These steps set up an additional WSA instance that runs inside a Tomcat instance configured for HTTPS. Treat this Solution as a guideline only:
- if the intent is to secure a single, existing WSA instance rather than add a second one;
- if a different version of OpenEdge or Tomcat is used (file locations and connector attribute names differ between versions).
Note: This article uses a self-signed CA certificate. Browsers and clients will warn about the server certificate until that CA certificate is imported into their own trust stores.
In order to configure an additional instance of the WSA which runs within Tomcat via HTTPS / SSL, please follow these steps:
1. Option A - For machines that do not have OpenEdge products installed:
A - Download and install OpenSSL for Windows from: http://www.slproweb.com/products/Win32OpenSSL.html
B - Open the openssl.cfg file and change the line 'string_mask = utf8only' to 'string_mask = pkix'. With utf8only the CA's subject fields are encoded as UTF8String, while keytool encodes the subject of the certificate request as PrintableString; 'openssl ca' then reports that the fields "needed to be the same" and refuses to sign.
C - Follow steps 1 through 3 of Solution How to create one's own CA root certificate using OpenSSL to sign IIS certificate request for use with SSL
1. Option B - For machines that do have OpenEdge installed (sslc is the OpenSSL command-line tool shipped with Progress OpenEdge):
A - Create the directories <dlc>/keys/private/ and <dlc>/keys/newcerts
B - Use sslc to create the CA private key:
sslc genrsa -des3 -out <dlc>/keys/private/cakey.pem 1024
Note: The command prompts for a PEM pass phrase that protects the key; it is needed again whenever a request is signed with this CA. 1024-bit RSA is below current minimum recommendations; use 2048 bits or larger where the OpenEdge and Java versions in use accept it.
C - Create the CA certificate:
sslc req -new -x509 -key <dlc>/keys/private/cakey.pem -out <dlc>/keys/cacert.pem -days 1825
Note: The command prompts for the subject fields of the certificate (country, organization, common name and so on).
D - In <dlc>/keys create an empty file called 'index.txt' and a file called 'serial' containing the number '01'. 'sslc ca' uses these two files to record the certificates it issues and the next serial number.
2. Edit Tomcat's server.xml file, located in the <Tomcat install dir>\conf directory:
A - Uncomment the SSL connector to enable HTTPS access:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
Optionally comment out the non-SSL connector to disable plain HTTP access; if it stays enabled, the WSA remains reachable without encryption on port 8080 as well:
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
B - Add the keystoreFile and keystorePass attributes to the SSL connector, for example:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="<tomcat install dir>\conf\.keystore" keystorePass="progress"/>
Note: The attribute layout shown is the Tomcat 6 form (SSLEnabled and the protocol class). In Tomcat 4.1, such as 4.1.34, the SSL settings go on a nested <Factory> element inside the <Connector>, with protocol="TLS" in place of sslProtocol; refer to http://tomcat.apache.org/tomcat-4.1-doc/ssl-howto.html for the valid connector attributes of that version. keystorePass is stored in clear text in server.xml, so choose a value other than the example 'progress' and restrict read access to the file.
3. Add the %JDKHOME%\bin directory of the JDK used by Tomcat to the beginning of PATH if it is not already there, e.g.: set PATH=<Java install dir>\j2sdk1.4.2_13\bin;%PATH%
A - Run keytool to create the keystore and the initial self-signed certificate:
keytool -genkey -alias tomcat -keysize 1024 -keyalg RSA -validity 1825 -keystore <tomcat install dir>\conf\.keystore
Note: keytool asks for "first and last name"; answer with the host name clients will use in the HTTPS URL (e.g. myserver), because this becomes the certificate's CN. Use the keystorePass value from server.xml as the keystore password and press RETURN when asked for the key password: Tomcat expects the key and keystore passwords to be the same unless keyPass is configured. As in step 1, 1024 bits is below current minimums; use 2048 or larger where supported.
B - Generate the certificate request with keytool:
keytool -certreq -alias tomcat -file tomcat.csr -keystore <tomcat install dir>\conf\.keystore
C - Sign the Tomcat certificate request (sslc can be used instead of openssl if OpenEdge is installed on the machine). Both commands use the CA created in step 1 and prompt for the CA key's pass phrase:
openssl ca -config openssl.cfg -in tomcat.csr -out tomcat.pem -days 1825
- OR -
sslc ca -in tomcat.csr -out tomcat.pem -days 1825
D - Convert the certificates to DER format (demoCA is the CA directory from step 1 Option A, <dlc>/keys the one from Option B):
openssl x509 -in demoCA\cacert.pem -out cacert.der -outform DER
openssl x509 -in tomcat.pem -out tomcat.der -outform DER
- OR -
sslc x509 -in <dlc>/keys/cacert.pem -out cacert.der -outform DER
sslc x509 -in tomcat.pem -out tomcat.der -outform DER
E - Import the CA certificate into the trust store of the Java installation used by Tomcat. This makes every application running on that JVM trust certificates issued by the CA, so keep the CA private key protected:
keytool -v -import -alias root -file cacert.der -keystore %JDKHOME%\jre\lib\security\cacerts
Note: The default password for the Java cacerts keystore is 'changeit' (without quotes).
F - Import the certificates into the Tomcat keystore. The CA certificate goes in first under a new alias; importing tomcat.der under the existing 'tomcat' alias then replaces the self-signed certificate from step 3A with the CA-signed one (keytool accepts the reply only once the issuing CA is trusted in the keystore):
keytool -v -import -alias root -file cacert.der -keystore <tomcat install dir>\conf\.keystore
keytool -v -import -alias tomcat -file tomcat.der -keystore <tomcat install dir>\conf\.keystore
G - Check the keystore with the -list option and verify that both entries are present: 'root' as a trusted certificate entry and 'tomcat' as a key entry with a certificate chain length of 2 (server certificate plus CA):
keytool -v -list -keystore <tomcat install dir>\conf\.keystore
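The CA and server-certificate work of steps 1 and 3 as one runnable script. This is an added example, not code from the original article or from Progress's tooling: it uses plain openssl throughout (in place of sslc and keytool), a 2048-bit key, and the non-interactive -subj, -batch and -passin options so the whole flow can be executed and checked in one go. The host name myserver.example.test, the CA name and the pass phrases are made-up demo values. The PKCS12 file it produces is an alternative to the JKS keystore of step 3F; Tomcat loads it with keystoreType="PKCS12", or it can be converted with keytool -importkeystore where a JKS file is required.

```shell
#!/bin/sh
# Added example (not from the original article): CA, CSR, signing, DER and
# keystore steps done end to end with plain OpenSSL, no interactive prompts.
# Assumes openssl is on PATH. Host name, CA name and passphrases are demo values.
set -eu

# Step 1B/1D equivalent: the layout 'openssl ca' expects (private/, newcerts/,
# empty index.txt, serial = 01) plus a config file that points at it.
setup_ca_dir() {
    ca="$1"
    mkdir -p "$ca/private" "$ca/newcerts"
    : > "$ca/index.txt"
    echo 01 > "$ca/serial"
    cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca = local_ca

[ local_ca ]
dir           = $ca
database      = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial        = \$dir/serial
private_key   = \$dir/private/cakey.pem
certificate   = \$dir/cacert.pem
default_md    = sha256
default_days  = 1825
policy        = policy_loose

[ policy_loose ]
commonName       = supplied
organizationName = optional
countryName      = optional

[ req ]
# Step 1A-B: pkix rather than utf8only, so a CSR subject that keytool encoded
# as PrintableString still compares equal to the CA's subject fields.
string_mask        = pkix
distinguished_name = req_dn
x509_extensions    = ca_ext

[ req_dn ]

[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Step 1B-C: encrypted CA key and self-signed CA certificate (2048-bit RSA).
make_ca() {
    ca="$1"; pass="$2"
    openssl genrsa -aes256 -passout "pass:$pass" -out "$ca/private/cakey.pem" 2048
    openssl req -new -x509 -config "$ca/openssl.cnf" -key "$ca/private/cakey.pem" \
        -passin "pass:$pass" -subj "/CN=Demo WSA Root CA/O=Example" -days 1825 \
        -out "$ca/cacert.pem"
}

# Step 3A-B with openssl instead of keytool. The CN must be the host name
# clients put in the HTTPS URL.
make_server_csr() {
    ca="$1"; host="$2"; out="$3"
    openssl genrsa -out "$out/tomcat.key" 2048
    openssl req -new -config "$ca/openssl.cnf" -key "$out/tomcat.key" \
        -subj "/CN=$host/O=Example" -out "$out/tomcat.csr"
}

# Step 3C: sign with the CA. -batch replaces the y/n prompts; the extension
# file adds a subjectAltName, which current clients require besides the CN.
sign_csr() {
    ca="$1"; pass="$2"; host="$3"; csr="$4"; out="$5"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nauthorityKeyIdentifier=keyid\nsubjectAltName=DNS:%s\n' "$host" > "$out.ext"
    openssl ca -batch -config "$ca/openssl.cnf" -passin "pass:$pass" \
        -extfile "$out.ext" -in "$csr" -out "$out" -days 1825 -notext
}

# Step 3D: PEM -> DER.
to_der() { openssl x509 -in "$1" -out "$2" -outform DER; }

# Step 3F alternative: PKCS12 keystore holding key, server cert and CA cert.
make_pkcs12() {
    key="$1"; cert="$2"; cacert="$3"; out="$4"; pass="$5"
    openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$cacert" \
        -name tomcat -out "$out" -passout "pass:$pass"
}

# Checks worth running before step 4: the chain validates against the CA and
# the certificate carries the host name it will be served under.
verify_chain() { openssl verify -CAfile "$1" "$2" >/dev/null; }
cert_has_host() { openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; }

# Whole procedure inside one directory; non-zero status if any step fails.
run_demo() {
    d="$1"; host="myserver.example.test"; capass="demo-ca-pass"
    setup_ca_dir "$d/ca"
    make_ca "$d/ca" "$capass"
    make_server_csr "$d/ca" "$host" "$d"
    sign_csr "$d/ca" "$capass" "$host" "$d/tomcat.csr" "$d/tomcat.pem"
    to_der "$d/ca/cacert.pem" "$d/cacert.der"
    to_der "$d/tomcat.pem" "$d/tomcat.der"
    make_pkcs12 "$d/tomcat.key" "$d/tomcat.pem" "$d/ca/cacert.pem" "$d/tomcat.p12" "progress"
    verify_chain "$d/ca/cacert.pem" "$d/tomcat.pem" && cert_has_host "$d/tomcat.pem" "$host"
}

run_demo "$(mktemp -d)" && echo "CA, signed server certificate and PKCS12 keystore created"
```

The script writes the CA under ca/ and leaves tomcat.key, tomcat.pem, tomcat.der, cacert.der and tomcat.p12 beside it; point keystoreFile at tomcat.p12 with keystoreType="PKCS12" and keystorePass="progress" (change that value in real use), and import cacert.der into the Java cacerts and client trust stores exactly as in steps 3E and the Extras.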
4. Restart Tomcat and verify that it is possible to connect to the HTTPS URL, e.g. https://myserver:8443. A browser that does not yet trust the CA warns about the certificate; that is expected until cacert.der from step 3D is imported into its trust store. A warning about a name mismatch means the CN entered in step 3A does not match the host name in the URL.
5. To create a second WSA adapter, follow the steps in the article How to setup a second instance of the Web Services Adapter?. At step 6, make sure to specify the HTTPS URL for the WSA, e.g. https://myserver:8443/wsa-ssl/wsa1 .
A - Restart Tomcat again and verify that it is possible to connect to the WSA HTTPS URL, e.g. https://myserver:8443/wsa-ssl/wsa1 .
B - Check the status of the SSL-enabled WSA from OpenEdge Explorer.
6. Regenerate the Web Service proxy through ProxyGen and make sure to specify the HTTPS URL for the WSA, e.g. https://myserver:8443/wsa-ssl/wsa1 .
- Deploy the Web Service and verify that it works.
Extras:
- For OpenEdge clients to trust the root certificate, run one of the following:
mkhashfile <file path>\cacert.pem
- OR -
certutil -format PEM -import <file path>\cacert.pem
- Rename cacert.der to cacert.cer (procertm expects the DER-encoded certificate with a .cer extension).
- To make the AdminServer trust the root certificate, import the CA certificate into %DLC%\certs\psccerts.jar:
procertm -i cacert.cer %DLC%\certs\psccerts.jar
- Restart the AdminServer so that it reloads psccerts.jar.