Please use a signed certificate from an official Certificate Authority for production environments. The following steps are only recommended for development / test environments. Furthermore, basic knowledge of HTTPS / SSL is required.
Using the sample Progress certificate
1) Configure your AppServer to use SSL.
Within Developer Studio, double-click on your AppServer in the "Servers" view. Click on "Open launch configuration", go to the Security tab and select "Enable SSL client connections". Select "default_server" as the "Private key/Digital certificate alias name". Alternatively, perform the same tasks in OpenEdge Explorer or the OpenEdge Management Console, within the SSL tab of your AppServer configuration.
Note: The "default_server" certificate is included just for test purposes. In a production environment you would need to use your own certificate.
2) Configure the runtime.props of the REST application.
Add the correct AppServer protocol for SSL communication. For example:
<bpm:appServiceProtocol>AppserverS</bpm:appServiceProtocol>
In a deployment environment, the runtime.props file is normally located here:
<Tomcat InstallDir>\webapps\<application name>\WEB-INF\adapters\runtime.props
In a Progress Developer Studio environment, the runtime.props file is normally located here:
<OpenEdge InstallDir>\servers\tomcat\webapps\<application name>\WEB-INF\adapters\runtime.props (OpenEdge 11.2)
<OpenEdge InstallDir>\servers\tomcat\webapps\<application name>\WEB-INF\adapters\runtime.props (OpenEdge 11.3 or later if starting restmgr1 through the tcman command-line utility)
<OpenEdge InstallDir>\servers\tomcat\pdsoe\<application name>\WEB-INF\adapters\runtime.props (OpenEdge 11.3 or later if starting restmgr1 through Progress Developer Studio)
3) Configure the WEB-INF/web.xml of the REST application.
Specify the complete or relative path to the certificate store for the REST application. The REST application uses this store when calling the AppServer business logic (classes / procedures) to check that the AppServer's server certificate is trusted. For example:
<!-- Certificate jar location -->
<context-param>
<param-name>certlocation</param-name>
<param-value>WEB-INF/adapters/psccerts.jar</param-value>
</context-param>
4) If you are using one of the appSecurity-*-oerealm.xml security templates for your web application, configure the OERealmUserDetails bean within the security template.
Add the correct AppServer protocol for SSL communication. For example:
<b:property name="realmURL" value="AppServerS://localhost:5162/restbroker1" />
Provide the full path to the certificate store. The REST application uses this store when calling the OpenEdge Realm class to check that the AppServer's server certificate is trusted. For example:
<b:property name="certLocation" value="C:\Progress\114\WRK\Workspace\RESTTest\RESTContent\WEB-INF\adapters\psccerts.jar" />
Note: If you need to use a relative path for the certLocation property, be aware that it is resolved relative to Tomcat's working directory, not the web application's context. For the built-in Tomcat instance that comes with Progress Developer Studio, this is the default OpenEdge working directory.
5) (Re)start your Tomcat instance for the changes to take effect.
Using your own certificate
1) Create your own Certificate Authority (CA) which will be used to sign certificate requests (optional if you already have a CA or if you are going to use an external CA).
- Download and install OpenSSL for Windows at: http://www.slproweb.com/products/Win32OpenSSL.html
- Open the <OpenSSL install-dir>\bin\openssl.cfg file and change the line "string_mask = utf8only" to "string_mask = pkix".
- Create the following directories in the <OpenSSL install-dir>\bin:
demoCA
demoCA\private
demoCA\newcerts
- In the demoCA directory create an empty file called 'index.txt' and also a file called 'serial' containing the number '01'.
- Set up the proper environment by opening a Proenv window and executing:
cd <OpenSSL install-dir>\bin
Note: From here you can execute the 'openssl' command and any other command-line utilities that follow.
- Use OpenSSL to create a CA root certificate:
- Create a private key:
openssl genrsa -des3 -out cakey.pem 1024
- The process will prompt you to supply a PEM pass phrase to help secure the key.
- Create a CA certificate:
openssl req -config openssl.cfg -new -x509 -key cakey.pem -out cacert.pem -days 1825
- You will be prompted to supply information for the certificate.
- Move your private key cakey.pem to the demoCA/private directory and cacert.pem to the demoCA directory.
2) Generate a certificate request for your AppServer:
pkiutil -newreq sslappsrvr
NOTE: Make sure you specify the DNS hostname of your machine for the Common Name, for example hostname.domain.com. The SSL connection from the REST web application to the AppServer will fail if the Common Name of the certificate does not match the DNS hostname of the AppServer machine.
3) (OPTIONAL) Modify the demoCA\index.txt.attr file and change the unique_subject property to "no". This will allow you to sign multiple certificates with the same Common Name (your machine's hostname).
4) Sign the certificate request using the CA that you created with OpenSSL:
openssl ca -config openssl.cfg -in %DLC%\keys\requests\sslappsrvr.pk10 -out sslappsrvr.pem -days 1825
Note: If using an external CA, send your certificate request to that CA for signing instead.
5) Import the signed certificate back into the OpenEdge keystore used by the AppServer (%DLC%\keys):
pkiutil -import sslappsrvr sslappsrvr.pem
6) (OPTIONAL) Import the root certificate of your CA into the OpenEdge client keystore (%DLC%\certs):
certutil -import demoCA\cacert.pem
This will allow an OpenEdge (ABL) client to trust this CA and to make calls to the AppServer. If you do not intend to use ABL clients, you can skip this step.
7) Go into your AppServer configuration and select the sslappsrvr alias when configuring SSL for your AppServer. Don't forget to provide the password you chose in step 2.
8) Update the psccerts.jar client certificate store by importing the root certificate of your CA:
openssl x509 -in demoCA\cacert.pem -out cacert.cer -outform DER
procertm -i cacert.cer %DLC%\certs\psccerts.jar
This will allow the AdminServer to manage the SSL-enabled AppServer.
9) Copy this psccerts.jar to the required locations depending on the path used in web.xml and (if applicable) the appSecurity-*-oerealm.xml security templates. Also see steps 3 and 4 of the previous section "Using the sample Progress certificate".
10) (Re)start your AppServer and Tomcat instance for the changes to take effect.
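The "Using your own certificate" workflow above (steps 1, 2, 4 and 8) as a runnable script, added here and not part of the Progress article: it creates the demoCA layout and root, signs a server request, produces the DER root for procertm, and then checks the two properties the REST-to-AppServer connection depends on (the server certificate chains to the CA, and its Common Name equals the DNS hostname). It assumes a POSIX shell with openssl on the PATH; openssl req stands in for pkiutil -newreq, host.example.com is a constructed hostname, and 2048-bit keys without a pass phrase are used so it runs unattended.

```shell
# Added example, not from the Progress KB article: the "Using your own
# certificate" CA workflow as an unattended POSIX shell script with its own
# minimal openssl config, so it does not depend on the system openssl.cfg.
# "openssl req" stands in for "pkiutil -newreq sslappsrvr"; the hostname is a
# constructed placeholder for your AppServer's DNS name.
set -eu
WORK="${WORK:-$(mktemp -d)}"; CA_DIR="$WORK/demoCA"; CN="${CN:-host.example.com}"
# Step 1: demoCA layout plus an empty index.txt and serial=01, as in the article
mkdir -p "$CA_DIR/private" "$CA_DIR/newcerts"
: > "$CA_DIR/index.txt"; echo 01 > "$CA_DIR/serial"
cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CA_DIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = policy_cn
unique_subject = no
[ policy_cn ]
commonName = supplied
[ req ]
distinguished_name = req_dn
string_mask = pkix
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
# CA key and self-signed root: 2048 bits, no pass phrase so it runs unattended
openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null
openssl req -config "$WORK/ca.cnf" -new -x509 -key "$CA_DIR/private/cakey.pem" \
  -out "$CA_DIR/cacert.pem" -days 1825 -subj "/CN=Demo Test CA"
# Step 2: server key and request; the CN must be the AppServer's DNS hostname
openssl genrsa -out "$WORK/sslappsrvr.key" 2048 2>/dev/null
openssl req -config "$WORK/ca.cnf" -new -key "$WORK/sslappsrvr.key" \
  -out "$WORK/sslappsrvr.pk10" -subj "/CN=$CN"
# Step 4: sign the request with the CA; step 8: DER copy of the root for procertm
openssl ca -config "$WORK/ca.cnf" -batch -notext -in "$WORK/sslappsrvr.pk10" \
  -out "$WORK/sslappsrvr.pem" -days 1825 2>/dev/null
openssl x509 -in "$CA_DIR/cacert.pem" -out "$WORK/cacert.cer" -outform DER
# What the REST-to-AppServer handshake depends on: the server certificate chains
# to the CA that will sit in psccerts.jar, and its CN equals the DNS hostname.
verify_chain() { openssl verify -CAfile "$CA_DIR/cacert.pem" "$WORK/sslappsrvr.pem" >/dev/null 2>&1; }
cert_cn() { openssl x509 -in "$WORK/sslappsrvr.pem" -noout -subject -nameopt RFC2253 | sed 's/.*CN=\([^,]*\).*/\1/'; }
```

Run it with CN set to the AppServer's real DNS name; if verify_chain fails or cert_cn differs from that name, the REST application's connection will fail for the same reason.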