Security

The PureWeb server can be configured to communicate using SSL/TLS, but this is optional. Without it, login credentials and session data pass between client applications and the server in cleartext, so enable TLS on any server reachable from a network you do not fully control.

Installing an SSL Certificate

SSL certificates are required for the server to support HTTPS connections from client applications. A certificate may be acquired from a recognized certificate authority, or a self-signed certificate may be generated locally (browsers and clients will warn about a self-signed certificate unless it has been explicitly trusted). Either way, the certificate must be installed in the keystore used by the Apache Tomcat container before HTTPS connections are enabled.

SSL certificates may be requested from many different certificate authorities, all of which follow a process similar to the one described in this section.

In this example, we use keytool, a key and certificate management utility. Keytool is included in the Java Development Kit (JDK). For more information, see:
http://docs.oracle.com/javase/6/docs/technotes/tools/windows/keytool.html

Prerequisites

The procedure to generate a keystore requires the server's fully qualified domain name (FQDN), which becomes the common name of the certificate and must match the host name that clients use in the URL. If you do not know this name, determine it before starting; a certificate issued for the wrong name will be rejected by clients.

Procedure

  1. Open a command prompt (in Windows) or log in using PuTTY or a similar SSH tool (in Linux), using an account that can write to the Tomcat configuration directory, and navigate to the following directory:
    [installed_directory]\Server\tomcat\conf\
  2. Generate a key pair and self-signed certificate in a new keystore:
    keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore tomcat.keystore

    Specify the key size explicitly: keytool in JDK 7 and earlier defaults to a 1024-bit RSA key, which certificate authorities no longer accept. Protect the keystore with a strong password; the same password is placed in server.xml later, so restrict read access to both files to the account that runs the server.

    When prompted for the "first and last name", enter the fully qualified domain name of the host to which the certificate is applied; this becomes the certificate's common name (CN). Note that current browsers match the host name against the subject alternative name (SAN) rather than the CN, so confirm that your certificate authority will include the FQDN as a SAN in the signed certificate.

  3. Generate a certificate signing request (CSR):
    keytool -certreq -keyalg RSA -alias tomcat -file tomcat.csr -keystore tomcat.keystore
  4. Submit the CSR to the certificate authority (CA). Generally, this will involve copying and pasting the CSR generated above into an online enrollment form and possibly indicating that the server software is Apache Tomcat. The CSR contains only the public key; the private key never leaves the keystore.
  5. Review the signed certificate that you receive from the certificate authority. This may be in the form of a zip file containing the signed certificate along with other certificates to form the certificate chain.
  6. Import the signed certificate into the keystore, using the keytool commands. Import the CA's root and intermediate certificates first, each under its own alias, and then the signed server certificate under the same alias as the private key (tomcat), so that it replaces the self-signed certificate generated in step 2. For example:

    keytool -import -alias cross -keystore tomcat.keystore -trustcacerts -file gd_cross_intermediate.crt

    keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file gd_intermediate.crt

    keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file tomcat

    Depending on which certificate provider you used, the files that you receive may be slightly different from those above. Regardless, you will need to import all of the files that you receive. If keytool reports "Failed to establish chain from reply" on the final import, an intermediate certificate is missing; import it and retry. Importing the signed certificate under a different alias would store it as a trusted certificate unrelated to the private key, and the server would continue to present the self-signed certificate.

  7. Configure the Apache Tomcat container to use the signed certificate from the keystore.
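The following script is an added example and is not part of the PureWeb documentation or product. It performs steps 2, 3 and 6 above on Linux with explicit keytool settings (2048-bit key, SHA-256 signature, one-year validity, the FQDN as a subject alternative name) and then checks that the CA-signed chain actually replaced the self-signed certificate. Everything not taken from the page is an assumption: the host name pureweb.example.com, the organisation fields in -dname, a JDK 7 or later keytool on the PATH (required for -ext SAN and -storepass:env), and the file names tomcat.crt, gd_intermediate.crt and gd_cross_intermediate.crt for the files returned by the CA.

```shell
#!/bin/sh
# Added example (not PureWeb's own procedure): scripted keystore preparation for
# the Tomcat HTTPS connector, followed by a check of the imported chain.
# Assumed (not from the page): HOST, the -dname fields, JDK 7+ keytool on PATH,
# and the names of the certificate files received from the CA.
set -eu

HOST="${HOST:-pureweb.example.com}"      # assumed FQDN; must match what clients type
KEYSTORE="${KEYSTORE:-tomcat.keystore}"
ALIAS="tomcat"                           # alias that server.xml will reference
# The keystore password is read by keytool from the KEYSTORE_PASS environment
# variable (-storepass:env) so it never appears in shell history or `ps` output.

# Reject anything that is not a plausible fully qualified name: at least one dot,
# only letters, digits, dots and hyphens, no leading/trailing/double dots.
is_fqdn() {
  case "$1" in
    *[!A-Za-z0-9.-]*|.*|*.|*..*) return 1 ;;
    *.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Step 2: key pair and self-signed certificate. JDK 7 keytool defaults to a
# 1024-bit key and 90 days, so every parameter is set explicitly; the SAN is what
# browsers match the host name against.
gen_keypair() {
  keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 \
    -sigalg SHA256withRSA -validity 365 -keystore "$KEYSTORE" \
    -storepass:env KEYSTORE_PASS -keypass:env KEYSTORE_PASS \
    -dname "CN=$HOST, O=Example Org, C=US" -ext "SAN=dns:$HOST"   # O and C assumed
}

# Step 3: certificate signing request for the CA (contains only the public key).
gen_csr() {
  keytool -certreq -alias "$ALIAS" -file tomcat.csr -keystore "$KEYSTORE" \
    -storepass:env KEYSTORE_PASS -ext "SAN=dns:$HOST"
}

# Step 6: CA certificates first, then the signed server certificate under the
# SAME alias as the private key so it replaces the self-signed one. keytool
# refuses the last import if it cannot build a chain to a trusted root.
import_chain() {
  keytool -importcert -noprompt -alias cross -file gd_cross_intermediate.crt \
    -keystore "$KEYSTORE" -storepass:env KEYSTORE_PASS -trustcacerts
  keytool -importcert -noprompt -alias intermed -file gd_intermediate.crt \
    -keystore "$KEYSTORE" -storepass:env KEYSTORE_PASS -trustcacerts
  keytool -importcert -alias "$ALIAS" -file tomcat.crt \
    -keystore "$KEYSTORE" -storepass:env KEYSTORE_PASS -trustcacerts
}

# Extract N from the "Certificate chain length: N" line of `keytool -list -v`
# output read on stdin. 1 means the self-signed certificate is still in place;
# a CA-signed entry has at least 2 (server certificate plus intermediate).
chain_length() {
  sed -n 's/^Certificate chain length: *\([0-9][0-9]*\).*/\1/p' | head -n 1
}

verify_keystore() {
  len=$(keytool -list -v -alias "$ALIAS" -keystore "$KEYSTORE" \
          -storepass:env KEYSTORE_PASS | chain_length)
  [ "${len:-0}" -ge 2 ]
}

# Usage (with no argument the file only defines the functions):
#   KEYSTORE_PASS='...' HOST=pureweb.example.com sh tls_keystore.sh prepare  # steps 2-3
#   KEYSTORE_PASS='...' sh tls_keystore.sh finish                            # step 6 + check
case "${1:-}" in
  prepare)
    is_fqdn "$HOST" || { echo "HOST must be a fully qualified domain name" >&2; exit 1; }
    gen_keypair && gen_csr && echo "CSR written to tomcat.csr" ;;
  finish)
    import_chain && verify_keystore && echo "signed chain imported and verified" ;;
esac
```

Run the "prepare" stage before submitting the CSR and the "finish" stage after the CA's files are in place; a chain length of 1 after "finish" means the signed certificate was imported under the wrong alias.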

Configuring an HTTP Connection

Before completing the procedure in this section, if you are enabling an HTTPS connection, ensure that you have an SSL certificate installed in the Tomcat keystore as described in the previous section.

The procedure in this section involves editing the following lines of code.

  1. Navigate to the following file and open it in a text editor:
    [installed_directory]\tomcat\conf\server.xml
  2. To disable the plain HTTP connector (recommended once HTTPS is working, so that no client can fall back to a cleartext connection): comment out lines 4-10 in the code shown above.
  3. To enable an HTTPS connector:
    1. Remove the comments on lines 24 and 38.
    2. Ensure that the keystoreFile and keystorePass values on line 31 match the keystore you created and its password. If you created the keystore using keytool, you must also modify the keystoreType value on this line: keytool on JDK 8 and earlier creates a JKS keystore (keystoreType="JKS"), while JDK 9 and later default to PKCS12.
    3. Optionally, restrict the set of available ciphers to those that are cryptographically strong by including the ciphers configuration on lines 40-44. Without this setting the connector offers the JVM's default cipher list, which on older JDKs includes weak suites.
  4. Save the file before closing.
  5. Restart the server for the changes to take effect.

The default port used by the PureWeb server when configured to use SSL is 8443. If port 8443 is blocked, configure a port of your choice instead by replacing line 24 as follows:

<Connector port="[chosen_port]" address="0.0.0.0"

The address value 0.0.0.0 binds the connector to every network interface on the host; specify a single interface address instead if the server should only be reachable on one network.

Use the chosen port when accessing the server's administrative pages. For example, with port 443: https://localhost:443/pureweb/server/login.jsp. When connecting from another machine, use the server's fully qualified domain name in place of localhost; the name in the URL must match the name in the certificate, or the browser will report a certificate mismatch.
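The connector definitions below are an added example, not the block shipped in the PureWeb server.xml, so they do not correspond to the line numbers cited above. They show a plain HTTP connector left commented out beside an HTTPS connector on port 8443 that uses the keystore from the previous section, with the weak defaults replaced: only TLS 1.2 is enabled and only ECDHE suites are offered. The attribute names are those of the Tomcat 7 JSSE connector; the keystore path, password placeholder and alias are assumptions.

```xml
<!-- Added example (not PureWeb's own server.xml). Keystore path, password
     placeholder and alias are assumed; replace them with your own values. -->

<!-- Plain HTTP connector: leave it commented out once HTTPS works so that
     nothing can fall back to cleartext.
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000" redirectPort="8443" />
-->

<!-- HTTPS connector. keystoreType must match what keytool produced (JKS on
     JDK 8 and earlier, PKCS12 on JDK 9 and later). The GCM suites require
     Java 8; on Java 7 only the CBC_SHA256 suites listed here are available. -->
<Connector port="8443" address="0.0.0.0" protocol="HTTP/1.1"
           SSLEnabled="true" scheme="https" secure="true"
           maxThreads="150" clientAuth="false"
           keystoreFile="${catalina.base}/conf/tomcat.keystore"
           keystorePass="[keystore_password]"
           keystoreType="JKS"
           keyAlias="tomcat"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" />
```

Because keystorePass is stored in cleartext, restrict read access to server.xml to the account that runs Tomcat. After restarting, confirm the configuration from another machine with a browser or a TLS scanner: the certificate presented must be the CA-signed one, and a TLS 1.0 or RC4 handshake must be refused.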