Articles in this section

Enable SSL/TLS in Rosette Server

Avatar
Jason Stevens
  • Updated
Follow

Note

These instructions assume all workers are on a single machine. If Rosette Server is installed in an environment with distributed workers, contact Rosette support.

HTTPS requires an SSL certificate. You can use a self-signed (private) certificate or use a paid service to sign a certificate for you. These instructions assume you have an SSL certificate. The certificate must be imported into the Java Keystore file serviceKeystore.jks. The keystore is used for secure storage of and access to keys and certificates.

  1. Generate an RSA key pair for the server.

    This example is for evaluation purposes only.  The generated key is good for seven days.  Please work with your appropriate internal group to acquire your keys for production usage.

    $JAVA_HOME/bin/keytool -genkeypair \
        -validity 7 \
        -alias myservicekey \
        -keystore serviceKeystore.jks \
        -dname "cn=exampleName, ou=exampleGroup, o=exampleCompany, c=us" \
        -keypass skpass \
        -storepass sspass \
        -keyalg RSA \
        -sigalg SHA256withRSA

  2. Set the permissions for the keystore file to read only

    chmod 400 serviceKeystore.jks

  3. Rename the file launcher/config/rosapi/transport-rules.tsv. Removing this file forces local transports for all endpoints. We recommend renaming the file, to have the original file as a backup.

    mv launcher/config/rosapi/transport-rules.tsv launcher/config/rosapi/transport-rules.tsv.original

  4. Change http to https in launcher/config/com.basistech.ws.cxf.cfg.

    urlBase=https://0.0.0.0:${rosapi.port}/rest

  5. Edit the file launcher/config/org.apache.cxf.http.jetty-main.cfg and add the following lines to use the generated keystore:

    tlsServerParameters.keyManagers.keyPassword=skpass
tlsServerParameters.keyManagers.keyStore.file=<path_to_keystore>/serviceKeystore.jks
tlsServerParameters.keyManagers.keyStore.password=sspass
tlsServerParameters.keyManagers.keyStore.type=JKS

Optional: SSL with Remote Workers

To use remote workers, the certificate needs to be trusted.

For testing, import the certificate to the truststore file, cacerts.jks, as trusted.

This example is for evaluation purposes only, continuing using the previously generated key.  Please work with your appropriate internal group to acquire your keys for production usage.  If your key is acquired from a trusted certificate authority, no further configuration may be required.  As this example uses self-signed certificates, the following steps are necessary.

  1. Export the certificate from the Java KeyStore.

    keytool -exportcert \
        -alias myservicekey \
        -keystore serviceKeystore.jks \
        -file server.cer \
        -storepass sspass

  2. Import the certificate into a trust store.

    keytool -import \
        -v \
        -trustcacerts \
        -alias localhost \
        -file server.cer \
        -keystore cacerts.jks \
        -storepass capass

  3. Instruct the JRE to trust the self-signed certificate by updating conf/wrapper.conf.

    wrapper.java.additional.201=-Djavax.net.ssl.trustStore=/path-to-cacerts/cacerts.jks
wrapper.java.additional.202=-Djavax.net.ssl.trustStorePassword=capass

Related articles

Comments

0 comments

Article is closed for comments.





Powered by Zendesk