SSL/TLS configuration
This topic describes how to configure Connect to be accessible over SSL/TLS.
Basic SSL/TLS
Connect is installed as a web application within an Apache Tomcat web server. You can enable basic SSL/TLS on that Tomcat instance so that Connect is served over HTTPS.
To set up basic SSL/TLS configuration:
- Follow the steps in the Apache Tomcat 9 documentation for SSL/TLS.
- Restart Tomcat. The server now supports SSL/TLS using HTTPS.
The following is an example of a connector specification when you specify the keystorePass and keyPass parameters in clear text:
<Connector port="443" maxHttpHeaderSize="8192" maxThreads="100"
           minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           SSLEnabled="true" clientAuth="false"
           sslProtocol="TLS" keyAlias="tomcat"
           keystoreFile="conf/.ssl/keystore.jks"
           keystorePass="password"
           keyPass="certpass"/>
For information on how to encrypt the keystorePass and keyPass values instead of storing them in clear text, see below.
Encrypt keystorePass and keyPass
The Tomcat configuration for SSL/TLS stores the keystore and key passwords in clear text in server.xml, which is readable by anyone with access to that file. This section describes how to encrypt those passwords.
Note: The mfcTomcatExt.jar extension decrypts the SSL keystore information from the Tomcat configuration file at runtime, and the mfcFullRestClient.jar file is used to encrypt the information.
To encrypt keystorePass and keyPass:
- Run the mfcEncryptPassword utility to encrypt the passwords. For details, see Encrypt passwords with mfcEncryptPassword.
- Copy mfcTomcatExt.jar from Connect\Utilities to Connect\WebServer\lib.
- Modify the SSL connector definition to include the following attribute:
  protocol="com.connect.tomcatext.Http11Nio2Protocol"
- Replace the plain-text passwords with the encrypted ones. The result should be as follows (using your own encrypted values):
<Connector port="443" protocol="com.connect.tomcatext.Http11Nio2Protocol"
           maxHttpHeaderSize="8192" maxThreads="100"
           minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
           disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true"
           SSLEnabled="true" clientAuth="false" sslProtocol="TLS" keyAlias="tomcat"
           keystoreFile="conf/.ssl/keystore.jks"
           keystorePass="saWw9W3BvsBriGp11RYHE09yDMZt97XR/ml+CJg53jaS8ReDtYcVYg5+81xv542Of4ZyAA6dWyPtLWpL5ZFxwLb9x+k3x1DcP+G1CYsTLXLhabOu2KYyhedhiKT/rqjnDncfSfttzj+Hh3kJQyHcsmHIDAlZ6Q/rLhHloGyU1I4s83M/yds5DG10aTaE1S6J0YmmgoSCLEqOBzucJfPQQoC636KMeQJA2PkeIAJulNF1WSY3PAS/QHsnAXAEHiZ4D5J43kYaGW8/rTcLcKTQZeCfdjIcm3rc78FbsDPuUj7HrE3hdZzad1uxWnjw5aU7kpll/0qWOWnjNUfXizKMUA=="
           keyPass="uuIo4XpdJEvTDgYsOOVeIipuJTi0mTmRByNZqJkxgTGBJZ1k2y7WqfLsjF7Jute09OdVuQ9SvyXd1xEofHtnASPsg/W36uIW3ShWaz7p2V5nmO26xol2x9/QAKB3gahD9nA/5nPiVYmhZskVnm0mzPzHlV4nyNLfpH0FN/0PY7tB8XG8GTlpRgvGd7GyMux+rY12kqEWdvYTESaqi6kvyboF4ZgEbjMpG6NYsuWbHbX++GTRGVYp+qch4gfiN3aq1OhKkag+OaRjrkRBoqgN9sfIy3TS7IZSCD3r2dDby822I5gx+f5dfk4qTZmK0JsOekTPkoAbozVitQuhbrl3MQ=="/>
- Restart Tomcat.
The passwords are now encrypted in the server.xml file.
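As an added check (example code, not part of the Connect documentation or its utilities), the following Python script audits a server.xml and reports every SSL-enabled Connector that still carries clear-text keystorePass/keyPass values; it treats the protocol class named in the procedure above as the indicator that the values are encrypted. The sample server.xml, its ports and its placeholder encrypted values are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Protocol handler from the procedure above; it decrypts keystorePass/keyPass at startup.
ENCRYPTING_PROTOCOL = "com.connect.tomcatext.Http11Nio2Protocol"
SECRET_ATTRS = ("keystorePass", "keyPass")


def audit_connectors(server_xml: str) -> list:
    """Return one finding per SSL-enabled <Connector> in the server.xml text.

    Status is 'encrypted' when the connector uses the decrypting protocol class,
    'plaintext' when it carries password attributes without that class (the
    values in server.xml are then the real passwords), and 'no-password' when
    neither keystorePass nor keyPass is set on the connector attribute itself.
    Only the attribute style shown on this page is checked, not nested
    <SSLHostConfig>/<Certificate> elements.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        secrets = [a for a in SECRET_ATTRS if conn.get(a)]
        encrypted = conn.get("protocol") == ENCRYPTING_PROTOCOL
        status = "encrypted" if encrypted else ("plaintext" if secrets else "no-password")
        findings.append({"port": conn.get("port"), "protocol": conn.get("protocol"),
                         "secret_attrs": secrets, "status": status})
    return findings


def has_plaintext_secrets(server_xml: str) -> bool:
    """True if any SSL connector still stores keystorePass/keyPass in clear text."""
    return any(f["status"] == "plaintext" for f in audit_connectors(server_xml))


# Constructed sample: one plain HTTP connector, one clear-text SSL connector,
# and one converted connector whose encrypted values are placeholders.
SAMPLE_SERVER_XML = """\
<Server port="8005">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="443" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="conf/.ssl/keystore.jks" keystorePass="password" keyPass="certpass"/>
    <Connector port="8443" protocol="com.connect.tomcatext.Http11Nio2Protocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="conf/.ssl/keystore.jks"
               keystorePass="ENCRYPTED-PLACEHOLDER" keyPass="ENCRYPTED-PLACEHOLDER"/>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for finding in audit_connectors(SAMPLE_SERVER_XML):
        print(finding)
```

To audit a live deployment, pass the contents of Connect\WebServer\conf\server.xml to audit_connectors instead of the constructed sample.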
Next steps: