on 03-07-2018 1:09 PM
I've been asked to incorporate our company's "Internal SSL" certificate on the BOE servers. I'm not familiar with the appropriate steps for this configuration and would appreciate any input. Basically our Web Intelligence users log in at http://<server>:8080/BOE/BI and I need to configure it to use https://<server>:8080/BOE/BI
It is only accessed on our network not externally.
Is this a server configuration? Tomcat? BOE? All? What other issues could this create with other applications such as Information Design Tool, Web Intelligence Rich Client, etc?
I'm assuming you only need to protect the connection from the user's browser to the web server (Tomcat, in your case).
(If you were using a load balancer or front-end web server (Apache or IIS), then the SSL configuration would be done there.)
There is information here on configuring Tomcat for SSL. The basic steps are:
Tomcat, by default, runs HTTP on port 8080 and HTTPS on 8443. Unless you're running another web server (like IIS) on 80/443, I would recommend changing tomcat to 80 and 443. Then you don't need to specify the port in the URL.
The certificate should be created for the server's FQDN, as well as any alternate URLs that would be used to access it -- such as the host name without domain and any DNS aliases. For example, "bo.mycompany.com:8443" and "bo:8443".
It's not required, but you'll probably want to redirect non-SSL requests to SSL once it's enabled. If you don't do this, then calls to http://server:8080/BOE/BI will still work (SSL is only active if the user explicitly accesses https://...). You will just need to add a few lines to webapps/BOE/WEB-INF/web.xml. Instructions are here.
If you're using WACS, then you may need to enable SSL for it, too. Instructions for this are in the Administrator's Guide.
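The connector and the HTTP-to-HTTPS redirect described in the steps above, as an added example that is not from the original post or from SAP's documentation. It assumes Tomcat 8.0 JSSE connector attributes and a Java 8 JVM, a PKCS12 keystore exported to conf/bo.p12 with a placeholder password (both hypothetical), the HTTP connector left on 8080 with its redirectPort pointing at 8443, and it tightens the protocol and cipher settings relative to what the thread shows (TLS 1.2 only, no RSA-key-exchange or 3DES suites):

```xml
<!-- conf/server.xml: the HTTPS connector (Tomcat 8.0 JSSE attributes).
     Assumed: keystore exported as PKCS12 to conf/bo.p12 (relative paths are
     resolved against CATALINA_BASE); password is a placeholder.
     TLS 1.2 only with ECDHE suites; requires a Java 8 JVM. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           maxThreads="150"
           connectionTimeout="20000"
           keystoreFile="conf/bo.p12"
           keystorePass="changeit"
           keystoreType="PKCS12"
           clientAuth="false"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2"
           ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" />

<!-- conf/server.xml: the existing plain-HTTP connector. Keep it, but make
     redirectPort point at the HTTPS connector so the CONFIDENTIAL constraint
     below produces a redirect instead of an error. -->
<Connector port="8080"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           connectionTimeout="20000"
           redirectPort="8443" />

<!-- webapps/BOE/WEB-INF/web.xml: add inside <web-app>. The /* pattern covers
     the whole BOE webapp, so both /BOE/BI and /BOE/CMC are forced onto HTTPS. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>BOE over TLS only</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

Two practical notes: the keystore password sits in clear text in server.xml, so restrict that file to the account Tomcat runs as; and because this is an internal CA, browsers will only accept the certificate if that CA is in their trust store, otherwise they show an unknown-issuer error even when the names are right. After restarting Tomcat, `openssl s_client -connect <server>:8443 -servername <server>` shows the negotiated protocol, the cipher and the certificate chain that clients actually receive.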
Still struggling with this.
1. I've been able to export the certificate from the windows keystore as a pfx file. Based on everything I've researched Tomcat 8.0 can use this type of keystore.
2. I've opened ports 8443 and 443 on the firewall.
3. I've modified the server.xml file as below.
When I restart Tomcat and attempt to go through the https://<server>:8443/BOE/BI address I get a message stating that the connection is not secure.
The file location, name and password in the connector below are correct:
<Connector port="8443"
           protocol="HTTP/1.1"
           connectionTimeout="20000"
           SSLEnabled="true"
           maxThreads="150"
           scheme="https"
           secure="true"
           keystoreFile="/conf/<pfxname>.pfx"
           keystorePass="<pw>"
           keystoreType="PKCS12"
           clientAuth="false"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
           ciphers="TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA"
/>
The error "The certificate is not valid for the name lsepboetst01." means that your certificate is not using the same name as the one you have in your URL.
On the cert error:
https://support.mozilla.org/en-US/kb/troubleshoot-SEC_ERROR_UNKNOWN_ISSUER
Thanks. This certificate was provided to me. Should the CN in the certificate be the URL https://<server>:8443/BOE/BI? It's currently the fully qualified server name (<server>.domain.org). Could it include a wildcard, https://<server>:8443*, to cover /BOE/CMC? Any input would be great. Thanks again.
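The name check behind the "certificate is not valid for the name" error, as an added example that is not part of the thread. It applies the dNSName matching rules browsers use (RFC 6125: only the host part of the URL is compared, subjectAltName entries take precedence over the CN, a wildcard stands for exactly one leftmost label) to the names discussed above; the certificate name lists are constructed sample data standing in for the poster's certificate, and `lsepboetst01.domain.org` is assumed to be its FQDN:

```python
"""Which URLs does a certificate's name set cover?

Added example, not code from the thread. The SAN/CN lists passed in are
constructed sample data; the matching rules follow RFC 6125 as browsers
apply them. Port and path are never part of the comparison, so neither a
CN of "https://host:8443/BOE/BI" nor a wildcard like "https://host:8443*"
can ever match anything.
"""
from __future__ import annotations

from typing import Optional
from urllib.parse import urlsplit


def url_host(url: str) -> str:
    """Return the lowercase host of a URL: scheme, port and path are
    irrelevant to certificate validation."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no host in {url!r}")
    return host.lower().rstrip(".")


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style dNSName comparison.

    Case-insensitive; a single '*' may replace the entire leftmost label
    only, and the wildcard name must have at least two further labels,
    so "*", "*.org" and "lsep*.domain.org" never match anything.
    """
    pattern = pattern.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    # One wildcard label covers one host label, never "a.b.domain.org".
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(url: str, san_dns: list[str], cn: Optional[str] = None) -> bool:
    """Browsers check subjectAltName dNSNames; the CN is consulted only
    when the certificate carries no SAN entries at all."""
    host = url_host(url)
    names = san_dns if san_dns else ([cn] if cn else [])
    return any(name_matches(n, host) for n in names)


if __name__ == "__main__":
    fqdn_only = ["lsepboetst01.domain.org"]          # constructed: cert as issued
    with_short = ["lsepboetst01.domain.org", "lsepboetst01"]  # constructed: re-issued with alias
    wildcard = ["*.domain.org"]                      # constructed: wildcard cert
    for label, names in (("FQDN only", fqdn_only), ("FQDN + short", with_short), ("wildcard", wildcard)):
        for url in ("https://lsepboetst01.domain.org:8443/BOE/BI",
                    "https://lsepboetst01:8443/BOE/CMC"):
            print(f"{label:12s} {url:45s} {cert_covers(url, names)}")
```

The short-name failure in the thread is the first row of the second URL: a certificate issued for the FQDN alone does not cover https://lsepboetst01:8443/..., and a wildcard for the domain does not either, because the short name has no domain labels to match. The fix is the one the first answer gives: have the certificate re-issued with every name users will type (FQDN, bare host, DNS aliases) as subjectAltName dNSName entries, with no ports or paths in them.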
The Admin Guide has detailed information on what you need to do, as do KBAs and the Tomcat vendor web site.
To do https://<server>:8080/BOE/BI you need to enable the SSL connector on your Tomcat.