Configuring for HTTPS

Note: The task described here should be undertaken by advanced users only. Before proceeding, consider your options for alternative solutions until you are certain you wish to proceed. For additional resources, consult the FME Community or FME Support.

  • Skill Level: Advanced
  • Estimated Time Required: 45-60 minutes
  • Prerequisites:
    • Test jobs and services to ensure FME Server is fully functional. For more information, see:

    • Familiarity with the Certificate Authority (CA) instructions from your certificate provider, particularly for generating the Certificate Signing Request (CSR).

    • (Recommended) Familiarity with your web application server's SSL configuration and certificates. (Apache Tomcat is the servlet for an Express or Fault-Tolerant installation of FME Server, and as an option with certain Distributed installations.)
    • (Recommended) Access to the person who generates your certificates.

Note: If using Microsoft IIS Application Request Routing (ARR), refer to this FME Community article.

Tip: If using a wildcard certificate, we recommend following the instructions in this FME Community article instead.

Configuring for HTTPS

HTTPS ensures that communication between the client and server is encrypted, so that if it is intercepted, a third party cannot easily view or use the information. You can use HTTPS with FME Server to ensure that sensitive login information is not exposed.

To enable SSL support:

  1. Enable SSL on the Web Application Server

    2. Depending on the method, instructions to set up SSL on different web application servers vary. The following example provides steps for setting up SSL for Apache Tomcat, which is the application server included with an Express or Fault-Tolerant installation of FME Server, and as an option with certain Distributed installations.

    Note: For more information about configuring Apache Tomcat for HTTPS, or if you are using a different version of Apache Tomcat, see the documention for your version on http://tomcat.apache.org/.

    For any HTTPS (SSL) page, a certificate is required. For development and testing purposes, self-signed certificates are supported. For production use, we recommend that you use SSL certificates from a verified SSL certificate authority (CA). Both conventional and wildcard certificates are supported.

    Create a Keystore File

    First, you must generate a keystore that contains a certificate chain using the Java Keytool from the Java Developer Kit (JDK).

    1. Open a command prompt as administrator and navigate to the Java bin directory (<FMEServerDir>\Utilities\jre\bin\)
    2. Run the following command to create a new keystore file:

      keytool -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore

    3. After running the previous command, you are prompted to set a password for the new keystore and specify the server domain name (for example, fmeserver.example.org) as your first and last name.
    4. When prompted for the password for the alias <tomcat>, press RETURN.
    5. A new keystore is created in <FMEServerDir>\Utilities\jre\bin\.
    6. Copy the new keystore file to the tomcat directory in the FME Server installation: <FMEServerDir>\Utilities\tomcat\.

    Working with the Certificate

    If no CA-issued certificate is used, the new keystore must be imported into the FME Server keystore for trusted certificates with the following command:

    keytool -importkeystore -srckeystore tomcat.keystore -destkeystore <FMEServerDir>\Utilities\jre\lib\security\cacerts

    You will be prompted to enter two passwords. One for the destination keystore. The password for the destination keystore is changeit. The password for the source keystore is the password that was specified in step 3, above.

    When finished, proceed to "Configure Tomcat" (below).

    1. Generate a certificate signing request (CSR):

      2. keytool -certreq -keyalg RSA -alias tomcat -file

      certreq.csr -keystore tomcat.keystore

    2. Submit the CSR (certreq.scr) to your CA to obtain a certificate, according to your CA's instructions.
    3. Import the certificate into the keystore. Depending on the web application server, you may also need to import a root certificate (consult your web application or CA's instructions).

      4. Import root certificate:

      keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file <certificate_filename>

      Import certificate:

      keytool -import -alias tomcat -keystore tomcat.keystore -file <certificate_filename>

    4. Proceed to "Configure Tomcat" (below).

    Note: You must know the password for the certificate.

    1. Open a command prompt as administrator and navigate to the Java bin directory (<FMEServerDir>\Utilities\jre\bin).
    2. Run the following command to create a new keystore file:

      3. keytool -deststoretype jks

    3. When prompted, enter the same password for the destination and source keystores.
    4. Proceed to "Configure Tomcat" (below).

    In the next steps, we modify three configuration files of Apache Tomcat. All three files are located in the FME Server installation directory: <FMEServerDir>\Utilities\tomcat\conf\.

    Note: As a best practice, we recommend creating backup copies of any configuration files before modifying them.

