...

Windows

Run the Tomcat Monitor.

Right click on the Apache Tomcat icon in the system tray and select Configure …

On the ‘General’ tab:

Set Startup Type to Automatic.

Unix

As the root user, install the “tomcat” script listed in Appendix A and create a softlink to it from the appropriate run-level directory. The run-level directories are specific to the particular Unix variant.

...

You may wish to install tomcat to support secure connections over SSL.

This is described in the standard tomcat documentation - for example https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html - but some notes are given here to get you started.

Type of certificate

If access to PhixFlow is only intended for people in your organisation, you may wish to create a self-signed certificate. This still provides a secure connection, but this will generate security warnings when users first connect, and they will not see a padlock in the address bar of their browser. If this is not acceptable to your users or by your company policy, or if you are going to provide access to people outside your organisation, you should obtain your certificate from a certificate authority (CA).

A list of certificate authorities is given on https://en.wikipedia.org/wiki/Certificate_authority.

Info

Two example installations are given here: a self-signed certificate on Ubuntu, and a self-signed certificate on Windows. These are the two most common platforms for PhixFlow, and the instructions are provided to help you set PhixFlow up quickly to operate securely over HTTPS.

Please remember that these are examples only: your organisation may have standards that apply to certificate installation and use, and you may need to use certificates from a certificate authority (CA). If you need to use certificates from a CA and there are no special standards in your organisation that apply to the installation process, you can follow the example installations below, taking the special steps indicated for CA certificates.

The examples use a Java tool called keytool, so you must have Java installed to follow these.

The examples are based on the tomcat documentation (https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html) - but note that there are alternative approaches. E.g. for ubuntu you can follow instructions for generating a self-signed certificate here: https://help.ubuntu.com/14.04/serverguide/certificates-and-security.html.

Overview

Every installation involves the following steps:

  1. Obtain a certificate - whether self-signed or from a certificate authority
  2. Create a keystore
  3. Tell tomcat where to find the keystore

Quick start for HTTPS access to PhixFlow

Warning

These quick start instructions will allow you to connect to PhixFlow over an HTTPS connection, but there are other security implications when setting up a production system using certificates, so you may need to check this setup against your company security policies. Consult the standard tomcat documentation for full details of alternative methods of installation.

The following instructions assume that you have Java installed.

Obtain certificate and create keystore

Using the Java tool keytool you can create a self-signed certificate and a keystore in one step.


Windows (run from a Command Prompt: the %JAVA_HOME% form is cmd.exe syntax and is not expanded by PowerShell, which uses $env:JAVA_HOME)

    "%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA -keystore pathToKeystoreFile

E.g.

    "%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA -keystore C:\app\secure\keystore

Linux

    $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore pathToKeystoreFile

E.g.

    $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/secure/keystore

To complete the command:

  • Enter a keystore password when prompted - keystorePasswd
  • Enter data about your company, contact name, etc - this information will be displayed when users access PhixFlow
  • Select the default option not to set a separate password for the private key; if you want to do this, consult the tomcat documentation for further details.
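The keytool command above is interactive, which is fine for a first setup but awkward for a scripted or repeatable install. The following is an added example written for this page (not PhixFlow's or Tomcat's own code) that drives the same keytool step from Python so it works unattended on both Windows and Linux: it pins the key size and validity, supplies the distinguished name up front, takes the password from an environment variable using keytool's -storepass:env form so it never appears in the process list or shell history, and tightens the permissions on the resulting keystore. The keystore path, alias, distinguished name and the KEYSTORE_PASSWORD variable name are placeholders chosen for the example.

```python
"""Create a self-signed certificate and keystore for Tomcat non-interactively.

Added example for this page; the paths, alias, DN and the KEYSTORE_PASSWORD
environment variable name are placeholders, not values from the documentation.
"""
import os
import shutil
import subprocess


def keytool_path():
    """Locate keytool via JAVA_HOME (as the page's commands do) or on PATH."""
    java_home = os.environ.get("JAVA_HOME")
    if java_home:
        exe = "keytool.exe" if os.name == "nt" else "keytool"
        candidate = os.path.join(java_home, "bin", exe)
        if os.path.exists(candidate):
            return candidate
    return shutil.which("keytool")


def keytool_genkey_args(keystore, alias="tomcat",
                        dname="CN=localhost, O=Example Org, C=GB",
                        validity_days=365, keysize=2048,
                        password_env="KEYSTORE_PASSWORD", storetype="JKS"):
    """Build the argument list for a one-step self-signed certificate + keystore.

    Compared with the interactive command on the page this pins the key size and
    validity, supplies the DN up front, and reads the password from an
    environment variable, so it is not visible in `ps` output or shell history.
    The key password is set to the same value, which is what Tomcat assumes when
    only keystorePass is given on the Connector.
    """
    return [
        "-genkeypair",               # same operation as the page's -genkey alias
        "-alias", alias,
        "-keyalg", "RSA",
        "-keysize", str(keysize),
        "-sigalg", "SHA256withRSA",
        "-validity", str(validity_days),
        "-dname", dname,
        "-storetype", storetype,     # JKS matches Tomcat 8.0's default keystoreType
        "-keystore", keystore,
        "-storepass:env", password_env,
        "-keypass:env", password_env,
    ]


def create_keystore(keystore, **kwargs):
    """Run keytool with the arguments above; fails loudly if a prerequisite is missing."""
    tool = keytool_path()
    if tool is None:
        raise RuntimeError("keytool not found: set JAVA_HOME or add it to PATH")
    password_env = kwargs.get("password_env", "KEYSTORE_PASSWORD")
    if not os.environ.get(password_env):
        raise RuntimeError("export %s before running" % password_env)
    subprocess.run([tool] + keytool_genkey_args(keystore, **kwargs), check=True)
    if os.name != "nt":
        os.chmod(keystore, 0o600)    # the keystore holds the private key: owner-only
    return keystore


def list_keystore(keystore, password_env="KEYSTORE_PASSWORD"):
    """Verify the result: returns keytool's listing (alias, dates, fingerprints)."""
    return subprocess.run([keytool_path(), "-list", "-v", "-keystore", keystore,
                           "-storepass:env", password_env],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Placeholder path; on Windows use something like C:\app\secure\keystore.
    ks = create_keystore("/opt/secure/keystore")
    print(list_keystore(ks))
```

Run it with the password exported first (for example `export KEYSTORE_PASSWORD=...` on Linux or `set KEYSTORE_PASSWORD=...` in a Command Prompt). The value you choose here is the one that goes into keystorePass in server.xml in the next step.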

Edit the tomcat configuration file

Edit the tomcat configuration file $TOMCAT/conf/server.xml as follows.

  • Find the connector specification like:

    <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
         This connector uses the NIO implementation that requires the JSSE
         style configuration. When using the APR/native implementation, the
         OpenSSL style configuration is required as described in the APR/native
         documentation -->
    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->

and update it to:

    <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
         This connector uses the NIO implementation that requires the JSSE
         style configuration. When using the APR/native implementation, the
         OpenSSL style configuration is required as described in the APR/native
         documentation -->
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="pathToKeystoreFile" keystorePass="keystorePasswd"
               clientAuth="false" sslProtocol="TLS" />

E.g.

    <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
         This connector uses the NIO implementation that requires the JSSE
         style configuration. When using the APR/native implementation, the
         OpenSSL style configuration is required as described in the APR/native
         documentation -->
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="C:\app\secure\keystore" keystorePass="Hjq43823LfgreN"
               clientAuth="false" sslProtocol="TLS" />

  • Restart tomcat. PhixFlow will now be available at

    https://localhost:8443/phixflow

Remove standard HTTP access

Edit the tomcat configuration file $TOMCAT/conf/server.xml to comment out the standard connection.

  • Update the connection like:

    <Connector port="8081" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />

to

    <!--
         <Connector port="8081" protocol="HTTP/1.1"
                connectionTimeout="20000"
                redirectPort="8443" />
    -->
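After editing server.xml for the two steps above (enabling the HTTPS connector and commenting out the plain HTTP one), it is worth checking the file rather than relying on a browser test alone. The script below is an added example written for this page, not PhixFlow's or Tomcat's own tooling: it parses server.xml, confirms that an SSLEnabled connector with a keystoreFile is active and that no plain HTTP connector is still live, and then checks file permissions, because keystorePass sits in clear text in server.xml, so that file and the keystore it names should be readable only by the account Tomcat runs as. The two sample server.xml fragments and the paths in them are constructed for the example; AJP connectors are deliberately ignored since they are not HTTP listeners.

```python
"""Audit a Tomcat server.xml after the HTTPS edits (added example, not PhixFlow code).

The SAMPLE_* fragments below are constructed; SAMPLE_AFTER is the state the edits
on this page leave the file in, SAMPLE_BEFORE is the shipped default.
"""
import os
import stat
import sys
import xml.etree.ElementTree as ET

SAMPLE_AFTER = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/opt/secure/keystore" keystorePass="keystorePasswd"
               clientAuth="false" sslProtocol="TLS" />
    <!--
    <Connector port="8081" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"""

SAMPLE_BEFORE = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8081" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->
  </Service>
</Server>
"""


def audit_connectors(server_xml_text):
    """Return a list of (code, detail) findings for the <Connector> elements.

    An empty list means an SSL-enabled connector with a keystore is configured and
    no plain HTTP connector is still active. Commented-out connectors are dropped
    by the XML parser, which is exactly the behaviour Tomcat itself has.
    """
    root = ET.fromstring(server_xml_text)
    findings, tls, plain_http = [], [], []
    for conn in root.iter("Connector"):
        proto = conn.get("protocol", "HTTP/1.1")
        if conn.get("SSLEnabled", "").lower() == "true":
            tls.append(conn)
        elif not proto.startswith("AJP"):     # AJP is not an HTTP listener
            plain_http.append(conn)

    if not tls:
        findings.append(("NO_TLS_CONNECTOR", 'no Connector has SSLEnabled="true"'))
    for conn in tls:
        port = conn.get("port", "?")
        if not conn.get("keystoreFile"):
            findings.append(("NO_KEYSTORE", "SSL connector on port %s has no keystoreFile" % port))
        if conn.get("scheme") != "https" or conn.get("secure", "").lower() != "true":
            findings.append(("SCHEME_NOT_HTTPS", "SSL connector on port %s should set "
                             'scheme="https" secure="true"' % port))
    for conn in plain_http:
        findings.append(("PLAIN_HTTP_ACTIVE", "port %s still accepts plain HTTP; "
                         "comment the Connector out" % conn.get("port", "?")))
    return findings


def mode_is_private(mode):
    """True when the permission bits grant nothing to group or others (e.g. 0600)."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def file_is_private(path):
    """True when `path` exists and only its owner can access it (POSIX mode bits;
    on Windows the ACL decides and this helper does not inspect it)."""
    return os.path.exists(path) and mode_is_private(stat.S_IMODE(os.stat(path).st_mode))


def audit_install(server_xml_path):
    """Run the connector checks on a real file and add permission findings.

    keystoreFile is checked as written; Tomcat resolves a relative path against
    $CATALINA_BASE, so use an absolute path in server.xml as the page's examples do.
    """
    with open(server_xml_path, encoding="utf-8") as fh:
        text = fh.read()
    findings = audit_connectors(text)
    if not file_is_private(server_xml_path):
        findings.append(("SERVER_XML_READABLE", server_xml_path +
                         " is readable by group/others but contains keystorePass"))
    for conn in ET.fromstring(text).iter("Connector"):
        ks = conn.get("keystoreFile")
        if ks and not file_is_private(ks):
            findings.append(("KEYSTORE_READABLE", ks + " is missing or readable by group/others"))
    return findings


if __name__ == "__main__":
    # Usage: python audit_server_xml.py $TOMCAT/conf/server.xml  (no argument: run on the sample)
    results = audit_install(sys.argv[1]) if len(sys.argv) > 1 else audit_connectors(SAMPLE_BEFORE)
    for code, detail in results:
        print("%-20s %s" % (code, detail))
    print("OK" if not results else "%d finding(s)" % len(results))
```

Run it against $TOMCAT/conf/server.xml after each edit; an empty result plus a successful connection to https://localhost:8443/phixflow is the state you want before restarting tomcat in production.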