Configuring for HTTPS
HTTPS ensures that communication between the client and server is encrypted, so that if it is intercepted, a third party cannot easily read or use the information. For FME Server, you can use HTTPS to ensure that sensitive login information is not exposed.
To enable SSL support:
- Enable SSL on the Web Application Server
- Verify the Configuration
- Modify Service URLs to Use HTTPS
- Modify the FME Server Web URL to Use HTTPS
- Enable SSL on the WebSocket Server (Optional)
Enable SSL on the Web Application Server

Instructions for setting up SSL vary by web application server. The following example provides steps for setting up SSL for Apache Tomcat 8.5, which is the application server included with an express installation of FME Server, and as an option with certain custom installations.
Note: For more information about configuring Apache Tomcat for HTTPS, or if you are using a different version of Apache Tomcat, see the documentation for your version on http://tomcat.apache.org/.
For any HTTPS (SSL) page, a certificate is required. For development and testing purposes, self-signed certificates are supported. For production use, we recommend that you use SSL certificates from a verified SSL certificate authority (CA).
Create a Keystore File

First, you must generate a keystore that contains a certificate chain, using the Java keytool from the Java Development Kit (JDK).
- Open a command prompt and navigate to the Java bin directory (<FMEServerDir>\Utilities\jre\bin\).
- Run the following command to create a new keystore file:
keytool -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore
- Set a password for the new keystore and specify the server domain name (for example, fmeserver.example.org) as your first and last name.
- When prompted for the password for the alias <tomcat>, press RETURN. This gives the key the same password as the keystore, which is what the Tomcat connector configuration on this page expects, since it supplies only keystorePass.
- A new keystore (tomcat.keystore) is created in <FMEServerDir>\Utilities\jre\bin\.
- Copy the new keystore file to the tomcat directory in the FME Server installation: <FMEServerDir>\Utilities\tomcat\.
If no CA-issued certificate is used, the new keystore must be imported into the FME Server keystore for trusted certificates with the following command:
keytool -importkeystore -srckeystore tomcat.keystore -destkeystore <FMEServerDir>\Utilities\jre\lib\security\cacerts
You will be prompted to enter two passwords: one for the destination keystore and one for the source keystore. The default password for the destination keystore (cacerts) is changeit. The password for the source keystore is the password that was specified in step 3, above.
- Generate a certificate signing request (CSR):
keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore tomcat.keystore
- Submit the CSR (certreq.csr) to your CA to obtain a certificate, according to your CA's instructions.
- Import the certificate into the keystore. Depending on the web application server, you may also need to import a root certificate (consult your web application server's or CA's instructions).
Import root certificate:
keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file <certificate_filename>
Import certificate:
keytool -import -alias tomcat -keystore tomcat.keystore -file <certificate_filename>
In the next steps, we modify three configuration files of Apache Tomcat. All three files are located in the FME Server installation directory: <FMEServerDir>\Utilities\tomcat\conf\.
- Open the server.xml file in a text editor.
- Locate the SSLEngine setting in the <Listener> element whose className is "org.apache.catalina.core.AprLifecycleListener", and change its value from "on" to "off".
- Locate the <Connector> element that contains the following:
protocol="org.apache.coyote.http11.Http11NioProtocol"
and replace it with the following:
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
port="443" minSpareThreads="5"
enableLookups="true" disableUploadTimeout="true"
acceptCount="100" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="<FMEServerDir>\Utilities\tomcat\tomcat.keystore"
keystorePass="<your_password>"
clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,
TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA"
URIEncoding="UTF8" />
<Connector port="80" protocol="HTTP/1.1"
redirectPort="443"/>
Make sure to replace <FMEServerDir> and <your_password> with the FME Server installation directory and the keystore password that was specified in step 3 under Create a Keystore File.
- Save and close the server.xml file.
- Open the web.xml file in a text editor.
- Add the following code block to the end of the file, just before the closing </web-app> element:
<security-constraint>
<web-resource-collection>
<web-resource-name>HTTPSOnly</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
- Save and close the web.xml file.
- Open the context.xml file in a text editor.
- Add the following to the end of the file, just before the closing </Context> element:
<Valve className="org.apache.catalina.authenticator.SSLAuthenticator"
disableProxyCaching="false" />
- Save and close the context.xml file.
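The following Python script is an added example, not part of this page or of FME Server: it parses the three files edited above and reports anything that deviates from the settings just described. It also flags two things a security reviewer would raise about the connector shown on this page: TLSv1 and TLSv1.1 are deprecated protocol versions, and the SSL_RSA_WITH_3DES_EDE_CBC_SHA suite is considered weak. The sample documents are constructed copies of the page's snippets with example values in place of the placeholders, and the "hardened" variant is an assumed stricter baseline (TLS 1.2 and 1.3 only, no 3DES), not a setting the page prescribes.

```python
"""Audit the Tomcat files edited above (server.xml, web.xml, context.xml).
Added example, not FME Server code.  The sample documents below are constructed
copies of the page's snippets with example values in place of placeholders."""
import xml.etree.ElementTree as ET

# Assumed baseline: TLS 1.2+ only, and no 3DES/RC4/export/NULL/MD5 suites.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("3DES", "RC4", "NULL", "EXPORT", "_MD5")


def _csv(value):
    """Split a comma-separated attribute (newlines in it are normalised to spaces by XML)."""
    return [item.strip() for item in value.split(",") if item.strip()]


def audit_server_xml(xml_text):
    """Return findings for the APR listener and every <Connector> in server.xml."""
    findings = []
    root = ET.fromstring(xml_text)
    for listener in root.iter("Listener"):
        if (listener.get("className", "").endswith("AprLifecycleListener")
                and listener.get("SSLEngine", "off").lower() == "on"):
            findings.append("AprLifecycleListener: SSLEngine is still on")
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        if conn.get("SSLEnabled", "false").lower() != "true":
            # A plain HTTP connector must hand clients over to the HTTPS port.
            if not conn.get("redirectPort"):
                findings.append(f"connector {port}: plain HTTP without redirectPort")
            continue
        if conn.get("scheme") != "https" or conn.get("secure", "").lower() != "true":
            findings.append(f"connector {port}: SSLEnabled without scheme=https/secure=true")
        if not conn.get("keystoreFile"):
            findings.append(f"connector {port}: no keystoreFile")
        for proto in sorted(set(_csv(conn.get("sslEnabledProtocols", ""))) & DEPRECATED_PROTOCOLS):
            findings.append(f"connector {port}: deprecated protocol {proto} enabled")
        for suite in _csv(conn.get("ciphers", "")):
            if any(marker in suite for marker in WEAK_CIPHER_MARKERS):
                findings.append(f"connector {port}: weak cipher suite {suite}")
    return findings


def audit_web_xml(xml_text):
    """web.xml must require CONFIDENTIAL transport for /* (handles the Java EE namespace)."""
    root = ET.fromstring(xml_text)
    ns = root.tag[:root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    for sc in root.iter(ns + "security-constraint"):
        patterns = [(p.text or "").strip() for p in sc.iter(ns + "url-pattern")]
        guarantee = (sc.findtext(f"{ns}user-data-constraint/{ns}transport-guarantee") or "").strip()
        if "/*" in patterns and guarantee == "CONFIDENTIAL":
            return []
    return ["web.xml: no security-constraint with CONFIDENTIAL transport for /*"]


def audit_context_xml(xml_text):
    """context.xml must contain the SSLAuthenticator valve."""
    root = ET.fromstring(xml_text)
    if any(v.get("className") == "org.apache.catalina.authenticator.SSLAuthenticator"
           for v in root.iter("Valve")):
        return []
    return ["context.xml: SSLAuthenticator valve missing"]


def audit_all(server_xml, web_xml, context_xml):
    return audit_server_xml(server_xml) + audit_web_xml(web_xml) + audit_context_xml(context_xml)


# Constructed sample: the page's connector with example values filled in.
SERVER_XML = r"""<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="off" />
  <Service name="Catalina">
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
      port="443" minSpareThreads="5" enableLookups="true" disableUploadTimeout="true"
      acceptCount="100" maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
      keystoreFile="C:\Program Files\FMEServer\Utilities\tomcat\tomcat.keystore"
      keystorePass="example-password" clientAuth="false"
      sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
      sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
      ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
      TLS_RSA_WITH_AES_128_GCM_SHA256,SSL_RSA_WITH_3DES_EDE_CBC_SHA"
      URIEncoding="UTF8" />
    <Connector port="80" protocol="HTTP/1.1" redirectPort="443"/>
  </Service>
</Server>
"""
# Same connector restricted to TLS 1.2/1.3 with the 3DES suite removed (assumed baseline).
SERVER_XML_HARDENED = (SERVER_XML
    .replace('sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"', 'sslEnabledProtocols="TLSv1.2,TLSv1.3"')
    .replace(",SSL_RSA_WITH_3DES_EDE_CBC_SHA", ""))
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HTTPSOnly</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>
"""
CONTEXT_XML = """<Context>
  <Valve className="org.apache.catalina.authenticator.SSLAuthenticator" disableProxyCaching="false" />
</Context>
"""

if __name__ == "__main__":
    for finding in audit_all(SERVER_XML, WEB_XML, CONTEXT_XML) or ["no findings"]:
        print(finding)
```

Run against a real installation by reading each file from <FMEServerDir>\Utilities\tomcat\conf\ and passing its text to audit_all; on the page's own connector the script reports the two deprecated protocol versions and the 3DES suite, and nothing for the hardened variant.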
Verify the Configuration

Verify that HTTPS was configured correctly for FME Server.
- Restart the FME Server Web Application service.
- Open a browser and navigate to https://localhost/. If you configured Tomcat to use a port other than the standard port 443, also specify the port (https://localhost:<port>).
- You should see the FME Server login page in a secured format.
Note: If a self-signed certificate is used for testing, your browser may report the page as not secure.
Modify Service URLs to Use HTTPS

To enable SSL for a service, open the FME Server Web User Interface, and select Services. On the Services page, click the desired service.
The Editing Service page opens.
In the URL Pattern field, change HTTP to HTTPS, and modify the port number, if required. Typically, SSL is configured on either port 8443 or 443.
Modify the FME Server Web URL to Use HTTPS

- Open fmeServerConfig.txt, located at <FMEServerDir>\Server\.
- Update the value of the FME_SERVER_WEB_URL directive as follows:
  - Change http to https.
  - Update the port to the same one specified in the previous step (Modify Service URLs to Use HTTPS).
- Save and close the file.
Enable SSL on the WebSocket Server (Optional)

The FME Server WebSocket Server supports insecure (ws://) or secure (wss://) connections. This configuration is only required if the WebSocket capabilities of FME Server will be used.
- Open the fmeWebSocketConfig.txt file in your FME Server installation directory (<FMEServerDir>\Server).
- Set WEBSOCKET_SSL_ENABLED=true.
- Uncomment the WEBSOCKET_KEYSTORE_FILE_PATH directive and set it to reference the keystore file you generated under Enable SSL on the Web Application Server. For example:
WEBSOCKET_KEYSTORE_FILE_PATH=C:/Program Files/FMEServer/Utilities/tomcat/<your_keystore_filename>
- Uncomment the WEBSOCKET_KEYSTORE_FILE_PASSWORD directive and set it to the password of the keystore file you generated under Enable SSL on the Web Application Server.
Note: Do not enclose the password in quotes.
- Specify the same settings for the WEBSOCKET_ENABLE_SSL, WEBSOCKET_KEYSTORE_FILE_PATH, and WEBSOCKET_KEYSTORE_FILE_PASSWORD directives in the following files:
  - <FMEServerDir>\Server\config\subscribers\websocket.properties
  - <FMEServerDir>\Server\config\publishers\websocket.properties
- In the following files, update the protocol in the value property of the PROPERTY directive from "ws:" to "wss:":
  - %ALLUSERSPROFILE%\Safe Software\FME Server\localization\publishers\websocket\publisherProperties.xml
  - %ALLUSERSPROFILE%\Safe Software\FME Server\localization\subscribers\websocket\subscriberProperties.xml
Note: Unless modified, C:\ProgramData is the default value of the %ALLUSERSPROFILE% environment variable.
- Run the following .bat files, located in <FMEServerDir>\Clients\utilities:
  - addPublishers.bat
  - addSubscribers.bat
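As an added example (not Safe Software's code and not part of this page), the following Python script applies the directive changes described above to a key=value file such as fmeWebSocketConfig.txt or websocket.properties: it uncomments and sets the directives in place, appends them when absent, and refuses a quoted value because of the note about the password. The sample file content is constructed. The exact structure of publisherProperties.xml and subscriberProperties.xml is not shown on this page, so ws_to_wss assumes the protocol sits in an attribute literally named value on the PROPERTY element; check that assumption against your installation's files before using it.

```python
"""Apply the WebSocket TLS directives above to a key=value configuration file
such as fmeWebSocketConfig.txt or websocket.properties.  Added example, not FME
Server code; SAMPLE_CONFIG is constructed and the XML layout in ws_to_wss is assumed."""
import re

SAMPLE_CONFIG = """# constructed sample, not a real FME Server file
WEBSOCKET_SSL_ENABLED=false
#WEBSOCKET_KEYSTORE_FILE_PATH=
#WEBSOCKET_KEYSTORE_FILE_PASSWORD=
OTHER_SETTING=keep
"""


def set_directive(text, key, value):
    """Set KEY=value in place, uncommenting a '#KEY=' line if that is how it appears,
    or appending the directive when the file lacks it.  Values are written verbatim;
    quoted values are rejected because the page says not to quote the password."""
    if value[:1] in ('"', "'") or value[-1:] in ('"', "'"):
        raise ValueError(f"{key}: do not enclose the value in quotes")
    pattern = re.compile(r"^[ \t]*#?[ \t]*" + re.escape(key) + r"[ \t]*=.*$", re.MULTILINE)
    new_line = f"{key}={value}"
    if pattern.search(text):
        # A callable replacement keeps backslashes in Windows paths literal.
        return pattern.sub(lambda _m: new_line, text, count=1)
    return text.rstrip("\n") + "\n" + new_line + "\n"


def get_directive(text, key):
    """Return the value of an active (uncommented) KEY= line, or None."""
    m = re.search(r"^[ \t]*" + re.escape(key) + r"[ \t]*=(.*)$", text, re.MULTILINE)
    return m.group(1).strip() if m else None


def enable_websocket_ssl(text, keystore_path, keystore_password,
                         enabled_key="WEBSOCKET_SSL_ENABLED"):
    """The directive steps above.  The page names the enable directive
    WEBSOCKET_SSL_ENABLED for fmeWebSocketConfig.txt and WEBSOCKET_ENABLE_SSL for
    the websocket.properties files; pass enabled_key accordingly."""
    text = set_directive(text, enabled_key, "true")
    text = set_directive(text, "WEBSOCKET_KEYSTORE_FILE_PATH", keystore_path)
    return set_directive(text, "WEBSOCKET_KEYSTORE_FILE_PASSWORD", keystore_password)


def ws_to_wss(xml_text):
    """Rewrite ws: to wss: where it begins a value="..." attribute (assumed layout of
    the PROPERTY element).  Idempotent: an already converted file is left unchanged."""
    return re.sub(r'(value=")ws:', r'\1wss:', xml_text)


if __name__ == "__main__":
    updated = enable_websocket_ssl(
        SAMPLE_CONFIG,
        "C:/Program Files/FMEServer/Utilities/tomcat/tomcat.keystore",
        "example-password")
    print(updated)
    # Constructed PROPERTY element using the page's example host name.
    print(ws_to_wss('<PROPERTY name="url" value="ws://fmeserver.example.org/websocket"/>'))
```

Read each real file, pass its text through enable_websocket_ssl (with enabled_key="WEBSOCKET_ENABLE_SSL" for the two websocket.properties files) and write the result back; the add*.bat scripts from the last step still have to be run afterwards.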