FME Flow: 2025.1 BETA

Configuring for HTTPS

HTTPS ensures that communication between the client and server is encrypted, so that if it is intercepted, a third party cannot easily view or use the information.

If your Windows installation of FME Flow uses the Apache Tomcat web application server included with the FME Flow installer, you can configure it for HTTPS if not already done so during installation. On Linux, HTTPS is configured on the NGINX reverse proxy rather than the Apache Tomcat web application server.

Note  The task described here should be undertaken by intermediate to advanced users only. Before proceeding, consider your options for alternative solutions until you are certain you wish to proceed. For additional resources, consult the FME Community or FME Support.
  • Skill Level: Intermediate to advanced, depending on certificate type and platform.
  • Estimated Time Required: 5-10 minutes (automated), 45-60 minutes (manual).
  • Prerequisites:
    • Test jobs and services to ensure FME Flow is fully functional. For more information, see Verify the Installation

    • Familiarity with the Certificate Authority (CA) instructions from your certificate provider, particularly for generating the Certificate Signing Request (CSR).

    • (Recommended) Familiarity with your Apache Tomcat web application server's SSL configuration and certificates.
    • (Recommended) Access to the person who generates your certificates.
Note  If using Microsoft IIS Application Request Routing (ARR), refer to this FME Community article.

On Windows, there are two supported methods for securing FME Flow with HTTPS. For alternative methods, such as using a self-signed certificate, see Configuring FME Flow for HTTPS in the FME Community.

If you are using a PFX or P12 certificate, a script is provided to handle the configuration. If you are using a CA-issued certificate, the configuration must be performed manually.

Note  The following instructions provide steps for setting up SSL for the version of Apache Tomcat that is included with an Express or Fault-Tolerant installation of FME Flow, and as an option with certain Distributed installations. For information about configuring other versions of Apache Tomcat for HTTPS, see the documention for your version on https://tomcat.apache.org/.

Using a PFX or P12 Certificate (Automated)

To configure the FME Flow web application server for HTTPS with a PFX or P12 certificate, run the configureSSL.ps1 scripting utility, located in <FMEFlowDir>\Utilities. When finished, restart the FME Flow services.

When running configureSSL.ps1, keep in mind the following:

  • You are prompted for the path to your certificate file and the certificate password.
  • You must have write access to the FME Flow installation directory.
  • The script overwrites all FME Flow Configuration Files with the same values provided during installation. You will lose any changes you made manually to any configuration files since FME Flow was installed. To reference those changes so you can re-apply them, if necessary, back up any configuration files to which you made manual changes prior to running configureSSL.ps1.
  • If your PFX or P12 certificate was issued internally to your organization, rather than from a third-party (external) CA, you must import the certificate keystore into FME Flow's trusted certificates after running the script.

    • To import the keystore:

    Open a command prompt, navigate to <FMEFlowDir>\Utilities\jre\bin\, and run the following command, specifying the srckeystore argument with the path to your keystore file, the srcstorepass argument with your keystore password, and <FMEFlowDir> as the location of the FME Flow installation folder:

    keytool -importkeystore -noprompt -srckeystore "<FMEFlowDir>\Utilities\tomcat\conf\certs\server.pfx" -destkeystore "<FMEFlowDir>\Utilities\jre\lib\security\cacerts" -deststorepass changeit -srcstorepass <password>

    Note  Ignore the warning that the destination type must default to jks.
  • After running configureSSL.ps1, you must restart the FME Flow services.
  • For more information about running configureSSL.ps1, run configureSSL.ps1 -Help.

Using a CA-issued Certificate (Manual)

This method requires you to generate a certificate signing request from FME Flow, which your IT team can use to create a CA certificate with the .cer or .crt extensions. If the certificate uses the .pfx extension, follow Using a PFX or P12 Certificate (Automated) (below) instead.

  1. Create a Keystore Generation Script

    2. Open a text editor and copy the example script below, replacing the argument values with your own.

    Note  The storepass and keypass arguments must be the same and at least 6 characters.

    keytool -genkey -noprompt -keyalg RSA -keystore tomcat.keystore -alias <alias> -dname "<dname>" -storepass <storepass> -keypass <keypass> -ext san="<san>" -deststoretype pkcs12

    Argument

    Description
    genkey The keytool program command to generate a new keystore.
    noprompt

    Using this argument in the command removes any interaction with the user.
    keyalg The algorithm to generate a private/public key pair.

    keystore

    		 The keystore file name.
    deststoretype Keystore type, pkcs12 or jks.
    dname The CN name, Organization Unit, Organization, Location (city), State, and two-letter country code. The distinguished name is a set of values used to create the certificate and should be entered as you would like them to be presented to FME Flow users and visitors.
    storepass, keypass The password of the key and keystore. The value must be a minimum of six characters and must be the same for both arguments.
    ext san The subject alternative name is a structured way to indicate all of the domain names and IP addresses that are secured by the certificate.
    alias The name of the key inside the keystore being created.

