Usage in SSL Enabled Environments

Enabling SSL for Panopticon Real Time


The steps shown in this guide use the keytool command for managing keystores and certificates. keytool is part of the Java distribution and lives in JAVA_HOME\bin. Make sure JAVA_HOME\bin is on your PATH environment variable so the command can be run from any directory.

Follow the steps below to configure SSL for Panopticon Real Time using a JKS or PKCS12 keystore. To use PEM files directly in the Connector (the certificateFile and certificateKeyFile attributes) instead of a keystore, refer to the Apache Tomcat SSL document linked at the end of this section.


Follow the steps below to configure SSL for Panopticon Real Time:

  1. Change directory to the CATALINA_HOME\conf folder, which is where we want to generate the Tomcat keystore.

    Do one of the following:

    Option 1. If you don’t have a certificate and private key file

    NOTE: Java is strict when validating the certificate of a host.
    If the host name stored in the certificate does not match the domain name of the server, the connection is rejected. Enter the target domain name (www.mydomain.com) when keytool asks for "your first and last name" when running this command; that value becomes the certificate's CN. Current Java versions and browsers match the host name against the Subject Alternative Name extension rather than the CN, so also add the domain name as a subjectAltName (keytool's -ext option) when generating the certificate.

     

    Create a keystore file holding a new private key and a self-signed certificate that identifies the server:

    keytool -genkeypair -alias myalias -keyalg RSA -keysize 2048 -keystore keystore.jks

    (-genkeypair is the current name of this command; keytool still accepts the older spelling -genkey as an alias.) Note the keystore password you choose, because the Connector in Step 2 needs it. A self-signed certificate is adequate for testing, but clients will warn about it until it is replaced with one issued by a CA they trust.

     

    Option 2. If you already have a certificate and private key

    NOTE: You may need to have Administrator rights to run this command.

     

    openssl pkcs12 -export -name cast -in [certname].cer -inkey [certname].key -out keystore.jks

    This produces a PKCS#12 keystore; the .jks extension is kept only so that the path matches Step 2. Tomcat on Java 9 or later reads a PKCS#12 file through the default keystore type, or you can make this explicit with certificateKeystoreType="PKCS12" on the Certificate element in Step 2. The -name value is the key alias; with a single entry, Tomcat uses it without a certificateKeyAlias attribute. Note the export password you choose, because the Connector in Step 2 needs it.

    If the above OpenSSL command fails with "Unable to load certificate", the certificate is probably DER (binary) encoded rather than PEM. Convert it to PEM first, then export it:

    openssl x509 -inform DER -in [certname].cer -out [certname].crt

    openssl pkcs12 -export -name cast -in [certname].crt -inkey [certname].key -out keystore.jks

  2. Add an SSL HTTP/1.1 Connector entry in $CATALINA_BASE/conf/server.xml.

    NOTE: certificateKeystorePassword must be the password you used when creating the keystore in Step 1. It is stored in clear text in server.xml, so restrict read access to server.xml and to conf/keystore.jks to the account Tomcat runs as. A relative certificateKeystoreFile path is resolved against $CATALINA_BASE.

    <Connector
        protocol="org.apache.coyote.http11.Http11NioProtocol"
        port="8443"
        maxThreads="150"
        SSLEnabled="true">
        <SSLHostConfig>
            <Certificate
                certificateKeystoreFile="conf/keystore.jks"
                certificateKeystorePassword="keystorepassword"
                type="RSA" />
        </SSLHostConfig>
    </Connector>

  3. Disable or redirect plain HTTP.
    1. If you don’t want to allow plain HTTP at all, disable unencrypted server access by commenting out the default HTTP connector for port 8080.

      <!--
          <Connector port="8080" protocol="HTTP/1.1"
                     connectionTimeout="20000"
                     redirectPort="8443" />
      -->

    2. If instead you want to keep port 8080 open but redirect all HTTP traffic to HTTPS, leave the HTTP connector in place (its redirectPort must point at the SSL connector's port, 8443 here) and add a security constraint entry in $CATALINA_BASE/conf/web.xml:

      <security-constraint>
          <web-resource-collection>
              <web-resource-name>All</web-resource-name>
              <url-pattern>/*</url-pattern>
          </web-resource-collection>
          <user-data-constraint>
              <transport-guarantee>CONFIDENTIAL</transport-guarantee>
          </user-data-constraint>
      </security-constraint>

      With transport-guarantee set to CONFIDENTIAL, Tomcat answers any plain-HTTP request with a redirect to the HTTPS URL before the request reaches the application. The first request (its URL and any cookie not marked Secure) still travels unencrypted, so prefer option 1 where clients can be pointed straight at the HTTPS URL. A constraint placed in $CATALINA_BASE/conf/web.xml applies to every web application on the instance; put it in the application's own WEB-INF/web.xml to limit it to Panopticon.

      NOTE: Make sure you set the server.host.internal property when disabling the HTTP port; otherwise PDF generation may stop working. For example:

      server.host.internal=https://localhost:8443/panopticon

  4. After completing the configuration changes, restart Tomcat. When the process is back up, you should be able to connect over SSL using the URL below, replacing localhost with the host name in the certificate (a name mismatch is rejected, as noted in Step 1):

    https://localhost:8443/panopticon
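The following script is an added example and not part of the Panopticon documentation or product. It carries out Step 1, Option 2 with OpenSSL, handles the DER-encoded certificate case from the note automatically instead of waiting for the "Unable to load certificate" error, and then verifies the point made in the Step 1 NOTE: that the certificate inside the keystore actually names the host clients will connect to (checked against the subjectAltName, which is what Java and browsers match). The host name www.mydomain.com, the alias cast, the password changeit and the throwaway self-signed certificate it generates as input are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Panopticon documentation): the Step 1, Option 2
# keystore build done with OpenSSL, plus a check that the certificate inside
# the keystore names the host Java will connect to. Host name, alias and
# password are illustrative assumptions.
set -eu

# Write a PEM copy of a certificate whether it was PEM or DER (binary)
# encoded, instead of waiting for "Unable to load certificate" to find out.
to_pem() {                      # to_pem <cert-in> <cert-out.crt>
    openssl x509 -inform PEM -in "$1" -out "$2" 2>/dev/null ||
        openssl x509 -inform DER -in "$1" -out "$2"
}

# Option 2: package an existing certificate and private key for Tomcat. The
# page names the output keystore.jks; the content is PKCS#12 whatever the
# extension, and "cast" is the key alias Tomcat will see.
build_keystore() {              # build_keystore <cert> <key> <out> <password>
    crt=$(mktemp)
    to_pem "$1" "$crt"
    openssl pkcs12 -export -name cast -in "$crt" -inkey "$2" \
        -out "$3" -passout "pass:$4"
    rm -f "$crt"
}

# The Step 1 NOTE as a check: prints "yes" if the keystore's certificate
# carries <host> as a subjectAltName DNS entry, "no" otherwise. Java and
# browsers match the host name against the SAN, so a CN-only certificate
# comes out as "no".
cert_matches_host() {           # cert_matches_host <keystore> <password> <host>
    if openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null |
        openssl x509 -noout -text | grep -Eq "DNS:$3([, ]|\$)"; then
        echo yes
    else
        echo no
    fi
}

# Constructed input for the demo, standing in for [certname].cer and
# [certname].key: a throwaway self-signed certificate that includes a SAN.
make_demo_cert() {              # make_demo_cert <host> <out.cer> <out.key>
    cfg=$(mktemp)
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $1
[v3]
subjectAltName = DNS:$1
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$cfg" -keyout "$3" -out "$2" 2>/dev/null
    rm -f "$cfg"
}

# Stand-alone run: PEM input first, then the same certificate re-encoded as
# DER to exercise the conversion path. Both checks print "yes".
demo() {
    work=$(mktemp -d)
    make_demo_cert www.mydomain.com "$work/server.cer" "$work/server.key"
    build_keystore "$work/server.cer" "$work/server.key" "$work/keystore.jks" changeit
    cert_matches_host "$work/keystore.jks" changeit www.mydomain.com
    openssl x509 -in "$work/server.cer" -outform DER -out "$work/server.der"
    build_keystore "$work/server.der" "$work/server.key" "$work/keystore2.jks" changeit
    cert_matches_host "$work/keystore2.jks" changeit www.mydomain.com
    rm -rf "$work"
}

if command -v openssl >/dev/null 2>&1; then demo; fi
```

Copy the resulting keystore.jks into $CATALINA_BASE/conf and use the export password as certificateKeystorePassword in Step 2. The pass: form of -passout and -passin is used here only to keep the demo self-contained; on a shared host it exposes the password in the process list, so use file: or env: with OpenSSL in production.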

 

Details on how to configure Apache Tomcat SSL can be found at: https://tomcat.apache.org/tomcat-10.0-doc/ssl-howto.html

 

 

(c) 2013-2024 Altair Engineering Inc. All Rights Reserved.
