How to configure a secure Tomcat instance for use with an OpenEdge REST application

Information

Title: How to configure a secure Tomcat instance for use with an OpenEdge REST application
URL Name: How-to-configure-a-secure-Tomcat-instance-for-use-with-an-OpenEdge-REST-application
Article Number: 000192480
Environment:
  Product: OpenEdge
  Version: 11.x
  OS: All supported platforms
  Other: Apache Tomcat
Question/Problem Description
How to configure a secure Tomcat instance for use with an OpenEdge REST application within a test environment.
How to configure a Tomcat instance with HTTPS for use with an OpenEdge REST application within a test environment.
Resolution
Use a certificate signed by an official Certificate Authority (CA) for production environments. In that case you simply generate a certificate request and send it to the CA, who signs it for you, so the OpenSSL steps below (which create a private test CA) are not required.

OpenEdge REST applications have been certified to run on Tomcat 7, so the following steps are based on a standalone Tomcat 7 installation on Windows; use this article as a guideline for other platforms. The following steps are recommended for test environments only, and basic knowledge of HTTPS / SSL is assumed.
  1. Download and install OpenSSL for Windows from: http://www.slproweb.com/products/Win32OpenSSL.html
  2. Open the <OpenSSL install-dir>\bin\openssl.cfg file and change the line string_mask = utf8only to string_mask = pkix
  3. Create the following directories in <OpenSSL install-dir>\bin:
     demoCA
     demoCA\private
     demoCA\newcerts
  4. In the demoCA directory create an empty file called 'index.txt' and a file called 'serial' containing the number '01'.
  5. Set up the environment by opening a Proenv window and executing:
     cd <OpenSSL install-dir>\bin

     Note: From here on you can execute the 'openssl' commands used in the steps below.
  6. Use OpenSSL to create a CA root certificate:
    1. Create a private key:
     openssl genrsa -des3 -out cakey.pem 1024
       The process will prompt you for a PEM pass phrase that protects the key.
    2. Create a CA certificate:
     openssl req -config openssl.cfg -new -x509 -key cakey.pem -out cacert.pem -days 1825
       You will be prompted to supply the information for the certificate.
    3. Move your private key cakey.pem to the demoCA\private directory and cacert.pem to the demoCA directory.
  7. In the Proenv window, add the %JREHOME%\bin directory (the JRE used by Tomcat) to the beginning of your PATH environment variable, for example:
     set JREHOME=C:\Java\jre7
     set PATH=%JREHOME%\bin;%PATH%
  8. Run 'keytool' to create the keystore and the initial certificate:
     keytool -genkey -alias tomcat -keysize 1024 -keyalg RSA -validity 1825 -keystore "<Tomcat install-dir>\conf\.keystore"

     Note: Make sure you provide your machine's DNS hostname when asked for your First and Last Name (keytool stores this value as the certificate's Common Name, which clients compare with the hostname they connect to).
  9. Generate the certificate request:
     keytool -certreq -alias tomcat -file tomcat.csr -keystore "<Tomcat install-dir>\conf\.keystore"
  10. Sign the Tomcat certificate request with the CA created in step 6:
     openssl ca -config openssl.cfg -in tomcat.csr -out tomcat.pem -days 1825
  11. Edit Tomcat's server.xml file located in the <Tomcat install-dir>\conf directory and:
    1. Uncomment the SSL Connector to enable HTTPS access.
    2. Optionally comment out the non-SSL Connector if you want to disable plain HTTP access.
    3. Add the keystoreFile and keystorePass attributes to the SSL Connector.
    4. The following is an example of a Connector where SSLv3 has been disabled (only TLS 1.0, 1.1 and 1.2 are enabled) while SSLv2Hello is kept, so that clients sending SSLv2/SSLv3-format Hello messages can still negotiate TLS:
     <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                maxThreads="150" scheme="https" secure="true"
                keystoreFile="<Tomcat install-dir>\conf\.keystore" keystorePass="<keystore password>"
                clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello" />

     Note: Please refer to http://tomcat.apache.org/tomcat-7.0-doc/config/http.html for further details on all the valid Connector attributes.
  12. Convert the certificates to the DER format:
     openssl x509 -in demoCA\cacert.pem -out cacert.der -outform DER
     openssl x509 -in tomcat.pem -out tomcat.der -outform DER
  13. Import the certificates into the Tomcat keystore (the CA root first, then the signed Tomcat certificate under the alias used in step 8):
     keytool -v -import -alias root -file cacert.der -keystore "<Tomcat install-dir>\conf\.keystore"
     keytool -v -import -alias tomcat -file tomcat.der -keystore "<Tomcat install-dir>\conf\.keystore"
  14. Check the keystore with the -list option and verify that all your certificates are listed properly:
     keytool -v -list -keystore "<Tomcat install-dir>\conf\.keystore"
  15. If you manage your REST applications via a REST Management Agent (OERM), rename cacert.der to cacert.cer and make the AdminServer trust the root certificate by importing the CA certificate into %DLC%\certs\psccerts.jar:
     procertm -i cacert.cer %DLC%\certs\psccerts.jar
  16. Restart your AdminServer (if you followed the previous step).
  17. Restart Tomcat and verify that you can connect to the HTTPS URL, e.g. https://myserver:8443 .
  18. Deploy your REST application as detailed in the article How to deploy an OpenEdge Mobile Service or OpenEdge REST Service to Tomcat.
  19. Verify that you can access your REST applications, e.g. https://myserver:8443/RESTTestService/rest/RESTTest/Roundtrip/param1/param2
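A client-side check of the connector configured in the steps above, added here as an example that is not part of the original article or of OpenEdge: it assumes Python 3.7 or later on the client, the demoCA cacert.pem created in step 6 as the only trust anchor, and the Tomcat hostname and port passed as arguments. It confirms which TLS versions the Connector accepts and that the certificate's name covers the hostname you connect to (the reason for the hostname note in step 8).

```python
"""Client-side check of the HTTPS connector configured above (added example, not from the article)."""
import socket
import ssl
import sys

# Assumed inputs: the demoCA cacert.pem from step 6 as trust anchor, and the Tomcat hostname/port.
def make_context(cafile, minimum=ssl.TLSVersion.TLSv1_2):
    """Build a client context that trusts only the given CA file and checks the hostname."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = minimum
    return ctx

def cert_names(peercert):
    """Hostnames a getpeercert() dict is valid for: SAN DNS entries, else the subject CN."""
    sans = [v for k, v in peercert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in peercert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(peercert, hostname):
    """True if the certificate covers hostname (exact, case-insensitive match)."""
    return hostname.lower() in (n.lower() for n in cert_names(peercert))

def probe(host, port, cafile, version):
    """Handshake with exactly one TLS version; return (accepted, peer cert dict or None)."""
    ctx = make_context(cafile, minimum=version)
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.getpeercert()
    except (ssl.SSLError, OSError):
        return False, None

if __name__ == "__main__":
    # Usage: python check_tls.py myserver 8443 demoCA\cacert.pem
    host, port, cafile = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    for v in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2):
        ok, cert = probe(host, port, cafile, v)
        print(f"{v.name}: {'accepted' if ok else 'refused'}")
        if ok and not name_matches(cert, host):
            print(f"  WARNING: certificate names {cert_names(cert)} do not cover {host}")
```

With an OpenSSL 3 client, a "refused" result for TLS 1.0 or 1.1 may come from the client's own security level rather than from the Tomcat Connector, so confirm with TLS 1.2 before drawing conclusions.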
Last Modified Date11/20/2020 7:26 AM