    Example:

    keytool -genkey -noprompt -keyalg RSA -keystore tomcat.keystore -alias tomcat -dname "CN=fmeflow.example.org, OU=support, O=SafeSoftware, L=Surrey, S=BC, C=CA" -storepass password1 -keypass password1 -ext san="dns:fmeflow.example.org,dns:fmeflow" -deststoretype pkcs12

  2. Run the Keystore Generation Script
    1. Open a command prompt as administrator and navigate to the FME Flow installation Java bin directory:

      2. cd <FMEFlowDir>\Utilities\jre\bin\

      Where <FMEFlowDir> is the location of the FME Flow installation folder.

    2. Execute the command created in step 1.
  3. Generate a Certificate Signing Request (CSR)

    4. In the command prompt, remain in <FMEFlowDir>\Utilities\jre\bin\ and run:

    keytool -certreq -keyalg RSA -alias <alias> -file <filename> -keystore tomcat.keystore -ext san="<san>"

    Specify the certificate signing request path to the <filename>, and update <alias> and <san> to match that set in step 1.

    Example:

    keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore tomcat.keystore -ext san="dns:fmeflow.example.org,dns:fmeflow"

  4. Obtain a Certificate

    5. Submit the CSR (for example, certreq.csr) generated in step 3 to your CA to obtain a certificate, according to your CA's instructions.

  5. Import the Certificate into the Keystore

    6. If you have multiple certificates, install them in the following order, and be sure to update the alias and certificate path for each.

    1. Import the root certificate (if you have one):

      2. keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file <path/certificate_filename>

    2. Import the intermediate certificate (If you have one):

      3. keytool -import -alias intermediate -keystore tomcat.keystore -trustcacerts -file <path/certificate_filename>

    3. Import the certificate:

      4. keytool -import -alias <alias> -keystore tomcat.keystore -trustcacerts -file <path/certificate_filename>

      Note  Use the same <alias> specified in step 1.
  6. Import the Keystore into FME Flow's trusted certificates

    7. In a command prompt, from <FMEFlowDir>\Utilities\jre\bin\, run the following command, specifying the srckeystore argument with your keystore file name, srcstorepass argument with the password from step 1, and <FMEFlowDir> as the location of the FME Flow installation folder..

    keytool -importkeystore -noprompt -srckeystore <tomcat.keystore> -destkeystore "<FMEFlowDir>\Utilities\jre\lib\security\cacerts" -deststorepass changeit -srcstorepass <password>

    Note  Ignore the warning that the destination type must default to jks.
  7. Back up the Tomcat XML Configuration Files

    8. Navigate to <FMEFlowDir>\Utilities\tomcat\conf and make backups of server.xml, web.xml, and context.xml. We recommend this step so that you can easily revert the configuration at any point if necessary.

  8. Configure server.xml
    1. Run a text editor as an administrator and open server.xml, located in <FMEFlowDir>\Utilities\tomcat\conf.
    2. Locate the <Connector> element that contains protocol="org.apache.coyote.http11.Http11NioProtocol" and replace the entire element with:

      3. Copy 
      <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
      port="443"
      minSpareThreads="5"
      enableLookups="true"
      disableUploadTimeout="true"
      acceptCount="100"
      maxThreads="200"
      maxHttpHeaderSize="16384"
      scheme="https"
      secure="true"
      SSLEnabled="true"
      maxParameterCount="1000"
      keystoreFile="<file>"
      keystorePass="<password>"
      clientAuth="false" sslEnabledProtocols="TLSv1.1,TLSv1.2"
      sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
      ciphers="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256,DHE-RSA-AES256-GCM-SHA384,DHE-RSA-AES128-GCM-SHA256,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-AES128-GCM-SHA256,DHE-RSA-AES256-SHA256,DHE-RSA-AES128-SHA256,ECDHE-RSA-AES256-SHA384,ECDHE-RSA-AES128-SHA256,ECDHE-RSA-AES256-SHA,ECDHE-RSA-AES128-SHA,DHE-RSA-AES256-SHA,DHE-RSA-AES128-SHA"
      URIEncoding="UTF8" />

      <Connector port="80" protocol="HTTP/1.1" redirectPort="443"/>

      Make sure to update the keystoreFile and keystorePass parameters to the keystore location and password set in step 1. For an example, see this server.xml reference. If the password contains invalid XML characters < > “ ' &, they must be escaped.

