
Changing communication between CCOM and CCO to https

Arne_Timmermann
Contributor

Hi there,

I am running into problems when trying to change the communication between CCOM and CCO to https.

I applied a certificate to the Tomcat of the CCOM and therefore changed the server.xml like this:

<Connector port="9090" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="200" maxHttpHeaderSize="8192" URIEncoding="UTF-8" SSLEnabled="true" keystoreFile="xxx.p12" keystorePass="xxx" keystoreType="PKCS12" clientAuth="false" sslProtocol="TLS" > </Connector>

After that, I can access the CCOM via https://xxx/ccos (with a certificate warning). But CCO shows the error:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

This should be solved, according to KBA 2694514, section "Error Message when connecting to the SAP Business One system How to connect one B1i system with a self-signed certificate via https", by adding

  • -Djavax.net.ssl.keyStoreProvider=SunMSCAPI
  • -Djavax.net.ssl.keyStoreType=WINDOWS-MY
  • -Djavax.net.ssl.trustStoreProvider=SunMSCAPI
  • -Djavax.net.ssl.trustStoreType=WINDOWS-ROOT

to the Java properties of the Tomcat.

Unfortunately this leads to a timeout, in the browser as well as in CCO, when trying to access CCOM.

In the official documentation only the https connection between CCO backend and frontend is documented.

Can anyone help me? Has anyone experience with setting this up?

Arne_Timmermann
Contributor

Just discovered in the Tomcat logs why CCOM is offline:

04-Mar-2020 10:46:46.312 SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler ["https-jsse-nio-9090"] java.lang.IllegalArgumentException: java.io.IOException: Failed to load keystore type [PKCS12] with path [certificates/xxx.p12] due to [PKCS12 not found]

Accepted Solutions (1)

Arne_Timmermann
Contributor

I figured it out, the certificates had to be imported into the POS Java keystore, then it works like a charm!
You also don't need the Java properties from KBA 2694514.

More information here: https://stackoverflow.com/questions/11617210/how-to-properly-import-a-selfsigned-certificate-into-ja...

Answers (2)

Klaus_Frick
Active Participant

Hello marcoschoenmann

Within the server.xml of the Tomcat where CCOM is running you have to add a Connector like the following within the Service tag. Just change the port, keystoreFile, keyAlias and keystore password to the values you chose when creating the keystore. In my example I used a keystore of type JKS. With this, CCOM should run encrypted on port 9443.
On the CCO side you have to check the cacerts keystore (JRE installation path\lib\security\cacerts) to see whether the CA certificate is already listed. If not, you have to add it.

Best Regards

Klaus

Please vote: IR257988, IR257530, IR257531, IR254835

<Connector 
	port="9443" 
	protocol="org.apache.coyote.http11.Http11NioProtocol"
	SSLEnabled="true" 
	maxThreads="200" 
	scheme="https" 
	secure="true" 
	clientAuth="false" 
	sslProtocol="TLS" 
	sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" 
	ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA"
	keystoreFile="Path and Name of keystore.jks" 
	keyAlias="tomcat" 
	keystorePass="yourKeyStorePassword" 
	server=" "
/>
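Both the first post (a PKCS12 keystore combined with the KBA's -D options, ending in the "Failed to load keystore type [PKCS12]" log line) and Klaus's connector above come down to the same handful of Connector attributes: where keystoreFile points, whether keystoreType matches the file on disk, what the server attribute really does, and which protocols and cipher names are enabled. The linter below is an added example, not code from SAP, Tomcat or anyone in this thread. Its sample server.xml, keystore bytes and CATALINA_BASE path are constructed; two points are assumptions, marked in the comments: that JKS is Tomcat's default keystoreType when the attribute is absent, and that javax.net.ssl.keyStoreProvider=SunMSCAPI makes JSSE ask a provider that cannot serve a file-based PKCS12, which would explain the "PKCS12 not found" error.

```python
"""Lint Tomcat <Connector> settings for the HTTPS mistakes discussed in this thread.
Added example, not SAP or Tomcat code. Assumptions are marked in the comments."""
import ntpath as tomcat_path        # the Tomcat in this thread runs on Windows
import xml.etree.ElementTree as ET

JKS_MAGIC = b"\xfe\xed\xfe\xed"     # first four bytes of every JKS keystore
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed server.xml modelled on the connectors posted above (cipher list shortened).
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="9090" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="9443"/>
  <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
     maxThreads="200" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
     sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
     ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA"
     keystoreFile="conf/mykeystore.jks" keyAlias="myalias" keystorePass="mypw" server="myadress"/>
</Service></Server>"""
SAMPLE_JKS_BYTES = JKS_MAGIC + b"\x00\x00\x00\x02"   # constructed JKS header (magic + version 2)
SAMPLE_P12_BYTES = b"\x30\x82\x0a\x10"                 # constructed start of a DER PFX structure


def sniff_keystore_type(data):
    """Guess the real container type from the first bytes of a keystore file."""
    if data.startswith(JKS_MAGIC):
        return "JKS"
    if data.startswith(b"-----BEGIN"):
        return "PEM"          # a bare .crt/.key; keystoreFile cannot point at this
    if data[:1] == b"\x30":
        return "PKCS12"       # DER SEQUENCE, which is how a .p12/.pfx starts
    return "unknown"


def parse_connectors(server_xml):
    """Attribute dicts of all <Connector> elements in a server.xml string."""
    return [dict(c.attrib) for c in ET.fromstring(server_xml).iter("Connector")]


def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def lint_connector(attrs, catalina_base, keystore_bytes=None, jvm_opts=()):
    """Return findings ('CODE: text') for one connector.
    keystore_bytes: contents of the referenced keystore file (None = not readable);
    jvm_opts: the -D options handed to Tomcat's JVM."""
    f = []
    if attrs.get("SSLEnabled", "false").lower() != "true":
        return ["NOT-TLS: SSLEnabled is not true, this connector serves plain http"]
    for name, want in (("scheme", "https"), ("secure", "true")):
        if attrs.get(name) != want:
            f.append(f'ATTR-{name.upper()}: set {name}="{want}" so Tomcat marks requests as secure')

    ks = attrs.get("keystoreFile")
    if not ks:
        f.append("KEYSTORE-MISSING: keystoreFile is not set")
    else:
        resolved = ks if tomcat_path.isabs(ks) else tomcat_path.join(catalina_base, ks)
        if not tomcat_path.isabs(ks):   # Tomcat resolves relative paths against CATALINA_BASE
            f.append(f"KEYSTORE-RELATIVE: '{ks}' resolves to '{resolved}'; use the full path to rule out lookup errors")
        declared = attrs.get("keystoreType", "JKS")   # assumption: JKS is the default when keystoreType is absent
        if keystore_bytes is None:
            f.append(f"KEYSTORE-UNREADABLE: '{resolved}' cannot be read")
        elif sniff_keystore_type(keystore_bytes) != declared:
            f.append(f'KEYSTORE-TYPE-MISMATCH: keystoreType="{declared}" but the file looks like '
                     f"{sniff_keystore_type(keystore_bytes)}")
        if any(o.startswith("-Djavax.net.ssl.keyStoreProvider=SunMSCAPI") for o in jvm_opts):
            # assumption: JSSE then asks the SunMSCAPI provider for the declared keystoreType,
            # which it does not implement, hence 'PKCS12 not found' at connector start
            f.append("PROVIDER-CONFLICT: keyStoreProvider=SunMSCAPI cannot load a file keystore; drop the -D options")

    weak = sorted(set(_csv(attrs.get("sslEnabledProtocols", ""))) & DEPRECATED_PROTOCOLS)
    if weak:
        f.append(f"WEAK-PROTOCOL: {', '.join(weak)} enabled; keep TLSv1.2 (plus TLSv1.3 where the JRE has it)")

    ciphers = _csv(attrs.get("ciphers", ""))
    bogus = [c for c in ciphers if c.endswith("_GCM_SHA")
             or c.endswith("_128_GCM_SHA384") or c.endswith("_256_GCM_SHA256")]
    if bogus:
        f.append(f"BOGUS-SUITE: {len(bogus)} names are not real suites (AES-128 GCM pairs with SHA256, AES-256 GCM with SHA384)")
    if any(c.startswith("TLS_RSA_") for c in ciphers):
        f.append("NO-PFS: TLS_RSA_* suites have no forward secrecy; prefer ECDHE/DHE suites")
    if any("_CBC_" in c for c in ciphers):
        f.append("CBC-SUITES: CBC suites enabled; prefer the GCM suites")

    srv = attrs.get("server")
    if srv is not None and srv.strip():
        f.append(f'SERVER-HEADER: server="{srv}" sets the HTTP Server response header, not a hostname; use server=" " to blank it')
    return f


def codes(findings):
    """Just the finding codes, for quick comparison."""
    return {x.split(":", 1)[0] for x in findings}


def demo():
    """Lint the sample https connector with a JKS file, without and with the KBA's -D options."""
    https = [c for c in parse_connectors(SAMPLE_SERVER_XML) if c.get("SSLEnabled") == "true"][0]
    base = r"C:\Program Files\Apache Software Foundation\Tomcat 8.5_Tomcat8_CCO"   # constructed
    kba_opts = ("-Djavax.net.ssl.keyStoreProvider=SunMSCAPI", "-Djavax.net.ssl.keyStoreType=WINDOWS-MY")
    return (lint_connector(https, base, SAMPLE_JKS_BYTES),
            lint_connector(https, base, SAMPLE_JKS_BYTES, jvm_opts=kba_opts))


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

Run against a real installation, read the keystore bytes from the resolved path and pass the JVM options from the Tomcat service configuration; the codes are deliberately short so they can be grepped out of a deployment check.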


marcoschoenmann
Explorer

Hi Klaus

Just created "mykeystore.jks" on my side with the following command:

keytool -import -trustcacerts -alias <myalias> -file "C:\Program Files\Apache Software Foundation\Tomcat 8.5_Tomcat8_CCO\etc\ssl\certificate.crt" -keystore "C:\Program Files\Apache Software Foundation\Tomcat 8.5_Tomcat8_CCO\conf\mykeystore.jks"

So, the keystore is available and the certificate is in it.

In server.xml I added the following connector:

<Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="200" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA" keystoreFile="conf/mykeystore.jks" keyAlias="myalias" keystorePass="mypw" server="myadress" />

After restarting the Tomcat service I'm still not able to connect to https://myadress:9443/ccos
It shows a timeout (site is not reachable)

Connecting to http://myadress:9090/ccos is still possible...

Can't see where the problem is...

Any ideas?

Best regards
Marco

Klaus_Frick
Active Participant

Hello marcoschoenmann

The server attribute should be server=" ". Further, to be sure that the keystore reference is correct, I would set the keystoreFile attribute to the full path of the keystore file. If that does not help, what error messages do you find in the Tomcat logs?

And at the end I'm sure you checked necessary firewall settings?

Best Regards

Klaus
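Marco's symptom (a timeout on https://myadress:9443/ccos while http on port 9090 still answers) and Arne's "PKIX path building failed" are different failures, and a small TLS probe tells them apart before server.xml is touched again: a connection refused or a timeout means the HTTPS connector never came up (or a firewall sits in between), a certificate verification error means the CA is missing from the trust store, and a handshake error on an open port usually means the client spoke TLS to the plain http connector. The probe below is an added example, not part of the thread; the two local endpoints that demo() checks are constructed stand-ins (a closed port, and a plain-HTTP responder), and cafile is whatever PEM bundle you want to trust instead of the system store.

```python
"""Classify why an https endpoint such as https://host:9443/ccos is not reachable.
Added example, not part of the thread; the demo endpoints are constructed."""
import socket
import ssl
import threading


def diagnose_tls(host, port, cafile=None, timeout=3.0):
    """Return (verdict, detail) for one connection attempt.
    cafile: PEM bundle to trust instead of the system store (None = system store)."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                subject = dict(x[0] for x in tls.getpeercert().get("subject", ()))
                return "ok", f"{tls.version()} {tls.cipher()[0]} subject={subject}"
    except socket.timeout:
        return "timeout", "no answer: wrong address, firewall in between, or the connector never started"
    except ConnectionRefusedError:
        return "refused", "port closed: the HTTPS connector failed to initialise (check the catalina log)"
    except ssl.SSLCertVerificationError as exc:      # the Java-side 'PKIX path building failed'
        return "untrusted", f"server chain not in the trust store: {exc.verify_message}"
    except ssl.SSLError as exc:                      # port open, but the peer is not speaking TLS
        return "handshake_failed", f"not a TLS endpoint (plain http connector?): {exc.reason}"
    except OSError as exc:
        return "error", str(exc)


def _closed_port():
    """Constructed: pick a local port that nothing is listening on."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def _plain_http_listener():
    """Constructed stand-in for Tomcat's http connector: answers a ClientHello with HTTP text."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.recv(4096)                              # swallow the ClientHello
        conn.sendall(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Run the classifier against the two constructed local endpoints."""
    return {"closed": diagnose_tls("127.0.0.1", _closed_port())[0],
            "plain_http": diagnose_tls("127.0.0.1", _plain_http_listener())[0]}


if __name__ == "__main__":
    print(demo())
```

Against a real CCOM host, call diagnose_tls("myadress", 9443, cafile="ca_bundle.crt") and diagnose_tls("myadress", 9090): the second call should come back as handshake_failed, which is the same thing a browser shows when it is pointed with https at the http port.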

marcoschoenmann
Explorer

Hello Klaus

Thank you very much for your help in this case. I was able to assign the certificate, and CCO Manager runs on a secure connection now.
I was also able to connect POS to CCO Manager over https.

Best regards
Marco

Klaus_Frick
Active Participant

Hello Marco Schönmann

Thanks for the feedback. Maybe you want to have a look at my Improvement Requests (IR257988, IR257530, IR257531, IR254835) and vote for some of them.

Best Regards

Klaus

marcoschoenmann
Explorer

Hi Arne

Thank you very much for these explanations. Unfortunately I'm still struggling with this...
I tried it different ways, but never had a keystore file (.p12) like the one you mention in your server.xml config.

Do I need to create a new keystore and upload my certificate? Where do I need to store the certificate?

I have my certificate in the following formats:
  • certificate.crt (plus ca_bundle.crt and private.key)
  • certificate.pfx
  • certificate.p7b

After creating a keystore, importing the .crt file into it with keytool and changing server.xml as you explain, CCOM is still available on the http port, but not with https...

Maybe you can give me some more hints regarding this keystoreFile?

Best regards
Marco