Configuring HTTPS by JSSE

Configuring HTTPS encryption with JSSE involves the following steps:

  1. Generate the server certificate (key pair)

Use the Keytool tool to generate the server certificate:

keytool -genkey -alias [$Alias] -keyalg RSA -dname "[$dname]" -keystore [$Keytool_Path]

where [$Alias] is the alias under which the key is stored, [$dname] is the distinguished name to put in the certificate, and [$Keytool_Path] is the path of the keystore file to create.

For example:

keytool -genkey -alias tomcat -keyalg RSA -dname "cn=supermap.iserver.org,ou=localhost,o=localhost,l=china,st=sichuan,c=cn" -keystore D:\key.keystore

When prompted for a password (Tomcat's deployment default is "changeit"), you can enter "123456", fill in the requested information, and confirm.

  2. Generate the certificate signing request (CSR) file

In a development or test environment, skip this step and continue with the following steps.

In a production environment, you need to generate a certificate signing request (CSR) file and use it to obtain an SSL certificate signed by an official CA.

Generate the CSR file with the following command:

keytool -certreq -sigalg SHA256withRSA -alias tomcat -keystore D:\key.keystore -file D:\key.csr

Provide the CSR and any other information the official CA requires, and obtain the SSL certificate signed by the CA. Decompress the downloaded certificate package to obtain the certificate file (for example, D:/certifile.pfx) and the password file (for example, D:/certifile.txt).

  3. Modify the server.xml configuration file in the SuperMap iServer installation directory/conf to enable SSL

A) Comment out the following configuration so that APR is not used:

<!--APR library loader. Documentation at /docs/apr.html -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

B) Locate the configuration of the SSL HTTP/1.1 Connector, that is:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
        maxThreads="150" SSLEnabled="true">
        …
</Connector>

Remove the comment markers around it and change it as follows:

<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" 
         port="8443" 
         relaxedQueryChars="[]|{}" 
         relaxedPathChars="[]|{}"
         maxThreads="200" 
         scheme="https" 
         secure="true" 
         SSLEnabled="true"
         keystoreFile="${user.home}/${keystoreFile}" 
         keystorePass="证书密码"
         clientAuth="false" 
         sslProtocol="TLS"
         sslEnabledProtocols="TLSv1.2"
         URIEncoding="utf-8" />

Note that "keystoreFile" must be the actual absolute path of the certificate file: in the development test environment, the generated server certificate, for example "D:/key.keystore"; in the production environment, the real certificate obtained from the CA, for example "D:/certifile.pfx". Set "keystorePass" to the password chosen when the certificate was generated, for example "123456" in the development test environment, or the contents of the "certifile.txt" password file in the production environment.

C) It is recommended that you turn off HTTP, that is, comment out the following in server.xml:

<Connector port="8090" protocol="HTTP/1.1"
         relaxedQueryChars="[]|{}"
         relaxedPathChars="[]|{}"
         connectionTimeout="8000"
         redirectPort="8453"
         executor="tomcatThreadPool" 
         enableLookups="false"
         URIEncoding="utf-8"
         compression="on"
         compressionMinSize="2048"
         compressableMimeType="text/html,text/xml,text/plain,text/javascript,text/css,application/javascript,application/xml,application/json,application/rjson"
/>

  4. Modify the iserver-system.xml configuration file (located in the SuperMap iServer installation directory/webapps/iserver/WEB-INF directory) and find the <hosts> node in it:

<hosts>
  <host cacheEnabled="true" port="8090" type="webapp" uriBase="/services">
    <interface-type>com.supermap.services.wms.WMSServlet</interface-type>
    <interface-type>com.supermap.services.rest.RestServlet</interface-type>
    <interface-type>com.supermap.services.handler.HandlerServlet</interface-type>
    <interface-type>com.supermap.services.wfs.WFSServlet</interface-type>
    <interface-type>com.supermap.services.wmts.WMTSServlet</interface-type>
    <interface-type>com.supermap.services.wcs.WCSServlet</interface-type>
    <interface-type>com.supermap.services.wps.WPSServlet</interface-type>
  </host>
</hosts>

Change the value of the port attribute in the <host> node to "8443" and add a protocolScheme attribute with the value "https", as follows:

<hosts>
  <host cacheEnabled="true" port="8443" protocolScheme="https" type="webapp" uriBase="/services">
    <interface-type>com.supermap.services.wms.WMSServlet</interface-type>
    <interface-type>com.supermap.services.rest.RestServlet</interface-type>
    <interface-type>com.supermap.services.handler.HandlerServlet</interface-type>
    <interface-type>com.supermap.services.wfs.WFSServlet</interface-type>
    <interface-type>com.supermap.services.wmts.WMTSServlet</interface-type>
    <interface-type>com.supermap.services.wcs.WCSServlet</interface-type>
    <interface-type>com.supermap.services.wps.WPSServlet</interface-type>
  </host>
</hosts>

  5. After configuring SSL, to avoid the "missing Secure attribute in cookie" vulnerability, the Secure attribute can be added by the middleware. Taking Tomcat as an example, in the SuperMap iServer installation directory/conf/web.xml, find the following configuration:

<session-config>
      <session-timeout>30</session-timeout>
</session-config>

Add a <cookie-config> element so that it reads:

<session-config>
      <session-timeout>30</session-timeout>
      <cookie-config>
            <http-only>true</http-only>
            <secure>true</secure>
      </cookie-config>
</session-config>

  6. Restart Tomcat; web applications such as https://localhost:8443/iserver/manager can now be accessed over HTTPS on port 8443.
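Before restarting, the settings changed in steps 3 to 5 can be checked mechanically. The following script is an added example, not SuperMap or Tomcat code: it parses server.xml and web.xml and reports a plain HTTP connector left enabled, an SSL connector whose keystoreFile is still the template placeholder, protocols other than TLSv1.2/TLSv1.3 (an assumed policy), and a session cookie without the Secure and HttpOnly flags. The XML samples are constructed from the fragments on this page.

```python
"""Audit Tomcat server.xml and web.xml for the HTTPS settings in this procedure.
Added example, not SuperMap or Tomcat code; the XML samples below are constructed."""
import xml.etree.ElementTree as ET

# Assumed policy: only these protocol names may appear in sslEnabledProtocols.
ACCEPTED_TLS = {"TLSv1.2", "TLSv1.3"}

def audit_server_xml(xml_text):
    """Return findings for every Connector in a server.xml document."""
    findings = []
    for c in ET.fromstring(xml_text).iter("Connector"):
        port = c.get("port", "?")
        if c.get("SSLEnabled", "false").lower() != "true":
            findings.append(f"port {port}: plain HTTP connector still enabled")
            continue
        if c.get("scheme") != "https" or c.get("secure", "false").lower() != "true":
            findings.append(f"port {port}: scheme/secure not set on SSL connector")
        protos = {p.strip() for p in c.get("sslEnabledProtocols", "").split(",") if p.strip()}
        if not protos or not protos <= ACCEPTED_TLS:
            findings.append(f"port {port}: sslEnabledProtocols must list only TLSv1.2/TLSv1.3")
        ks = c.get("keystoreFile", "")
        if not ks or "${" in ks:  # template placeholder such as ${keystoreFile} never replaced
            findings.append(f"port {port}: keystoreFile is missing or still a placeholder")
    return findings

def audit_web_xml(xml_text):
    """Return findings for the session cookie flags in web.xml (namespace-agnostic)."""
    local = lambda el: el.tag.rsplit("}", 1)[-1]  # strip the {namespace} prefix
    cfg = [e for e in ET.fromstring(xml_text).iter() if local(e) == "cookie-config"]
    if not cfg:
        return ["session-config has no cookie-config: Secure/HttpOnly flags missing"]
    flags = {local(e): (e.text or "").strip().lower() for e in cfg[0]}
    return [f"cookie-config: {n} is not true" for n in ("secure", "http-only")
            if flags.get(n) != "true"]

# Constructed "before" state: HTTP still on, keystoreFile left as the template placeholder.
SERVER_XML_BEFORE = """<Server><Service>
<Connector port="8090" protocol="HTTP/1.1" redirectPort="8453"/>
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
 scheme="https" secure="true" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"
 keystoreFile="${user.home}/${keystoreFile}" clientAuth="false"/>
</Service></Server>"""
# Constructed "after" state: HTTP connector commented out, real keystore path filled in.
SERVER_XML_AFTER = (SERVER_XML_BEFORE
    .replace('<Connector port="8090" protocol="HTTP/1.1" redirectPort="8453"/>', "<!-- HTTP off -->")
    .replace("${user.home}/${keystoreFile}", "D:/key.keystore"))
WEB_XML_BEFORE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><session-config>
<session-timeout>30</session-timeout></session-config></web-app>"""
WEB_XML_AFTER = WEB_XML_BEFORE.replace("</session-config>", "<cookie-config><http-only>true"
    "</http-only><secure>true</secure></cookie-config></session-config>")
```

Run audit_server_xml and audit_web_xml on the real files from the installation directory; an empty list from both means the connector, keystore path, protocol list and cookie flags match this procedure.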