As Viewpoint is a web application, you will likely want to enhance security by enabling access via HTTPS (HTTP over SSL), especially for pages requiring password access.
The following instructions for running Viewpoint over HTTPS are general procedures intended to accommodate a variety of environments. If you require more specific instructions, consult the Tomcat SSL documentation.
$CATALINA_HOME represents the directory where Tomcat is installed. You may need to modify the server.xml file, which is likely in $CATALINA_HOME/conf/server.xml.
Verify that the SSL HTTP/1.1 Connector entry is enabled. Open server.xml in an editor and locate the SSL HTTP/1.1 Connector entry, which looks similar to the following:

    <!-- <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                   maxThreads="150" scheme="https" secure="true"
                   clientAuth="false" sslProtocol="TLS" /> -->
If the entry is commented out, as it is in this example, uncomment the entry (by removing <!-- at the beginning of the entry and --> at the end of the entry). If the entry does not appear in the file, add it. Save the file and restart Tomcat.
This enables SSL access on port 8443 (the default for HTTPS is 443, but just as Tomcat uses 8080 instead of 80 to avoid conflicts, 8443 is used instead of 443 here).
The Tomcat directory must be owned by the user that runs Tomcat. If you are using Tomcat 6, the default user is tomcat6.

    # change ownership of the tomcat directory
    chown -R tomcat6:tomcat6 /opt/tomcat
Self-signed certificates are useful when you require encryption but do not need to verify the website's identity. If you use a self-signed certificate instead of one signed by a Certificate Authority (CA), users accessing the site for the first time may be warned that the site is untrusted and may have to perform several steps to "accept" the certificate before they can access the site. This usually only occurs the first time they access the site.
You may prefer to obtain and install a certificate from a Certificate Authority; if so, refer to the Tomcat documentation for installing a certificate from a CA.
You must create a .keystore file that contains the self-signed certificate. You can create it (if it doesn't already exist) by running the keytool command. The new .keystore file appears in the home directory of the user that runs the keytool command. To specify a different location or filename, add the -keystore parameter, followed by the complete pathname of the keystore file, to the keytool command; you must then also specify this location in the server.xml configuration file. From a command line, run the keytool command:
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
After running the keytool command, you will be prompted for two passwords: (1) the keystore password and (2) the key password for Tomcat. You must use the same value for both passwords, and the value must be either:
keystorePass="<password value>"
After running the keytool command, you will also be prompted for general information about the certificate. For the question "What is your first and last name?" you must enter the fully qualified hostname of the server running Viewpoint. When the client web browser examines the certificate, it checks this field against the hostname it connected to; if the two do not match, the browser may prevent access to the site.
You will also be prompted for other general information such as company, contact name, and so on. This information is visible to users who attempt to access a secure page in the application, so make sure that the information provided matches user expectations.
After creating the certificate, you must export it so that it can be imported into the local keystore. Use the following command (assuming the name of your certificate file is file.cer):
$JAVA_HOME/bin/keytool -export -alias tomcat -file file.cer
Now import the certificate into the keystore:
$JAVA_HOME/bin/keytool -import -alias tomcat -file file.cer -keystore $JAVA_HOME/jre/lib/security/cacerts
To enable HTTPS, you must modify the Viewpoint web.xml file. Add a security-constraint section to the $CATALINA_HOME/webapps/moab/WEB-INF/web.xml file. The following is a sample security-constraint section:

    <web-app>
      ...
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Viewpoint Secure URLs</web-resource-name>
          <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
      </security-constraint>
    </web-app>
This security-constraint section causes all pages to be served over HTTPS. You may modify the url-pattern value to select which pages are protected and which are not.
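The two edits above (an enabled SSL Connector in server.xml, and a CONFIDENTIAL constraint on /* in web.xml) are easy to get half right, for example by leaving the Connector commented out. The following added script, not part of the Viewpoint documentation or product, checks both files for those conditions; the server.xml and web.xml samples are constructed from this page's snippets, and keystoreFile/keystorePass values are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on this page's snippets (not Viewpoint's shipped files).
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
             scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
             keystoreFile="/opt/tomcat/.keystore" keystorePass="REPLACE_ME" />
</Service></Server>"""

WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Viewpoint Secure URLs</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

def _local(tag):
    """Strip the XML namespace that a real web.xml declares on <web-app>."""
    return tag.rsplit("}", 1)[-1]

def ssl_connectors(server_xml):
    """Ports of enabled SSL connectors. A Connector still wrapped in <!-- --> is
    an XML comment, so the parser never sees it and it is (correctly) not listed."""
    root = ET.fromstring(server_xml)
    return [c.get("port") for c in root.iter("Connector")
            if c.get("SSLEnabled", "").lower() == "true"
            and c.get("scheme") == "https"
            and c.get("secure", "").lower() == "true"]

def confidential_patterns(web_xml):
    """url-patterns covered by a security-constraint whose transport-guarantee is CONFIDENTIAL."""
    root = ET.fromstring(web_xml)
    patterns = []
    for sc in (e for e in root.iter() if _local(e.tag) == "security-constraint"):
        texts = {_local(e.tag): (e.text or "").strip() for e in sc.iter()}
        if texts.get("transport-guarantee") == "CONFIDENTIAL":
            patterns += [(e.text or "").strip() for e in sc.iter() if _local(e.tag) == "url-pattern"]
    return patterns

def audit(server_xml, web_xml):
    """Return findings; an empty list means every page is forced onto an enabled HTTPS connector."""
    findings = []
    if not ssl_connectors(server_xml):
        findings.append("no enabled SSL connector in server.xml (entry missing or still commented out)")
    if "/*" not in confidential_patterns(web_xml):
        findings.append("web.xml does not force /* to CONFIDENTIAL; some pages are reachable over plain HTTP")
    return findings
```

Run audit() on the real $CATALINA_HOME/conf/server.xml and the Viewpoint web.xml contents after editing them; any finding returned means the corresponding step above is incomplete.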