Enable HTTPS - Data360_Analyze - Latest

Data360 Analyze Server Help

Product type: Software
Portfolio: Verify
Product family: Data360
Product: Data360 Analyze
Version: Latest
Language: English
Product name: Data360 Analyze
Title: Data360 Analyze Server Help
Copyright: 2024
First publish date: 2016
Last updated: 2024-11-28
Published on: 2024-11-28T15:26:57.181000

For increased security, you can enable HTTPS for Data360 Analyze after installation. You can enable HTTPS by using a self-signed .cer certificate file or by using a .pfx certificate file.

Use a self-signed .cer certificate file

This example describes how to create a self-signed .cer certificate file and use it to configure HTTPS for Data360 Analyze. In this example, the keystore name is keystore.jks, with a password of changeit, and the SSL port is 8443. Replace these details as required.

  1. Stop all Data360 Analyze services. See Starting and stopping the Data360 Analyze Server.
  2. Create a keystore using keytool, for example:

    <Data360Analyze installation directory>\jre\bin\keytool -genkey -alias tomcat -keyalg RSA -keypass changeit -storepass changeit -storetype JKS -keystore keystore.jks -dname "CN=example.com,OU=Dev,O=MyCorp,L=Windermere,S=Cumbria,C=GB" -ext san=dns:example.com,ip:127.0.0.1

  3. Extract the certificate:

    <installation-dir>\jre\bin\keytool -export -alias tomcat -storepass changeit -file selfsignedcert.cer -keystore keystore.jks

  4. Add the certificate to the cacerts keystore of the bundled jre:

    <installation-dir>\jre\bin\keytool -import -v -trustcacerts -alias tomcat -file selfsignedcert.cer -keystore "<Data360 Analyze site directory>/cust-keystores/cacerts" -keypass changeit

    Note: If you need to repeat these steps, you first need to make a copy of the cacerts file, then remove the previously created keystore.jks and selfsignedcert.cer files.
    Note: If you want to alter the alias, you can change the imported alias by using this command: keytool -changealias -alias "1" -destalias "analyze" -keystore keystore.jks
  5. Copy the keystore.jks created in step 2 to: <Data360 Analyze site directory>/cust-keystores
  6. Open the Tomcat server-cust-connectors.xml file located at: <Data360 Analyze site directory>/conf/tomcat/server-cust-connectors.xml

    Add this text:

    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
        port="8443" maxThreads="200"
        scheme="https" secure="true" SSLEnabled="true"
        keystoreFile="<Data360 Analyze site directory>/cust-keystores/keystore.jks" keystorePass="changeit"
        clientAuth="false" sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2" compression="on"
        compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,application/json"/>

    Note: The keystoreFile value must be replaced with the location of the keystore.jks file.

    If you are using a port number other than 8443, change the redirectPort number on this line:

    <Connector connectionTimeout="20000" port="8080" protocol="HTTP/1.1" redirectPort="8443"/>

    Note: In Linux, any port below 1024 will be restricted and not available by default. Using port 443 will require root access and an additional step on the operating system.
  7. Open this file for editing: <Data360 Analyze site directory>/conf/tomcat/web-cust.xml
  8. Add this text:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Entire Application</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    Tip: You can find additional information regarding Tomcat changes at https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Configuration
  9. Open this file for editing: <Data360 Analyze site directory>/conf/cust.prop
  10. Add this text, updating localhost to the actual Data360 Analyze server name, and changing the port number to the value specified within <Data360 Analyze site directory>/conf/tomcat/server-cust-connectors.xml:

    ls.brain.webapp.contextUrl=https://localhost:8443/

  11. Start the Data360 Analyze services. See Starting and stopping the Data360 Analyze Server.

Use a .pfx certificate file

  1. Stop all Data360 Analyze services. See Starting and stopping the Data360 Analyze Server.
  2. Open a command prompt, or a terminal session and go to: <Data360Analyze installation directory>/jre/bin
  3. Import the certificate into Data360 Analyze's embedded Java cacerts. For example:

    keytool -importkeystore -deststorepass changeit -destkeystore "<Data360 Analyze site directory>/cust-keystores/cacerts" -srckeystore "certwithkey.pfx" -srcstoretype PKCS12

    Note: The above sample command needs to be updated with your destination store password (changeit) and the destination keystore location, within your actual Data360 Analyze installation (-destkeystore). The source keystore (-srckeystore) should be updated with your PKCS12 key location.
  4. Import the certificate into a new keystore. The command will create the keystore if it does not already exist.

    keytool -importkeystore -deststorepass changeit -deststoretype PKCS12 -destkeystore keystore.jks -srckeystore "certwithkey.pfx" -srcstoretype PKCS12

    Note: The above sample command needs to be updated with your destination store password (changeit) and the destination keystore location, within your actual Data360 Analyze installation (-destkeystore keystore.jks). The source keystore (-srckeystore) should be updated with your PKCS12 key location.
  5. Run this command:

    keytool -list -keypass changeit -storepass changeit -keystore keystore.jks

    Make note of the newly imported key's alias. Your key may have an auto-generated alias, similar to a UUID, or a name. The alias is the first value on the entry line, before the first comma:

    te-004ac672-f945-60e1-9529-ac97fc3c96a3, Dec 30, 2019, PrivateKeyEntry,
    Certificate fingerprint (SHA1): 44:95:FF:C6:AA:DD:D5:53:97:11:22:33:44:55:66:77:88:99:00:AA
    Note: If you want to alter the alias, you can change the imported alias by using this command: keytool -changealias -alias "1" -destalias "analyze" -keystore keystore.jks
  6. Copy the keystore.jks created in step 4 to: <Data360 Analyze site directory>/cust-keystores
  7. Open the Tomcat server-cust-connectors.xml located at: <Data360 Analyze site directory>/conf/tomcat/server-cust-connectors.xml
  8. Add this text:

    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
        port="8443" maxThreads="200" keyAlias="myKeyAlias" keyPass="myKeyPass"
        scheme="https" secure="true" SSLEnabled="true"
        keystoreFile="<Data360 Analyze site directory>/cust-keystores/keystore.jks" keystorePass="changeit"
        clientAuth="false" sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2" compression="on"
        compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,application/json"/>

  9. Update the keyAlias and keyPass parameters with your actual values. Note that the keystoreFile value must be replaced with the location of the keystore.jks file. Optionally, you can also update the port value to 443 or to another appropriate port.

    Note: The alias in the server.xml refers to the certificate's alias name, rather than the name of the server(s) within the certificate. The certificate may contain 10 aliases for a Data360 Analyze server, but the certificate itself will always refer to itself by just one alias. For a self-signed certificate, users can control this alias, while for a CA-signed certificate, it is an automatically generated string+UUID.
  10. Open this file for editing: <Data360 Analyze site directory>/conf/tomcat/web-cust.xml
  11. Add this text:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Entire Application</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

  12. Open the cust.prop file for editing: <Data360 Analyze site directory>/conf/cust.prop
  13. Add this text, updating localhost to the actual Data360 Analyze server name, and changing the port number to the value specified within <Data360 Analyze site directory>/conf/tomcat/server-cust-connectors.xml:

    ls.brain.webapp.contextUrl=https://localhost:8443/

  14. Start the Data360 Analyze services. See Starting and stopping the Data360 Analyze Server.
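
Both procedures above depend on three values agreeing: the HTTPS connector port, the redirectPort on the HTTP connector, and the port in ls.brain.webapp.contextUrl. The following check is an added example, not part of the product or its documentation; the function name, sample paths, host name and the decision to accept TLSv1.3 alongside TLSv1.2 are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

def audit_https_config(connectors_xml, cust_prop):
    """Return a list of findings; an empty list means the settings agree."""
    # An unreplaced <...> placeholder inside an attribute value is not well-formed XML.
    if re.search(r'="<[^">]*>', connectors_xml):
        return ["unreplaced <...> placeholder in an attribute value"]
    # The file holds bare <Connector> elements, so wrap them in a root to parse.
    connectors = ET.fromstring(f"<r>{connectors_xml}</r>").findall("Connector")
    tls = [c for c in connectors if c.get("SSLEnabled") == "true"]
    if len(tls) != 1:
        return [f"expected one SSLEnabled connector, found {len(tls)}"]
    https, findings = tls[0], []
    port = https.get("port")
    protocols = (https.get("sslEnabledProtocols") or "").split(",")
    if any(p.strip() not in ("TLSv1.2", "TLSv1.3") for p in protocols):
        findings.append("sslEnabledProtocols allows something other than TLSv1.2/TLSv1.3")
    if https.get("keystorePass") == "changeit":
        findings.append("keystorePass is still the example value changeit")
    for c in connectors:
        redirect = c.get("redirectPort")
        if c is not https and redirect not in (None, port):
            findings.append(f"redirectPort {redirect} does not match HTTPS port {port}")
    match = re.search(r"^ls\.brain\.webapp\.contextUrl=(\S+)", cust_prop, re.M)
    if not match:
        return findings + ["ls.brain.webapp.contextUrl is missing from cust.prop"]
    url = urlsplit(match.group(1))
    if url.scheme != "https":
        findings.append("contextUrl scheme is not https")
    if str(url.port or 443) != port:
        findings.append(f"contextUrl port does not match HTTPS port {port}")
    if url.hostname == "localhost":
        findings.append("contextUrl still points at localhost")
    return findings

# Constructed sample inputs (paths, host name and port choice are made up).
CONNECTORS = '''
<Connector connectionTimeout="20000" port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="9443"
    scheme="https" secure="true" SSLEnabled="true" sslEnabledProtocols="TLSv1.2"
    keystoreFile="/opt/analyze-site/cust-keystores/keystore.jks" keystorePass="changeit"/>
'''
CUST_PROP = "ls.brain.webapp.contextUrl=https://localhost:8443/\n"

if __name__ == "__main__":
    for finding in audit_https_config(CONNECTORS, CUST_PROP):
        print("FINDING:", finding)
```

Run it against the contents of server-cust-connectors.xml and cust.prop before restarting the services; the constructed sample changes the HTTPS port to 9443 without updating the other two settings.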