For increased security, you can enable HTTPS for Data360 Analyze after installation. You can enable HTTPS by using a self-signed .cer certificate file or by using a .pfx certificate file.
Use a self-signed .cer certificate file
This example describes how to create a self-signed .cer certificate file and use it to configure HTTPS for Data360 Analyze. In this example, the keystore name is keystore.jks, with a password of changeit, and the SSL port is 8443. Replace these details as required.
- Stop all Data360 Analyze services. See Starting and stopping the Data360 Analyze Server.
- Create a keystore using keytool, for example:
<Data360 Analyze installation directory>\jre\bin\keytool -genkey -alias tomcat -keyalg RSA -keypass changeit -storepass changeit -storetype JKS -keystore keystore.jks -dname "CN=example.com,OU=Dev,O=MyCorp,L=Windermere,S=Cumbria,C=GB" -ext san=dns:example.com,ip:127.0.0.1
- Extract the certificate:
<installation-dir>\jre\bin\keytool -export -alias tomcat -storepass changeit -file selfsignedcert.cer -keystore keystore.jks
- Add the certificate to the cacerts keystore of the bundled jre:
<installation-dir>\jre\bin\keytool -import -v -trustcacerts -alias tomcat -file selfsignedcert.cer -keystore "<Data360 Analyze site directory>/cust-keystores/cacerts" -keypass changeit
Note: If you need to repeat these steps, you first need to make a copy of the cacerts file, then remove the previously created keystore.jks and selfsignedcert.cer files.
Note: If you want to alter the alias, you can change the imported alias by using this command:
keytool -changealias -alias "1" -destalias "analyze" -keystore keystore.jks
- Copy the keystore.jks created in step 2 to:
<Data360 Analyze site directory>/cust-keystores
- Open the Tomcat server-cust-connectors.xml file located at:
<Data360 Analyze site directory>/conf/tomcat/server-cust-connectors.xml
Add this text:
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="<Data360 Analyze site directory>/cust-keystores/keystore.jks" keystorePass="changeit"
clientAuth="false" sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2" compression="on"
compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,application/json"/>
Note: The keystoreFile value must be replaced with the location of the keystore.jks file.
If you are using a port number other than 8443, change the redirectPort number on this line:
<Connector connectionTimeout="20000" port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
Note: In Linux, any port below 1024 will be restricted and not available by default. Using port 443 will require root access and an additional step on the operating system.
- Open this file for editing:
<Data360 Analyze site directory>/conf/tomcat/web-cust.xml
- Add this text:
<security-constraint>
<web-resource-collection>
<web-resource-name>Entire Application</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
Tip: You can find additional information regarding Tomcat changes at https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Configuration
- Open this file for editing:
<Data360 Analyze site directory>/conf/cust.prop
- Add this text, updating localhost to the actual Data360 Analyze server name, and the port number to the value specified within <Data360 Analyze site directory>/conf/tomcat/server-cust-connectors.xml:
ls.brain.webapp.contextUrl=https://localhost:8443/
- Start the Data360 Analyze services. See Starting and stopping the Data360 Analyze Server.
Use a .pfx certificate file
- Stop all Data360 Analyze services. See Starting and stopping the Data360 Analyze Server.
- Open a command prompt or a terminal session and go to:
<Data360 Analyze installation directory>/jre/bin
- Import the certificate into Data360 Analyze's embedded Java cacerts. For example:
keytool -importkeystore -deststorepass changeit -destkeystore "<Data360 Analyze site directory>/cust-keystores/cacerts" -srckeystore "certwithkey.pfx" -srcstoretype PKCS12
Note: The above sample command needs to be updated with your destination store password (changeit) and the destination keystore location, within your actual Data360 Analyze installation (-destkeystore). The source keystore (-srckeystore) should be updated with your PKCS12 key location.
- Import the certificate into a new keystore. The command will create the keystore if it does not already exist.
keytool -importkeystore -deststorepass changeit -deststoretype PKCS12 -destkeystore keystore.jks -srckeystore "certwithkey.pfx" -srcstoretype PKCS12
Note: The above sample command needs to be updated with your destination store password (changeit) and the destination keystore location, within your actual Data360 Analyze installation (-destkeystore keystore.jks). The source keystore (-srckeystore) should be updated with your PKCS12 key location.
- Run this command:
keytool -list -keypass changeit -storepass changeit -keystore keystore.jks
Make note of the newly imported key's alias. Your key may have an auto-generated alias, similar to a UUID, or a name. The alias is the first value on the entry line, before the first comma:
te-004ac672-f945-60e1-9529-ac97fc3c96a3, Dec 30, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA1): 44:95:FF:C6:AA:DD:D5:53:97:11:22:33:44:55:66:77:88:99:00:AA
Note: If you want to alter the alias, you can change the imported alias by using this command:
keytool -changealias -alias "1" -destalias "analyze" -keystore keystore.jks
- Copy the keystore.jks created in step 4 to:
<Data360 Analyze site directory>/cust-keystores
- Open the Tomcat server-cust-connectors.xml located at:
<Data360 Analyze site directory>/conf/tomcat/server-cust-connectors.xml
- Add this text:
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
port="8443" maxThreads="200" keyAlias="myKeyAlias" keyPass="myKeyPass"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="<Data360 Analyze site directory>/cust-keystores/keystore.jks" keystorePass="changeit"
clientAuth="false" sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2" compression="on"
compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,application/json"/>
- Update the keyAlias and keyPass parameters with your actual values. Note that the keystoreFile value must be replaced with the location of the keystore.jks file. Optionally, you can also update the port value to 443 or to another appropriate port.
Note: The alias in the server.xml refers to the certificate's alias name, rather than the name of the server(s) within the certificate. The certificate may contain 10 aliases for a Data360 Analyze server, but the certificate itself will always refer to itself by just one alias. For a self-signed certificate, users can control this alias, while for a CA-signed certificate, it is an automatically generated string+UUID.
- Open this file for editing:
<Data360 Analyze site directory>/conf/tomcat/web-cust.xml
- Add this text:
<security-constraint>
<web-resource-collection>
<web-resource-name>Entire Application</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
- Open the cust.prop file for editing:
<Data360 Analyze site directory>/conf/cust.prop
- Add this text, updating localhost to the actual Data360 Analyze server name, and changing the port number to the value specified within <Data360 Analyze site directory>/conf/tomcat/server-cust-connectors.xml:
ls.brain.webapp.contextUrl=https://localhost:8443/
- Start the Data360 Analyze services. See Starting and stopping the Data360 Analyze Server.
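A pre-start consistency check for either procedure above, as an added example that is not part of the Data360 Analyze documentation or product: it confirms that keyAlias names a PrivateKeyEntry, that redirectPort and contextUrl agree with the HTTPS port, and that the example password changeit is no longer in use. The function names and sample inputs are constructed for illustration, and it assumes English-locale keytool output and a connectors file that is an XML fragment without a root element.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample inputs (placeholders, not from a real installation).
KEYTOOL_LIST = """\
te-004ac672-f945-60e1-9529-ac97fc3c96a3, Dec 30, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA1): 44:95:FF:C6:AA:DD:D5:53:97:11:22:33:44:55:66:77:88:99:00:AA
rootca, Dec 30, 2019, trustedCertEntry,
"""
CONNECTORS = """
<Connector connectionTimeout="20000" port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="9443"
  keyAlias="analyze" keyPass="changeit" scheme="https" secure="true" SSLEnabled="true"
  keystoreFile="/site/cust-keystores/keystore.jks" keystorePass="changeit"
  clientAuth="false" sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2"/>
"""
CUST_PROP = "ls.brain.webapp.contextUrl=https://localhost:8443/\n"

def private_key_aliases(listing):
    """Aliases of PrivateKeyEntry rows in `keytool -list` output (English date format)."""
    return re.findall(r"^(.+), [^,\n]+, [^,\n]+, PrivateKeyEntry,\s*$", listing, re.M)

def check(listing, connectors_xml, cust_prop, example_pw="changeit"):
    """Return findings; an empty list means keystore, connectors and cust.prop agree."""
    # Assumption: the connectors file is a rootless XML fragment, so wrap it to parse.
    conns = list(ET.fromstring("<root>%s</root>" % connectors_xml).iter("Connector"))
    tls = [c for c in conns if c.get("SSLEnabled") == "true"]
    if len(tls) != 1:
        return ["expected exactly one SSLEnabled connector, found %d" % len(tls)]
    port, alias = tls[0].get("port"), tls[0].get("keyAlias")
    findings = []
    if alias is not None and alias not in private_key_aliases(listing):
        findings.append("keyAlias %r is not a PrivateKeyEntry in the keystore" % alias)
    for attr in ("keystorePass", "keyPass"):
        if tls[0].get(attr) == example_pw:
            findings.append("%s still uses the documentation's example password" % attr)
    for other in conns:
        redirect = other.get("redirectPort")
        if other is not tls[0] and redirect and redirect != port:
            findings.append("redirectPort %s does not match HTTPS port %s" % (redirect, port))
    m = re.search(r"^ls\.brain\.webapp\.contextUrl=(\S+)", cust_prop, re.M)
    url = urlsplit(m.group(1)) if m else None
    if url is None or url.scheme != "https" or str(url.port or 443) != port:
        findings.append("contextUrl is not an https URL on port %s" % port)
    return findings

if __name__ == "__main__":
    print("\n".join(check(KEYTOOL_LIST, CONNECTORS, CUST_PROP)))
```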