\bin\
  • For the Keystore Explorer case: New Folder\

Copy the updated cacerts and easastore.jks files to the following locations, creating the necessary folders.

  1. For each EASA Server, EASAP Server and Excel Server, copy the new cacerts file to its original location: <EASAROOT>\jre\lib\security\cacerts
  2. Copy the cacerts file to the following client folder: <EASAROOT>\webapps\easa\client\security
  3. Copy the cacerts file to the following folders on any machines where the EASA Client (including the EASAP Builder) is installed: C:\Program Files (x86)\<EASA_Client_x.x>\jre\lib\security
  4. For the EASA Server copy the easastore.jks file to: <EASAROOT>\tomcat\conf\

Configure EASA Server to use HTTPS

Once the SSL key pair and certificate are in the expected locations, the last task is to configure the EASA Server to use HTTPS.

1. Edit the file: <EASAROOT>\tomcat\conf\server.xml

  • Remove the <!-- and --> tags to uncomment the following Connector tag (edit the port number and other attributes as required)
<!--
<Connector port="443" maxThreads="150"
  minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
  disableUploadTimeout="true" scheme="https" secure="true"
  SSLEnabled="true" keystoreFile="./conf/easastore.jks"
  keystorePass="123123" acceptCount="100" debug="0"
  clientauth="false" sslProtocol="TLS" 
  sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" URIEncoding="UTF-8" 
  useServerCipherSuitesOrder="true"
  ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
  ...
-->
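As an added example (not from the EASA documentation), the same Connector with sslEnabledProtocols restricted to TLSv1.2 and a cipher list that matches an RSA key: the TLS_ECDHE_ECDSA suites in the fragment above can only be negotiated when the key in easastore.jks is an EC key, so the list must match the key type that was generated. The alias easa and the password placeholder are assumptions.

```xml
<!-- Added example, not from the EASA documentation: HTTPS Connector for
     Tomcat 8 limited to TLSv1.2 with AEAD (GCM) cipher suites. Assumes an
     RSA key pair stored under the alias "easa" and a placeholder password. -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
  maxThreads="150" enableLookups="false" disableUploadTimeout="true"
  scheme="https" secure="true" SSLEnabled="true"
  keystoreFile="./conf/easastore.jks" keystorePass="REPLACE_WITH_STORE_PASSWORD"
  keyAlias="easa" clientAuth="false"
  sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"
  useServerCipherSuitesOrder="true"
  ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
  URIEncoding="UTF-8" />
```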

2. Edit the original Connector tag in the same server.xml file, changing 'redirectPort' if the HTTPS port is not 443.

<Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" 
  redirectPort="443" URIEncoding="UTF-8" enableLookups="false" secure="false"/>

3. In the <SERVERDATA>\jsf-easa\admin\config\context.properties file, set:

# url for connection from web browser to easa server, 
# if easa server is a remote machine
easa.server.public=https://domain_name:443/easa

4. Optionally, set a 'private' URL used for the connection to the EASA Server when a user connects to the address above:

easa.server.private=https://domain_name:443/easa

5. Finally, tell the EASA Server where to find the EASAP Server.

jsf.public.url=https://domain_name:443/jsf-easa

If these are set properly, EASAPs will open.

6. Stop and then Start the EASA Server software.


Install EASAP Builder and Compute Server Config Tool with a custom cacerts

Prior to installation, the EASAP Builder and Compute Server Config Tool (together historically known as the EASA Client) will look for a cacerts file in a folder called security\

To install the EASA Client with a custom cacerts file:

  1. Contact us at support@easasoftware.com for a link to download the EASA Client installer for Windows, then download it.
  2. In the folder containing the downloaded installer, create a folder named 'security'
  3. Copy the custom cacerts to 'security\cacerts'
  4. Run the installer .exe file
  5. The EASA Client and the custom cacerts file will be installed

Once the installation is complete the EASAP Builder and Compute Server Config Tool will use the custom SSL encryption settings.


Encrypt a connection to a remote database

By default EASA will not encrypt a connection to a remote database.

For added security we recommend using a self-signed or third-party certificate to encrypt these connections.

After the remote database has been configured to require TLS/SSL for incoming connections, modify each database configuration *.xml file on the EASA Server (changes to this folder propagate to other machines such as an EASAP Server or an Excel Server).

  • Modify the following files in: <SERVERDATA>\easa-share\admin\config\
    • easa.cfg.xml
    • excel.cfg.xml
    • excelTesting.cfg.xml
    • signer.cfg.xml

Decide if self-signed or third party certification will be used, then add a property to each *.xml file.

If using a self-signed certificate add:

     <property name="hibernate.connection.verifyServerCertificate">false</property>

If using a third-party certificate add:

     <property name="hibernate.connection.verifyServerCertificate">true</property>

Then add the following property to each *.xml file:

<property name="hibernate.connection.useSSL">true</property> 

Run: <SERVERDATA>\tomcat\bin\tomcat8w.exe:

  • Click the Java tab
  • Under 'Java Options' append a line: -Djsse.enableCBCProtection=false

If using a third-party certificate install it in: <SERVERDATA>\jre\lib\security\cacerts (the steps can be found at Enable TLS using a Certificate Authority and Keystore Explorer)


Activate a redirect from each HTTP url to an HTTPS url

After TLS/SSL has been configured and activated, a customer may wish all plain HTTP requests to be redirected to encrypted HTTPS URLs.

To ensure that a browser requesting an HTTP URL is redirected to the HTTPS URL:

  1. Open this file with a text editor: <EASAROOT>\webapps\easa\WEB-INF\web.xml
  2. Uncomment the block below (i.e., remove the <!-- and --> tags)
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Context</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <!-- auth-constraint goes here if you require authentication -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>