Enportal/5.5/admin/ssl configuration: Difference between revisions

imported>Jason.nicholls
m (1 revision)
imported>Jason.nicholls
No edit summary
Line 1: Line 1:
[[Category:enPortal 5.5]]
[[Category:enPortal 5.5]]
{{DISPLAYTITLE:SSL Configuration}}
{{DISPLAYTITLE:SSL Configuration}}
For security reasons it's recommended to run enPortal over SSL (Secure Socket Layer). This will ensure all communications between clients (browsers) and the enPortal server are encrypted.
 
== Overview ==
 
For security reasons it's recommended to run AppBoard over SSL (Secure Socket Layer). This will ensure all communications between clients (browsers) and the AppBoard server are encrypted.


By default enPortal is configured with SSL disabled, but it does ship with a self-signed server certificate and can easily be enabled. In production environments this certificate should be replaced with one issued by a known Certificate Authority (CA) or one signed by a trusted root certificate within the organization.
By default enPortal is configured with SSL disabled, but it does ship with a self-signed server certificate and can easily be enabled. In production environments this certificate should be replaced with one issued by a known Certificate Authority (CA) or one signed by a trusted root certificate within the organization.
Line 18: Line 21:
{{Warning|Do not configure SSL by editing the enPortal server.xml file as this is a system file and replaced on upgrade. The correct way is to edit the runtime options.}}
{{Warning|Do not configure SSL by editing the enPortal server.xml file as this is a system file and replaced on upgrade. The correct way is to edit the runtime options.}}


== Creating a Certificate ==
=== Process Overview ===


The basic process is:
The basic process is:


# Pick a Certificate Authority. This may be in-house if the organization has a Standard Operating Environment with their own root certificate installed on all systems. Otherwise this would be a commercial CA such as VeriSign, Thawte, or Go Daddy.
# pick a Certificate Authority, this may be in-house if the organization has a Standard Operating Environment with their own root certificate installed on all systems. Otherwise this would be a commercial CA such as VeriSign, Thawte, or Go Daddy.
# Create a Certificate Signing Request (CSR)
# create a Certificate Signing Request (CSR)
# Have the CA sign the request
# have the CA sign the request
# Download the signed certificate on the enPortal server. Depending on the CA there should be instructions and options for the format of the signed certificate; ensure an appropriate format is downloaded for use with Tomcat. It's then necessary to import this certificate into a keystore file, replace the one shipped with enPortal, and update the keystore pass and type options.
# download the signed certificate from the CA. Depending on the CA a variety of formats may be on offer. Choose an appropriate format for Tomcat - which the CA may explicitly list as an option, otherwise choose PKCS#7 format. Other formats may require additional conversion steps before Tomcat can make use of it.
# create a Java KeyStore (JKS) file for Tomcat and install on the enPortal server.
 
Another option is to generate a self-signed certificate to replace the self-signed certificate Edge ships with enPortal. However, end-users will still be presented with certificate errors and warnings.
 
=== Creating Certificate & Keystore ===
 
For SSL Tomcat requires a Java KeyStore (JKS). The keystore needs to contain the private key, the signed certificate, and any intermediate certificates from the CA. To create and work with a keystore it is necessary to have Java installed and be able to run the <tt>keytool</tt> command.
 
The recommended approach is to use <tt>keytool</tt> to create the private key and CSR and keystore all in one go, then have the CA sign, and then import the signed certificate using PKCS#7 format directly into the keystore. This process is well outlined in the VeriSign documentation below:
 
# [https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR227 creating a CSR and submitting for signing] (using keytool and creating a keystore in the process).
# [https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&actp=CROSSLINK&id=AR153 importing the signed certificate into a JKS keystore] (in PKCS#7 / .p7b format)
# Then follow the instructions below on Installing the Keystore.
 
However, if you already have an existing private key, signed certificate, and intermediate certificates in X.509 format then some conversion is required before importing into a JKS. This process will require <tt>openssl</tt>.
 
