Supporting HTTPS/SSL Deployment

The ENOVIA V6 architecture implies HTTP (HTTPS) communications between the Live Collaboration Server and any FCS, as well as between two FCSes.

This task shows you how to:

  • Configure SSL with a Tomcat Server on Windows
  • Configure settings on the FCS server
  • Import certificates served by the Live Collaboration Server as trusted

Before you begin:
  1. Java 1.5 or higher must be installed.
  2. JAVA_HOME\bin (the directory containing java, javac and keytool) has been added to the PATH variable.
  3. The path JAVA_HOME/jre/lib/security/ has been added to the CLASSPATH variable (the InstallCert class is compiled in that directory in the steps below).
  4. The application server used is Apache Tomcat or WebLogic.
  5. Apache Tomcat 6.0.16/6.0.18/6.0.20 or WebLogic must be installed.
  6. If Apache Tomcat is used, the environment variable CATALINA_HOME has been set to the appropriate Catalina Home directory.
Related Topics
Setting the HttpOnly Cookie Flag
Building the J2EE Archive File
Deploying the J2EE Archive File

Configure SSL with a Tomcat Server on Windows

To configure SSL with a Tomcat Server on Windows:

  1. Open a command prompt.

    Note: On certain operating systems, because of OS security, you must run the command prompt as an Administrator. To do this, change to the OS_INSTALL_DRIVE:/Windows/system32/ directory, locate and right-click on cmd.exe, and then select Run as Administrator.

  2. Issue the following command to generate an RSA key pair and a self-signed certificate:

    > keytool -genkey -alias tomcat -keyalg RSA -validity 360 -dname "CN=SERVERNAME,O=3DPLM,OU=Platform,L=Pune,S=MH,C=IN" -keystore CATALINA_HOME\.keystore

    Note: The O, OU, L, S and C values shown are the documentation's example organization; substitute your own. Only the CN matters for the TLS connection: it must be exactly the name clients will type in the URL (the full computer name), otherwise browsers and Java clients report a host name mismatch. Older keytool versions generate a 1024-bit key when no -keysize is given; add -keysize 2048 to get a key size that is still acceptable today. The certificate expires after the 360 days given by -validity and must then be regenerated and re-imported everywhere it was trusted.

    Note: The keytool executable is located in the JAVA_HOME\bin\ directory. If you experience any issues, ensure that:

    • JAVA_HOME is correctly set.
    • JAVA has been added to the PATH variable as mentioned in the prerequisites, above.
    • Correct values are specified for the following:
      • SERVERNAME--Full computer name of the machine on which the application server is running.
      • CATALINA_HOME--Path to the application server (Apache Tomcat) home directory.

  3. When prompted, specify a password (for example, v6r2012), and note it. Do not use the documented example in a real deployment: the password is written in clear text into server.xml in Step 5, so choose your own and restrict read access to both server.xml and the .keystore file.

    Tip: Keep the store password and the key password the same. Tomcat opens both the keystore and the private key with the value of keystorePass unless a separate keyPass attribute is set on the connector; if the two passwords differ and keyPass is not set, the SSL connector fails to start.

  4. On successful execution of the keytool command, a file named .keystore is created in the CATALINA_HOME directory. Verify that the file exists there before continuing.

  5. Change to the CATALINA_HOME\conf\ directory. Open the server.xml file in a text editor, and then search for the string scheme="https". Uncomment the definition of the SSL connector on port 8443 that has scheme="https" as an attribute and update the definition as follows:

    <Connector protocol="org.apache.coyote.http11.Http11Protocol" port="8443" minSpareThreads="5"
    maxSpareThreads="75" enableLookups="true" disableUploadTimeout="true" acceptCount="100" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true" sslProtocol="TLS" keystoreFile="CATALINA_HOME\.keystore"
    keystorePass="v6r2012" clientAuth="false"/>

    Note: The value of keystorePass in the above descriptor should be the value for the password specified in Step 3, above. The value of keystoreFile must be the real path of the .keystore file: replace CATALINA_HOME with the actual directory (for example C:\Tomcat\.keystore) or use ${catalina.home}/.keystore, which Tomcat expands. Every attribute value must be quoted; a missing closing quote (as in maxThreads="200 without the closing quote) makes server.xml unparsable and Tomcat will not start. Because the connector holds the keystore password in clear text, limit who can read server.xml.

  6. Run the Tomcat server.

  7. Access the link https://SERVERNAME:8443/, where SERVERNAME is the full computer name of the machine on which the application server is running (use exactly the name given as CN in Step 2; a short name or an IP address causes a host name mismatch). If the setup is fine, you should be able to view the Tomcat home page. Because the certificate is self-signed, the browser shows a trust warning the first time; that is expected. Before accepting it, check that the fingerprint the browser displays matches the fingerprint of the tomcat entry in CATALINA_HOME\.keystore, so that you trust the certificate you generated and not one presented by an intermediary.
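The following program is an added example written for this page; it is not part of the ENOVIA documentation or of Tomcat. It reads the certificate straight out of CATALINA_HOME\.keystore and prints the values a practitioner compares against what the browser (and, later, InstallCert) shows: subject, validity period, RSA key size and SHA-1/SHA-256 fingerprints. It also flags the three problems most often seen with certificates produced by Step 2: a CN that differs from the host name, a 1024-bit key, and imminent expiry. The class name KeystoreCheck, its arguments, and the 30-day expiry threshold are this example's own choices; it assumes the alias tomcat from Step 2.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Date;

/*
 * Added example, not from the ENOVIA documentation.
 * Usage: java KeystoreCheck <keystore-path> <keystore-password> <alias> <expected-hostname>
 * e.g.   java KeystoreCheck C:\Tomcat\.keystore v6r2012 tomcat SERVERNAME
 */
public class KeystoreCheck {

    private static final char[] HEX = "0123456789abcdef".toCharArray();

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.out.println("Usage: java KeystoreCheck <keystore> <password> <alias> <expected-hostname>");
            return;
        }
        String path = args[0];
        char[] password = args[1].toCharArray();
        String alias = args[2];
        String expectedHost = args[3];

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        // keytool -genkey stores a self-signed certificate next to the private key
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        if (cert == null) {
            System.out.println("No entry with alias '" + alias + "' in " + path);
            return;
        }
        System.out.println("Subject:   " + cert.getSubjectX500Principal().getName());
        System.out.println("Issuer:    " + cert.getIssuerX500Principal().getName());
        System.out.println("Valid:     " + cert.getNotBefore() + " to " + cert.getNotAfter());
        System.out.println("Sig alg:   " + cert.getSigAlgName());
        System.out.println("SHA-1:     " + fingerprint(cert, "SHA-1"));
        System.out.println("SHA-256:   " + fingerprint(cert, "SHA-256"));

        int problems = 0;
        // 1) The CN must equal the host name clients put in the URL; browsers and
        //    HttpsURLConnection reject the connection otherwise.
        String cn = commonName(cert.getSubjectX500Principal().getName());
        if (cn == null || !cn.equalsIgnoreCase(expectedHost)) {
            System.out.println("WARNING: CN '" + cn + "' does not match host name '" + expectedHost + "'");
            problems++;
        }
        // 2) keytool -genkey without -keysize produced 1024-bit RSA keys on older
        //    JDKs; 2048 bits is the minimum to use today.
        if (cert.getPublicKey() instanceof RSAPublicKey) {
            int bits = ((RSAPublicKey) cert.getPublicKey()).getModulus().bitLength();
            System.out.println("RSA bits:  " + bits);
            if (bits < 2048) {
                System.out.println("WARNING: regenerate with -keysize 2048 (key is " + bits + " bits)");
                problems++;
            }
        }
        // 3) -validity 360 means the certificate must be renewed within a year;
        //    the 30-day threshold is an assumption of this example.
        long daysLeft = (cert.getNotAfter().getTime() - new Date().getTime()) / (24L * 60 * 60 * 1000);
        if (daysLeft < 30) {
            System.out.println("WARNING: certificate expires in " + daysLeft + " day(s)");
            problems++;
        }
        System.out.println(problems == 0 ? "OK" : problems + " problem(s) found");
    }

    /** Hex fingerprint of the DER encoding, colon-separated like keytool -list -v. */
    static String fingerprint(X509Certificate cert, String algorithm) throws Exception {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder(digest.length * 3);
        for (int i = 0; i < digest.length; i++) {
            int b = digest[i] & 0xff;
            if (i > 0) sb.append(':');
            sb.append(HEX[b >> 4]).append(HEX[b & 0x0f]);
        }
        return sb.toString().toUpperCase();
    }

    /** Extracts the CN attribute from an RFC 2253 distinguished name (simple split; escaped commas are not handled). */
    static String commonName(String dn) {
        for (String part : dn.split(",")) {
            String p = part.trim();
            if (p.regionMatches(true, 0, "CN=", 0, 3)) {
                return p.substring(3);
            }
        }
        return null;
    }
}
```

Compile and run it on the Tomcat machine with the same JRE that runs Tomcat. The SHA-1 value it prints is the one to compare with the browser's certificate dialog in Step 7 and with the sha1 line InstallCert prints on the FCS side.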

Configure settings on the FCS server

If the FCS URL is the same as the MCS URL (that is, the FCS application is deployed in the same server as the MCS application), perform the following settings on the MCS server instead.

  1. Start the instance of the application server in which the MCS application is deployed. The HTTPS connector configured above must be listening, because the program in Step 3 connects to it to fetch the server certificate.

  2. Note the path of JAVA_HOME that the application server in which the FCS application is deployed is using. The FCS JVM reads its trust store from that JRE (JAVA_HOME\jre\lib\security\jssecacerts if the file exists, otherwise cacerts), so the certificate must be added to that JRE and not to another Java installation on the same machine.

  3. Copy the following InstallCert.java program to the JAVA_HOME\jre\lib\security\ directory. The program writes its result to a file named jssecacerts in the current directory, which is why the later steps run it from that directory:

    /*
     * Copyright 2006 Sun Microsystems, Inc. All Rights Reserved.
     *
     * Redistribution and use in source and binary forms, with or without
     * modification, are permitted provided that the following conditions
     * are met:
     *
     * - Redistributions of source code must retain the above copyright
     * notice, this list of conditions and the following disclaimer.
     *
     * - Redistributions in binary form must reproduce the above copyright
     * notice, this list of conditions and the following disclaimer in the
     * documentation and/or other materials provided with the distribution.
     *
     * - Neither the name of Sun Microsystems nor the names of its
     * contributors may be used to endorse or promote products derived
     * from this software without specific prior written permission.
     *
     * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
     * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
     * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
     * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
     * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
     * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
     * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
     * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
     * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
     * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
     * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
     */

    import java.io.*;
    import java.security.*;
    import java.security.cert.*;

    import javax.net.ssl.*;

    /**
     * Connects to host:port, prints the certificate chain the server presents
     * and lets you add one of those certificates to a trust store named
     * jssecacerts in the current directory (created from the JRE's existing
     * jssecacerts or cacerts).
     */
    public class InstallCert {

        public static void main(String[] args) throws Exception {
            String host;
            int port;
            char[] passphrase;
            if ((args.length == 1) || (args.length == 2)) {
                String[] c = args[0].split(":");
                host = c[0];
                port = (c.length == 1) ? 443 : Integer.parseInt(c[1]);
                // "changeit" is the default password of the JRE's cacerts file
                String p = (args.length == 1) ? "changeit" : args[1];
                passphrase = p.toCharArray();
            } else {
                System.out.println("Usage: java InstallCert <host>[:port] [passphrase]");
                return;
            }

            // Start from jssecacerts in the current directory if it exists, otherwise
            // from the JRE's own jssecacerts, otherwise from its cacerts.
            File file = new File("jssecacerts");
            if (file.isFile() == false) {
                char SEP = File.separatorChar;
                File dir = new File(System.getProperty("java.home") + SEP + "lib" + SEP + "security");
                file = new File(dir, "jssecacerts");
                if (file.isFile() == false) {
                    file = new File(dir, "cacerts");
                }
            }
            System.out.println("Loading KeyStore " + file + "...");
            InputStream in = new FileInputStream(file);
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(in, passphrase);
            in.close();

            // Wrap the default trust manager so that the presented chain is
            // captured even when validation fails.
            SSLContext context = SSLContext.getInstance("TLS");
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ks);
            X509TrustManager defaultTrustManager = (X509TrustManager) tmf.getTrustManagers()[0];
            SavingTrustManager tm = new SavingTrustManager(defaultTrustManager);
            context.init(null, new TrustManager[] {tm}, null);
            SSLSocketFactory factory = context.getSocketFactory();

            System.out.println("Opening connection to " + host + ":" + port + "...");
            SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
            socket.setSoTimeout(10000);
            try {
                System.out.println("Starting SSL handshake...");
                socket.startHandshake();
                socket.close();
                System.out.println();
                System.out.println("No errors, certificate is already trusted");
            } catch (SSLException e) {
                System.out.println();
                e.printStackTrace(System.out);
            }

            X509Certificate[] chain = tm.chain;
            if (chain == null) {
                System.out.println("Could not obtain server certificate chain");
                return;
            }

            BufferedReader reader = new BufferedReader(new InputStreamReader(System.in));

            System.out.println();
            System.out.println("Server sent " + chain.length + " certificate(s):");
            System.out.println();
            // Fingerprints are printed for identification only: compare them with the
            // server's own keystore before trusting anything.
            MessageDigest sha1 = MessageDigest.getInstance("SHA1");
            MessageDigest md5 = MessageDigest.getInstance("MD5");
            for (int i = 0; i < chain.length; i++) {
                X509Certificate cert = chain[i];
                System.out.println(" " + (i + 1) + " Subject " + cert.getSubjectDN());
                System.out.println("   Issuer  " + cert.getIssuerDN());
                sha1.update(cert.getEncoded());
                System.out.println("   sha1    " + toHexString(sha1.digest()));
                md5.update(cert.getEncoded());
                System.out.println("   md5     " + toHexString(md5.digest()));
                System.out.println();
            }

            System.out.println("Enter certificate to add to trusted keystore or 'q' to quit: [1]");
            String line = reader.readLine().trim();
            int k;
            try {
                k = (line.length() == 0) ? 0 : Integer.parseInt(line) - 1;
            } catch (NumberFormatException e) {
                System.out.println("KeyStore not changed");
                return;
            }
            if (k < 0 || k >= chain.length) {
                System.out.println("No such certificate; KeyStore not changed");
                return;
            }

            X509Certificate cert = chain[k];
            String alias = host + "-" + (k + 1);
            ks.setCertificateEntry(alias, cert);

            // Written to the current directory: run from JAVA_HOME\jre\lib\security
            // so that the JVM finds the file.
            OutputStream out = new FileOutputStream("jssecacerts");
            ks.store(out, passphrase);
            out.close();

            System.out.println();
            System.out.println(cert);
            System.out.println();
            System.out.println("Added certificate to keystore 'jssecacerts' using alias '" + alias + "'");
        }

        private static final char[] HEXDIGITS = "0123456789abcdef".toCharArray();

        private static String toHexString(byte[] bytes) {
            StringBuilder sb = new StringBuilder(bytes.length * 3);
            for (int b : bytes) {
                b &= 0xff;
                sb.append(HEXDIGITS[b >> 4]);
                sb.append(HEXDIGITS[b & 15]);
                sb.append(' ');
            }
            return sb.toString();
        }

        /** Trust manager that records the server chain before delegating validation. */
        private static class SavingTrustManager implements X509TrustManager {
            private final X509TrustManager tm;
            private X509Certificate[] chain;

            SavingTrustManager(X509TrustManager tm) {
                this.tm = tm;
            }

            public X509Certificate[] getAcceptedIssuers() {
                // Delegated rather than throwing, because some JSSE versions
                // call this method during the handshake.
                return tm.getAcceptedIssuers();
            }

            public void checkClientTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                throw new UnsupportedOperationException();
            }

            public void checkServerTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                this.chain = chain;
                tm.checkServerTrusted(chain, authType);
            }
        }
    }

  4. Open a command prompt.

    Note: On certain operating systems, because of OS security, you must run the command prompt as an Administrator. To do this, change to the OS_INSTALL_DRIVE:/Windows/system32/ directory, locate cmd.exe, right-click on it, and then select Run as Administrator.

  5. Change to the JAVA_HOME\jre\lib\security\ directory.

  6. Run the following command:

    > javac InstallCert.java

    Note: The javac executable is located in the JAVA_HOME\bin\ directory. If you experience any issues, ensure that:

    • JAVA_HOME is correctly set.
    • JAVA has been added to the PATH variable as mentioned in the Prerequisites section.
    • Alternatively, go to the JAVA_HOME\bin\ directory and execute the above command, specifying the complete path of InstallCert.java (i.e., JAVA_HOME\jre\lib\security\InstallCert.java); javac writes the class files next to the source file.

    After successful execution of the above command, two files are created in JAVA_HOME\jre\lib\security\: InstallCert.class and InstallCert$SavingTrustManager.class.

  7. Ensure that the current directory is JAVA_HOME\jre\lib\security\ (the program writes jssecacerts to the current directory, and the JVM only looks for that file in this directory), and then run the following command, where HTTPS_PORT is the port of the SSL connector configured above (8443):

    > java InstallCert SERVERNAME:HTTPS_PORT

    Note: The java executable is located in the JAVA_HOME\bin\ directory. The program loads an existing jssecacerts or, failing that, cacerts from this directory with the default passphrase changeit; if the cacerts password has been changed, pass it as a second argument. If you experience any issues, ensure that:

    • JAVA_HOME is correctly set.
    • JAVA has been added to the PATH variable as mentioned in the Prerequisites section.
    • The directory containing InstallCert.class is on the class path: either the current directory, or JAVA_HOME\jre\lib\security\ through the CLASSPATH variable mentioned in the Prerequisites section.

  8. The program prints the certificate chain the server sent, with the subject, issuer and SHA-1/MD5 fingerprints of each certificate, and then prompts for the certificate to trust. Before pressing Enter, compare the printed sha1 value with the fingerprint of the tomcat entry in CATALINA_HOME\.keystore on the Live Collaboration Server. If they differ, enter q: you are not talking to the server you configured (wrong host or port, or something between the two servers is terminating the connection), and trusting that certificate would let that party read all FCS traffic. If they match, add the certificate to the trusted keystore by pressing the Enter key. The following message should be displayed:

    Added certificate to keystore 'jssecacerts' using alias 'SERVERNAME-1'

  9. Run the command in Step 7 again:

    > java InstallCert SERVERNAME:HTTPS_PORT

    The following message should be displayed: No errors, certificate is already trusted.

    Note: A running JVM reads jssecacerts only when it first initializes its default trust store, so restart the application server in which the FCS application is deployed for the change to take effect. The file belongs to this particular JRE: if the JRE is upgraded or replaced, repeat these steps.
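InstallCert opens a raw SSLSocket, so its "certificate is already trusted" message only says that the chain validates against jssecacerts; it never checks that the certificate's CN matches the host name, which the FCS's HTTP client will check. The following program is an added example written for this page (not part of the ENOVIA documentation or of InstallCert) that performs the full check the FCS will perform: it builds an SSLContext that trusts only the contents of jssecacerts, opens the HTTPS URL through HttpsURLConnection (which verifies the host name), and confirms that the certificate the server presented is byte-identical to the one stored under the alias InstallCert created. The class name TrustStoreCheck and its arguments are this example's own choices; it assumes the alias SERVERNAME-1 that InstallCert produces for certificate 1.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/*
 * Added example, not from the ENOVIA documentation.
 * Usage: java TrustStoreCheck <jssecacerts-path> <passphrase> https://SERVERNAME:8443/
 * Run it with the same JRE that runs the FCS application server.
 */
public class TrustStoreCheck {

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.out.println("Usage: java TrustStoreCheck <truststore> <passphrase> <https-url>");
            return;
        }
        KeyStore ts = loadStore(args[0], args[1].toCharArray());
        URL url = new URL(args[2]);
        String expectedAlias = url.getHost() + "-1"; // alias InstallCert uses for chain entry 1

        // Trust ONLY what is in jssecacerts, exactly as the FCS JVM does once the
        // file exists in jre/lib/security (no system CA bundle is consulted).
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setConnectTimeout(10000);
        conn.setReadTimeout(10000);
        conn.setRequestMethod("HEAD");
        try {
            // Fails if the chain is untrusted OR the certificate's CN does not match
            // the URL's host: the second case is what InstallCert does not detect.
            conn.connect();
        } catch (IOException e) {
            System.out.println("FAILED: " + e);
            return;
        }

        Certificate[] chain = conn.getServerCertificates();
        X509Certificate leaf = (X509Certificate) chain[0];
        System.out.println("HTTP " + conn.getResponseCode() + " from " + url);
        System.out.println("Cipher suite: " + conn.getCipherSuite());
        System.out.println("Peer subject: " + leaf.getSubjectX500Principal().getName());
        System.out.println("Peer SHA-1:   " + sha1(leaf));

        // The presented certificate must be byte-identical to the stored one;
        // compare encodings, not subject names, which anyone can copy.
        Certificate stored = ts.getCertificate(expectedAlias);
        if (stored == null) {
            System.out.println("WARNING: no alias '" + expectedAlias + "' in trust store");
        } else if (!Arrays.equals(stored.getEncoded(), leaf.getEncoded())) {
            System.out.println("WARNING: stored certificate differs from the one presented");
        } else {
            System.out.println("OK: presented certificate matches alias '" + expectedAlias + "'");
        }
        conn.disconnect();
    }

    static KeyStore loadStore(String path, char[] passphrase) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, passphrase);
        } finally {
            in.close();
        }
        return ks;
    }

    /** Colon-separated SHA-1 fingerprint, comparable with the sha1 line InstallCert prints. */
    static String sha1(X509Certificate cert) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < d.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", d[i] & 0xff));
        }
        return sb.toString();
    }
}
```

A host name mismatch shows up here as a failed connection even though Step 9 reported the certificate as trusted; the fix is to regenerate the server certificate with the CN equal to the name in the FCS URL, not to disable host name verification in the client.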

Import certificates served by the Live Collaboration Server as trusted

To fully support HTTPS/SSL deployment, the certificates served by the Live Collaboration Server must be imported as trusted certificates in each J2EE-deployed ENOVIA V6 server (ENOVIA Live Collaboration Server/File Collaboration Server/SyncServer). This must be done using the keytool program found in the JRE of your J2EE server, because that is the JRE whose cacerts file the server JVM consults. The syntax is as follows, where CERTIFICATE_FILE is the server certificate exported from the Live Collaboration Server's keystore (keytool -exportcert) and ALIAS is a name not already present in cacerts:

> keytool -importcert -trustcacerts -alias ALIAS -file CERTIFICATE_FILE -keystore J2EE_SERVER_JRE_PATH\lib\security\cacerts

keytool prompts for the cacerts password (changeit unless it has been changed) and displays the certificate's fingerprints before asking for confirmation; compare them with the fingerprints of the entry in the Live Collaboration Server's keystore before answering yes. Restart the J2EE server afterwards so that the JVM reloads its trust store, and repeat the import whenever the server certificate is regenerated or the JRE is replaced.