      Note  
      • To disable TLS 1.1, remove TLSv1.1, from the sslEnabledProtocols setting.
      • The list of ciphers is not exhaustive. If your certificate was generated with a different algorithm, the applicable cipher must be added. Any algorithms not in use can be safely removed from this list. For a full list of ciphers supported by Tomcat, see the Apache Tomcat 9.0.69 API Documentation.
    3. (Optional) To change the port for HTTPS communication, change 443 to the desired port, for both the port and redirectPort directives.
    4. Save and close the server.xml file.
  9. Configure web.xml
    1. Open web.xml, located in <FMEFlowDir>\Utilities\tomcat\conf.
    2. Add the following code block to the end of the file, just before the closing </web-app> element:

      3. <security-constraint>

      <web-resource-collection>

      <web-resource-name>HTTPSOnly</web-resource-name>

      <url-pattern>/*</url-pattern>

      </web-resource-collection>

      <user-data-constraint>

      <transport-guarantee>CONFIDENTIAL</transport-guarantee>

      </user-data-constraint>

      </security-constraint>

    3. Save and close the web.xml file.
  10. Configure context.xml
    1. Open context.xml, located in <FMEFlowDir>\Utilities\tomcat\conf.
    2. Add the following to the end of the file, just before the closing </context> element:

      3. <Valve className="org.apache.catalina.authenticator.SSLAuthenticator" disableProxyCaching="false" />

    3. Save and close the context.xml file.
  11. Update the FME Flow Web URL to Use HTTPS
    1. Run a text editor as an administrator and open files fmeFlowConfig.txt and fmeFlowWebApplicationConfig.txt.
    2. In both files, update the FME_SERVER_WEB_URL directive by changing http to https and change the port to the same one specified in step 8.
    3. Save and close the files.
  12. Verify the HTTPS Configuration
    1. Restart FME Flow.
    2. Open a web browser and navigate to https://localhost/. If you configured Tomcat to use a port other than the standard port 443, also specify the port (https://localhost:<port>).
    3. You should see the FME Flow login page in a secured format.
  13. Modify Service URLs to Use HTTPS

    14. To submit jobs on FME Flow via HTTPS, you must enable SSL for the FME Flow Web Services.

    1. In the FME Flow Web User Interface, open the Services page.
    2. Click Change All Hosts and, in the URL Pattern field, change HTTP to HTTPS. (FME Flow may have already set this change.) If required, modify the port number—typically SSL is configured on either port 8443 or 443. When finished, click OK.
    3. Run a sample workspace with the data download and job submitter services to confirm your FME Flow is working with HTTPS.

    Your FME Flow is now configured to work via HTTPS. However, if you are using the WebSocket Server or Integrated Windows Authentication, some additional steps are required.

  14. (Optional) Enable SSL on the WebSocket Server

    15. The FME Flow WebSocket Server supports insecure (ws://) or secure connections (wss://). This configuration is only required if you want to use the WebSocket Server or Topic Monitoring (legacy).

    1. Run a text editor as an administrator and open the fmeWebSocketConfig.txt file in your FME Flow installation directory (<FMEFlowDir>\Server).
    2. Set WEBSOCKET_ENABLE_SSL=true.
    3. Uncomment the WEBSOCKET_KEYSTORE_FILE_PATH directive and set it to reference the keystore file set in server.xml in step 8. For example:

      4. WEBSOCKET_KEYSTORE_FILE_PATH=<FMEFlowDir>/Utilities/tomcat/tomcat.keystore

      Note  Use forward slashes, which may be different from the path in server.xml.
    4. Uncomment the WEBSOCKET_KEYSTORE_FILE_PASSWORD directive and set it to reference the keystore file password set in server.xml in step 8. For example:

