Appboard/2.4/admin/ssl configuration: Difference between revisions
Latest revision as of 13:02, 5 September 2014
For security reasons it is recommended to run AppBoard over SSL (Secure Sockets Layer). This ensures that all communications between clients (browsers) and the AppBoard server are encrypted.
By default AppBoard is configured with SSL disabled, but it ships with a self-signed server certificate and SSL can easily be enabled. In production environments this certificate should be replaced with one issued by a known Certificate Authority (CA) or one signed by a trusted root certificate within the organization.
Configuring AppBoard for SSL
To enable HTTPS (HTTP over SSL) mode, set the HTTP_SSL runtime option to true. In addition you may also want to change:
- HTTP_PORT: HTTPS is typically served on port 443
- KEYSTORE_FILE: if using your own certificate
- KEYSTORE_PASS: if using your own certificate
- KEYSTORE_TYPE: if using your own certificate
See the Runtime Options page (appboard/2.4/admin/runtime_options) for more information on these settings and how to configure them. After making any changes, restart the AppBoard service.
Warning: Do not configure SSL by editing the AppBoard server.xml file, as it is a system file that is replaced on upgrade. The correct way is to edit the runtime options.
Creating a Certificate
The basic process is:
1. Pick a Certificate Authority. This may be in-house if the organization has a Standard Operating Environment with its own root certificate installed on all systems; otherwise this would be a commercial CA such as VeriSign, Thawte, or Go Daddy.
2. Create a Certificate Signing Request (CSR).
3. Have the CA sign the request.
4. Download the signed certificate to the AppBoard server. Depending on the CA there will be instructions and options for the format of the signed certificate; ensure a format suitable for use with Tomcat is downloaded. It is then necessary to import this certificate into a keystore file, replace the keystore shipped with AppBoard, and update the keystore pass and type options.
Another option is to generate a self-signed certificate to replace the self-signed certificate Edge ships with AppBoard. However, end users will still be presented with certificate errors and warnings.
As an example, VeriSign has documented the process for Tomcat as follows:
1. Creating a CSR and submitting it for signing: https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR227
2. Importing the signed certificate into a JKS keystore: https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&actp=CROSSLINK&id=AR153 NOTE: as mentioned previously, do not edit server.xml directly; use the runtime options as documented above.
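The keystore side of steps 2 and 4, as an added example that is not from the AppBoard documentation: it drives the JDK's keytool, the same tool the VeriSign articles use. The keystore name, the alias "tomcat", the organisation, host name and password are assumed values; signing the CSR (step 3) is done by the CA and is outside the script.

```shell
#!/bin/sh
# Added example, not from the AppBoard docs: create the server key pair and CSR
# (step 2), then install the CA-signed reply into the same keystore (step 4).
# Keystore name, alias, host name, organisation and password are assumed values.
set -eu

KS=server.jks          # new keystore; becomes the KEYSTORE_FILE runtime option
STOREPASS=changeit     # becomes KEYSTORE_PASS (Tomcat expects key pass == store pass)
STORETYPE=JKS          # becomes KEYSTORE_TYPE; recent JDKs default to PKCS12
ALIAS=tomcat

# Step 2: generate a 2048-bit RSA key pair under ALIAS and write a CSR for
# host $1. The SAN is what browsers check, so it goes into the request too.
make_csr() {
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$1, O=Example Org" -ext "san=dns:$1" \
        -keystore "$KS" -storetype "$STORETYPE" -storepass "$STOREPASS" -keypass "$STOREPASS"
    keytool -certreq -alias "$ALIAS" -ext "san=dns:$1" \
        -keystore "$KS" -storepass "$STOREPASS" -file server.csr
}

# Step 4: import the CA root as a trusted entry first, then the signed reply
# under ALIAS. keytool only installs the reply if it chains to a trusted root
# and matches the alias's key, so a wrong-CA or wrong-key certificate fails here.
install_signed_cert() {   # $1 = CA root certificate, $2 = signed server certificate
    keytool -importcert -alias root -file "$1" -keystore "$KS" -storepass "$STOREPASS" -noprompt
    keytool -importcert -alias "$ALIAS" -file "$2" -keystore "$KS" -storepass "$STOREPASS" -noprompt
}

# Pre-restart check: the alias must carry a chain of length 2 or more (server
# cert plus CA); 1 means the original self-signed certificate is still in place.
chain_length() {
    keytool -list -v -alias "$ALIAS" -keystore "$KS" -storepass "$STOREPASS" \
        | sed -n 's/^Certificate chain length: *\([0-9]*\).*/\1/p'
}

case "${1:-}" in
    csr)     make_csr "$2" ;;
    install) install_signed_cert "$2" "$3"; echo "chain length: $(chain_length)" ;;
    *)       echo "usage: $0 csr <hostname> | install <ca-root.crt> <signed-server.crt>" ;;
esac
```

Once the chain length check passes, point KEYSTORE_FILE, KEYSTORE_PASS and KEYSTORE_TYPE at the new keystore and restart AppBoard.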
Redirecting HTTP traffic
There are two recommended approaches for redirecting standard HTTP traffic to HTTPS:
1. Use an external tool to redirect the traffic, such as a load balancer or a full-featured HTTP server like Apache (http://httpd.apache.org/). For many this will be the preferred option, since no configuration changes to enPortal/AppBoard are necessary.
2. Modify server/conf/server.xml and server/webapps/enportal/WEB-INF/web.xml to define an extra non-SSL connector that redirects to the HTTPS port. This approach is well documented by the Tomcat user community. Note that, as warned above, server.xml is replaced on upgrade, so this change must be reapplied after upgrading.
Additional Topics
- Untrusted Certificates on iOS mobile devices (appboard/2.4/admin/untrusted_ssl_ios)
- Client Certificates / Client Authentication (appboard/2.4/admin/client_certificates)