Installing SSL into the Interface Engine

Owned by AlexI (Unlicensed)
Last updated: Jul 14, 2014

Overview

It is possible to encrypt all communications between Infinit.e and its clients using SSLv3 (TLSv1).

It is not currently possible for some operations (eg authentication) to be encrypted and others (eg document access) to be cleartext (and faster) - everything or nothing must be encrypted.

The following steps are necessary:

  • Create a certificate
  • Get the certificates signed by a Trusted 3rd Party (in theory this is optional, though most browser/Java-based clients will not connect to a self-signed certificate)
  • Either
    • Configure the tomcat server (via the "infinite.configuration.properties" file) to support SSL
    • Drop the required certificates (for your domain and various authorities) into the tomcat home directory ("/usr/tomcat6/share", see below)
  • Or: For EC2 installs using a load-balancer, upload the certificate to EC2.

Creating a certificate

There is nothing Infinit.e-specific about certificate creation. The systems administrator should consult other help sources for certificate creation.

This web-page provides a good overview of certificate creation in practice (for getting it signed by a 3rd party, see the next section).

Getting a certificate signed

Again, there is nothing Infinit.e-specific about SSL certificate creation. A systems administrator will have to chose a Trusted Authority in order to get their certificate signed once the certificate has been generated.

The chosen Trusted Authority will likely have instructions on their website, as an example, here is GoDaddy's (which we successfully followed for *.ikanow.com).

Integration with Infinit.e

The official tomcat6 documentation is here.

The infinite.configuration.properties file has the following parameter:

# (1.9)
ssl.passphrase=

The following settings should also be updated to use the new "https://" addresses.

# (1.4)
url.root=
# (1.14)
ui.end.point.url=

The keystore generated under "Creating a certificate" should be named "tomcat.keystore" and moved into "/usr/tomcat/share" on each machine running an Interface Engine. The file should be owned by the tomcat user. The Interface Engine can then be restarted ("service tomcat6-interface-engine restart").

Finally, if the deployment is in the Amazon AWS Cloud, and a load balancer is used for resilience/performance, then the load balancer needs to be reconfigured to use HTTPS (including uploading a certificate). This process is described here.

Copyright © 2012 IKANOW, All Rights Reserved | Licensed under Creative Commons