Appboard/old/ssl certificate

Revision as of 23:15, 3 June 2012 by imported>Cmace (copied from internal)

Creating a Secure AppBoard/enPortal Server

AppBoard/enPortal is distributed with an invalid dummy SSL certificate for its Tomcat web server. This allows the system to function, but client web browsers will warn the user when they detect one or more of the following problems with the web server certificate:

  • The certificate has expired.
  • The certificate is not applicable to the server.
  • The certificate is not signed by an authorized Certificate Authority.


Selecting a Certificate Authority

A certificate for your web server must be signed by a Certificate Authority that is trusted by your web browser. There are many such authorities and most provide detailed assistance for obtaining a signed server certificate. When selecting an authority, be aware of the following points:

  • You need to obtain a signed Apache mod_ssl server certificate.
  • You may need to provide physical documentation to the Authority to establish proof of identity.
  • You need to renew certificates periodically (at least every 2 years). Renewal activities are typically less involved than origination activities.


Generating a Certificate Signing Request (CSR)

If you are running Tomcat behind another web server, such as Apache or Microsoft IIS, you need to configure the primary web server to handle the SSL connections from users. This primary server will negotiate all SSL-related functionality, then pass on any requests destined for the Tomcat container only after decrypting those requests.

To configure standalone Tomcat for SSL support, you need to create (or import) an SSL certificate. The OpenSSL utility is used to generate Certificate Signing Requests (CSRs) and certificates. Download the OpenSSL utility and generate a CSR. You must then submit the CSR to your Certificate Authority.


Installing the Certificate Files on the AppBoard/enPortal Server

Install the private key generated by the openssl tool. Copy the server.key file to the following location on your AppBoard/enPortal server:

/server/conf/ssl.key/

When your Certificate Authority provides you with a signed certificate, copy the file to the following location on your AppBoard/enPortal server:

/server/conf/ssl.crt/

Note: You must restart the enPortal web server after installing these files.
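The CSR and installation steps above, as an added shell example that is not part of the original AppBoard/enPortal documentation. The function names `make_csr` and `check_cert`, the subject fields and the 2048-bit RSA key size are assumptions; only `server.key` and the `ssl.key`/`ssl.crt` directories come from this page. `check_cert` confirms that a signed certificate belongs to the private key, has not expired and names the server before it is copied into place.

```shell
#!/bin/sh
# Added example. Subject fields and function names are placeholders chosen here.

# Digest of a PEM public key read from stdin (used to compare key, CSR and cert).
pub_digest() { openssl sha256 | awk '{print $NF}'; }

# Step 1: create server.key and server.csr in directory $2 for host name $1.
make_csr() {
    ( umask 077   # the private key must not be readable by other users
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$2/server.key" -out "$2/server.csr" \
          -subj "/C=US/O=Example Org/CN=$1" 2>/dev/null ) || return 1
    # The CSR must carry a valid self-signature and the same public key as the key file.
    openssl req -in "$2/server.csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    [ "$(openssl req -in "$2/server.csr" -noout -pubkey | pub_digest)" = \
      "$(openssl pkey -in "$2/server.key" -pubout | pub_digest)" ]
}

# Step 2: before copying the signed certificate ($1) to ssl.crt, check it
# against the private key ($2) and the host name users will browse to ($3).
check_cert() {
    cert=$1; key=$2; host=$3
    [ "$(openssl x509 -in "$cert" -noout -pubkey | pub_digest)" = \
      "$(openssl pkey -in "$key" -pubout | pub_digest)" ] \
        || { echo "certificate does not belong to this private key"; return 1; }
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
        || { echo "certificate has expired"; return 1; }
    openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q 'does match' \
        || { echo "certificate is not valid for $host"; return 1; }
    echo "ok"
}
```

Run `make_csr <host name> <directory>` once, submit the resulting `server.csr` to the Certificate Authority, and run `check_cert` on the file the authority returns. The check does not validate the chain to a trusted root.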


Creating Intermediate CA Certs

An intermediate certificate is the certificate, or certificates, that go between your site (server) certificate and a root certificate. The intermediate certificate, or certificates, completes the chain to a root certificate trusted by the browser.

Using an intermediate certificate means that you must complete an additional step in the installation process to enable your site certificate to be chained to the trusted root, and not show errors in the browser when someone visits your web site.

For instructions on the process of creating Intermediate CA Certs, please see the Intermediate CA Certs page.


Configuring AppBoard/enPortal for HTTPS

Perform the following steps to configure AppBoard/enPortal to use your SSL certificate and run under HTTPS:


Tip: AppBoard/enPortal ships with a sample certificate that you can use for testing purposes. If you run the following steps without completing the steps outlined above under "Installing the Certificate Files on the AppBoard/enPortal Server", the sample certificate will be used.


  1. Open the file /server/bin/setenv-custom.bat
  2. Uncomment the following lines:
    • set HTTP_PORT=443
    • set HTTP_SSL=true


Note: Some applications, such as Skype, run on port 443. If you see the error message "Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error" in your browser, check to make sure you do not have any other applications running on port 443 prior to starting Tomcat with the startup command