# Convert the private key (''private.key''), signed certificate (''server_signed.crt''), and intermediate certificates (''ca.crt'') into PKCS#12 format:
#: <tt>openssl pkcs12 -export -in ''server_signed.crt'' -inkey ''private.key'' -CAfile ''ca.crt'' -caname root -chain -out combined.p12 -name ''your-alias''</tt>
#: You will be prompted to enter a password, make sure you set a password (do not leave blank). If you do not have any intermediate certificates then leave out the <tt>-CAfile</tt>, <tt>-caname</tt>, and <tt>-chain</tt> options.
# Create a JKS from the <tt>combined.p12</tt> file generated above:
#: <tt>keytool -importkeystore -srckeystore combined.p12 -srcstoretype PCKS12 -alias ''your-alias'' -destkeystore ''your-keystore.jks''</tt>
#: You will be prompted for the password set above and a new password, you '''must''' use the same password. ''your-alias'' must match the alias set in step (1).
# Take the resulting JKS file (<tt>''your-keystore.jks''</tt>) and follow the instructions below on Installing the Keystore.
 
=== Installing the Keystore ===
 
Once a valid keystore has been created it can be installed on the enPortal server:
 
# copy to the <tt>[INSTALL_HOME]/server/conf/ssl.crt/</tt> directory. By default files in this directory are automatically included in full archives.
# Edit <tt>setenv-custom.sh|.bat</tt> and update the <tt>KEYSTORE_FILE</tt>, <tt>KEYSTORE_PASS</tt>, and <tt>KEYSTORE_TYPE</tt> as required. If using the instructions above then the type should not need to be changed. Please note the keystore file path is relative to <tt>[INSTALL_HOME]/server/</tt>
# As noted previously also make sure the <tt>HTTP_SSL</tt> option is set to <tt>true</tt>.
# Restart the enPortal server.


Another option is to generate a self-signed certificate to replace the self-signed certificate Edge ships with enPortal. However, to end-users they will still be presented with certificate errors and warnings.


As an example, VeriSign have documented the process for Tomcat as follows:
== Redirecting HTTP traffic ==


# [https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR227 creating a CSR and submitting for signing].
There are two recommended approaches for redirecting standard HTTP traffic to HTTPS:
# [https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&actp=CROSSLINK&id=AR153 importing the signed certificate into a JKS keystore]. NOTE: as mentioned previously do not edit server.xml directly. Use the runtime options as documented above.


Additionally, a legacy enPortal's SSL certificate will need to be converted into Tomcat's certificate format to be used in enPortal 5. See the link below:
# Use an external tool to redirect the traffic such as a load balancer or a full featured HTTP server like [http://httpd.apache.org/ Apache]. For many this will be the preferred option as since no configuration changes to enPortal are necessary.
# [http://www.brandonchecketts.com/archives/convert-and-openssl-apache-ssl-certificate-to-a-pkcs12-tomcat Convert an OpenSSL (Apache) SSL Certificate to a PKCS12 (Tomcat)]


# Modify <tt>server/conf/server.xml</tt> and <tt>server/webapps/enportal/WEB-INF/web.xml</tt> to define an extra non-SSL connector that will redirect to the HTTPS port. This approach is [https://www.google.com/search?q=tomcat+web.xml+http+connector+forward+https&oq=tomcat+web.xml+http+connector+forward+https&aqs=chrome..69i57.12323j0j7&sourceid=chrome&es_sm=91&ie=UTF-8#q=tomcat+redirect+http+to+https&safe=active well documented by the Tomcat user community].


<!-- == Additional Topics ==
== Additional Topics ==


* [[appboard/2.5/admin/client_certificates|Client Certificates / Client Authentication]] -->
* [[appboard/2.5/admin/untrusted_ssl_ios|Untrusted Certificates on iOS mobile devices]]
* [[appboard/2.5/admin/client_certificates|Client Certificates / Client Authentication]]

Revision as of 07:45, 20 March 2015


Overview

For security reasons it's recommended to run AppBoard over SSL (Secure Socket Layer). This will ensure all communications between clients (browsers) and the AppBoard server are encrypted.

By default enPortal is configured with SSL disabled, but it does ship with a self-signed server certificate and can easily be enabled. In production environments this certificate should be replaced with one issued by a known Certificate Authority (CA) or one signed by a trusted root certificate within the organization.

Configuring enPortal for SSL

To enable HTTPS (HTTP over SSL) mode use the HTTP_SSL runtime option and set it to true. In addition you may want to also change:

  • HTTP_PORT: HTTPS is typically served on port 443
  • KEYSTORE_FILE: if using your own certificate
  • KEYSTORE_PASS: if using your own certificate
  • KEYSTORE_TYPE: if using your own certificate

See the Runtime Options page for more information on these settings and how to configure them. After making any changes then restart the enPortal service.

Template-warning.png
Do not configure SSL by editing the enPortal server.xml file as this is a system file and replaced on upgrade. The correct way is to edit the runtime options.

Process Overview

The basic process is:

  1. pick a Certificate Authority, this may be in-house if the organization has a Standard Operating Environment with their own root certificate installed on all systems. Otherwise this would be a commercial CA such as VeriSign, Thawte, or Go Daddy.
  2. create a Certificate Signing Request (CSR)
  3. have the CA sign the request
  4. download the signed certificate from the CA. Depending on the CA a variety of formats may be on offer. Choose an appropriate format for Tomcat - which the CA may explicitly list as an option, otherwise choose PKCS#7 format. Other formats may require additional conversion steps before Tomcat can make use of it.
  5. create a Java KeyStore (JKS) file for Tomcat and install on the enPortal server.

Another option is to generate a self-signed certificate to replace the self-signed certificate Edge ships with enPortal. However, end-users will still be presented with certificate errors and warnings.

Creating Certificate & Keystore

For SSL Tomcat requires a Java KeyStore (JKS). The keystore needs to contain the private key, the signed certificate, and any intermediate certificates from the CA. To create and work with a keystore it is necessary to have Java installed and be able to run the keytool command.

The recommended approach is to use keytool to create the private key and CSR and keystore all in one go, then have the CA sign, and then import the signed certificate using PKCS#7 format directly into the keystore. This process is well outlined in the VeriSign documentation below:

  1. creating a CSR and submitting for signing (using keytool and creating a keystore in the process).
  2. importing the signed certificate into a JKS keystore (in PKCS#7 / .p7b format)
  3. Then follow the instructions below on Installing the Keystore.

However, if you already have an existing private key, signed certificate, and intermediate certificates in X.509 format then some conversion is required before importing into a JKS. This process will require openssl.

  1. Convert the private key (private.key), signed certificate (server_signed.crt), and intermediate certificates (ca.crt) into PKCS#12 format:
    openssl pkcs12 -export -in server_signed.crt -inkey private.key -CAfile ca.crt -caname root -chain -out combined.p12 -name your-alias
    You will be prompted to enter a password, make sure you set a password (do not leave blank). If you do not have any intermediate certificates then leave out the -CAfile, -caname, and -chain options.
  2. Create a JKS from the combined.p12 file generated above:
    keytool -importkeystore -srckeystore combined.p12 -srcstoretype PCKS12 -alias your-alias -destkeystore your-keystore.jks
    You will be prompted for the password set above and a new password, you must use the same password. your-alias must match the alias set in step (1).
  3. Take the resulting JKS file (your-keystore.jks) and follow the instructions below on Installing the Keystore.

Installing the Keystore

Once a valid keystore has been created it can be installed on the enPortal server:

  1. copy to the [INSTALL_HOME]/server/conf/ssl.crt/ directory. By default files in this directory are automatically included in full archives.
  2. Edit setenv-custom.sh|.bat and update the KEYSTORE_FILE, KEYSTORE_PASS, and KEYSTORE_TYPE as required. If using the instructions above then the type should not need to be changed. Please note the keystore file path is relative to [INSTALL_HOME]/server/
  3. As noted previously also make sure the HTTP_SSL option is set to true.
  4. Restart the enPortal server.


Redirecting HTTP traffic

There are two recommended approaches for redirecting standard HTTP traffic to HTTPS:

  1. Use an external tool to redirect the traffic such as a load balancer or a full featured HTTP server like Apache. For many this will be the preferred option as since no configuration changes to enPortal are necessary.
  1. Modify server/conf/server.xml and server/webapps/enportal/WEB-INF/web.xml to define an extra non-SSL connector that will redirect to the HTTPS port. This approach is well documented by the Tomcat user community.

Additional Topics