Kbase P122519: How to configure an instance of the Web Services Adapter with a secure Tomcat configuration
Author: Progress Software Corporation - Progress
Access: Public
Published: 19/09/2008
Status: Verified
GOAL:
How to configure an instance of the Web Services Adapter with a secure Tomcat configuration
GOAL:
How to configure the Web Services Adapter with an SSL-enabled Tomcat configuration
GOAL:
How to secure the Web Services Adapter via Tomcat
FACT(s) (Environment):
OpenEdge 10.x
Tomcat
Windows
FIX:
The following steps have been tested using OpenEdge 10.0B and Tomcat 4.1.34. They set up an additional instance of the WSA which will run within a secure Tomcat environment, so please use this Solution merely as a guideline:
- if you want to use only one WSA instance instead of adding an additional WSA instance;
- if you want to use a different version of OpenEdge or Tomcat.
In order to configure an additional instance of the WSA which runs within Tomcat via HTTPS / SSL, please follow these steps:
- Follow steps 1 through 3 of Solution P90739.
- Leave the Proenv window open in the <OpenSSL install-dir>\bin directory.
- Edit Tomcat's server.xml file located in the <Tomcat install-dir>\conf directory and
1) uncomment the SSL connector to enable HTTPS access,
2) optionally comment the non-SSL connector if you want to disable HTTP access.
- Add the keystoreFile and keystorePass attributes, example for Tomcat 4.1.34:
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
port="8443" enableLookups="true" scheme="https" secure="true"
acceptCount="100"
useURIValidationHack="false" disableUploadTimeout="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="E:\ApacheGroup\Tomcat4.1.34\conf\.keystore" keystorePass="progress"/>
(Please refer to http://tomcat.apache.org/tomcat-4.1-doc/ssl-howto.html for further details on all the valid connector attributes.)
- Add the %JDKHOME%\bin directory (the one used by Tomcat) to the beginning of your PATH, e.g.: set PATH=E:\Java\j2sdk1.4.2_13\bin;%PATH%
- Run 'keytool' to create the keystore and initial certificate:
keytool -genkey -alias tomcat -keysize 1024 -keyalg RSA -validity 1825 -keystore E:\ApacheGroup\Tomcat4.1.34\conf\.keystore
- Generate the certificate request using the keytool:
keytool -certreq -alias tomcat -file tomcat.csr -keystore E:\ApacheGroup\Tomcat4.1.34\conf\.keystore
- Sign the Tomcat certificate request:
openssl ca -config openssl.cnf -in tomcat.csr -out tomcat.pem -days 1825
- Convert the certificates to the DER format:
openssl x509 -in demoCA\cacert.pem -out cacert.der -outform DER
openssl x509 -in tomcat.pem -out tomcat.der -outform DER
- Import the CA certificate into the Java keystore (of the Java installation used by Tomcat):
keytool -v -import -alias root -file cacert.der -keystore %JDKHOME%\jre\lib\security\cacerts
- Import the certificates to the Tomcat keystore:
keytool -v -import -alias root -file cacert.der -keystore E:\ApacheGroup\Tomcat4.1.34\conf\.keystore
keytool -v -import -alias tomcat -file tomcat.der -keystore E:\ApacheGroup\Tomcat4.1.34\conf\.keystore
- Check the certificate store by using the -list option and verify that all your certificates are listed properly:
keytool -v -list -keystore E:\ApacheGroup\Tomcat4.1.34\conf\.keystore
- Make your (internal-use) Cert Server a trusted signing authority (issuer):
mkhashfile demoCA\cacert.pem
- Rename cacert.der to cacert.cer.
- Import the CA certificate into %DLC%\certs\psccerts.jar:
procertm -i cacert.cer %DLC%\certs\psccerts.jar
- Restart your AdminServer.
- Restart Tomcat and verify that you can connect to the HTTPS URL, e.g. https://myserver:8443.
- Follow the steps from P91699. At step 6, make sure you specify the correct HTTPS URL for the WSA, e.g. https://myserver:8443/wsa-ssl/wsa1.
- Restart Tomcat again and verify that you can connect to the WSA HTTPS URL, e.g. https://myserver:8443/wsa-ssl/wsa1.
- Check the status of the SSL-enabled WSA from the Progress Explorer.
- Regenerate your Web Service proxy through the ProxyGen and make sure you specify the correct HTTPS URL for the WSA, e.g. https://myserver:8443/wsa-ssl/wsa1.
- Deploy your Web Service and verify that it works.
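Before restarting Tomcat it is worth checking that the server.xml edits above actually produced an active, complete SSL connector, since a connector that is still commented out or lacks keystoreFile is the most common reason the WSA HTTPS URL does not answer. The following script is an added example written for this Solution (it is not Progress or Tomcat code); it parses server.xml with the Python standard library and reports the connector settings that matter here. The embedded server.xml is a constructed sample modelled on the Connector shown above, and the "changeit" and "TLS" defaults it assumes are the ones documented in the Tomcat ssl-howto.

```python
"""Check the SSL Connector settings in a Tomcat 4.1 server.xml before restarting Tomcat.

Added example for this Solution (not Progress or Tomcat code). It confirms that an HTTPS
connector is active and reports settings that would stop the SSL-enabled WSA from coming
up, plus a few that a reviewer would want to look at.
"""
import os
import sys
import xml.etree.ElementTree as ET

# Constructed sample modelled on the Connector in this Solution; the paths are placeholders.
SAMPLE_SERVER_XML = r"""<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <!-- Non-SSL Coyote HTTP/1.1 Connector on port 8080 -->
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8080" enableLookups="true" scheme="http" secure="false"/>
    <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8443" enableLookups="true" scheme="https" secure="true"
               acceptCount="100" useURIValidationHack="false" disableUploadTimeout="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="E:\ApacheGroup\Tomcat4.1.34\conf\.keystore" keystorePass="progress"/>
  </Service>
</Server>
"""


def check_ssl_connectors(xml_text, check_keystore_path=False):
    """Return a list of (level, port, message) findings for the Connectors in server.xml.

    level is "error" for settings that break HTTPS access and "note" for things to review.
    A Connector that is still inside an XML comment is not parsed at all, so a commented-out
    SSL connector correctly shows up as "no SSL connector enabled".
    """
    root = ET.fromstring(xml_text)
    findings = []
    ssl_connectors = []
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        is_https = conn.get("scheme", "http").lower() == "https"
        is_secure = conn.get("secure", "false").lower() == "true"
        if not (is_https or is_secure):
            # Plain HTTP connector: allowed, but the Solution's optional step 2 is to comment it out.
            findings.append(("note", port,
                             "plain HTTP connector still enabled; comment it out if HTTP access should be disabled"))
            continue
        ssl_connectors.append(conn)
        # scheme and secure must agree, otherwise the WSA sees the wrong request scheme.
        if not is_https:
            findings.append(("error", port, 'secure="true" but scheme is not "https"'))
        if not is_secure:
            findings.append(("error", port, 'scheme="https" but secure is not "true"'))
        keystore = conn.get("keystoreFile")
        if keystore is None:
            findings.append(("error", port, "keystoreFile attribute missing"))
        elif check_keystore_path and not os.path.isfile(keystore):
            findings.append(("error", port, "keystoreFile does not exist: %s" % keystore))
        password = conn.get("keystorePass")
        if password is None:
            findings.append(("note", port, 'keystorePass missing; Tomcat falls back to the default "changeit"'))
        elif password == "changeit":
            findings.append(("note", port, "keystorePass is the well-known default"))
        if conn.get("clientAuth", "false").lower() not in ("true", "false"):
            findings.append(("error", port, "clientAuth must be true or false"))
        if conn.get("sslProtocol", "TLS") != "TLS":
            findings.append(("note", port, "sslProtocol is not TLS"))
    if not ssl_connectors:
        findings.append(("error", "-", "no SSL connector enabled (is it still commented out in server.xml?)"))
    return findings


if __name__ == "__main__":
    # Pass the path to a real server.xml to check it; with no argument the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
        results = check_ssl_connectors(text, check_keystore_path=True)
    else:
        results = check_ssl_connectors(SAMPLE_SERVER_XML)
    for level, port, message in results:
        print("%-5s port %s: %s" % (level, port, message))
```

Run it against the real <Tomcat install-dir>\conf\server.xml after the edit; an "error" line means the HTTPS connector will not come up as intended, and the "note" about the plain HTTP connector is only relevant if you chose to disable HTTP access.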