PhixFlow Help
Configure Tomcat for HTTPS
You may wish to install tomcat to support secure connections over SSL, that is, via HTTPS.
This is described in the standard tomcat documentation - for tomcat 8 at https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html - but some notes are given here to get you started.
Type of certificate
If access to PhixFlow is only intended for people in your organisation, you may wish to create a self-signed certificate. This still provides a secure connection, but this will generate security warnings when users first connect, and they will not see a padlock in the address bar of their browser. If this is not acceptable to your users or by your company policy, or if you are going to provide access to people outside your organisation, you should obtain your certificate from a certificate authority (CA).
A list of certificate authorities is given in https://en.wikipedia.org/wiki/Certificate_authority.
Overview
The installation of a certificate will contain the steps:
- Obtain a certificate - whether self-signed or from a certificate authority
- Create a keystore
- Tell tomcat where to find the keystore
Quick start for HTTPS access to PhixFlow
These instructions will help you get an HTTPS connection to PhixFlow, using a self-signed certificate, on linux and windows.
These quick start instructions will allow you to connect to PhixFlow over an HTTPS connection, but there are other security implications when setting up a production system using certificates - in particular, whether you use a certificate from a certificate authority. Therefore, you may need to check this set up against your company security policies. Consult the standard tomcat documentation for full details.
The examples use a Java tool called keytool, so you must have Java installed to follow them.
Obtain certificate and create keystore
Using the Java tool keytool you can create a self-signed certificate and a keystore in one step.
Windows
"%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA -keystore pathToKeystoreFile
E.g.
"%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA -keystore C:\app\secure\keystore.jks
Linux
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore pathToKeystoreFile
E.g.
sudo mkdir /opt/tomcat/secure $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/tomcat/secure/keystore.jks sudo chown -R tomcat:tomcat /opt/tomcat/secure sudo chmod 500 /opt/tomcat/secure sudo chmod 400 /opt/tomcat/secure/keystore.jks
Ensure that you create your keystore in a location that is only accessible to privileged users
To complete the command:
- Enter a keystore password when prompted - keystorePasswd
- Enter information about your company, contact name, etc - this information will be displayed when users access PhixFlow
- Select the default option not to set a separate password for the private key; if you want to do this, consult the tomcat documentation for further details.
Edit the tomcat configuration file
Edit the tomcat configuration file $TOMCAT/conf/server.xml as follows.
- Find the connector specification like:
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443 This connector uses the NIO implementation that requires the JSSE style configuration. When using the APR/native implementation, the OpenSSL style configuration is required as described in the APR/native documentation --> <!-- <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" /> -->
and update it to:
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443 This connector uses the NIO implementation that requires the JSSE style configuration. When using the APR/native implementation, the OpenSSL style configuration is required as described in the APR/native documentation --> <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" keystoreFile="pathToKeystoreFile" keystorePass="keystorePasswd" clientAuth="false" sslProtocol="TLS" />
E.g.
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443 This connector uses the NIO implementation that requires the JSSE style configuration. When using the APR/native implementation, the OpenSSL style configuration is required as described in the APR/native documentation --> <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" keystoreFile="C:\app\secure\keystore" keystorePass="Hjq43823LfgreN" clientAuth="false" sslProtocol="TLS" />
By default, tomcat uses the port 8443 for SSL connections; if you want to use a different port, update the port setting of the connection details in the server.xml file
Because the password for the keystore is stored in the server.xml file, ensure that this file is only accessible to privileged users
- Restart tomcat. PhixFlow will now be available at
https://server:portNumber/webappName
E.g.
https://localhost:8443/phixflow
Remove standard HTTP access
Edit the tomcat configuration file $TOMCAT/conf/server.xml to comment out the standard connection.
- Update the connection like:
<Connector port="8081" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
to
<!-- <Connector port="8081" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" /> -->
Using a Certificate from a Certificate Authority
To use a certificate from a certificate authority, follow instructions in the standard tomcat documentation, e.g. the section Installing a Certificate from a Certificate Authority on the page https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html
Please let us know if we could improve this page feedback@phixflow.com