Difference between revisions of "Setting up SSL/HTTPS"
old>Admin |
m (9 revisions imported) |
||
(3 intermediate revisions by one other user not shown) | |||
Line 1: | Line 1: | ||
=== Configuring SSL | == Aquiring an SSL certificate == | ||
Sites such as [ssl.com] can provide single domain easy and inexpensively. | |||
# Buy domain | |||
# Enter domain name | |||
# Generate CSR | |||
# Download private key (.txt) | |||
# Upload validation file | |||
# Download certificate (.cer) | |||
# Copy certificate and private key to server | |||
# Generate pfx file | |||
openssl pkcs12 -export -out domainname.pfx -inkey domainname_key.key -in domainname.crt | |||
== Configuring SSL == | |||
As a minimum SSL has to be enabled in the application server (JBoss,Tomcat etc). | As a minimum SSL has to be enabled in the application server (JBoss,Tomcat etc). | ||
Optionally TempusServa SSL policies can be tweaked to enforce certain behaviours. | Optionally TempusServa SSL policies can be tweaked to enforce certain behaviours. | ||
=== Configuring SSL i web application === | === Configuring SSL i web application === |
Latest revision as of 11:55, 10 December 2021
Aquiring an SSL certificate
Sites such as [ssl.com] can provide single domain easy and inexpensively.
- Buy domain
- Enter domain name
- Generate CSR
- Download private key (.txt)
- Upload validation file
- Download certificate (.cer)
- Copy certificate and private key to server
- Generate pfx file
openssl pkcs12 -export -out domainname.pfx -inkey domainname_key.key -in domainname.crt
Configuring SSL
As a minimum SSL has to be enabled in the application server (JBoss,Tomcat etc).
Optionally TempusServa SSL policies can be tweaked to enforce certain behaviours.
Configuring SSL i web application
Checklist for Tomcat 6 or 7
- Import certifcates to keystore or copy from another server
- Uncomment connector code in conf/server.xml
- Set keystore reference and password
- Reboot server
In order to ensure high level encryption, consider enabling the following options
ciphers="SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
Configuring SSL i Tempus Serva
Two configurations options exist
- Require SSL for login actions: securitySslPages
- Require SSL for all othe pages: securitySslLogin
Note that SSL can not be actively prevented. If such behavior is required, the only option is to disable this at the web application level.
Finally the SSL connector port can be changed if set to nondefault values: applicationlPortSSL
Problems with wrappers
The usage of wrappers can result in SSL warnings.
If your solution is depending on the use of Wrappers, please tjeck the following
- All style, script and image references are made with HTTPS
- No referenced stylesheets depends on images using HTTP
If the wrapper cannot be transformed from HTTP to HTTPS, referenced ressources should be copied to the server
- Stylesheets copied to TS stylesheet
- Images downloaded and copied to the media library
After changes are made remmeber to flush caches: Both Chrome and IE sometimes caches longer than expected.