Configuring for HTTPS

HTTPS ensures that communication between the client and server is encrypted, so that if it is intercepted, a third party cannot easily view or use the information. For FME Server, you can use HTTPS to ensure that sensitive login information is not exposed.

To enable SSL support:

1. Enable SSL on the Web Application Server
Expand for instructions
Depending on the method, instructions to set up SSL on different web application servers vary. The following example provides steps for setting up SSL for Apache Tomcat, which is the application server included with an Express or Fault-Tolerant installation of FME Server, and as an option with certain Distributed installations.
Note: For more information about configuring Apache Tomcat for HTTPS, or if you are using a different version of Apache Tomcat, see the documention for your version on http://tomcat.apache.org/.
For any HTTPS (SSL) page, a certificate is required. For development and testing purposes, self-signed certificates are supported. For production use, we recommend that you use SSL certificates from a verified SSL certificate authority (CA). Both conventional and wildcard certificates are supported.
Conventional Certificates
Create a Keystore File
First, you must generate a keystore that contains a certificate chain using the Java Keytool from the Java Developer Kit (JDK).
1. Open a command prompt as administrator and navigate to the Java bin directory (<FMEServerDir>\Utitilies\jre\bin\)
2. Run the following command to create a new keystore file:

   keytool -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore

3. After running the previous command, you are prompted to set a password for the new keystore and specify the server domain name (for example, fmeserver.example.org) as your first and last name.
4. When prompted for the password for the alias <tomcat>, press RETURN.
5. A new keystore is created in <FMEServerDir>\Utilities\jre\bin\.
6. Copy the new keystore file to the tomcat directory in the FME Server installation: <FMEServerDir>\Utilities\tomcat\.
Working with the Certificate
To use a self-signed certificate:
If no CA-issued certificate is used, the new keystore must be imported into the FME Server keystore for trusted certificates with the following command:
keytool -importkeystore -srckeystore tomcat.keystore -destkeystore <FMEServerDir>\Utilities\jre\lib\security\cacerts
You will be prompted to enter two passwords. One for the destination keystore. The password for the destination keystore is changeit. The password for the source keystore is the password that was specified in step 3, above.
When finished, proceed to "Configure Tomcat" (below).
To use a CA-issued certificate:
1. Generate a certificate signing request (CSR):

keytool -certreq -keyalg RSA -alias tomcat -file

certreq.csr -keystore tomcat.keystore

2. Submit the CSR (certreq.scr) to your CA to obtain a certificate, according to your CA's instructions.
3. Import the certificate into the keystore. Depending on the web application server, you may also need to import a root certificate (consult your web application or CA's instructions).

Import root certificate:

keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file <certificate_filename>

Import certificate:

keytool -import -alias tomcat -keystore tomcat.keystore -file <certificate_filename>

4. Proceed to "Configure Tomcat" (below).
Wildcard Certificates
Note: You must know the password for the certificate.
1. Open a command prompt as administrator and navigate to the Java bin directory (<FMEServerDir>\Utitilies\jre\bin).
2. Run the following command to create a new keystore file:

keytool -deststoretype jks

3. When prompted, enter the same password for the destination and source keystores.
4. Proceed to "Configure Tomcat" (below).
Configure Tomcat
In the next steps, we modify three configuration files of Apache Tomcat. All three files are located in the FME Server installation directory: <FMEServerDir>\Utilities\tomcat\conf\.
Note: As a best practice, we recommend creating backup copies of any configuration files before modifying them.
Configure server.xml
1. Open the server.xml file in a text editor:
2. Locate the SSLEngine setting in the <Listener> element, including className="org.apache.catalina.core.AprLifecycleListener" and change the "on" value to "off".
3. Locate the <Connector> element that contains the following:

protocol="org.apache.coyote.http11.Http11NioProtocol"

and replace it with the following:

<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"

port="443" minSpareThreads="5"

enableLookups="true" disableUploadTimeout="true"

acceptCount="100" maxThreads="200"

scheme="https" secure="true" SSLEnabled="true"

keystoreFile="<FMEServerDir>\Utilities\tomcat\tomcat.keystore"

keystorePass="<your_password>"

clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"

sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"

ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,

TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,

TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,

TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,

SSL_RSA_WITH_3DES_EDE_CBC_SHA"

URIEncoding="UTF8" />

 

<Connector port="80" protocol="HTTP/1.1"

redirectPort="443"/>

Note: Complete this step only for the incidence of protocol="org.apache.coyote.http11.Http11NioProtocol" that is not enclosed in <!-- --> comment syntax.

