Overview

For security reasons it's recommended to run AppBoard over SSL (Secure Socket Layer). This will ensure all communications between clients (browsers) and the AppBoard server are encrypted.

By default AppBoard is configured with SSL disabled, but it does ship with a self-signed server certificate and can easily be enabled. In production environments this certificate should be replaced with one issued by a known Certificate Authority (CA) or one signed by a trusted root certificate within the organization.

Configuring AppBoard for SSL

To enable HTTPS (HTTP over SSL) mode use the HTTP_SSL runtime option and set it to true. In addition you may want to also change:

• HTTP_PORT: HTTPS is typically served on port 443
• KEYSTORE_FILE: if using your own certificate
• KEYSTORE_PASS: if using your own certificate
• KEYSTORE_TYPE: if using your own certificate

See the Runtime Options page for more information on these settings and how to configure them. After making any changes then restart the AppBoard service.

Do not configure SSL by editing the AppBoard server.xml file as this is a system file and replaced on upgrade. The correct way is to edit the runtime options.

Process Overview

The basic process is:

1. pick a Certificate Authority, this may be in-house if the organization has a Standard Operating Environment with their own root certificate installed on all systems. Otherwise this would be a commercial CA such as VeriSign, Thawte, or Go Daddy.
2. create a Certificate Signing Request (CSR)
3. have the CA sign the request
4. download the signed certificate from the CA. Depending on the CA a variety of formats may be on offer. Choose an appropriate format for Tomcat - which the CA may explicitly list as an option, otherwise choose PKCS#7 format. Other formats may require additional conversion steps before Tomcat can make use of it.

Another option is to generate a self-signed certificate to replace the self-signed certificate Edge ships with AppBoard. However, end-users will still be presented with certificate errors and warnings.

Creating Certificate & Keystore

For SSL Tomcat requires a Java KeyStore (JKS). The keystore needs to contain the private key, the signed certificate, and any intermediate certificates from the CA. To create and work with a keystore it is necessary to have Java installed and be able to run the keytool command.

The recommended approach is to use keytool to create the private key and CSR and keystore all in one go, then have the CA sign, and then import the signed certificate using PKCS#7 format directly into the keystore. This process is well outlined in the VeriSign documentation below:

1. creating a CSR and submitting for signing.
2. importing the signed certificate into a JKS keystore. NOTE: as mentioned previously do not edit server.xml directly, use the runtime options as documented above.

However, if you already have an existing private key, signed certificate, and intermediate certificates in X.509 format then some conversion is required before importing into a JKS. This process will require openssl.

1. Convert the private key (private.key), signed certificate (server_signed.crt), and intermediate certificates (ca.crt) into PKCS#12 format:

   openssl pkcs12 -export -in server_signed.crt -inkey private.key -CAfile ca.crt -out combined.p12 -name your-alias

   You will

2. Convert and import the Intermediate certificates (if any) assuming file is called intermediate.cer: