SSL/TLS configuration

This topic describes how to configure Connect to be accessible over SSL/TLS.

Basic SSL/TLS

Connect is installed as a web application within an Apache Tomcat web server. You can enable basic SSL/TLS support on that Tomcat server.

To set up basic SSL/TLS configuration:

  1. Follow the SSL/TLS how-to in the Apache Tomcat 9 documentation.
  2. Restart Tomcat. The server now supports SSL using HTTPS.

The following is an example of a connector specification when you specify the keystorePass and keyPass parameters in clear text:

  <Connector port="443" maxHttpHeaderSize="8192" maxThreads="100"
             minSpareThreads="25" maxSpareThreads="75"
             enableLookups="false" disableUploadTimeout="true"
             acceptCount="100" scheme="https" secure="true"
             SSLEnabled="true" clientAuth="false"
             sslProtocol="TLS" keyAlias="tomcat"
             keystoreFile="conf/.ssl/keystore.jks"
             keystorePass="password"
             keyPass="certpass"/>

For information on how to encrypt the keystorePass and keyPass values instead of leaving them in clear text, see Encrypt keystorePass and keyPass below.


Encrypt keystorePass and keyPass

The Tomcat configuration for SSL/TLS includes a configuration file (server.xml) with a visible password, so anyone who can read that file can read the keystore and key passwords. This section describes how to encrypt the passwords.

Note: The mfcTomcatExt.jar library decrypts the SSL keystore information in the Tomcat configuration file when Tomcat loads it, and the mfcFullRestClient.jar file is used to encrypt the information.

To encrypt keystorePass and keyPass:

  1. Run the mfcEncryptPassword utility to encrypt passwords. For details, see Encrypt passwords with mfcEncryptPassword.

  2. Copy mfcTomcatExt.jar from Connect\Utilities to Connect\WebServer\lib.

  3. Modify the SSL connector definition to include the following:

    protocol="com.connect.tomcatext.Http11Nio2Protocol"

  4. Replace the plain-text passwords with the encrypted ones. The result should be as follows (using your own encrypted values):

    <Connector port="443" protocol="com.connect.tomcatext.Http11Nio2Protocol"
               maxHttpHeaderSize="8192" maxThreads="100"
               minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
               disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true"
               SSLEnabled="true" clientAuth="false" sslProtocol="TLS" keyAlias="tomcat"
               keystoreFile="conf/.ssl/keystore.jks"
               keystorePass="saWw9W3BvsBriGp11RYHE09yDMZt97XR/ml+CJg53jaS8ReDtYcVYg5+81xv542Of4ZyAA6dWyPtLWpL5ZFxwLb9x+k3x1DcP+G1CYsTLXLhabOu2KYyhedhiKT/rqjnDncfSfttzj+Hh3kJQyHcsmHIDAlZ6Q/rLhHloGyU1I4s83M/yds5DG10aTaE1S6J0YmmgoSCLEqOBzucJfPQQoC636KMeQJA2PkeIAJulNF1WSY3PAS/QHsnAXAEHiZ4D5J43kYaGW8/rTcLcKTQZeCfdjIcm3rc78FbsDPuUj7HrE3hdZzad1uxWnjw5aU7kpll/0qWOWnjNUfXizKMUA=="
               keyPass="uuIo4XpdJEvTDgYsOOVeIipuJTi0mTmRByNZqJkxgTGBJZ1k2y7WqfLsjF7Jute09OdVuQ9SvyXd1xEofHtnASPsg/W36uIW3ShWaz7p2V5nmO26xol2x9/QAKB3gahD9nA/5nPiVYmhZskVnm0mzPzHlV4nyNLfpH0FN/0PY7tB8XG8GTlpRgvGd7GyMux+rY12kqEWdvYTESaqi6kvyboF4ZgEbjMpG6NYsuWbHbX++GTRGVYp+qch4gfiN3aq1OhKkag+OaRjrkRBoqgN9sfIy3TS7IZSCD3r2dDby822I5gx+f5dfk4qTZmK0JsOekTPkoAbozVitQuhbrl3MQ=="/>

  5. Restart Tomcat.

    The passwords are now encrypted in the server.xml file.
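The two connector definitions above differ in one attribute that decides whether the passwords in server.xml are usable as-is: the protocol handler. The following script is an added example, not part of Connect or the Tomcat distribution, that audits a server.xml for SSL-enabled connectors which still carry clear-text keystorePass or keyPass values, i.e. connectors that have not been switched to the decrypting handler named on this page. The sample server.xml it parses is constructed for the example (the "encrypted" values in it are placeholders, not real ciphertext), and the only product-specific assumption is that a connector using com.connect.tomcatext.Http11Nio2Protocol holds encrypted values, as the steps above state.

```python
# Added example: audit a Tomcat server.xml for SSL/TLS connectors that still
# store keystorePass / keyPass in clear text. Not Connect product code.
import xml.etree.ElementTree as ET

# Protocol handler that decrypts keystorePass/keyPass at startup (named on the page).
DECRYPTING_PROTOCOL = "com.connect.tomcatext.Http11Nio2Protocol"

# Attributes whose values are secrets on an SSL connector.
PASSWORD_ATTRS = ("keystorePass", "keyPass")

# Constructed sample server.xml: one plain HTTP connector (ignored by the audit),
# one SSL connector with clear-text passwords, and one SSL connector that uses the
# decrypting handler. The PLACEHOLDER values stand in for real encrypted strings.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443"/>
    <Connector port="443" maxThreads="100" scheme="https" secure="true"
               SSLEnabled="true" clientAuth="false" sslProtocol="TLS" keyAlias="tomcat"
               keystoreFile="conf/.ssl/keystore.jks"
               keystorePass="password" keyPass="certpass"/>
    <Connector port="8443" protocol="com.connect.tomcatext.Http11Nio2Protocol"
               maxThreads="100" scheme="https" secure="true"
               SSLEnabled="true" clientAuth="false" sslProtocol="TLS" keyAlias="tomcat"
               keystoreFile="conf/.ssl/keystore.jks"
               keystorePass="PLACEHOLDER-ENCRYPTED-KEYSTOREPASS"
               keyPass="PLACEHOLDER-ENCRYPTED-KEYPASS"/>
  </Service>
</Server>
"""


def audit_connectors(server_xml: str) -> list:
    """Return one finding per SSL-enabled <Connector> in the given server.xml text.

    Each finding is a dict with the connector's port, its protocol attribute and a
    list of issue strings (empty when nothing was flagged). Connectors without
    SSLEnabled="true" are skipped because Tomcat does not use keystore attributes
    on them.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        protocol = conn.get("protocol", "")  # "" means Tomcat's default HTTP/1.1 handler
        issues = []
        for attr in PASSWORD_ATTRS:
            # Without the decrypting handler Tomcat uses the attribute value verbatim,
            # so whatever is written in the file is the real password. With the handler
            # present the script cannot validate the ciphertext itself (its format is
            # not documented here); it only checks that the handler is configured.
            if conn.get(attr) is not None and protocol != DECRYPTING_PROTOCOL:
                issues.append(f"{attr} is stored in clear text")
        if conn.get("scheme") != "https" or conn.get("secure", "false").lower() != "true":
            issues.append('SSL connector lacks scheme="https" secure="true"')
        findings.append({"port": conn.get("port"), "protocol": protocol, "issues": issues})
    return findings


def clear_text_ports(server_xml: str) -> list:
    """Ports of SSL connectors that still hold a clear-text keystore or key password."""
    return [f["port"] for f in audit_connectors(server_xml)
            if any("clear text" in issue for issue in f["issues"])]


if __name__ == "__main__":
    # Run against the constructed sample; point audit_connectors at the contents
    # of Connect\WebServer\conf\server.xml to check a real installation.
    for finding in audit_connectors(SAMPLE_SERVER_XML):
        status = "OK" if not finding["issues"] else "; ".join(finding["issues"])
        print(f"port {finding['port']} ({finding['protocol'] or 'default protocol'}): {status}")
```

On the sample, port 443 is reported with both passwords in clear text and port 8443 passes, which is the before/after of steps 3 and 4. Because the check keys on the protocol attribute rather than on the shape of the value, it also catches the common mistake of pasting encrypted strings into a connector that was never switched to the decrypting handler; in that case Tomcat would try to use the ciphertext as the literal keystore password and fail to start the connector.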


Next steps: