Configuring for HTTPS (2024)

HTTPS ensures that communication between the client and server is encrypted, so that if it is intercepted, the third party cannot easily view or use the information. For FME Server, you can use HTTPS to ensure that sensitive login information is not exposed. This is especially important if you are using the Active Directory integration.

Enabling FME Server SSL Support

To enable SSL support:

  1. Modifying Service URLs to Use HTTPS
  2. Enable SSL on the Web and/or Application Server
  3. Enable SSL on the WebSocket Server
  4. Verify the Configuration

Modifying Service URLs to Use HTTPS

To enable SSL for a service, open the FME Server Web User Interface, select Manage > Administration > Services, and click the desired service in the table.

The Editing Service page opens.

In the URL Pattern field, change HTTP to HTTPS, and modify the port number, if required. Typically SSL is configured on either port 8443 or 443.

Enable SSL on the Web and/or Application Server

The steps for setting up SSL vary by application server. The following example provides steps for setting up SSL for Apache Tomcat 7, which is the application server included with an express installation of FME Server.

For any HTTPS (SSL) page, a certificate is required. For development and testing purposes, self-signed certificates are supported. For production use, we recommend that you use SSL certificates from a verified SSL certificate authority (CA).

First, you must generate a keystore that contains a certificate chain using the keytool command from the Java Development Kit (JDK).

Note: To ensure the security of the keystore file, allow access to it only by users who run the FME Server Services, and select users with administrative privileges on FMEServer.

  1. Open the command prompt.
  2. Type the following command:

    keytool -genkey -alias tomcat -keyalg RSA -keystore <your_keystore_filename>

    If your path is not set to the Java bin directory, navigate to that directory and type the appropriate command.

    Note: A JDK must be installed to use the keytool command.

    A message prompts you to enter a keystore password.

  3. Enter a password for the keystore.

  4. Enter the required details, shown here:

    [Screenshot: keytool certificate detail prompts]

    Note: (CA-issued certificates only): Answer "What is your first and last name?" with the server domain name; for example, "fmeserver.example.org".

  5. Enter the same password you entered in step 3.

    A keystore is generated in the following location:

    <drive>:\Users\<username>\.keystore

  6. (CA-issued certificates only)

    1. Generate a certificate signing request (CSR):

      keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore <your_keystore_filename>

    2. Submit the CSR (certreq.csr) to your CA to obtain a certificate, according to your CA's instructions.

    3. Import the certificate into the keystore. Depending on the web application server, you may also need to import a root certificate (consult your web application or CA's instructions).

      Import root certificate:

      keytool -import -alias root -keystore <your_keystore_filename> -trustcacerts -file <chain_certificate_filename>

      Import certificate:

      keytool -import -alias tomcat -keystore <your_keystore_filename> -file <certificate_filename>

  7. Copy the .keystore file to the Tomcat directory, and then copy the path to the file.

    If you are using the default web application included with FMEServer, Tomcat is located at:

    <FME Server Install DIR>\Utilities\tomcat

  8. Open the server.xml file:

    <TomcatDir>\conf\server.xml

  9. Locate the Connector code block, and replace it with the following:

    <Connector protocol="org.apache.coyote.http11.Http11Protocol"
    port="443" minSpareThreads="5"
    enableLookups="true" disableUploadTimeout="true"
    acceptCount="100" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="C:\Program Files\FMEServer\Utilities\tomcat\.keystore"
    keystorePass="<your_password>"
    clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
    TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,
    TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,
    TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,
    SSL_RSA_WITH_3DES_EDE_CBC_SHA"
    URIEncoding="UTF8" />

    <Connector port="80" protocol="HTTP/1.1"
    redirectPort="443"/>

    Note: The sslEnabledProtocols and ciphers parameters disallow SSL v3 and ciphers that are considered unsafe. However, these modifications break SSL compatibility with Internet Explorer 6, and may cause unexpected behavior with Java Runtime Environment Version 6.0 Update 45 (Java 6u45). For more information, see http://googleonlinesecurity.blogspot.ca/2014/10/this-poodle-bites-exploiting-ssl-30.html.

    Note: The cipher values specified above are compatible with Java v8, which is included with FMEServer 2015.1.2 and later. For FMEServer versions earlier than 2015.1.2, specify these ciphers instead, which are compatible with Java v7:

    "TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
    TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
    SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"

    Note that these ciphers have a higher strength rating than those provided in previous versions of the FMEServer documentation.

  10. Be sure to set the keystoreFile path to the correct location and the keystorePass to the password you entered in step 3. Also, if you configured the FME Server Service URLs to use a port other than 443, that port number must be corrected in the port and redirectPort directives.
  11. Change the Listener className line (found near the beginning of the file) to how it is written below:

    <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine='off'/>

  12. Save the server.xml file.
  13. Open the web.xml file:

    <TomcatDir>\conf\web.xml

  14. Add the following code block to the end of the file, just before the closing </web-app> tag:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>HTTPSOnly</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

  15. Save the web.xml file.
  16. If you are using the default FMEServer Application Server, restart that service. Or, if you are using your own Tomcat application, restart that.
  17. Open a browser and navigate to https://localhost:<port>. If you used the same port as specified in Step 9, <port> is 443.

    This should show you the same Tomcat home page, but in a secured format.

  18. (Self-signed certificates only) On the machine that hosts the FME Server Core, run the following JDK keytool command from the command prompt:

    keytool -import -v -trustcacerts -alias server-alias -keystore "%JAVA_HOME%\jre\lib\security\cacerts" -file <your self-signed certificate> -keypass <key password> -storepass <keystore password>

    This command imports the untrusted certificate into the FME Server database and instructs the web application server to make an exception for it.
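
The following check is an added example, not part of the FME Server documentation: it parses a Tomcat server.xml and reports, for each Connector, the protocols and cipher suites from step 9 that have since been deprecated, and any redirectPort that does not point at a TLS connector (the mistake step 10 warns about). The sample XML is constructed from step 9 with a shortened cipher list and a deliberately mismatched redirectPort; the function names are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample based on step 9 (short cipher list, mismatched redirectPort).
SAMPLE_SERVER_XML = r"""<Server><Service name="Catalina">
  <Connector protocol="org.apache.coyote.http11.Http11Protocol" port="443"
    scheme="https" secure="true" SSLEnabled="true" clientAuth="false"
    keystoreFile="C:\Program Files\FMEServer\Utilities\tomcat\.keystore"
    keystorePass="placeholder"
    sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
             TLS_RSA_WITH_AES_128_CBC_SHA,
             SSL_RSA_WITH_3DES_EDE_CBC_SHA" />
  <Connector port="80" protocol="HTTP/1.1" redirectPort="8443"/>
</Service></Server>"""

# SSLv3 was retired by RFC 7568, TLS 1.0 and 1.1 by RFC 8996.
LEGACY_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}

def split_list(value):
    """Split a comma-separated attribute; XML parsing turns line breaks into spaces."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]

def cipher_problems(suite):
    """Name the weaknesses of one pre-TLS-1.3 cipher suite, judged by its name."""
    no_fs = "_WITH_" in suite and "_ECDHE_" not in suite and "_DHE_" not in suite
    checks = [("3DES" in suite, "3DES (64-bit block)"),
              ("_CBC_" in suite, "CBC mode"),
              (no_fs, "no forward secrecy")]
    return [label for hit, label in checks if hit]

def audit_server_xml(xml_text):
    """Return (port, finding) tuples for every Connector in a Tomcat server.xml."""
    connectors = list(ET.fromstring(xml_text).iter("Connector"))
    tls_ports = {c.get("port") for c in connectors
                 if c.get("SSLEnabled", "").lower() == "true"}
    findings = []
    for c in connectors:
        port = c.get("port")
        if port not in tls_ports:  # plain connector: its redirect must hit TLS
            if c.get("redirectPort") not in tls_ports:
                findings.append((port, f"redirectPort {c.get('redirectPort')} is not a TLS connector"))
            continue
        for proto in split_list(c.get("sslEnabledProtocols")):
            if proto in LEGACY_PROTOCOLS:
                findings.append((port, f"legacy protocol {proto}"))
        for suite in split_list(c.get("ciphers")):
            findings += [(port, f"{suite}: {p}") for p in cipher_problems(suite)]
    return findings

if __name__ == "__main__":
    for port, finding in audit_server_xml(SAMPLE_SERVER_XML):
        print(f"port {port}: {finding}")
```
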

Enable SSL on the WebSocket Server

The FME Server WebSocket server supports insecure or secure connections. (Only one or the other protocol is currently supported.) To enable SSL, edit the fmeWebSocketConfig.txt file in your server installation (<FMEServerDir>\Server).

  1. Set WEBSOCKET_SSL_ENABLED=true.
  2. Uncomment the WEBSOCKET_KEYSTORE_FILE_PATH directive and set it to reference the keystore file you generated under Enable SSL on the Web and/or Application Server. For example:

    WEBSOCKET_KEYSTORE_FILE_PATH=/data/fmeserver/Utilities/tomcat/keystore.jks

  3. Specify the same settings for the WEBSOCKET_ENABLE_SSL, WEBSOCKET_KEYSTORE_FILE_PATH, and WEBSOCKET_KEYSTORE_FILE_PASSWORD directives in the following files:

    • <FMEServerDir>\Server\config\subscribers\websocket.properties
    • <FMEServerDir>\Server\config\publishers\websocket.properties

Enable SSL on the WebSocket Publisher and WebSocket Subscriber

To enable SSL on the Notification Service WebSocket Publisher and WebSocket Subscriber, update the value property of the PROPERTY directive from "ws://localhost:7078/websocket" to "wss://localhost:7078/websocket" in the following files:

  • <FMEServerDir>\Resources\publishers\websocket\publisherProperties.xml
  • <FMEServerDir>\Resources\subscribers\websocket\subscriberProperties.xml

Verify the Configuration

To verify that HTTPS is configured properly, perform the relevant checks here, including confirmation that the web services are available, and confirmation that FMEServer can run a job.

See Also

  • Unable to Run Workspaces Registered to Notification Service When SSL is Configured