Configuring for HTTPS (2024)

Open a text editor and copy the example script below, replacing the argument values with your own.

Note: The storepass and keypass arguments must be the same and at least 6 characters.

keytool -genkey -noprompt -keyalg RSA -keystore tomcat.keystore -alias <alias> -dname "<dname>" -storepass <storepass> -keypass <keypass> -ext san="<san>" -deststoretype pkcs12

Example:

keytool -genkey -noprompt -keyalg RSA -keystore tomcat.keystore -alias tomcat -dname "CN=fmeserver.example.org, OU=support, O=SafeSoftware, L=Surrey, S=BC, C=CA" -storepass password1 -keypass password1 -ext san="dns:fmeserver.example.org,dns:fmeserver" -deststoretype pkcs12

1. Open a command prompt as administrator and navigate to the FME Server installation Java bin directory:

cd <FMEServerDir>\Utilities\jre\bin\

Where <FMEServerDir> is the location of the FME Server installation folder.

2. Execute the command created in step 1.

In the command prompt, remain in <FMEServerDir>\Utilities\jre\bin\ and run:

keytool -certreq -keyalg RSA -alias <alias> -file <filename> -keystore tomcat.keystore

Specify the certificate signing request path and filename, and update the alias to match that set in step 1.

Example:

keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore tomcat.keystore

Submit the CSR (for example, certreq.csr) generated in step 3 to your CA to obtain a certificate, according to your CA's instructions.

If you have multiple certificates, install them in the following order, and be sure to update the alias and certificate path for each.

1. Import the root certificate (if you have one):

keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file <path/certificate_filename>

2. Import the intermediate certificate (If you have one):

keytool -import -alias intermediate -keystore tomcat.keystore -trustcacerts -file <path/certificate_filename>

3. Import the certificate:

keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file <path/certificate_filename>

In a command prompt, from <FMEServerDir>\Utilities\jre\bin\, use the following command to import the keystore into FME Server's trusted certs, specifying the srcstorepass argument with the password from step 1.

keytool -importkeystore -noprompt -srckeystore tomcat.keystore -destkeystore "<FMEServerDir>\Utilities\jre\lib\security\cacerts" -deststorepass changeit -srcstorepass <password>

Note: Ignore the warning that the destination type must default to jks.

Navigate to <FMEServerDir>\Utilities\tomcat\conf and make backups of server.xml, web.xml, and context.xml. We recommend this step so that you can easily revert the configuration at any point if necessary.

1. Run a text editor as an administrator and open server.xml, located in <FMEServerDir>\Utilities\tomcat\conf.
2. Locate the SSLEngine setting in the <Listener> element, including className="org.apache.catalina.core.AprLifecycleListener" and change the "on" value to "off".
3. Locate the <Connector> element that contains protocol="org.apache.coyote.http11.Http11NioProtocol" and replace the entire element with:

Copy

<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
port="443"
minSpareThreads="5"
enableLookups="true"
disableUploadTimeout="true"
acceptCount="100"
maxThreads="200"
maxHttpHeaderSize="16384"
scheme="https"
secure="true"
SSLEnabled="true"
keystoreFile="<file>"
keystorePass="<password>"
clientAuth="false" sslEnabledProtocols="TLSv1.1,TLSv1.2"
sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"
URIEncoding="UTF8" />
<Connector port="80" protocol="HTTP/1.1" redirectPort="443"/>

Make sure to update the keystoreFile and keystorePass parameters to the keystore location and password set in step 1. For an example, see this server.xml reference.

4. (Optional) To change the port for HTTPS communication, change 443 to the desired port, for both the port and redirectPort directives.
5. Save and close the server.xml file.

1. Open web.xml, located in <FMEServerDir>\Utilities\tomcat\conf.
2. Add the following code block to the end of the file, just before the closing </web-app> element:

<security-constraint>

<web-resource-collection>

<web-resource-name>HTTPSOnly</web-resource-name>

<url-pattern>/*</url-pattern>

</web-resource-collection>

<user-data-constraint>

<transport-guarantee>CONFIDENTIAL</transport-guarantee>

</user-data-constraint>

</security-constraint>

3. Save and close the web.xml file.

1. Open context.xml, located in <FMEServerDir>\Utilities\tomcat\conf.
2. Add the following to the end of the file, just before the closing </context> element:

<Valve className="org.apache.catalina.authenticator.SSLAuthenticator" disableProxyCaching="false" />

3. Save and close the context.xml file.

a. Run a text editor as an administrator and open fmeServerConfig.txt.

b. Update the FME_SERVER_WEB_URL directive by changing http to https and change the port to the same one specified in step 8.

c. Save and close the file.

1. Restart FME Server.
2. Open a web browser and navigate to https://localhost/. If you configured Tomcat to use a port other than the standard port 443, also specify the port (https://localhost:<port>).
3. You should see the FME Server login page in a secured format.

To submit jobs on FME Server via HTTPS, you must enable SSL for the FME Server Web Services.

1. In the FME Server Web User Interface, open the Services page.
2. Click Change All Hosts and, in the URL Pattern field, change HTTP to HTTPS. (FME Server may have already set this change.) If required, modify the port number—typically SSL is configured on either port 8443 or 443. When finished, click OK.
3. Run a sample workspace with the data download and job submitter services to confirm your FME Server is working with HTTPS.

Your FME Server is now configured to work via HTTPS. However, if you are using the WebSocket Server or Integrated Windows Authentication, some additional steps are required.

The FME Server WebSocket Server supports insecure (ws://) or secure connections (wss://). This configuration is only required if you want to use the WebSocket Server or Topic Monitoring (legacy).

1. Run a text editor as an administrator and open the fmeWebSocketConfig.txt file in your FME Server installation directory (<FMEServerDir>\Server).
2. Set WEBSOCKET_ENABLE_SSL=true.
3. Uncomment the WEBSOCKET_KEYSTORE_FILE_PATH directive and set it to reference the keystore file set in server.xml in step 8. For example:

WEBSOCKET_KEYSTORE_FILE_PATH=<FMEServerDir>/Utilities/tomcat/tomcat.keystore

Note: Use forward slashes, which may be different from the path in server.xml.

4. Uncomment the WEBSOCKET_KEYSTORE_FILE_PASSWORD directive and set it to reference the keystore file password set in server.xml in step 8. For example:

WEBSOCKET_KEYSTORE_FILE_PASSWORD=password1

Note: Do not enclose the password in quotes.

5. Specify the same settings for the WEBSOCKET_ENABLE_SSL, WEBSOCKET_KEYSTORE_FILE_PATH, and WEBSOCKET_KEYSTORE_FILE_PASSWORD directives in the following files: