SSL/TLS configuration

This topic describes how to configure Connect to be accessible over SSL/TLS.

Basic SSL/TLS

Connect is installed as a web application within an Apache Tomcat web server. To add a layer of security, you can configure basic SSL/TLS on that Tomcat server so that Connect is served over HTTPS.

To set up basic SSL/TLS configuration:

  1. Follow the steps in the Apache Tomcat 9 SSL/TLS documentation.
  2. Restart Tomcat. The server now accepts SSL/TLS connections over HTTPS.

The following is an example of a Connector specification in which the keystorePass and keyPass parameters are given in clear text:

<Connector port="443" maxHttpHeaderSize="8192" maxThreads="100"
           minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           SSLEnabled="true" clientAuth="false"
           sslProtocol="TLS" keyAlias="tomcat"
           keystoreFile="conf/.ssl/keystore.jks"
           keystorePass="password"
           keyPass="certpass"/>

For information on how to encrypt the keystorePass and keyPass parameters, see Encrypt keystorePass and keyPass below.

Encrypt keystorePass and keyPass

The Tomcat configuration for SSL/TLS includes a configuration file with a visible password. This section describes how to encrypt the password.

To encrypt keystorePass and keyPass:

  1. Run the mfcEncryptPassword utility to encrypt the keystore password and the key password. For details, see Secret encryption.

  2. Copy mfcTomcatExt.jar from Connect\Utilities to Connect\WebServer\lib.

  3. Modify the SSL connector definition to include the following:

    protocol="com.connect.tomcatext.Http11Nio2Protocol"

  4. Replace the plain-text passwords with the encrypted ones. The result should be as follows (using your own encrypted values):

    <Connector port="443" protocol="com.connect.tomcatext.Http11Nio2Protocol"
               maxHttpHeaderSize="8192" maxThreads="100"
               minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
               disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true"
               SSLEnabled="true" clientAuth="false" sslProtocol="TLS" keyAlias="tomcat"
               keystoreFile="conf/.ssl/keystore.jks"
               keystorePass="saWw9W3BvsBriGp11RYHE09yDMZt97XR/ml+CJg53jaS8ReDtYcVYg5+81xv542Of4ZyAA6dWyPtLWpL5ZFxwLb9x+k3x1DcP+G1CYsTLXLhabOu2KYyhedhiKT/rqjnDncfSfttzj+Hh3kJQyHcsmHIDAlZ6Q/rLhHloGyU1I4s83M/yds5DG10aTaE1S6J0YmmgoSCLEqOBzucJfPQQoC636KMeQJA2PkeIAJulNF1WSY3PAS/QHsnAXAEHiZ4D5J43kYaGW8/rTcLcKTQZeCfdjIcm3rc78FbsDPuUj7HrE3hdZzad1uxWnjw5aU7kpll/0qWOWnjNUfXizKMUA=="
               keyPass="uuIo4XpdJEvTDgYsOOVeIipuJTi0mTmRByNZqJkxgTGBJZ1k2y7WqfLsjF7Jute09OdVuQ9SvyXd1xEofHtnASPsg/W36uIW3ShWaz7p2V5nmO26xol2x9/QAKB3gahD9nA/5nPiVYmhZskVnm0mzPzHlV4nyNLfpH0FN/0PY7tB8XG8GTlpRgvGd7GyMux+rY12kqEWdvYTESaqi6kvyboF4ZgEbjMpG6NYsuWbHbX++GTRGVYp+qch4gfiN3aq1OhKkag+OaRjrkRBoqgN9sfIy3TS7IZSCD3r2dDby822I5gx+f5dfk4qTZmK0JsOekTPkoAbozVitQuhbrl3MQ=="/>

  5. Restart Tomcat.

    The passwords are now encrypted in the server.xml file.
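To check the outcome of the two procedures above (the clear-text Connector from the Basic SSL/TLS section and its converted form here), the following Python audit script was added for this page; it is not part of Connect or Tomcat. It parses a server.xml and flags every SSL-enabled Connector that still carries keystorePass or keyPass under the standard Tomcat protocol handler, on the basis that only the com.connect.tomcatext.Http11Nio2Protocol handler from mfcTomcatExt.jar understands the encrypted values. The embedded server.xml is a constructed sample with PLACEHOLDER_* strings where real mfcEncryptPassword output would go, and the function names, the protocol-name test and the secure/scheme checks are this example's own heuristics, not something the Connect documentation specifies.

```python
import xml.etree.ElementTree as ET

# Protocol handler named in the procedure above; only this handler decrypts the values.
CONNECT_PROTOCOL = "com.connect.tomcatext.Http11Nio2Protocol"

# Constructed sample server.xml (not a real Connect installation). The 8443 connector
# uses PLACEHOLDER_* strings where the output of mfcEncryptPassword would be pasted.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="443" scheme="https" secure="true" SSLEnabled="true"
               clientAuth="false" sslProtocol="TLS" keyAlias="tomcat"
               keystoreFile="conf/.ssl/keystore.jks"
               keystorePass="password" keyPass="certpass"/>
    <Connector port="8443" protocol="com.connect.tomcatext.Http11Nio2Protocol"
               scheme="https" secure="true" SSLEnabled="true"
               clientAuth="false" sslProtocol="TLS" keyAlias="tomcat"
               keystoreFile="conf/.ssl/keystore.jks"
               keystorePass="PLACEHOLDER_ENCRYPTED_KEYSTOREPASS"
               keyPass="PLACEHOLDER_ENCRYPTED_KEYPASS"/>
  </Service>
</Server>
"""


def audit_connectors(server_xml: str) -> list:
    """Return one finding dict per SSL-enabled Connector in the given server.xml text.

    A Connector that is not using the Connect protocol handler hands keystorePass/keyPass
    to Tomcat literally, so any value it carries is a clear-text secret on disk.
    Connectors that use the newer nested <SSLHostConfig> form are not inspected here.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connectors carry no keystore secrets
        protocol = conn.get("protocol", "HTTP/1.1")  # Tomcat's default when the attribute is absent
        issues = []
        if protocol != CONNECT_PROTOCOL:
            for attr in ("keystorePass", "keyPass"):
                if conn.get(attr):
                    issues.append(f'{attr} is stored in clear text (protocol="{protocol}")')
        if conn.get("secure", "false").lower() != "true":
            issues.append('secure="true" is not set')
        if conn.get("scheme") != "https":
            issues.append('scheme="https" is not set')
        findings.append({"port": conn.get("port"), "protocol": protocol, "issues": issues})
    return findings


def has_clear_text_secrets(server_xml: str) -> bool:
    """True when any SSL connector still needs the encryption procedure applied."""
    return any("clear text" in issue
               for finding in audit_connectors(server_xml)
               for issue in finding["issues"])


if __name__ == "__main__":
    for finding in audit_connectors(SAMPLE_SERVER_XML):
        status = "OK" if not finding["issues"] else "; ".join(finding["issues"])
        print(f'port {finding["port"]} ({finding["protocol"]}): {status}')
```

Run it against a real file with `audit_connectors(open("server.xml").read())`; the 443 connector in the sample produces two clear-text findings and the 8443 connector none, which is the before/after of steps 3 and 4 above.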

Enable HSTS (HTTP Strict Transport Security)

This section describes how to enable HSTS in Tomcat.

  1. Open the <Tomcat>/conf/web.xml file in a text editor.

  2. Uncomment the httpHeaderSecurity filter definition and the <filter-mapping> section, and then add the hstsMaxAgeSeconds parameter, as shown below.

    Example:

    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <init-param>
            <param-name>hstsMaxAgeSeconds</param-name>
            <param-value>31536000</param-value>
        </init-param>
        <async-supported>true</async-supported>
    </filter>
    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>

  3. Save the file.

  4. Restart Tomcat.
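To confirm that step 2 took effect before restarting, the following Python check was added for this page (it is not part of Tomcat or Connect). It parses web.xml with the standard library, so a filter that is still inside an XML comment is invisible to it, exactly as it is to Tomcat, and it reports whether the httpHeaderSecurity filter is defined, carries an hstsMaxAgeSeconds of at least the one-year value shown above, and is mapped to /*. The embedded web.xml is a constructed sample in the shape Tomcat ships (including its default namespace); the function names and the minimum-age threshold are this example's own choices.

```python
import xml.etree.ElementTree as ET

ONE_YEAR_SECONDS = 31536000  # the max-age value used in step 2 above

# Constructed sample web.xml in the shape Tomcat ships: default namespace present,
# filter active (not inside an XML comment), mapping on /*.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
      <param-name>hstsMaxAgeSeconds</param-name>
      <param-value>31536000</param-value>
    </init-param>
    <async-supported>true</async-supported>
  </filter>
  <filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
  </filter-mapping>
</web-app>
"""

# The same file as it looks before step 2: filter and mapping still commented out.
SAMPLE_WEB_XML_COMMENTED = (SAMPLE_WEB_XML
                            .replace("<filter>", "<!--<filter>", 1)
                            .replace("</filter-mapping>", "</filter-mapping>-->", 1))


def _local(tag: str) -> str:
    """Strip the XML namespace from an ElementTree tag: '{ns}filter' -> 'filter'."""
    return tag.rsplit("}", 1)[-1]


def check_hsts(web_xml: str, min_max_age: int = ONE_YEAR_SECONDS) -> dict:
    """Report whether web.xml text enables HttpHeaderSecurityFilter with an adequate HSTS max-age.

    Anything inside <!-- --> never reaches the parser, which is also how Tomcat treats it,
    so only an uncommented <filter> counts as defined.
    """
    root = ET.fromstring(web_xml)
    result = {"filter_defined": False, "hsts_max_age": None, "mapped": False, "issues": []}
    for el in root:
        kind = _local(el.tag)
        names = [(c.text or "").strip() for c in el if _local(c.tag) == "filter-name"]
        if "httpHeaderSecurity" not in names:
            continue
        if kind == "filter":
            result["filter_defined"] = True
            for param in el:
                if _local(param.tag) != "init-param":
                    continue
                fields = {_local(c.tag): (c.text or "").strip() for c in param}
                if fields.get("param-name") == "hstsMaxAgeSeconds":
                    result["hsts_max_age"] = int(fields.get("param-value") or 0)
        elif kind == "filter-mapping":
            patterns = [(c.text or "").strip() for c in el if _local(c.tag) == "url-pattern"]
            if "/*" in patterns:
                result["mapped"] = True
    if not result["filter_defined"]:
        result["issues"].append("httpHeaderSecurity filter is missing or still commented out")
    elif result["hsts_max_age"] is None:
        result["issues"].append("hstsMaxAgeSeconds init-param is not set (Tomcat's default is 0)")
    elif result["hsts_max_age"] < min_max_age:
        result["issues"].append(f"hstsMaxAgeSeconds {result['hsts_max_age']} is below {min_max_age}")
    if not result["mapped"]:
        result["issues"].append("httpHeaderSecurity is not mapped to url-pattern /*")
    return result


if __name__ == "__main__":
    for label, text in (("after step 2", SAMPLE_WEB_XML), ("before step 2", SAMPLE_WEB_XML_COMMENTED)):
        outcome = check_hsts(text)
        print(f"{label}: {'OK' if not outcome['issues'] else '; '.join(outcome['issues'])}")
```

Two Tomcat behaviours make the checks above worth running: the filter's hstsMaxAgeSeconds defaults to 0 when the init-param is absent, and HttpHeaderSecurityFilter only adds the Strict-Transport-Security header to responses for requests it considers secure, so HSTS has no effect until the HTTPS connector from the earlier sections is in place.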

Next steps