...

If access to PhixFlow is only intended for people in your organisation, you may wish to create a self-signed certificate. This still provides an encrypted connection, but it will generate security warnings when users first connect, and they will not see a padlock in the address bar of their browser. If this is not acceptable to your users or under your company policy, or if you are going to provide access to people outside your organisation, you should obtain your certificate from a certificate authority (CA).

Both approaches are well documented on the web. For example:

Generate a self-signed certificate on ubuntu: https://help.ubuntu.com/14.04/serverguide/certificates-and-security.html.

From the website of a certificate authority: a list of certificate authorities is given on https://en.wikipedia.org/wiki/Certificate_authority.


Two example installations are given here: a self-signed certificate on ubuntu, and a self-signed certificate on windows. These are the two most common platforms for PhixFlow, and the instructions are provided to help you set PhixFlow up quickly to operate securely over HTTPS.

Please remember that these are examples only - your organisation may have standards that apply to certificate installation and use, and you may need to use certificates from a certificate authority (CA). If you need to use certificates from a CA and there are no special standards in your organisation that apply to the installation process, you can review the example installations below, following the special steps where indicated for CA certificates.

The examples use a Java tool called keytool, so you must have Java installed to follow these.

The examples are based on the tomcat documentation (https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html) - but note that there are alternative approaches. For example, for ubuntu you can follow the instructions for generating a self-signed certificate here: https://help.ubuntu.com/14.04/serverguide/certificates-and-security.html.

Overview

Every installation process contains the following steps:

  1. Obtain a certificate - whether self-signed or from a certificate authority
  2. Create a keystore
  3. Tell tomcat where to find the keystore

...

Obtain certificate

...

The rest of these instructions assume that:

...

and create keystore

Using the Java tool keytool you can create a self-signed certificate

...

Linux

  • Copy the private key to /etc/ssl/private, e.g.
sudo cp server.key /etc/ssl/private
  • Copy the certificate to /etc/ssl/certs, e.g.
sudo cp server.crt /etc/ssl/certs
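The copy step above, together with the openssl route that the linked ubuntu guide describes, as an added example that is not part of the PhixFlow documentation. It generates server.key and server.crt, installs them into the private/ and certs/ layout used above with the permissions a private key (owner-only) and a public certificate (world-readable) should have, and checks that the two files belong together. The destination root, host name and organisation are constructed placeholders: in production the root is /etc/ssl and the commands run as root or via sudo.

```shell
#!/bin/sh
# Added example, not from the PhixFlow page or the tomcat documentation.
# Generates a self-signed server certificate with openssl, installs the
# private key and certificate the way the page describes for /etc/ssl,
# and verifies that the installed key and certificate match.
# The ssl root is a parameter so the script can be tried in a scratch
# directory; pass /etc/ssl (as root) for a real installation.
set -eu

# make_self_signed <dir> <common-name> [days]
# Writes <dir>/server.key (unencrypted RSA-2048 key) and <dir>/server.crt
# (self-signed, SHA-256). The subject fields are placeholders; use your
# server's real host name as the CN.
make_self_signed() {
    dir=$1; cn=$2; days=${3:-365}
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/server.key" -out "$dir/server.crt" \
        -days "$days" -subj "/CN=$cn/O=Example Org" >/dev/null 2>&1
}

# install_tls_material <dir-with-key-and-cert> <ssl-root>
# Private key -> <ssl-root>/private/server.key, mode 0600 (owner only).
# Certificate -> <ssl-root>/certs/server.crt, mode 0644 (it is public).
install_tls_material() {
    src=$1; root=$2
    mkdir -p "$root/private" "$root/certs"
    install -m 600 "$src/server.key" "$root/private/server.key"
    install -m 644 "$src/server.crt" "$root/certs/server.crt"
}

# key_matches_cert <key> <cert>
# Returns 0 when the public key inside the certificate is the one that
# belongs to the private key; catches a copied-the-wrong-file mistake.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform PEM 2>/dev/null) || k=""
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || c=""
    if [ -n "$k" ] && [ "$k" = "$c" ]; then
        return 0
    else
        return 1
    fi
}

# file_mode <path> -> octal permission bits, e.g. 600 (GNU stat, as on ubuntu)
file_mode() {
    stat -c '%a' "$1"
}

# Usage, writing under ./tls-demo instead of /etc/ssl:
#   make_self_signed ./tls-demo/work phixflow.example.internal
#   install_tls_material ./tls-demo/work ./tls-demo/ssl
#   key_matches_cert ./tls-demo/ssl/private/server.key ./tls-demo/ssl/certs/server.crt \
#       && echo "key and certificate match"
```

The mode check matters more than the copy itself: a private key that is readable by other accounts on the server undermines the HTTPS setup regardless of how the certificate was obtained, and the key-to-certificate comparison is the quickest way to catch the two files having been swapped.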

...

and a keystore in one step.

Windows

"%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA -keystore <path to keystore file>

E.g.

"%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA -keystore C:\app\secure\keystore

Linux

$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore <path to keystore file>

E.g.

$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/secure/keystore


Enter a keystore password when prompted - <keystorePasswd>

Enter details about your company, contact name, etc. when prompted - this information is displayed to users when they access PhixFlow

Enter a private key password when prompted - <privateKeyPasswd>


Edit the tomcat configuration file


    <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
         This connector uses the NIO implementation that requires the JSSE
         style configuration. When using the APR/native implementation, the
         OpenSSL style configuration is required as described in the APR/native
         documentation -->
    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->
