Overview

For security reasons it's recommended to run AppBoard over SSL (Secure Socket Layer). This will ensure all communications between clients (browsers) and the AppBoard server are encrypted.

By default AppBoard is configured with SSL disabled, but it does ship with a self-signed server certificate and can easily be enabled. In production environments this certificate should be replaced with one issued by a known Certificate Authority (CA) or one signed by a trusted root certificate within the organization.

Configuring AppBoard for SSL

To enable HTTPS (HTTP over SSL) mode use the HTTP_SSL runtime option and set it to true. In addition you may want to also change:

• HTTP_PORT: HTTPS is typically served on port 443
• KEYSTORE_FILE: if using your own certificate
• KEYSTORE_PASS: if using your own certificate
• KEYSTORE_TYPE: if using your own certificate

See the Runtime Options page for more information on these settings and how to configure them. After making any changes then restart the AppBoard service.

Do not configure SSL by editing the AppBoard server.xml file as this is a system file and replaced on upgrade. The correct way is to edit the runtime options.

Creating a Certificate

The basic process is:

1. pick a Certificate Authority, this may be in-house if the organization has a Standard Operating Environment with their own root certificate installed on all systems. Otherwise this would be a commercial CA such as VeriSign, Thawte, or Go Daddy.
2. create a Certificate Signing Request (CSR)
3. have the CA sign the request
4. download the signed certificate on the AppBoard server. Depending on the CA there should be instructions and options for the format of the signed certificate, ensure an appropriate format is downloaded for use with Tomcat. It's then necessary to import this certificate into a keystore file, replace the one shipped with AppBoard, and update the keystore pass and type options.

Another option is to generate a self-signed certificate to replace the self-signed certificate Edge ships with AppBoard. However, to end-users they will still be presented with certificate errors and warnings.

As an example, VeriSign have documented the process for tomcat as follows:

1. creating a CSR and submitting for signing.
2. importing the signed certificate into a JKS keystore. NOTE: as mentioned previously do not edit server.xml directly, use the runtime options as documented above.

Installing the Keystore

Once a valid keystore has been created it can be installed on the AppBoard server:

1. copy to the [INSTALL_HOME]/server/conf/ssl.crt/ directory. By default files in this directory are automatically included in full archives.
2. Edit setenv-custom.sh|.bat and update the KEYSTORE_FILE, KEYSTORE_PASS, and KEYSTORE_TYPE as required. If using the instructions above then the type should not need to be changed. Please note the keystore file path is relative to [INSTALL_HOME]/server/
3. As noted previously also make sure the HTTP_SSL option is set to true.
4. Restart the AppBoard server.

Redirecting HTTP traffic

There are two recommended approaches for redirecting standard HTTP traffic to HTTPS:

1. Use an external tool to redirect the traffic such as a load balancer or a full featured HTTP server like Apache. For many this will be the preferred option as since no configuration changes to enPortal/AppBoard are necessary.

1. Modify server/conf/server.xml and server/webapps/enportal/WEB-INF/web.xml to define an extra non-SSL connector that will redirect to the HTTPS port. This approach is well documented by the Tomcat user community.

Additional Topics

• Untrusted Certificates on iOS mobile devices
• Client Certificates / Client Authentication