Setup SSL

Prerequisites

Why should you run Zephyr over SSL or HTTPS?

When web applications are being accessed across the internet, there is always the possibility of usernames and passwords being intercepted by intermediaries between your computer and the ISP/company. It is often a good idea to enable access via HTTPS (HTTP over SSL) and make this a requirement for pages where passwords are sent. Note, however, that using HTTPS may result in slower performance.

This document includes example instruction sets for SSL configurations which can be used to secure Zephyr’s traffic.

Deployment Options:

Zephyr’s underlying application server platform is Apache Tomcat. The Apache Tomcat option for SSL configuration is Java (JSSE). This requires a set of keys and certificates. JSSE generally uses a JKS (Java) keystore.

Java (JSSE): A JKS certificate can be used to cover both traffic channels.

Deployment Prerequisites:

When using the Java JSSE method, all you need is a JKS (Java keystore) certificate. Use the Java keytool to create a certificate and have it signed by a CA (certification authority), or create a self-signed certificate.

Getting Started

To make Zephyr’s communication secure, changes are needed in two locations inside the Zephyr installation directory. These locations define the HTTP communication and are where it can be switched to HTTPS. The changes are needed in the server.xml file and in the jdbc.properties file.

Make changes to the server.xml in <Zephyr_Root>/tomcat/conf

This is the main configuration file of Tomcat. You will be converting HTTP to HTTPS.

Using JSSE to change HTTP to HTTPS

Locate the following section:

<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />
-->


Once you locate the section, uncomment it. Then add the appropriate information for your keystore to keyAlias, keystoreFile and keystorePass.

The connector will look like the following once those attributes are added and the other changes shown are made:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
           acceptCount="100"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="C:/Program Files/Zephyr/tomcat/conf/yzstore.jks" keystorePass="changeit" />

Make changes to the jdbc.properties file in <Zephyr_Root>/tomcat/webapps/flex/WEB-INF/classes

This is the Zephyr file responsible for defining all the communication channels used by Zephyr and its clients. You will be converting non-secure to secure. The jdbc.properties file can only work with Java JKS certificate format.

Locate the following section:

#Needed by services-config.xml
secured=false
<!-- Provide correct keystore.file, keystore.password and keystore.alias if secured property is true-->
keystore.file=
keystore.password=
keystore.alias=


Make the following edits to it:

#Needed by services-config.xml
secured=true
<!-- Provide correct keystore.file, keystore.password and keystore.alias if secured property is true-->
keystore.file=c:/progra~1/zephyr/tomcat/conf/yzstore.jks
keystore.password=changeit
keystore.alias=yz

(Optional) Making changes to the web.xml file

Limiting SSL Usage

Enabling SSL in Apache Tomcat's server.xml file causes all files to be run both as secure and insecure pages, which can cause unnecessary server load. You can choose which applications offer SSL connections on a per-application basis by adding the following <security-constraint> element to the application's WEB-INF/web.xml file.

Make changes to web.xml under both of the following:
<Zephyr Root>/tomcat/webapps/flex/WEB-INF/web.xml
<Zephyr Root>/tomcat/webapps/zephyr/WEB-INF/web.xml


<!-- Uncomment the following if jdbc.properties secured property is true-->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Zephyr</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>


  • Check that all 4 channels have "https" set, and make sure that all the changes are implemented correctly in /zephyr/tomcat/webapps/flex/WEB-INF/flex/services-config.xml

  • Add the SSL domain name with its IP address to c:\windows\system32\drivers\etc\hosts, in the form: 192.168.100.130 <Your Zephyr Url>

  • Launch <Your Zephyr Url>/flex/html5 to access Zephyr Server.
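
A way to check the three edited files against each other before restarting Tomcat. This is an added example, not part of Zephyr or of the original instructions. The function names and the inline sample inputs are constructed for illustration, and it assumes, as in the snippets above, that server.xml and jdbc.properties point at the same keystore.

```python
import ntpath
import xml.etree.ElementTree as ET

# Constructed inputs mirroring the snippets on this page.
SERVER_XML = '''<Server><Service>
<Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
 keystoreFile="C:/Program Files/Zephyr/tomcat/conf/yzstore.jks" keystorePass="changeit" />
</Service></Server>'''
JDBC_PROPERTIES = '''#Needed by services-config.xml
secured=true
keystore.file=c:/progra~1/zephyr/tomcat/conf/yzstore.jks
keystore.password=changeit
keystore.alias=yz'''
WEB_XML = '''<web-app><security-constraint><user-data-constraint><transport-guarantee>
CONFIDENTIAL</transport-guarantee></user-data-constraint></security-constraint></web-app>'''

def parse_properties(text):
    """Read key=value pairs, skipping '#' and '<!--' comment lines."""
    pairs = (ln.split("=", 1) for ln in text.splitlines()
             if "=" in ln and not ln.lstrip().startswith(("#", "<")))
    return {k.strip(): v.strip() for k, v in pairs}

def audit(server_xml, jdbc_properties, web_xml):
    """Return a list of findings; an empty list means the files agree."""
    props, findings = parse_properties(jdbc_properties), []
    conn = next((c for c in ET.fromstring(server_xml).iter("Connector")
                 if c.get("SSLEnabled", "").lower() == "true"), None)
    if conn is None:  # e.g. the connector is still inside the <!-- --> comment
        return ['server.xml: no Connector with SSLEnabled="true"']
    if props.get("secured") != "true":
        findings.append("jdbc.properties: secured is not true")
    # 8.3 short paths (progra~1) differ textually, so compare file names only.
    names = {ntpath.basename(p).lower() for p in
             (conn.get("keystoreFile", ""), props.get("keystore.file", ""))}
    if len(names) != 1 or "" in names:
        findings.append("keystore file differs between server.xml and jdbc.properties")
    passwords = {conn.get("keystorePass"), props.get("keystore.password")}
    if len(passwords) != 1:
        findings.append("keystore password differs between the two files")
    if "changeit" in passwords:
        findings.append("keystore password is still the sample value 'changeit'")
    if conn.get("keyAlias") not in (None, props.get("keystore.alias")):
        findings.append("keyAlias differs from keystore.alias")
    guarantees = ET.fromstring(web_xml).findall(".//{*}transport-guarantee")
    if "CONFIDENTIAL" not in [(g.text or "").strip() for g in guarantees]:
        findings.append("web.xml: no CONFIDENTIAL transport-guarantee")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SERVER_XML, JDBC_PROPERTIES, WEB_XML)) or "OK")
```

Run against the sample values from this page, the only finding is that the keystore password is still "changeit"; replace the embedded strings with the contents of your own files to check a real installation.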