Configuring HTTPS by APR

Configuring HTTPS encryption using the APR method has the following steps:

  1. Download and install OpenSSL

Download OpenSSL from the OpenSSL Web site (http://www.openssl.org/), OpenSSL for Windows can be used on the Windows platform.

  2. Add a system environment variable

Add the bin directory for OpenSSL to your system's PATH environment variable, such as D:\openssl-win64\bin.

  3. Obtain a certificate. In the development and test environment, follow step 3.1; in the production environment, follow step 3.2.

3.1 In the development and test environment, use OpenSSL to generate a private key and then create a self-signed certificate that uses that private key.

Go to OpenSSL/bin, open a command line window, and enter the following command to create a private key for Tomcat:

openssl genrsa -des3 -out D:\tomcatkey.pem 2048

When prompted, enter a passphrase (for example "123456") and repeat it to confirm. A private key named tomcatkey.pem is then generated; D:\tomcatkey.pem is the path of the private key.

After creating the private key, you also need to create a certificate. Also in the command line window of OpenSSL/bin, execute the following command:

openssl req -new -x509 -key D:\tomcatkey.pem -out D:\tomcatcert.pem -days 1095

When prompted, enter the passphrase of tomcatkey.pem (here "123456", as specified when the private key was created) and the requested certificate information. A self-signed certificate valid for 3 years (1095 days), tomcatcert.pem, is generated using the private key tomcatkey.pem; D:\tomcatcert.pem is the path of the certificate.

3.2 In the production environment, you need to generate a certificate signing request (CSR) file and then obtain an SSL certificate signed by an official CA.

Enter OpenSSL/bin, open the command line, and execute the following command to generate the certificate signing request CSR file:

openssl req -new -nodes -sha256 -newkey rsa:2048 -keyout [$Key_File] -out [$OpenSSL_CSR]

For example:

openssl req -new -nodes -sha256 -newkey rsa:2048 -keyout D:\key.key -out D:\key.csr

Enter the information requested by the prompts to obtain the CSR file. Then submit the CSR, together with any other information the CA requires, to obtain the SSL certificate signed by the CA. Decompress the certificate package you receive to obtain the certificate file (for example, D:/certifile.pfx) and the password file (for example, D:/certifile.txt).

  4. Convert the certificate format. The APR configuration mode only supports certificates in PEM encoding, so the .pfx certificate issued by the CA must be converted to a .crt certificate as follows:

Enter OpenSSL/bin, open the command line, and execute the following commands in turn:

openssl pkcs12 -in D:/certifile.pfx -nodes -out D:/certifile.pem

OpenSSL then prompts for the certificate password; enter the password given in the password file provided by the CA (for example, D:/certifile.txt).

openssl rsa -in D:/certifile.pem -out D:/certifile.key

openssl x509 -in D:/certifile.pem -out D:/certifile.crt

  5. Modify the SuperMap iServer installation directory/conf/server.xml config file to enable SSL.

a) Find the following content. It is recommended to comment it out so that plain HTTP is disabled:

<Connector port="8090" protocol="HTTP/1.1"
         relaxedQueryChars="[]|{}"
         relaxedPathChars="[]|{}"
         connectionTimeout="8000"
         redirectPort="8453"
         executor="tomcatThreadPool" 
         enableLookups="false"
         URIEncoding="utf-8"
         compression="on"
         compressionMinSize="2048"
         compressableMimeType="text/html,text/xml,text/plain,text/javascript,text/css,application/javascript,application/xml,application/json,application/rjson"
/>

b) Add the following code after it:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
                   SSLEnabled="true"
                   maxThreads="150"
                   scheme="https"
                   secure="true"
                   URIEncoding="utf-8"
                   clientAuth="false"
                   SSLCertificateFile="${user.home}/${SSLCertificateFile}"
                   SSLCertificateKeyFile="${user.home}/${SSLCertificateKeyFile}"
                   SSLPassword="123456"
                   sslProtocol="TLS"
                   sslEnabledProtocols="TLSv1.2"/>

Note that SSLCertificateFile must be the actual absolute path of the certificate file: in the development and test environment, the generated self-signed server certificate, for example 'D:/tomcatcert.pem'; in the production environment, the CA-issued certificate, for example 'D:/certifile.crt'. SSLCertificateKeyFile must be the actual absolute path of the certificate's private key file: in the development and test environment, the generated private key file, for example 'D:/tomcatkey.pem'; in the production environment, the real private key file, for example 'D:/certifile.key'. SSLPassword is the passphrase of the private key file; if the private key file is not encrypted, this attribute can be omitted.

  6. Modify the iserver-system.xml config file (located in the SuperMap iServer installation directory/webapps/iserver/WEB-INF directory) and find the following <hosts> node:

<hosts>
        <host cacheEnabled="true" port="8090" type="webapp" uriBase="/services">
          <interface-type>com.supermap.services.wms.WMSServlet</interface-type>
          <interface-type>com.supermap.services.rest.RestServlet</interface-type>
          <interface-type>com.supermap.services.handler.HandlerServlet</interface-type>
          <interface-type>com.supermap.services.wfs.WFSServlet</interface-type>
          <interface-type>com.supermap.services.wmts.WMTSServlet</interface-type>
          <interface-type>com.supermap.services.wcs.WCSServlet</interface-type>
          <interface-type>com.supermap.services.wps.WPSServlet</interface-type>
        </host>
      </hosts>  

Change the value of the port attribute in the <host> node to "8443" and add the protocolScheme attribute with the value "https", as follows:

<hosts>
        <host cacheEnabled="true" port="8443" protocolScheme="https" type="webapp" uriBase="/services">
          <interface-type>com.supermap.services.wms.WMSServlet</interface-type>
          <interface-type>com.supermap.services.rest.RestServlet</interface-type>
          <interface-type>com.supermap.services.handler.HandlerServlet</interface-type>
          <interface-type>com.supermap.services.wfs.WFSServlet</interface-type>
          <interface-type>com.supermap.services.wmts.WMTSServlet</interface-type>
          <interface-type>com.supermap.services.wcs.WCSServlet</interface-type>
          <interface-type>com.supermap.services.wps.WPSServlet</interface-type>
        </host>
      </hosts> 

  7. After configuring SSL, to avoid the "missing Secure attribute in Cookie" security issue, the Secure attribute can be added through the middleware. Taking Tomcat as an example, in the SuperMap iServer installation directory/conf/web.xml, find the following configuration:

<session-config>
      <session-timeout>30</session-timeout>
</session-config>

Add a <cookie-config> element, so that it reads:

<session-config>
      <session-timeout>30</session-timeout>
      <cookie-config>
            <http-only>true</http-only>
            <secure>true</secure>
      </cookie-config>
</session-config>

  8. Restart Tomcat. Web applications such as https://localhost:8443/iserver/manager can now be accessed over HTTPS on port 8443.
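As an added check that is not part of the original page or of SuperMap iServer, the following Python script audits a server.xml fragment and a web.xml fragment for the settings that steps 5 and 7 change: a plain HTTP connector left enabled, weak TLS versions in sslEnabledProtocols, a TLS connector without scheme/secure, a clear-text SSLPassword, and a missing cookie-config. The XML samples are constructed for this example; the attribute and element names are Tomcat's as used on this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample of server.xml after step 5 with the plain HTTP connector left
# uncommented and an extra TLSv1 entry in sslEnabledProtocols.
SERVER_XML = """<Service name="Catalina">
  <Connector port="8090" protocol="HTTP/1.1" redirectPort="8453"/>
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
             SSLEnabled="true" scheme="https" secure="true"
             SSLCertificateFile="D:/certifile.crt"
             SSLCertificateKeyFile="D:/certifile.key"
             SSLPassword="123456" sslProtocol="TLS"
             sslEnabledProtocols="TLSv1,TLSv1.2"/>
</Service>"""

# Constructed sample of web.xml before step 7 (no <cookie-config> yet).
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <session-config><session-timeout>30</session-timeout></session-config>
</web-app>"""

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def _local(tag):
    """Strip an XML namespace prefix: '{uri}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]

def audit_server_xml(text):
    """Return a list of findings for the Connector elements in a server.xml fragment."""
    findings = []
    for c in ET.fromstring(text).iter("Connector"):  # commented-out connectors are skipped
        port = c.get("port")
        if c.get("SSLEnabled", "false").lower() != "true":
            findings.append(f"plain HTTP connector on port {port} is still enabled")
            continue
        if c.get("scheme") != "https" or c.get("secure") != "true":
            findings.append(f"TLS connector {port}: scheme/secure must be https/true")
        enabled = {p.strip() for p in c.get("sslEnabledProtocols", "").split(",")}
        if enabled & WEAK_PROTOCOLS:
            findings.append(f"TLS connector {port}: weak protocols {sorted(enabled & WEAK_PROTOCOLS)}")
        if c.get("SSLPassword"):  # passphrase readable by anyone who can read server.xml
            findings.append(f"TLS connector {port}: key passphrase stored in clear text")
    return findings

def audit_web_xml(text):
    """Return findings for the session <cookie-config> in web.xml (namespace-agnostic)."""
    flags = {}
    for el in ET.fromstring(text).iter():
        if _local(el.tag) in ("http-only", "secure"):
            flags[_local(el.tag)] = (el.text or "").strip().lower() == "true"
    return [f"session cookie missing {n}=true" for n in ("http-only", "secure") if not flags.get(n)]
```

Run it against the real conf/server.xml and conf/web.xml after restarting Tomcat; an empty list from both functions means the settings from steps 5 and 7 are in place.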