Configuring SSL in Adeptia Connect UI

If you want to access Adeptia Connect on HTTPS protocol then you need to configure SSL certificate in Adeptia Connect. You need to generate SSL certificate using Java Keytool only.

Generating SSL Certificate

To generate SSL certificate:

Open Command Prompt (press Win + R and type cmd).
Go to the directory where JRE is installed (for example, C:/Program Files/Java/jre8/bin).
Run the following Keytool command to create a Keystore for Jetty with a self signed certificate or CA signed certificate.
For self signed certificate
```
keytool.exe -genkey -keyalg <keyalg> -alias <alias_name> -keystore <keystore_name> -storepass <password> -validity <days> -keysize <keysize> -ext SAN=ip:<IP_Address_of_Tomcat_machine>,dns:<domain_name>
```
where,
<keyalg> specifies the algorithm to be used to generate a key pair.
<alias_name> is a unique string to identify the Keystore.
<keystore_name> is the location and filename where you want to store the generated key.
<password> is the password to protect the private key of the generated key pair, default is changeit.
<days> are the number of days certificate will expire.
<keysize> specifies the size of each key to be generated.
<IP_Address_of_Tomcat_machine> is the IP address hosting Tomcat.
<domain_name> is the name of the domain you are using. It is not necessary to use the domain name in the command above. However, for easy identification, it is recommended to use the domain name.
For example,
keytool.exe -genkey -keyalg RSA -alias selfsigncert -keystore C:/certs.jks -storepass changeit -validity 365 -keysize 2048 -ext SAN=ip:10.44.2.59
keytool.exe -genkey -keyalg RSA -alias selfsigncert -keystore C:/certs.jks -storepass changeit -validity 365 -keysize 2048 -ext dns:localhost
For CA signed certificate
To generate SSL certificate for Jetty with a CA signed certificate:
1. Generate Keystore
```
keytool.exe -genkey -keyalg <keyalg> -alias <alias_name> -keystore <keystore_name> -storepass <password> -validity <days> -keysize <keysize>
```
  where,
  <keyalg> specifies the algorithm to be used to generate key pair.
  <alias_name> is a unique string to identify the Keystore.
  <keystore_name> is the location and filename where you want to store the generated key.
  <password> is the password to protect the private key of the generated key pair, default is changeit.
  <days> are the number of days certificate will expire.
  <keysize> specifies the size of each key to be generated.
  For example,
  keytool.exe -genkey -keyalg RSA -alias server -keystore C:/certs.jks -storepass changeit -validity 365 -keysize 2048
  If you are using multiple domain names for the same certificate then you need to use SAN (Subject Alternative Name) while generating Keystore.
```
keytool.exe -genkey -keyalg <keyalg> -alias <alias_name> -keystore <keystore_name> -storepass <password> -validity <days> -keysize <keysize>
```
```
-ext SAN=ip:<IP_Address_of_Tomcat_machine>
```
  where <IP_Address_of_Tomcat_machine> is the IP address hosting Tomcat.
2. Generate CSR from the generated Keystore
  1. Run the following Keytool command to create a Certificate Signing Request (CSR).
    keytool.exe -certreq -alias server -file <domainname>.csr -keystore <keystore_name>.jks -storepass changeit
    This command will generate a <domainname>.csr file to sign from CA.
  If you are using multiple domain names for the same certificate then you need to use SAN (Subject Alternative Name) while generating CSR for the Keystore.
  
  keytool.exe -certreq -alias server -file <domainname>.csr -keystore <keystore_name>.jks -storepass changeit SAN=ip:<IP_Address_of_Tomcat_machine>
  
  Send this CSR to your CA to generate SSL certificate. After your SSL certificate is generated, you need to import the certficate in the Java Keystore.
3. Import CA Signed SSL Certificate into Java Keystore
  You might get multiple SSL certificates from your CA. You need to import all these SSL certificates into your Keystore. Ensure that you use the same Keystore that is used in generating CSR while importing SSL certificates.
  1.   Import Trusted Root certificate into Java Keystore
  keytool.exe -import -trustcacerts -alias root -file <certificate_name>.crt -keystore <domain_name>.jks
  2.   Import Intermediate certificate into Java Keystore
  
  keytool.exe -import -trustcacerts -alias intermediate -file <certificate_name>.crt -keystore <domain_name>.jks
  3.   Import domain certificate into Java Keystore
  keytool.exe -import -trustcacerts -alias server -file <certificate_name>.crt -keystore <domain_name>.jks
        where,
       <certificate_name> is the name of the CA certificate.
       <domain_name> is the name of the domain you are using.
While executing the command, you will be prompted to provide other details. The default password is changeit. You can change the password. Note the Keystore password for future references.
Go to the location where Tomcat is installed (C:/Program Files/Apache Software Foundation/Tomcat 9.0). Create certs folder and copy the Keystore (certs.jks) in this folder.
Go to …/<TomcatInstallFolder>/conf and open server.xml in the Text Editor.

Add the following code after the SSL/TLS HTTP 1.1 Connector section.

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"                
clientAuth="false" sslProtocol="TLS"               
keystoreFile="D:/Program Files/Apache Software Foundation/Tomcat 9.0/certs/certs.jks"               
keystoreType="JKS" keystorePass="xxxxxxx" compression="on"                       
noCompressionUserAgents="gozilla, traviata"                       
compressableMimeType="text/html,text/xml,text/css,application/javascript,application/json"                       
useSendfile="false"                   
server="Adeptia" xpoweredby="false"/>

If the keystore password contains any of following characters then it needs to be escaped with the value mentioned next to it.

Character	Value
"	"
'	'
<	<
>	>
&	&

For example, if the keystore password is p@ssw0rd&123! then it has to be defined as p@ssw0rd&123!

For better performance of Tomcat, refer to Performance Tuning for tuning other parameters.

Restart Tomcat.

Automatic HTTP to HTTPS Redirection

If you want to access Adeptia Connect on HTTPS only then you need to redirect HTTP to HTTPS automatically. To enable automatic redirect:

Go to …/<ApacheInstallFolder>/Tomcat<version_no>/.conf.
Open server.xml.
Change non-SSL/TLS HTTP/1.1 Connector to port number 80 and redirect to 443.
Modify the SSL connector for the port 443.
Save the file.

SSL Configuration

Go to …/<ApacheInstallFolder>/Tomcat<version_no>/conf.
Open web.xml file.

Add the below security constraint within </web-app> and save the file.

<security-constraint>
          <web-resource-collection>
          <web-resource-name>Protected Context</web-resource-name>
          <url-pattern>/*</url-pattern>
          </web-resource-collection>
          <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
          </user-data-constraint>
</security-constraint>
</web-app>

Verifying Configuration

To verify whether you have configured SSL certificate in Adeptia Connect:

Open the browser and hit the URL to access Adeptia Connect using HTTPS protocol.
Adeptia Connect login page appears. Verify your certificate by checking your https protocol color in the address bar. If you have used CA signed certificate then https protocol will be green in color () . However, if you have used self signed certificate then https protocol will be red in color ().

See Also

Configuring External Load Balancer

Configuring SSL Handshake between Adeptia Suite and Adeptia Connect UI

Performance Tuning of Adeptia Suite

Performance Tuning of Adeptia Connect