Security

The PureWeb server can be configured to communicate using SSL/TLS, but this is optional.

If you do decide to implement SSL, you must have a valid certificate.


Installing an SSL certificate

SSL certificates are required for the server to support HTTPS connections from client applications. A certificate may be acquired from a recognized certificate authority, or generated locally. Either way, the certificate must be configured in the Apache Tomcat container before HTTPS connections are enabled.

SSL certificates may be requested from many different certificate authorities, all of which follow a process similar to the one described in this section.

In this example, we use keytool, a key and certificate management utility. Keytool is included in the Java Development Kit (JDK). For more information, see:
http://docs.oracle.com/javase/8/docs/technotes/tools/windows/keytool.html

Prerequisites

The procedure to generate a keystore requires the server's fully qualified domain name (FQDN). If you do not know this name, follow the procedure below to find it.

On Windows

  1. Launch the command prompt (go to Start | All Programs | Accessories | Command Prompt).
  2. Execute the following command:
    ipconfig /all

The Host Name and Primary DNS Suffix values together form the FQDN of the server.

On Linux

  1. Launch an instance of the command line utility.
  2. Type the following command:
    hostname -f

Procedure

  1. Open a command prompt (in Windows) or log in as root using PuTTY or a similar SSH tool (in Linux) and navigate to the following directory:
    [installed_directory]\Server\tomcat\conf\
  2. Generate a certificate:
    keytool -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore

    The common name must be the fully qualified domain name of the host to which the certificate is applied.

  3. Generate a certificate signing request (CSR):
    keytool -certreq -keyalg RSA -alias tomcat -file tomcat.csr -keystore tomcat.keystore
  4. Submit the CSR to the certificate authority (CA). Generally, this involves copying and pasting the CSR generated above into an online enrollment form and possibly indicating that the server software is Apache Tomcat.
  5. Review the signed certificate that you receive from the certificate authority. This may be in the form of a zip file containing the signed certificate along with other certificates to form the certificate chain.
  6. Import the signed certificate and its chain into the keystore using keytool. For example:

    keytool -import -alias cross -keystore tomcat.keystore -trustcacerts -file gd_cross_intermediate.crt

    keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file gd_intermediate.crt

    keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file tomcat

    Depending on which certificate provider you used, the files that you receive may be slightly different from those above. Regardless, you will need to import all of the files that you receive.

  7. Configure the Apache Tomcat container to use the signed certificate from the keystore.

Configuring an HTTP connection

If you are enabling an HTTPS connection, ensure that you have an SSL certificate before completing the procedure in this section.

The procedure in this section involves editing the following lines of server.xml. The line numbers used in the steps below refer to this listing, counting the first comment line as line 1.

<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
<!-- When enabling SSL, uncomment the 8443 connector below.  Make sure this 8080 connector
     is still valid as it may still be needed by the apps. -->
<Connector port="8080" address="0.0.0.0"
    maxHttpHeaderSize="8192"
    maxKeepAliveRequests="-1"
    maxThreads="150" minSpareThreads="25" 
    enableLookups="false" redirectPort="8443" acceptCount="100"
    connectionTimeout="600000" disableUploadTimeout="true"
    useBodyEncodingForURI="true" URIEncoding="UTF-8" />

<!-- Note : To disable connection timeouts, set connectionTimeout value to 0 -->

<!-- Note : To use gzip compression you could set the following properties :
            compression="on"
            compressionMinSize="2048"
            noCompressionUserAgents="gozilla, traviata"
            compressableMimeType="text/html,text/xml"
-->

<!-- Define a SSL HTTP/1.1 Connector on port 8443
see http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support
-->
<!-- SSL <Connector port="8443" address="0.0.0.0" SSLEnabled="true"
      maxHttpHeaderSize="8192" emptySessionPath="false"
      maxKeepAliveRequests="-1"
      maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
      enableLookups="false" disableUploadTimeout="true"
      acceptCount="100" scheme="https" secure="true"
      clientAuth="false" sslProtocol="TLS"
      keystoreFile="conf/tomcat.keystore" keystorePass="password" keystoreType="PKCS12"
      useBodyEncodingForURI="true" URIEncoding="UTF-8"
      ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
      TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,
      TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, 
      TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"/>
-->
<!-- enable specific (non-weak) ciphers -->
<!-- ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, 
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, 
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" 
-->
  1. Navigate to the following file and open it in a text editor:
    [installed_directory]\tomcat\conf\server.xml
  2. To disable the plain HTTP connector, comment out lines 4-10 of the listing above (the <Connector port="8080" ...> element).
  3. To enable an HTTPS connector:
    1. Remove the comment markers on lines 24 (<!-- SSL) and 38 (-->) so that the 8443 connector becomes active.
    2. Ensure that the keystoreFile and keystorePass values on line 31 are set appropriately. If you created your certificate using keytool, you must also modify the keystoreType value on this line.
    3. Optionally, restrict the set of available ciphers to those that are cryptographically strong by including the ciphers configuration on lines 40-44. Review that list against current guidance before using it, since the RC4 and 3DES suites it contains are no longer considered strong.
  4. Save the file before closing.
  5. Restart the server for the changes to take effect.

The default port used by the PureWeb server when configured to use SSL is 8443. If port 8443 is blocked, configure a port of your choice instead by replacing line 24 as follows:

<Connector port="[chosen_port]" address="0.0.0.0"

Use the chosen port when accessing the server's administrative pages. For example, if you chose port 443: https://localhost:443/pureweb/server/login.jsp
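After editing server.xml, it is easy to leave the 8443 connector still wrapped in its XML comment, keep the placeholder keystorePass, or carry weak suites into the ciphers list. The following added example (not part of the PureWeb documentation) parses a constructed server.xml fragment modelled on the listing above, reports the connectors Tomcat would actually activate, flags a default keystore password and weak cipher suites, and guesses the keystore format from its leading bytes so the keystoreType attribute can be checked against the file keytool produced.

```python
# Added example: audit the Connector elements of a Tomcat server.xml.
import xml.etree.ElementTree as ET

# Constructed sample modelled on the page's listing. The 8443 connector is
# still inside an XML comment, exactly as shipped, so the parser will not see it.
SAMPLE_SERVER_XML = """<Server><Service>
<Connector port="8080" address="0.0.0.0" redirectPort="8443" />
<!-- SSL <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
     keystoreFile="conf/tomcat.keystore" keystorePass="password" keystoreType="PKCS12"
     ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,SSL_RSA_WITH_RC4_128_SHA"/> -->
</Service></Server>"""

# Substrings that mark suites no longer considered strong (RC4, DES/3DES, MD5, NULL, export, anonymous KX).
WEAK_SUITE_MARKERS = ("RC4", "DES_", "MD5", "NULL", "EXPORT", "anon")
# Magic numbers of the Java keystore formats; PKCS12 files are DER and start with a SEQUENCE tag (0x30).
KEYSTORE_MAGIC = {b"\xfe\xed\xfe\xed": "JKS", b"\xce\xce\xce\xce": "JCEKS"}

def detect_keystore_type(head: bytes) -> str:
    """Guess the keystore format from its first bytes, to compare with keystoreType in server.xml."""
    for magic, name in KEYSTORE_MAGIC.items():
        if head.startswith(magic):
            return name
    return "PKCS12" if head[:1] == b"\x30" else "UNKNOWN"

def weak_ciphers(cipher_attr: str) -> list:
    """Return the suites in a Tomcat ciphers="..." value that match a weak marker."""
    suites = [s.strip() for s in cipher_attr.split(",") if s.strip()]
    return [s for s in suites if any(m in s for m in WEAK_SUITE_MARKERS)]

def audit_connectors(server_xml: str) -> dict:
    """Map each active Connector port to its findings (an empty list means nothing was flagged)."""
    findings = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port, issues = conn.get("port"), []
        if conn.get("SSLEnabled", "false").lower() == "true":
            if conn.get("keystorePass") in (None, "", "password", "changeit"):
                issues.append("default or empty keystorePass")
            issues += [f"weak cipher suite: {s}" for s in weak_ciphers(conn.get("ciphers", ""))]
        findings[port] = issues
    return findings

def enable_ssl_connector(server_xml: str) -> str:
    """Remove the comment markers around the 8443 connector, as step 3.1 above does by hand."""
    return server_xml.replace("<!-- SSL ", "").replace("/> -->", "/>")

if __name__ == "__main__":
    print("as shipped:", audit_connectors(SAMPLE_SERVER_XML))
    print("after step 3.1:", audit_connectors(enable_ssl_connector(SAMPLE_SERVER_XML)))
```

Run it against your real server.xml by reading the file into audit_connectors, and pass the first bytes of tomcat.keystore to detect_keystore_type to confirm whether keystoreType should say JKS or PKCS12.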