Difference between revisions of "Setting up SSL/HTTPS"

From TempusServa wiki
Jump to navigation Jump to search
old>Admin
m (9 revisions imported)
 
(One intermediate revision by one other user not shown)
Line 1: Line 1:
== Aquiring an SSL certificate ==
Sites such as [ssl.com] can provide single domain easy and inexpensively.
# Buy domain
# Enter domain name
# Generate CSR
# Download private key (.txt)
# Upload validation file
# Download certificate (.cer)
# Copy certificate and private key to server
# Generate pfx file
    openssl pkcs12 -export -out domainname.pfx -inkey domainname_key.key -in domainname.crt 
== Configuring SSL ==
== Configuring SSL ==
As a minimum SSL has to be enabled in the application server (JBoss,Tomcat etc).
As a minimum SSL has to be enabled in the application server (JBoss,Tomcat etc).

Latest revision as of 11:55, 10 December 2021

Aquiring an SSL certificate

Sites such as [ssl.com] can provide single domain easy and inexpensively.

  1. Buy domain
  2. Enter domain name
  3. Generate CSR
  4. Download private key (.txt)
  5. Upload validation file
  6. Download certificate (.cer)
  7. Copy certificate and private key to server
  8. Generate pfx file
   openssl pkcs12 -export -out domainname.pfx -inkey domainname_key.key -in domainname.crt   

Configuring SSL

As a minimum SSL has to be enabled in the application server (JBoss,Tomcat etc).

Optionally TempusServa SSL policies can be tweaked to enforce certain behaviours.

Configuring SSL i web application

Checklist for Tomcat 6 or 7

  1. Import certifcates to keystore or copy from another server
  2. Uncomment connector code in conf/server.xml
  3. Set keystore reference and password
  4. Reboot server

In order to ensure high level encryption, consider enabling the following options

ciphers="SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"

Configuring SSL i Tempus Serva

Two configurations options exist

  • Require SSL for login actions: securitySslPages
  • Require SSL for all othe pages: securitySslLogin

Note that SSL can not be actively prevented. If such behavior is required, the only option is to disable this at the web application level.

Finally the SSL connector port can be changed if set to nondefault values: applicationlPortSSL

Problems with wrappers

The usage of wrappers can result in SSL warnings.

If your solution is depending on the use of Wrappers, please tjeck the following

  • All style, script and image references are made with HTTPS
  • No referenced stylesheets depends on images using HTTP

If the wrapper cannot be transformed from HTTP to HTTPS, referenced ressources should be copied to the server

  • Stylesheets copied to TS stylesheet
  • Images downloaded and copied to the media library

After changes are made remmeber to flush caches: Both Chrome and IE sometimes caches longer than expected.