4. Make sure to exchange <FMEServerDir> and <your_password> with the install directory of FME Server and the password of the keystore that was specified in step 3 under Create a Keystore File.
5. (Optional) To change the port for HTTPS communication, change 443 to the desired port, for both the port and redirectPort directives.
6. Save and close the server.xml file.
Configure web.xml
1. Open the web.xml file in a text editor.
2. Add the following code block to the end of the file, just before the closing </web-app> element:

<security-constraint>

<web-resource-collection>

<web-resource-name>HTTPSOnly</web-resource-name>

<url-pattern>/*</url-pattern>

</web-resource-collection>

<user-data-constraint>

<transport-guarantee>CONFIDENTIAL</transport-guarantee>

</user-data-constraint>

</security-constraint>

3. Save and close the web.xml file.
Configure context.xml
1. Open the context.xml file in a text editor.
2. Add the following to the end of the file, just before the closing </context> element:

   <Valve className="org.apache.catalina.authenticator.SSLAuthenticator"

   disableProxyCaching="false" />

3. Save and close the context.xml file.
2. Verify the Configuration
Expand for instructions

Verify that HTTPS was configured correctly for FME Server.

1. Restart the FME Server Application Server service.
2. Open a browser and navigate to https://localhost/. If you configured Tomcat to use a port other than the standard port 443, also specify the port (https://localhost:<port>).
3. You should see the FME Server login page in a secured format.

Note: If a self-signed certificate is used for testing, your browser may report the page as not secure.

3. Modify Service URLs to Use HTTPS
Expand for instructions

To enable SSL for a service, open the Services page of the FME Server Web User Interface. On the Services page, click the desired service.

The Editing Service page opens.

In the URL Pattern field, change HTTP to HTTPS, and modify the port number, if required. Typically SSL is configured on either port 8443 or 443.

4. Modify the FME Server Web URL to Use HTTPS
Expand for instructions
1. Open fmeServerConfig.txt, located at <FMEServerDir>\Server\.
2. Update the value of the FME_SERVER_WEB_URL directive as follows:
   • Change http to https.
   • Update the port to the same one specified in the previous step (Modify Service URLs to Use HTTPS).
3. Save and close the file.
5. Enable SSL on the WebSocket Server (Optional)
Expand for instructions
The FME Server WebSocket Server supports insecure (ws://) or secure connections (wss://). This configuration is only required if the WebSocket capabilities of FME Server will be used.
1. Open the fmeWebSocketConfig.txt file in your FME Server installation directory (<FMEServerDir>\Server).
2. Set WEBSOCKET_ENABLE_SSL=true.
3. Uncomment the WEBSOCKET_KEYSTORE_FILE_PATH directive and set it to reference the keystore file you generated under Enable SSL on the Web Application Server. For example:

WEBSOCKET_KEYSTORE_FILE_PATH=<FMEServerDir>/Utilities/tomcat/<your_keystore_filename>

4. Uncomment the WEBSOCKET_KEYSTORE_FILE_PASSWORD directive and set it to reference the keystore file password you generated under Enable SSL on the Web Application Server.

Note: Do not enclose the password in quotes.

5. Specify the same settings for the WEBSOCKET_ENABLE_SSL, WEBSOCKET_KEYSTORE_FILE_PATH, and WEBSOCKET_KEYSTORE_FILE_PASSWORD directives in the following files:
• <FMEServerDir>\Server\config\subscribers\websocket.properties
• <FMEServerDir>\Server\config\publishers\websocket.properties
6. In the following files, update the protocol in the value property of the PROPERTY directive from "ws:" to "wss:"
• %ALLUSERSPROFILE%\Safe Software\FME Server\localization\publishers\websocket\publisherProperties.xml
• %ALLUSERSPROFILE%\Safe Software\FME Server\localization\subscribers\websocket\subscriberProperties.xml

Note: Unless modified, C:\ProgramData is the default value of the %ALLUSERSPROFILE% environment variable.

7. Run the following .bat files, located in <FMEServerDir>\Clients\utilities:
   • addPublishers.bat
   • addSubscribers.bat

See Also

• Unable to Run Workspaces Registered to Notification Service When SSL is Configured
• Topic Monitoring is not working after configuring FME Server for SSL