Secure Sockets Layer (SSL) is a standard security technology for establishing an encrypted link between a web server and a web browser (modern deployments use its successor, TLS, but the SSL name persists in the configuration keys below). The protocol allows for the authentication, encryption, and decryption of data sent over the Internet.
HTTPS requires an SSL certificate. SSL certificates have a key pair, made up of a public and a private key. These keys work together to establish an encrypted connection. You can use a self-signed (private) certificate or use a trusted certificate authority to sign a certificate for you. The certificate must be imported into the Java Keystore file serviceKeystore.jks. The keystore is used for secure storage of and access to keys and certificates.
Note
The Root Certificate Authority can also be added to the truststore used system-wide by Java. If this option is used, then the trust store does not need to be explicitly set in the steps below. Typically, the global certificate authority certificate truststore is in <JAVA_INSTALL>/lib/security/cacerts with the default password of changeit.
SSL over inbound Rosette Server connections
- Edit launcher/config/org.apache.cxf.http.jetty-main.cfg. Add the following.
For a keystore:
tlsServerParameters.keyManagers.keyPassword=<key store password>
tlsServerParameters.keyManagers.keyStore.file=<path to the keystore file>
tlsServerParameters.keyManagers.keyStore.type=either JKS or PKCS12 depending on the type of store created
tlsServerParameters.keyManagers.keyStore.password=<key store password>
For a truststore:
tlsServerParameters.trustManagers.keyStore.file=<path to the truststore file>
tlsServerParameters.trustManagers.keyStore.type=either JKS or PKCS12 depending on the type of store created
tlsServerParameters.trustManagers.keyStore.password=<trust store password>
tlsServerParameters.clientAuthentication.required=true
- Change http to https in /launcher/config/com.basistech.ws.cxf.cfg.
urlBase=https://0.0.0.0:${rosapi.port}/rest
SSL over outbound Rosette Server connections
- Create a file named ssl-conf.conf. Edit the file, adding the following contents:
#encoding=UTF-8
#Uncomment the line below to enable SSL debugging
#-Djavax.net.debug=ssl
-Djavax.net.ssl.keyStore=<full path to the Java keystore file (jks|pkcs12)>
-Djavax.net.ssl.keyStorePassword=<KEY_STORE_PASSWORD>
-Djavax.net.ssl.trustStore=<full path to the Java truststore file (jks|pkcs12)>
-Djavax.net.ssl.trustStorePassword=<TRUST_STORE_PASSWORD>
- Edit <ROSETTE_SERVER_INSTALL>/server/conf/wrapper.conf. Add the following to the end of the file:
wrapper.java.additional_file=<path to the ssl-conf.conf file>
For example:
wrapper.java.additional_file=/rosette/server/launcher/config/ssl-conf.conf
Note
These instructions assume all workers are on a single machine. If Rosette Server is installed in an environment with distributed workers, contact Rosette support.
Note
keyPassword and keyStore.password must have the same value.
Example:
tlsServerParameters.keyManagers.keyPassword=sspass
tlsServerParameters.keyManagers.keyStore.password=sspass
- Generate an RSA key pair for the server.
This example is for evaluation purposes only. The generated key is good for seven days. Please work with your appropriate internal group to acquire your keys for production usage.
# The key password (-keypass) must equal the store password (-storepass),
# because keyPassword and keyStore.password in the CXF configuration must match (see the note above).
$JAVA_HOME/bin/keytool -genkeypair \
-validity 7 \
-alias myservicekey \
-keystore serviceKeystore.jks \
-dname "cn=exampleName, ou=exampleGroup, o=exampleCompany, c=us" \
-keypass sspass \
-storepass sspass \
-keyalg RSA \
-sigalg SHA256withRSA
- Set the permissions for the keystore file to read only:
chmod 400 serviceKeystore.jks
- Rename the file launcher/config/rosapi/transport-rules.tsv. Removing this file forces local transports for all endpoints. We recommend renaming the file rather than deleting it, so that the original is kept as a backup.
mv launcher/config/rosapi/transport-rules.tsv launcher/config/rosapi/transport-rules.tsv.original
- Change http to https in launcher/config/com.basistech.ws.cxf.cfg.
urlBase=https://0.0.0.0:${rosapi.port}/rest
- Edit the file launcher/config/org.apache.cxf.http.jetty-main.cfg and add the following lines to use the generated keystore:
tlsServerParameters.keyManagers.keyPassword=sspass
tlsServerParameters.keyManagers.keyStore.file=<path_to_keystore>/serviceKeystore.jks
tlsServerParameters.keyManagers.keyStore.password=sspass
tlsServerParameters.keyManagers.keyStore.type=JKS
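The settings above are easy to get subtly wrong: the key password and the store password must match, the keystore should be mode 400 after the chmod step, the store type must be JKS or PKCS12, and a truststore in tlsServerParameters.trustManagers only enforces anything when clientAuthentication.required is true. The following pre-flight checker is an added example, not part of the Rosette Server documentation or code; it assumes only the property names shown in org.apache.cxf.http.jetty-main.cfg and the -Djavax.net.ssl.* options shown in ssl-conf.conf, and the configurations and keystore files it runs against are constructed stand-ins.

```python
"""Pre-flight checks for the Rosette Server TLS settings described above.

Added example, not part of the Rosette Server documentation or code. It assumes
only the property names from org.apache.cxf.http.jetty-main.cfg and the
-Djavax.net.ssl.* options from ssl-conf.conf; the configs and files are constructed.
"""
import os
import stat
import tempfile
from pathlib import Path

KM = "tlsServerParameters.keyManagers."
TM = "tlsServerParameters.trustManagers."
CLIENT_AUTH = "tlsServerParameters.clientAuthentication.required"


def parse_properties(text):
    """key=value lines with '#' comments; '-Dkey=value' JVM option lines are accepted too."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            key = key.strip()
            props[key[2:] if key.startswith("-D") else key] = value.strip()
    return props


def check_store(findings, label, path, store_type=None, private=True):
    """Type is JKS or PKCS12, the file exists, and a private-key store is mode 400."""
    if store_type is not None and store_type not in ("JKS", "PKCS12"):
        findings.append(f"{label}: type must be JKS or PKCS12, got {store_type!r}")
    p = Path(path)
    if not p.is_file():
        findings.append(f"{label}: file not found: {path}")
    elif private and stat.S_IMODE(p.stat().st_mode) & 0o077:
        findings.append(f"{label}: {path} is readable by group/other (expected mode 400)")


def check_jetty_tls(props):
    """Findings for the inbound tlsServerParameters.* settings."""
    findings = []
    kp, sp = props.get(KM + "keyPassword"), props.get(KM + "keyStore.password")
    if kp is not None and sp is not None and kp != sp:   # the Note above: these must match
        findings.append("keyManagers.keyPassword and keyManagers.keyStore.password differ")
    if KM + "keyStore.file" in props:
        check_store(findings, "keyManagers.keyStore", props[KM + "keyStore.file"],
                    props.get(KM + "keyStore.type"), private=True)
    if TM + "keyStore.file" in props:
        check_store(findings, "trustManagers.keyStore", props[TM + "keyStore.file"],
                    props.get(TM + "keyStore.type"), private=False)
        if props.get(CLIENT_AUTH) != "true":   # a truststore alone does not make clients authenticate
            findings.append("trustManagers configured but clientAuthentication.required is not true")
    return findings


def check_jvm_ssl(props):
    """Findings for the outbound -Djavax.net.ssl.* options (ssl-conf.conf, wrapper.conf)."""
    findings = []
    for name, private in (("keyStore", True), ("trustStore", False)):
        path = props.get(f"javax.net.ssl.{name}")
        if path is not None:
            check_store(findings, f"javax.net.ssl.{name}", path, private=private)
            if not props.get(f"javax.net.ssl.{name}Password"):
                findings.append(f"javax.net.ssl.{name}Password is missing")
    return findings


def demo():
    """Run the checks on constructed configs; returns {scenario: list of findings}."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        ks, ts = Path(d, "serviceKeystore.jks"), Path(d, "cacerts.jks")
        ks.write_bytes(b"constructed placeholder, not a real keystore")
        ts.write_bytes(b"constructed placeholder, not a real truststore")
        os.chmod(ks, 0o400)      # as in 'chmod 400 serviceKeystore.jks'
        os.chmod(ts, 0o644)
        # 1. Filled in as in the worked example: matching passwords, mode 400 keystore.
        results["good"] = check_jetty_tls(parse_properties(
            f"{KM}keyPassword=sspass\n{KM}keyStore.file={ks}\n"
            f"{KM}keyStore.password=sspass\n{KM}keyStore.type=JKS\n"))
        # 2. Two common slips: key password differs from store password, and a
        #    truststore is configured without requiring client authentication.
        results["bad"] = check_jetty_tls(parse_properties(
            f"{KM}keyPassword=skpass\n{KM}keyStore.file={ks}\n{KM}keyStore.password=sspass\n"
            f"{KM}keyStore.type=JKS\n{TM}keyStore.file={ts}\n{TM}keyStore.type=JKS\n"
            f"{TM}keyStore.password=capass\n"))
        # 3. Outbound options as in ssl-conf.conf, but the keystore was left world-readable.
        os.chmod(ks, 0o644)
        results["jvm"] = check_jvm_ssl(parse_properties(
            f"#encoding=UTF-8\n#-Djavax.net.debug=ssl\n-Djavax.net.ssl.keyStore={ks}\n"
            f"-Djavax.net.ssl.keyStorePassword=sspass\n-Djavax.net.ssl.trustStore={ts}\n"
            "-Djavax.net.ssl.trustStorePassword=capass\n"))
    return results


if __name__ == "__main__":
    for scenario, findings in demo().items():
        print(f"{scenario}: {findings or 'OK'}")
```

Run it before restarting Rosette Server: an empty findings list for the "good" scenario is what a correctly filled-in jetty-main.cfg looks like, while the "bad" and "jvm" scenarios show the two messages you would see for a mismatched key password, a truststore without client authentication, and a keystore that was never chmod'ed to 400. The checker reads only file metadata, never the store contents, so it is safe to run against production paths.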
Optional: SSL with remote workers
To use remote workers, the certificate needs to be trusted. For testing, import the certificate into the truststore file, cacerts.jks, as trusted.
This example is for evaluation purposes only and continues with the previously generated key. Please work with your appropriate internal group to acquire your keys for production usage. If your key is acquired from a trusted certificate authority, no further configuration may be required. As this example uses self-signed certificates, the following steps are necessary.
- Export the certificate from the Java KeyStore.
keytool -exportcert \
-alias myservicekey \
-keystore serviceKeystore.jks \
-file server.cer \
-storepass sspass
- Import the certificate into a trust store.
keytool -import \
-v \
-trustcacerts \
-alias localhost \
-file server.cer \
-keystore cacerts.jks \
-storepass capass
- Instruct the JRE to trust the self-signed certificate by updating conf/wrapper.conf.
wrapper.java.additional.201=-Djavax.net.ssl.trustStore=/path-to-cacerts/cacerts.jks
wrapper.java.additional.202=-Djavax.net.ssl.trustStorePassword=capass