    1. Open the server.xml file in a text editor:
    2. Locate the SSLEngine setting in the <Listener> element, including className="org.apache.catalina.core.AprLifecycleListener" and change the "on" value to "off".
    3. Locate the <Connector> element that contains the following:

      4. protocol="org.apache.coyote.http11.Http11NioProtocol"

      and replace it with the following:

      <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"

      port="443" minSpareThreads="5"

      enableLookups="true" disableUploadTimeout="true"

      acceptCount="100" maxThreads="200"

      maxHttpHeaderSize="16384"

      scheme="https" secure="true" SSLEnabled="true"

      keystoreFile="<FMEServerDir>\Utilities\tomcat\tomcat.keystore"

      keystorePass="<your_password>"

      clientAuth="false" sslEnabledProtocols="TLSv1.1,TLSv1.2"

      sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"

      ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,

      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,

      TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,

      TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,

      TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,

      SSL_RSA_WITH_3DES_EDE_CBC_SHA"

      URIEncoding="UTF8" />

       

      <Connector port="80" protocol="HTTP/1.1"

      redirectPort="443"/>

      Note: Complete this step only for the incidence of protocol="org.apache.coyote.http11.Http11NioProtocol" that is not enclosed in <!-- --> comment syntax.

    4. Make sure to exchange <FMEServerDir> and <your_password> with the install directory of FME Server and the password of the keystore that was specified in step 3 under Create a Keystore File.
    5. (Optional) To change the port for HTTPS communication, change 443 to the desired port, for both the port and redirectPort directives.
    6. Save and close the server.xml file.
    1. Open the web.xml file in a text editor.
    2. Add the following code block to the end of the file, just before the closing </web-app> element:

      3. <security-constraint>

      <web-resource-collection>

      <web-resource-name>HTTPSOnly</web-resource-name>

      <url-pattern>/*</url-pattern>

      </web-resource-collection>

      <user-data-constraint>

      <transport-guarantee>CONFIDENTIAL</transport-guarantee>

      </user-data-constraint>

      </security-constraint>

    3. Save and close the web.xml file.
    1. Open the context.xml file in a text editor.
    2. Add the following to the end of the file, just before the closing </context> element:

      <Valve className="org.apache.catalina.authenticator.SSLAuthenticator"

      disableProxyCaching="false" />

    3. Save and close the context.xml file.
  2. Verify the Configuration

    3. Verify that HTTPS was configured correctly for FME Server.

    1. Restart the FME Server Application Server service.
    2. Open a browser and navigate to https://localhost/. If you configured Tomcat to use a port other than the standard port 443, also specify the port (https://localhost:<port>).
    3. You should see the FME Server login page in a secured format.

    Note: If a self-signed certificate is used for testing, your browser may report the page as not secure.

  3. Modify Service URLs to Use HTTPS

    4. To enable SSL for a service, open the Services page of the FME Server Web User Interface. On the Services page, click the desired service.

    The Editing Service page opens.

    In the URL Pattern field, change HTTP to HTTPS, and modify the port number, if required. Typically SSL is configured on either port 8443 or 443.

  4. Modify the FME Server Web URL to Use HTTPS
    1. Open fmeServerConfig.txt, located at <FMEServerDir>\Server\.
    2. Update the value of the FME_SERVER_WEB_URL directive as follows:
      • Change http to https.
      • Update the port to the same one specified in the previous step (Modify Service URLs to Use HTTPS).
    3. Save and close the file.
  5. Enable SSL on the WebSocket Server (Optional)

    6. The FME Server WebSocket Server supports insecure (ws://) or secure connections (wss://). This configuration is only required if the WebSocket capabilities of FME Server will be used.

    1. Open the fmeWebSocketConfig.txt file in your FME Server installation directory (<FMEServerDir>\Server).
    2. Set WEBSOCKET_ENABLE_SSL=true.
    3. Uncomment the WEBSOCKET_KEYSTORE_FILE_PATH directive and set it to reference the keystore file you generated under Enable SSL on the Web Application Server. For example:

      4. WEBSOCKET_KEYSTORE_FILE_PATH=<FMEServerDir>/Utilities/tomcat/<your_keystore_filename>

    4. Uncomment the WEBSOCKET_KEYSTORE_FILE_PASSWORD directive and set it to reference the keystore file password you generated under Enable SSL on the Web Application Server.

      5. Note: Do not enclose the password in quotes.

    5. Specify the same settings for the WEBSOCKET_ENABLE_SSL, WEBSOCKET_KEYSTORE_FILE_PATH, and WEBSOCKET_KEYSTORE_FILE_PASSWORD directives in the following files:
      • <FMEServerDir>\Server\config\subscribers\websocket.properties
      • <FMEServerDir>\Server\config\publishers\websocket.properties
    6. In the following files, update the protocol in the value property of the PROPERTY directive from "ws:" to "wss:"
      • <FMESharedResourceDir>\localization\publishers\websocket\publisherProperties.xml
      • <FMESharedResourceDir>\localization\subscribers\websocket\subscriberProperties.xml

        • Note: <FMESharedResourceDir> refers to the location of the FME Server System Share, specified during installation.

    7. Run the following .bat files, located in <FMEServerDir>\Clients\utilities:
      • addPublishers.bat
      • addSubscribers.bat

See Also