About HTTPS for Apache Tomcat with OpenSSL
The Incorta Cluster Management Console, Loader Service, and Analytics Service are Java web applications that run on Apache Tomcat, a web application server. One way to secure communications between a web browser and an Incorta Cluster is to configure Hypertext Transfer Protocol Secure (HTTPS) support for Apache Tomcat.
As a protocol, HTTPS encrypts communications between websites, web applications, and web browsers. HTTPS requires Transport Layer Security (TLS), and TLS requires a valid TLS certificate. In the web browser, you must explicitly declare https in the Uniform Resource Locator (URL) of a website or web application that has a valid TLS/SSL certificate. Often, security administrators still use the predecessor terminology of a Secure Socket Layer (SSL) certificate. For this reason, this document refers to a TLS certificate as a TLS/SSL certificate.
Typically, a security or system administrator for the operating system with root access configures HTTPS for Apache Tomcat for the Incorta Cluster. This includes opening the host network port for HTTPS which is 8443 by default for the Incorta Analytics Service.
You may also want to consider alternative options for HTTPS, such as terminating TLS at a reverse proxy server like NGINX or Apache HTTP Server.
About OpenSSL
OpenSSL is a robust, commercial-grade, and full-featured toolkit for the TLS and SSL protocols. OpenSSL is licensed under an Apache-style license and is available for free for both commercial and non-commercial purposes subject to license conditions.
Please be aware that the import, export, and/or use of strong cryptography software, providing cryptography hooks, or even just communicating technical details about cryptography software is illegal in some parts of the world.
About security certificates
Although you can use a self-signed certificate for an internal or developer environment, production systems require a certificate from a Certificate Authority (CA).
Incorta does not recommend using a self-signed certificate as this can restrict access to critical data source connectors such as Google Drive and Google Sheets.
Before issuing a certificate to an applicant, a CA validates a domain’s ownership. Your web browser contains a list of CAs trusted by the browser vendor to perform the validation. A TLS certificate consists primarily of a public key that corresponds to your private server key, and a signature by the CA that is cryptographically tied to the public key.
In other words, when you use an HTTPS URL (https://www.mycompany.com), your web browser connects to the web server and the web server presents a certificate for your browser to check. Your browser checks the signer of the certificate against its list of trusted CAs. If the signer is on the list, or is reachable through a chain of trust consisting of other trusted signers, the browser negotiates an encrypted data channel with the web server.
Keystore formats and supported implementations for Apache Tomcat
This release of Incorta runs on Apache Tomcat 7.0. Apache Tomcat 7.0 supports the JKS, PKCS11, and PKCS12 keystore formats. The JKS format is the standard Java KeyStore format. The PKCS12 format is an open, vendor-neutral standard. You can use OpenSSL or Microsoft’s Key-Manager to work with the PKCS12 format.
Apache Tomcat 7.0 supports two ways to implement TLS/SSL:
- Java Secure Socket Extension (JSSE)
- Apache Portable Runtime (APR) implementation which uses the OpenSSL engine by default
You define the TLS/SSL implementation in a Connector element of the server.xml file for Apache Tomcat.
For the most part, a Connector for JSSE requires the JKS format and a Connector for APR requires a PKCS12 keystore format. The PKCS12 keystore format supports OpenSSL.
Create a free TLS/SSL certificate for HTTPS with LetsEncrypt, Certbot, and OpenSSL
The Electronic Frontier Foundation (EFF) sponsors Let’s Encrypt as a Certificate Authority (CA) with the goal of encrypting the entire internet. Let’s Encrypt has issued over 1 billion security certificates, 225 million of which are for public websites. Originally a Let’s Encrypt project, and now formally sponsored by EFF, Certbot is a service that provides free HTTPS certificates, including renewals. Certbot creates a certificate to use with OpenSSL.
In order for Certbot to create a TLS/SSL certificate, you must first update the Domain Name System (DNS) A/AAAA record(s) for a public domain to reference the public IPv4 address of the host. In most cases, enterprises and organizations host an Incorta Cluster behind a firewall, within a Virtual Private Network (VPN), and most security administrators already have a TLS/SSL certificate available for use within their enterprise subdomains behind the firewall. With that in mind, consider this document an example of the steps involved in an HTTPS configuration.
In order to create a TLS/SSL certificate with Certbot and configure HTTPS for the Incorta Node that runs the Analytics Service, you must have root access to the host.
Implement HTTPS for Apache Tomcat with OpenSSL and Certbot
Implementing HTTPS for the host with the Incorta Node running the Analytics Service requires that you stop and start the Analytics Service.
Here are the prerequisites for implementing HTTPS for Tomcat using OpenSSL and Certbot for the host with the Incorta Node that runs the Analytics Service:
- Update the Domain Name System (DNS) A/AAAA record(s) for a public domain to reference the public IPv4 address of the host.
- Open port 8443, the default port for HTTPS for the Analytics Service.
- Confirm root access to the host.
- Install OpenSSL on the host.
In order to stop the Analytics Service, you must also have access to the Cluster Management Console (CMC) for the Incorta Cluster.
Install OpenSSL
Here are the steps to install OpenSSL:
- SSH into the host with the Incorta Node that runs the Analytics Service.
- As the root user, install OpenSSL with yum:
    sudo su
    yum install openssl-devel
Install Certbot
Here are the steps to install Certbot:
- As the root user, install Certbot with yum:
    yum install certbot
With Certbot, create a certificate
Here are the steps to create a standalone certificate for your domain:
- As the root user, create a standalone certificate for the domain with Certbot, replacing <My_Domain>. The standalone authenticator answers the CA’s validation request itself and listens on port 80 by default, so that port must be reachable from the internet while the command runs.
    MY_DOMAIN=<My_Domain>
    certbot certonly --standalone -d $MY_DOMAIN
- Verify the creation of cert.pem, chain.pem, fullchain.pem, and privkey.pem:
    ls -l /etc/letsencrypt/live/$MY_DOMAIN
Create a PKCS12 keystore archive file
A .pfx file is a PKCS12 archive file. The PFX format is a single encrypted binary file that contains the server certificate, any intermediate certificates, and the private key. Here are the steps to create the .pfx file with OpenSSL:
- As the root user, navigate to the domain certificate directory and create the file with OpenSSL, replacing <File_Name> and <Password>:
    MY_PFX_FILE=<File_Name>
    MY_PFX_PASSWORD=<Password>
    cd /etc/letsencrypt/live/$MY_DOMAIN
    openssl pkcs12 -export -out ${MY_PFX_FILE}.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:${MY_PFX_PASSWORD}
- Verify the creation of the .pfx file:
    ls -l /etc/letsencrypt/live/$MY_DOMAIN | grep $MY_PFX_FILE
Never share privkey.pem. After Certbot creates this file and you create the .pfx file, safeguard privkey.pem according to your organization’s cybersecurity practices. The .pfx file contains the same private key and needs the same protection, and the keystore password passed on the command line above is recorded in the shell history.
Move the PKCS12 keystore archive file to the Incorta installation parent directory
Here are the steps to move the .pfx file:
- Create a certs directory in the parent directory of the Incorta Analytics installation path, replacing <Incorta_Analytics_Install_Path>. This should be similar to /home/incorta/IncortaAnalytics.
    INCORTA_ANALYTICS_INSTALL_PATH=<Incorta_Analytics_Install_Path>
    cd $INCORTA_ANALYTICS_INSTALL_PATH
    mkdir ../certs/
- Move the .pfx file.
    mv /etc/letsencrypt/live/${MY_DOMAIN}/${MY_PFX_FILE}.pfx ../certs/${MY_PFX_FILE}.pfx
- Verify that the .pfx file exists in the new directory.
    ls -l ../certs/ | grep $MY_PFX_FILE
Modify the file bits and ownership of the file
Most likely the Incorta Analytics process runs as the incorta Linux user. For this reason, you will need to change the ownership of the certs directory to match that of the user that runs the Incorta process for the Analytics Service. You will also need to modify the file bits so that the Incorta user can read the file and no other user can. Follow these steps:
- Change the ownership of the certs directory to the incorta Linux user, and restrict the keystore to owner read/write and group read (mode 0640).
    cd ..
    sudo chown -R incorta:incorta certs/
    sudo chmod 0640 certs/${MY_PFX_FILE}.pfx
- View the path to the certs directory as you will need this reference later.
    pwd
- Leave this SSH bash terminal open as you will continue on and configure HTTPS for Apache Tomcat.
Stop the Analytics Service from the CMC
- Sign in to the CMC with the administrator username and password.
- In the Navigation bar, select Clusters.
- In the List view, select the specific cluster.
- In the canvas tabs, select Services.
- In the Services list view, select the name of the service of the type Analytics.
- In the details page, in Runtime footer, select Stop.
- Keep the CMC open as you will shortly Start the Analytics Service again.
Enable HTTPS over port 8443 on the Analytics service
Here are the steps to configure HTTPS for Apache Tomcat on the host with the Incorta Node that runs the Analytics Service:
- As the incorta user or another user that runs the Incorta Analytics Service process, identify the Globally Unique Identifier (GUID) for the Analytics Service, replacing <Incorta_Analytics_Install_Path>. This should be similar to /home/incorta/IncortaAnalytics.
    sudo su incorta
    INCORTA_ANALYTICS_INSTALL_PATH=<Incorta_Analytics_Install_Path>
    cat $INCORTA_ANALYTICS_INSTALL_PATH/IncortaNode/services/services.index
- Change directories to the Analytics Service, replacing <Analytics_Service_GUID> with the GUID from the previous cat command output.
    cd $INCORTA_ANALYTICS_INSTALL_PATH/IncortaNode/services/<Analytics_Service_GUID>/conf/
- Create a backup file of the server.xml file.
    cp server.xml server.xml.bak
- In vim, edit server.xml (press i to enter INSERT mode and ESC to return to normal mode), adding the following Connector element and replacing <Incorta_Analytics_Certs_Directory_Path>, <File_Name>, and <Password> in the keystoreFile and keystorePass attributes:
    <Connector port="8443" protocol="HTTP/1.1" maxThreads="500"
        SSLEnabled="true" scheme="https" secure="true" URIEncoding="UTF-8"
        clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12"
        keystoreFile="<Incorta_Analytics_Certs_Directory_Path>/<File_Name>.pfx"
        keystorePass="<Password>"
        compression="on" compressionMinSize="100"
        noCompressionUserAgents="gozilla, traviata"
        compressableMimeType="text/html,text/xml,text/plain,text/css,application/javascript,application/json"
        maxHttpHeaderSize="10485760" maxPostSize="10485760" />
- To save your changes to server.xml, use the keystroke :wq! (force-quit-save). Because keystorePass is stored in clear text, keep server.xml readable only by the user that runs the Analytics Service.
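As an added post-configuration check (example code written for this page, not Incorta’s or Tomcat’s own tooling), the script below parses a server.xml, validates the Connector attributes used above, and checks the stat() bits of the .pfx against the chown/chmod 0640 step. The sample XML, the path /home/incorta/certs/analytics.pfx and the password are constructed placeholders.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Attribute values the Connector on this page must carry for PKCS12 over TLS.
REQUIRED_ATTRS = {"SSLEnabled": "true", "scheme": "https",
                  "secure": "true", "keystoreType": "PKCS12"}

def check_connector(server_xml, port="8443"):
    """Return the problems found with the Connector on `port`; [] means it passes."""
    root = ET.fromstring(server_xml)
    conn = next((c for c in root.iter("Connector") if c.get("port") == port), None)
    if conn is None:
        return ["no Connector element on port %s" % port]
    problems = []
    for attr, want in REQUIRED_ATTRS.items():
        if conn.get(attr) != want:
            problems.append('%s must be "%s", found %r' % (attr, want, conn.get(attr)))
    keystore = conn.get("keystoreFile", "")
    if not keystore.endswith(".pfx") or not os.path.isabs(keystore):
        problems.append("keystoreFile must be an absolute path to the .pfx archive")
    if not conn.get("keystorePass"):
        problems.append("keystorePass is missing or empty")
    return problems

def check_keystore_mode(st_mode, st_uid, service_uid):
    """Check stat() results against the chown/chmod 0640 step: owned by the
    service user, readable by owner and group only, no group write, no exec."""
    problems = []
    if st_uid != service_uid:
        problems.append("keystore is not owned by the service user")
    if st_mode & stat.S_IRWXO:
        problems.append("keystore is readable or writable by other users")
    if st_mode & (stat.S_IWGRP | stat.S_IXUSR | stat.S_IXGRP):
        problems.append("keystore has group-write or execute bits set")
    return problems

# Constructed sample: the Connector from this page, trimmed, with the placeholders
# replaced by example values (hypothetical path and password).
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
 secure="true" sslProtocol="TLS" keystoreType="PKCS12"
 keystoreFile="/home/incorta/certs/analytics.pfx" keystorePass="example-pass"/>
</Service></Server>"""

if __name__ == "__main__":
    print(check_connector(SAMPLE_SERVER_XML) or "connector OK")
    print(check_keystore_mode(0o100640, os.getuid(), os.getuid()) or "keystore OK")
```

To check a live deployment, read the real server.xml into check_connector() and pass the os.stat() result of the .pfx, together with the incorta user’s UID, to check_keystore_mode().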
Start the Analytics Service from the CMC
- If needed, sign in to the CMC with the administrator username and password.
- In the Navigation bar, select Clusters.
- In the List view, select the specific cluster.
- In the canvas tabs, select Services.
- In the Services list view, select the name of the service of the type Analytics.
- In the details page, in Runtime footer, select Start.
Verify the HTTPS configuration
Now that HTTPS is configured for Apache Tomcat using OpenSSL, you can verify the configuration. The default port for HTTPS for the host with an Incorta Node running the Analytics Service is 8443. Here are the steps to confirm HTTPS:
- In a supported web browser, in the Address bar, enter https://<My_Domain>:8443/incorta, replacing <My_Domain> as required.
- Verify that you see the Sign-In form and that the browser reports a secure connection with a certificate issued for <My_Domain>.