Open a text editor and copy the example script below, replacing the argument values with your own.

Note: The storepass and keypass arguments must be the same and at least 6 characters.

```
keytool -genkey -noprompt -keyalg RSA -keystore tomcat.keystore -alias <alias> -dname "<dname>" -storepass <storepass> -keypass <keypass> -ext san="<san>" -deststoretype pkcs12
```
Keytool Arguments

| Argument | Description |
|---|---|
| genkey | The keytool program command to generate a new keystore. |
| noprompt | Using this argument in the command removes any interaction with the user. |
| keyalg | The algorithm to generate a private/public key pair. |
| keystore | The keystore file name. |
| deststoretype | Keystore type, pkcs12 or jks. |
| dname | The CN name, Organization Unit, Organization, Location (city), State, and two-letter country code. The distinguished name is a set of values used to create the certificate and should be entered as you would like them to be presented to FME Server users and visitors. |
| storepass, keypass | The password of the key and keystore. The value must be a minimum of six characters and must be the same for both arguments. |
| ext san | The subject alternative name is a structured way to indicate all of the domain names and IP addresses that are secured by the certificate. |
| alias | The name of the key inside the keystore being created. |
Example:

```
keytool -genkey -noprompt -keyalg RSA -keystore tomcat.keystore -alias tomcat -dname "CN=fmeserver.example.org, OU=support, O=SafeSoftware, L=Surrey, S=BC, C=CA" -storepass password1 -keypass password1 -ext san="dns:fmeserver.example.org,dns:fmeserver" -deststoretype pkcs12
```
- Open a command prompt as administrator and navigate to the FME Server installation Java bin directory:

  ```
  cd <FMEServerDir>\Utilities\jre\bin\
  ```

  Where <FMEServerDir> is the location of the FME Server installation folder.
- Execute the command created in step 1.

In the command prompt, remain in <FMEServerDir>\Utilities\jre\bin\ and run:
```
keytool -certreq -keyalg RSA -alias <alias> -file <filename> -keystore tomcat.keystore
```

Specify the certificate signing request path and filename, and update the alias to match the one set in step 1.

Example:

```
keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore tomcat.keystore
```
Submit the CSR (for example, certreq.csr) generated in step 3 to your CA to obtain a certificate, according to your CA's instructions.
If you have multiple certificates, install them in the following order, and be sure to update the alias and certificate path for each.
- Import the root certificate (if you have one):

  ```
  keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file <path/certificate_filename>
  ```

- Import the intermediate certificate (if you have one):

  ```
  keytool -import -alias intermediate -keystore tomcat.keystore -trustcacerts -file <path/certificate_filename>
  ```

- Import the certificate:

  ```
  keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file <path/certificate_filename>
  ```
In a command prompt, from <FMEServerDir>\Utilities\jre\bin\, use the following command to import the keystore into FME Server's trusted certs, specifying the srcstorepass argument with the password from step 1.

```
keytool -importkeystore -noprompt -srckeystore tomcat.keystore -destkeystore "<FMEServerDir>\Utilities\jre\lib\security\cacerts" -deststorepass changeit -srcstorepass <password>
```
Note: Ignore the warning that the destination type must default to jks.
Navigate to <FMEServerDir>\Utilities\tomcat\conf and make backups of server.xml, web.xml, and context.xml. We recommend this step so that you can easily revert the configuration at any point if necessary.
- Run a text editor as an administrator and open server.xml, located in <FMEServerDir>\Utilities\tomcat\conf.
- Locate the SSLEngine setting in the <Listener> element whose className is "org.apache.catalina.core.AprLifecycleListener" and change its value from "on" to "off".
- Locate the <Connector> element that contains protocol="org.apache.coyote.http11.Http11NioProtocol" and replace the entire element with:

  ```xml
  <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
             port="443"
             minSpareThreads="5"
             enableLookups="true"
             disableUploadTimeout="true"
             acceptCount="100"
             maxThreads="200"
             maxHttpHeaderSize="16384"
             scheme="https"
             secure="true"
             SSLEnabled="true"
             keystoreFile="<file>"
             keystorePass="<password>"
             clientAuth="false"
             sslEnabledProtocols="TLSv1.1,TLSv1.2"
             sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
             ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"
             URIEncoding="UTF8" />
  <Connector port="80" protocol="HTTP/1.1" redirectPort="443"/>
  ```

  Make sure to update the keystoreFile and keystorePass parameters to the keystore location and password set in step 1. For an example, see this server.xml reference.
- (Optional) To change the port for HTTPS communication, change 443 to the desired port in both the port and redirectPort attributes.
- Save and close the server.xml file.
- Open web.xml, located in <FMEServerDir>\Utilities\tomcat\conf.
- Add the following code block to the end of the file, just before the closing </web-app> element:

  ```xml
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HTTPSOnly</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  ```

- Save and close the web.xml file.
- Open context.xml, located in <FMEServerDir>\Utilities\tomcat\conf.
- Add the following to the end of the file, just before the closing </Context> element:

  ```xml
  <Valve className="org.apache.catalina.authenticator.SSLAuthenticator" disableProxyCaching="false" />
  ```

- Save and close the context.xml file.
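Before restarting, it is worth confirming that the three edits above actually landed in the files and that the connector does not carry protocol or cipher choices you did not intend. The Python check below is an added example written for this page; it is not part of FME Server, Tomcat or the original guide. The XML samples embedded in it are constructed, and the keystore path and the password `password1` in them are placeholders, not values from any installation.

```python
"""Check the Tomcat files this guide edits (server.xml, web.xml, context.xml)
for the HTTPS settings it asks for, and flag weak TLS choices in the connector.
Added example for this page; not part of FME Server, Tomcat or the guide."""
import os
import xml.etree.ElementTree as ET

NIO = "org.apache.coyote.http11.Http11NioProtocol"
SSL_AUTHENTICATOR = "org.apache.catalina.authenticator.SSLAuthenticator"
# Retired by RFC 6176 (SSLv2), RFC 7568 (SSLv3) and RFC 8996 (TLS 1.0 and 1.1).
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def _csv(value):
    """Split a comma-separated attribute such as ciphers= into a clean list."""
    return [v.strip() for v in (value or "").split(",") if v.strip()]


def check_server_xml(text):
    """Return a list of findings for the HTTPS <Connector>; an empty list means clean."""
    findings = []
    root = ET.fromstring(text)
    connectors = list(root.iter("Connector"))
    https = [c for c in connectors if c.get("SSLEnabled") == "true"]
    if not https:
        return ['no <Connector> with SSLEnabled="true" found']
    conn = https[0]
    if conn.get("protocol") != NIO:
        findings.append("HTTPS connector protocol is not " + NIO)
    if conn.get("scheme") != "https" or conn.get("secure") != "true":
        findings.append('HTTPS connector needs scheme="https" and secure="true"')
    keystore = conn.get("keystoreFile", "")
    if not keystore:
        findings.append("keystoreFile is not set")
    elif not os.path.isfile(keystore):
        findings.append("keystoreFile not found on disk: " + keystore)
    if len(conn.get("keystorePass", "")) < 6:  # the guide's minimum password length
        findings.append("keystorePass is missing or shorter than 6 characters")
    for proto in _csv(conn.get("sslEnabledProtocols")):
        if proto in DEPRECATED_PROTOCOLS:
            findings.append("deprecated protocol enabled: " + proto)
    for suite in _csv(conn.get("ciphers")):
        if "3DES" in suite or "RC4" in suite or "_NULL_" in suite or suite.startswith("SSL_"):
            findings.append("weak cipher suite enabled: " + suite)
        elif suite.startswith("TLS_RSA_"):
            findings.append("no forward secrecy (static RSA key exchange): " + suite)
    # Every other connector (the plain-HTTP one on port 80) must redirect to the HTTPS port.
    for c in connectors:
        if c is not conn and c.get("redirectPort") != conn.get("port"):
            findings.append("connector on port %s does not redirect to HTTPS port %s"
                            % (c.get("port"), conn.get("port")))
    # SSLEngine must be "off" on the APR listener so the JSSE connector above is used.
    for listener in root.iter("Listener"):
        if listener.get("className", "").endswith("AprLifecycleListener") \
                and listener.get("SSLEngine") != "off":
            findings.append('AprLifecycleListener SSLEngine is not "off"')
    return findings


def check_web_xml(text):
    """True if a security-constraint forces CONFIDENTIAL transport for /*."""
    root = ET.fromstring(text)
    for el in root.iter():  # web.xml usually declares a namespace; drop it for simple lookups
        el.tag = el.tag.split("}")[-1]
    for sc in root.iter("security-constraint"):
        patterns = [p.text.strip() for p in sc.iter("url-pattern") if p.text]
        guarantee = sc.find("user-data-constraint/transport-guarantee")
        if "/*" in patterns and guarantee is not None \
                and (guarantee.text or "").strip() == "CONFIDENTIAL":
            return True
    return False


def check_context_xml(text):
    """True if context.xml carries the SSLAuthenticator valve from the guide."""
    root = ET.fromstring(text)
    return any(v.get("className") == SSL_AUTHENTICATOR for v in root.iter("Valve"))


# Constructed samples (placeholder path and password, not a real installation).
SAMPLE_SERVER_XML = """<Server>
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="off" />
  <Service name="Catalina">
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="443"
      scheme="https" secure="true" SSLEnabled="true"
      keystoreFile="C:/FMEServer/Utilities/tomcat/tomcat.keystore" keystorePass="password1"
      clientAuth="false" sslEnabledProtocols="TLSv1.1,TLSv1.2"
      ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,SSL_RSA_WITH_3DES_EDE_CBC_SHA"
      URIEncoding="UTF8" />
    <Connector port="80" protocol="HTTP/1.1" redirectPort="443"/>
  </Service>
</Server>"""
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection><web-resource-name>HTTPSOnly</web-resource-name>
      <url-pattern>/*</url-pattern></web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""
SAMPLE_CONTEXT_XML = """<Context>
  <Valve className="org.apache.catalina.authenticator.SSLAuthenticator" disableProxyCaching="false" />
</Context>"""

if __name__ == "__main__":
    for finding in check_server_xml(SAMPLE_SERVER_XML):
        print("server.xml:", finding)
    print("web.xml forces HTTPS for /*:", check_web_xml(SAMPLE_WEB_XML))
    print("context.xml has SSLAuthenticator valve:", check_context_xml(SAMPLE_CONTEXT_XML))
```

Run against the connector from this guide, the check reports TLSv1.1 as deprecated, SSL_RSA_WITH_3DES_EDE_CBC_SHA as weak (64-bit block cipher) and the TLS_RSA_* suites as lacking forward secrecy; those are facts about the suites, not defects in the guide, so keep them enabled only if you still have clients that need them. The keystoreFile check opens the path from the attribute, so run the script on the server itself.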
a. Run a text editor as an administrator and open fmeServerConfig.txt.
b. Update the FME_SERVER_WEB_URL directive by changing http to https and change the port to the same one specified in step 8.
c. Save and close the file.
- Restart FME Server.
- Open a web browser and navigate to https://localhost/. If you configured Tomcat to use a port other than the standard port 443, also specify the port (https://localhost:<port>).
- You should see the FME Server login page, served over HTTPS.
To submit jobs on FME Server via HTTPS, you must enable SSL for the FME Server Web Services.
- In the FME Server Web User Interface, open the Services page.
- Click Change All Hosts and, in the URL Pattern field, change HTTP to HTTPS (FME Server may have already made this change). If required, modify the port number; typically SSL is configured on either port 8443 or 443. When finished, click OK.
- Run a sample workspace with the data download and job submitter services to confirm your FME Server is working with HTTPS.
Your FME Server is now configured to work via HTTPS. However, if you are using the WebSocket Server or Integrated Windows Authentication, some additional steps are required.
The FME Server WebSocket Server supports insecure (ws://) or secure connections (wss://). This configuration is only required if you want to use the WebSocket Server or Topic Monitoring (legacy).
- Run a text editor as an administrator and open the fmeWebSocketConfig.txt file in your FME Server installation directory (<FMEServerDir>\Server).
- Set WEBSOCKET_ENABLE_SSL=true.
- Uncomment the WEBSOCKET_KEYSTORE_FILE_PATH directive and set it to reference the keystore file set in server.xml in step 8. For example:

  ```
  WEBSOCKET_KEYSTORE_FILE_PATH=<FMEServerDir>/Utilities/tomcat/tomcat.keystore
  ```

  Note: Use forward slashes, which may be different from the path in server.xml.
- Uncomment the WEBSOCKET_KEYSTORE_FILE_PASSWORD directive and set it to reference the keystore file password set in server.xml in step 8. For example:

  ```
  WEBSOCKET_KEYSTORE_FILE_PASSWORD=password1
  ```

  Note: Do not enclose the password in quotes.
- Specify the same settings for the WEBSOCKET_ENABLE_SSL, WEBSOCKET_KEYSTORE_FILE_PATH, and WEBSOCKET_KEYSTORE_FILE_PASSWORD directives in the following files:
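The two notes above (forward slashes, no quotes) are the mistakes that most often leave the WebSocket Server unable to open the keystore while Tomcat itself is fine, because each file is parsed by different code. The Python validator below is an added example written for this page, not FME Server code; it assumes that a `#` at the start of a line marks a commented-out directive (the guide says "uncomment" without showing the character), and that the keystore lives on a case-insensitive Windows filesystem. The configuration text it carries is constructed, and `password1` is the guide's placeholder.

```python
"""Validate the WEBSOCKET_* directives in fmeWebSocketConfig.txt against the
rules in this guide: SSL on, forward slashes in the path, an unquoted password,
and the same keystore and password that server.xml uses.
Added example for this page; not FME Server code. Assumes '#' begins a comment line."""


def parse_directives(text):
    """Parse KEY=VALUE lines into a dict; blank lines and '#' comment lines are skipped."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            directives[key.strip()] = value.strip()
    return directives


def check_websocket_ssl(text):
    """Return a list of findings; an empty list means the directives follow the guide."""
    d = parse_directives(text)
    findings = []
    if d.get("WEBSOCKET_ENABLE_SSL", "").lower() != "true":
        findings.append("WEBSOCKET_ENABLE_SSL is not set to true")
    path = d.get("WEBSOCKET_KEYSTORE_FILE_PATH")
    if path is None:
        findings.append("WEBSOCKET_KEYSTORE_FILE_PATH is missing or still commented out")
    elif "\\" in path:
        findings.append("WEBSOCKET_KEYSTORE_FILE_PATH uses backslashes; use forward slashes")
    password = d.get("WEBSOCKET_KEYSTORE_FILE_PASSWORD")
    if password is None:
        findings.append("WEBSOCKET_KEYSTORE_FILE_PASSWORD is missing or still commented out")
    else:
        if password[:1] in ('"', "'"):
            findings.append("WEBSOCKET_KEYSTORE_FILE_PASSWORD must not be enclosed in quotes")
        if len(password.strip("\"'")) < 6:  # the keystore password minimum from step 1
            findings.append("WEBSOCKET_KEYSTORE_FILE_PASSWORD is shorter than 6 characters")
    return findings


def _normalize(path):
    # Assumption: Windows path, so slash direction and letter case do not matter.
    return path.replace("\\", "/").lower()


def matches_server_xml(text, keystore_file, keystore_pass):
    """True if the WebSocket directives name the same keystore and password as the
    keystoreFile / keystorePass attributes of the Tomcat connector in server.xml."""
    d = parse_directives(text)
    return (_normalize(d.get("WEBSOCKET_KEYSTORE_FILE_PATH", "")) == _normalize(keystore_file)
            and d.get("WEBSOCKET_KEYSTORE_FILE_PASSWORD") == keystore_pass)


# Constructed samples (not real FME Server files); the path and password are placeholders.
BAD_CONFIG = """# WebSocket settings (constructed sample with both mistakes the guide warns about)
WEBSOCKET_ENABLE_SSL=true
WEBSOCKET_KEYSTORE_FILE_PATH=C:\\FMEServer\\Utilities\\tomcat\\tomcat.keystore
WEBSOCKET_KEYSTORE_FILE_PASSWORD="password1"
"""
GOOD_CONFIG = """WEBSOCKET_ENABLE_SSL=true
WEBSOCKET_KEYSTORE_FILE_PATH=C:/FMEServer/Utilities/tomcat/tomcat.keystore
WEBSOCKET_KEYSTORE_FILE_PASSWORD=password1
"""

if __name__ == "__main__":
    for finding in check_websocket_ssl(BAD_CONFIG):
        print("fmeWebSocketConfig.txt:", finding)
    print("good config findings:", check_websocket_ssl(GOOD_CONFIG))
    print("matches server.xml:", matches_server_xml(
        GOOD_CONFIG, r"C:\FMEServer\Utilities\tomcat\tomcat.keystore", "password1"))
```

Feed `matches_server_xml` the keystoreFile and keystorePass values you put in the connector in step 8; the path comparison tolerates the backslash form server.xml uses against the forward-slash form this file requires.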
Note: This step is applicable only if you want to use Integrated Windows Authentication (single sign-on) to access the FME Server Web Interface.