Difference between revisions of "SSL Configuration using Certificate"

From LogicalDOC Community Wiki
Latest revision as of 15:14, 27 February 2024

LogicalDOC embeds the Tomcat application server and it can be configured to support the encrypted protocol HTTPS. This is useful when you want to expose the program on the Internet.


Note: Please be aware that this procedure is not covered by the standard support contract. In case you want this matter to be handled professionally, please write to sales@logicaldoc.com for a quote.


Basically you only have to follow the steps described in the Apache how-to at SSL Configuration HOW-TO. What follows is a revised extract from that how-to.

Preparing the certificates

Note: skip this step if you already have your own SSL certificate

To install and configure SSL support on Tomcat, you need the following things:

  • The file of your server certificate (the format must be PEM-encoded)
  • The file containing the certificate chain associated with the server certificate (the format must be PEM-encoded)
  • The file that contains the server private key (the format must be PEM-encoded)

You get those 3 files as a result of the certificate issuing procedure.

Most of the time your server's certificate and the chain file are in .crt, .cer or .der format. In this case convert them to PEM with openssl (a .der file is binary, so its input format must be stated explicitly):
openssl x509 -in cert.crt -out cert.pem
openssl x509 -in cert.cer -out cert.pem
openssl x509 -in cert.der -inform DER -out cert.pem

In the same way, your private key is probably in .txt format, so convert it into .pem using openssl:
openssl rsa -in privkey.txt -out privkey.pem

We suggest putting your .pem files in <LDOC_HOME>/conf and, in any case, outside the tomcat folder.

Edit the Tomcat configuration file

The final step is to configure your secure socket in the <LDOC_HOME>/tomcat/conf/server.xml file, where <LDOC_HOME> represents the base directory for the LogicalDOC installation. An example <Connector> element for an SSL connector looks something like this:

    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
               port="8443" maxThreads="200"
               URIEncoding="UTF-8" server="Undisclosed/8.41"
               scheme="https" secure="true" SSLEnabled="true">
               <SSLHostConfig>
                 <Certificate certificateFile="${catalina.home}/../conf/cert.pem"
                              certificateKeyFile="${catalina.home}/../conf/privkey.pem"
                              certificateChainFile="${catalina.home}/../conf/chain.pem" />
               </SSLHostConfig>
    </Connector>

replace <LDOC_HOME> with the installation path of LogicalDOC


Note: The LogicalDOC application will be updated from time to time, so it is not safe to keep the keystore inside the tomcat/ folder; put your .pem files inside the conf/ folder of the LogicalDOC installation path.


The port attribute (default value is 8443) is the TCP/IP port number on which Tomcat will listen for secure connections. You can change this to any port number you wish.

If you change the port number here, you should also change the value specified for the redirectPort attribute on the non-SSL connector. This allows Tomcat to automatically redirect users who attempt to access a page with a security constraint specifying that SSL is required.

After completing these configuration changes, restart LogicalDOC as you normally do; you should then be able to access it via SSL. For example, try:

   https://localhost:8443

and you should see the usual login page.

Install PFX certificates

Certificates with the .pfx or .p12 extension do not need to be converted, because they are PKCS12 archives that Tomcat supports directly.

Modify the Connector element in the server.xml file to the following (keystoreFile is the path of the certificate file; replace the keystorePass value with the password of your certificate):

    <!-- keystoreFile: path of the certificate file
         keystorePass: replace the value with the password of your certificate -->
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
               port="8443" maxThreads="200"
               URIEncoding="UTF-8" server="Undisclosed"
               maxHttpHeaderSize="16384"
               scheme="https" secure="true" SSLEnabled="true"
               clientAuth="false"
               sslProtocol="TLSv1.1+TLSv1.2+TLSv1.3"
               keystoreFile="${catalina.home}/../conf/mycert.pfx"
               keystoreType="PKCS12"
               keystorePass="certpasswd" />

Save the file and restart LogicalDOC service/daemon.

Now you can access LogicalDOC by pointing your browser to https://YourServerDomain:8443 (replace 'YourServerDomain' with the actual domain of your server).

This procedure works for both certificate files with the .pfx extension and those with the .p12 extension.
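As an added check that is not part of the LogicalDOC wiki or product, the following Python script parses the edited server.xml and flags the mistakes discussed above for both the PEM connector and the PKCS12 connector: a file that is not well-formed XML (for instance '#' comments written inside the Connector element), missing certificate attributes, certificate files kept under tomcat/, and a redirectPort on the plain HTTP connector that no longer matches the SSL port. The sample server.xml and the /opt/logicaldoc path used below are constructed; ${catalina.home} is resolved to <LDOC_HOME>/tomcat, which is where LogicalDOC embeds Tomcat.

```python
import os
import xml.etree.ElementTree as ET
# Constructed sample: a plain HTTP connector plus the PFX connector from this page.
SAMPLE_SERVER_XML = """<Server><Service>
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="8443"
             scheme="https" secure="true" SSLEnabled="true" keystoreType="PKCS12"
             keystoreFile="${catalina.home}/../conf/mycert.pfx" keystorePass="certpasswd"/>
</Service></Server>"""


def check_ssl_connectors(server_xml, ldoc_home, file_exists=os.path.exists):
    """Return a list of problems with the SSLEnabled connector(s) in server.xml."""
    try:
        root = ET.fromstring(server_xml)
    except ET.ParseError as exc:  # e.g. '#' comments inside a start tag
        return [f"server.xml is not well-formed XML: {exc}"]
    catalina_home = os.path.join(ldoc_home, "tomcat")  # ${catalina.home} in LogicalDOC
    ssl = [c for c in root.iter("Connector") if c.get("SSLEnabled", "").lower() == "true"]
    ssl_ports = {c.get("port") for c in ssl}
    problems = []
    for conn in ssl:
        port = conn.get("port")
        if conn.get("scheme") != "https" or conn.get("secure") != "true":
            problems.append(f'port {port}: needs scheme="https" and secure="true"')
        cert = conn.find("SSLHostConfig/Certificate")
        if cert is not None:  # PEM files (certificate, private key, chain)
            if not (cert.get("certificateFile") and cert.get("certificateKeyFile")):
                problems.append(f"port {port}: certificateFile and certificateKeyFile are required")
            files = [v for k, v in cert.attrib.items() if k.startswith("certificate") and k.endswith("File")]
        elif conn.get("keystoreFile"):  # PKCS12 archive (.pfx / .p12)
            files = [conn.get("keystoreFile")]
            if conn.get("keystoreType") != "PKCS12":
                problems.append(f"port {port}: keystoreType must be PKCS12 for a .pfx/.p12 file")
            if not conn.get("keystorePass"):
                problems.append(f"port {port}: keystorePass is missing")
        else:
            files = []
            problems.append(f"port {port}: no SSLHostConfig/Certificate and no keystoreFile")
        for f in files:  # files belong in <LDOC_HOME>/conf, not under tomcat/
            path = os.path.normpath(f.replace("${catalina.home}", catalina_home))
            if path.startswith(catalina_home + os.sep):
                problems.append(f"{f}: stored inside tomcat/, which updates replace")
            if not file_exists(path):
                problems.append(f"{f}: not found at {path}")
    for conn in root.iter("Connector"):  # the non-SSL connector must redirect to the SSL port
        rp = conn.get("redirectPort")
        if conn not in ssl and rp and ssl_ports and rp not in ssl_ports:
            problems.append(f"redirectPort {rp} does not match SSL port(s) {sorted(ssl_ports)}")
    return problems
```

Run it on the real file with check_ssl_connectors(open(path).read(), "<LDOC_HOME>") before restarting the service; an empty list means no problems were found.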