      5. WEBSOCKET_KEYSTORE_FILE_PASSWORD=password1

      Note  Do not enclose the password in quotes.
    5. Specify the same settings for the WEBSOCKET_ENABLE_SSL, WEBSOCKET_KEYSTORE_FILE_PATH, and WEBSOCKET_KEYSTORE_FILE_PASSWORD directives in the following files:
      • <FMEFlowDir>\Server\config\subscribers\websocket.properties
      • <FMEFlowDir>\Server\config\publishers\websocket.properties
    6. In the following files, update the protocol in the value property of the PROPERTY directive from "ws:" to "wss:"
      • <FMESharedResourceDir>\localization\publishers\websocket\publisherProperties.xml
      • <FMESharedResourceDir>\localization\subscribers\websocket\subscriberProperties.xml
        • Note  <FMESharedResourceDir> refers to the location of the FME Flow System Share, specified during installation.
    7. Run the following .bat files, located in <FMEFlowDir>\Clients\utilities:
      • addPublishers.bat
      • addSubscribers.bat
    8. Restart FME Flow.
    9. To test that the configuration is complete, run jobs and view Topic Monitoring.
  15. (Optional) Update the SSO Authentication URL to use HTTPS
    16. Note  This step is applicable only if you want to use Integrated Windows Authentication (single sign-on) to access the FME Flow Web Interface.
    1. Run a text editor as an administrator and open the fmeserver propertiesFile.properties, located in <FMEFlowDir>\Utilities\tomcat\webapps\fmeserver\WEB-INF\conf\.
    2. Locate the SINGLE_SIGN_ON_AUTH_URL parameter, and update the host name and port portion of the URL to match the host name through which the FME Flow Web User Interface is accessed.

      3. For example:

      SINGLE_SIGN_ON_AUTH_URL=https://<MyFMEFlowHost>:443/fmetoken/sso/generate

FME Flow on Linux includes an NGINX reverse proxy that allows easy SSL configuration and the ability to choose ports under 1024 without root permission. HTTPS is configured on the NGINX reverse proxy rather than the Apache Tomcat web application server.

  1. Create a directory for the certificate:

    2. sudo mkdir /etc/nginx/ssl

  2. Place a certificate and key in the new directory.
    • If you are using a certificate issued by a certificate authority (CA), you will need the certificate or certificate bundle (.crt) and certificate key (.key).

    • If you are using a .pfx or .p12 certificate, you must convert it into .crt and .key format. For more information, see Configuring FME Flow for HTTPS in the FME Community.

    • Alternatively, you can generate a self-signed SSL certificate and keystore with the following command:

      • sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/<KeyName>.key -out /etc/nginx/ssl/<CertName>.crt

      Replace <KeyName> and <CertName> with the key and certificate filenames, respectively, For example, nginx.key and nginx.crt.

  3. Enable Diffie-Hellman key exchange:

    4. sudo openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048

    sudo chmod 400 /etc/nginx/ssl/dhparam.pem

  4. Open file /etc/nginx/conf.d/fmeflow.conf.
  5. Uncomment the server block that contains instructions to listen on port 80 and redirect to port 443. This block should appear similar to the following:

    6. # Redirect from 80 to 443 when SSL is enabled

    server {

    listen 80;

    server_name <<hostname>>;

     

    location / {

    return 301 https://$host$request_uri;

    }

    }

  6. In the main server block, comment the line with instructions to listen on port 80, and uncomment the lines that instruct to listen on port 443 with SSL and include the SSL configuration. When complete, these lines should appear as follows:

    7. #listen 80;

    listen 443 ssl;

    include /etc/nginx/fmeflow/ssl.conf;

  7. In the websocket server block, comment and uncomment the applicable lines to ensure that listening occurs on port 7078 with SSL. When complete, these lines should appear as follows:

    8. #listen 7078;

    listen 7078 ssl;

    include /etc/nginx/fmeflow/ssl.conf;

  8. Save and close the file.
  9. Open file /etc/nginx/fmeflow/ssl.conf and make sure the SSL certificate and key are pointed to the correct name and directory of your certificate, as defined in steps 1 and 2.
  10. Reload the NGINX configuration:

    11. service nginx reload

  11. Open file server.xml as administrator. This file is located in <FMEFlowDir>\Utilities\tomcat\conf.
  12. Update the proxyPort directive to 443:

    13. proxyPort="443"

  13. Update the scheme directive to https:

    14. scheme="https"

  14. Save and close the file.
  15. Open the following configuration file: /opt/fmeflow/Utilities/tomcat/webapps/fmeserver/WEB-INF/conf/propertiesFile.properties
  16. Update the WEB_SOCKET_SERVER_PORT directive to 443:

    17. WEB_SOCKET_SERVER_PORT=443

  17. Save and close the file.
  18. Update the FME Flow Web URL to use HTTPS:
    1. Run a text editor as an administrator and open files fmeFlowConfig.txt and fmeFlowWebApplicationConfig.txt.
    2. At the end of both files, under FME SERVER SETTINGS START > Port and Host Assignments, update the FME_SERVER_WEB_URL directive from http to https, and change the port to the same one specified in step 2.
    3. Save and close the files.
  19. Restart FME Flow.

See Also