wiki:HttpsRemoteFiles

Configuring the Proteios server to access remote files via https

To let Proteios present a client certificate when it accesses remote files over https, it must be configured with the location of the certificate files and with a file holding the password to the certificate. Set the permissions on the certificate and password files so that only the tomcat user can read them: anyone who can read the key and its password can use the certificate. Note that the certificate entry in the keystore is selected by an alias (name), so that alias has to be configured as well.

Alternative 1: Settings in properties file (Proteios SE 2.20.0 and higher)

The preferred method is to set the connection parameters in the properties file connection.properties. Copy the template file client/servlet/conf/connection.properties.in to a file named connection.properties and add the following settings to the copy:

  • cert.alias = ALIAS (the alias, i.e. the name, of the certificate entry to use in the P12 file)
  • javax.net.ssl.keyStore = PATH_TO_P12_FILE (the path to the P12 keystore holding the certificate and key used for remote connections)
  • javax.net.ssl.trustStore = PATH_TO_JKS_FILE (the path to the JKS truststore with the host certificates to trust)
  • javax.net.ssl.trustStorePassword = JKS_TRUSTSTORE_PASSWORD

And the password to the P12 certificate specified either as:

  • javax.net.ssl.keyStorePassword = P12_KEYSTORE_PASSWORD

or

  • cert.passFile = PATH_TO_P12_PASSWORD_FILE

If javax.net.ssl.keyStorePassword is missing, Proteios tries to read the password from the file named by cert.passFile.

The connection.properties file must be readable by the tomcat user and, since it contains at least the truststore password and possibly the keystore password, should not be readable by other users. The same applies to the separate password file.
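A worked setup for Alternative 1, added here as an example (it is not part of Proteios): it writes the password file and connection.properties with owner-only permissions, then checks that both files are private and that the properties file carries every required key plus a usable password source (keyStorePassword, or else a readable cert.passFile, in the order described above). The property names are the ones listed above; the alias "my name", the paths and the passwords are placeholders. The demo uses the current user as owner so that it runs anywhere; on the server the owner is tomcat.

```shell
#!/bin/sh
# Added example, not part of Proteios: create the two files that
# "Alternative 1" needs and check them the way a reviewer would.
# Assumed: property names as on this page; all paths, the alias
# ("my name") and the passwords are placeholders.

# Write the P12 password to its own file, readable only by the owner.
# umask runs in a subshell so it does not leak into the caller.
write_pass_file() {
    # $1 = destination, $2 = password
    ( umask 077; printf '%s\n' "$2" > "$1" ) && chmod 600 "$1"
}

# Write connection.properties. javax.net.ssl.keyStorePassword is left out
# on purpose: Proteios then reads the password from cert.passFile, so the
# P12 password lives in exactly one file.
write_connection_properties() {
    # $1 = destination, $2 = alias, $3 = P12 path, $4 = JKS path,
    # $5 = JKS password, $6 = P12 password file
    ( umask 077
      {
          printf 'cert.alias = %s\n' "$2"
          printf 'javax.net.ssl.keyStore = %s\n' "$3"
          printf 'cert.passFile = %s\n' "$6"
          printf 'javax.net.ssl.trustStore = %s\n' "$4"
          printf 'javax.net.ssl.trustStorePassword = %s\n' "$5"
      } > "$1" ) && chmod 600 "$1"
}

# Return 0 when $1 is a regular file owned by user $2 (name or uid) whose
# group and other permission bits are all clear (e.g. 600 or 400), else 1.
check_private_file() {
    f=$1
    want_uid=$(id -u "$2" 2>/dev/null) || return 1
    [ -f "$f" ] || return 1
    if ! info=$(stat -c '%a %u' "$f" 2>/dev/null); then
        info=$(stat -f '%Lp %u' "$f" 2>/dev/null) || return 1   # BSD/macOS stat
    fi
    set -- $info                # $1 = octal mode, $2 = owner uid
    [ "$2" = "$want_uid" ] || return 1
    case $1 in *00) return 0 ;; *) return 1 ;; esac
}

# Return 0 when $1 names every required key and a usable P12 password
# source: javax.net.ssl.keyStorePassword, or else a readable cert.passFile.
check_connection_properties() {
    f=$1
    for key in cert.alias javax.net.ssl.keyStore \
               javax.net.ssl.trustStore javax.net.ssl.trustStorePassword; do
        grep -q "^$key[[:space:]]*=" "$f" || { echo "missing $key" >&2; return 1; }
    done
    grep -q '^javax.net.ssl.keyStorePassword[[:space:]]*=' "$f" && return 0
    passfile=$(sed -n 's/^cert\.passFile[[:space:]]*=[[:space:]]*//p' "$f")
    [ -n "$passfile" ] && [ -r "$passfile" ]
}

# Demo on a throwaway directory. On the server the owner is tomcat:
#   chown tomcat FILE && chmod 600 FILE;  check_private_file FILE tomcat
demo() {
    d=$(mktemp -d) || return 1
    write_pass_file "$d/proteios-p12.pass" 'placeholder-p12-password'
    write_connection_properties "$d/connection.properties" 'my name' \
        "$d/proteios-client.p12" "$d/trusted-hosts.jks" \
        'placeholder-jks-password' "$d/proteios-p12.pass"
    for f in "$d/proteios-p12.pass" "$d/connection.properties"; do
        if check_private_file "$f" "$(id -u)"; then
            echo "ok:   $f is private"
        else
            echo "FAIL: $f is readable by others or wrongly owned"
        fi
    done
    if check_connection_properties "$d/connection.properties"; then
        echo "ok:   connection.properties is complete"
    fi
    cat "$d/connection.properties"
    rm -rf "$d"
}

demo
```

Run check_private_file on both files after every deployment; a world-readable connection.properties is the most common way the truststore and P12 passwords end up exposed to every local account.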

Alternative 2: Settings as JVM parameters

Tomcat

The following JVM parameters need to be set for Tomcat:

  • -Djavax.net.ssl.keyStore=PATH_TO_P12_FILE
  • -Dcert.passFile=PATH_TO_P12_PASSWORD_FILE (or -Djavax.net.ssl.keyStorePassword=P12_KEYSTORE_PASSWORD)
  • -Dcert.alias=ALIAS
  • -Djavax.net.ssl.trustStore=PATH_TO_JKS_FILE
  • -Djavax.net.ssl.trustStorePassword=JKS_TRUSTSTORE_PASSWORD

This can be done in your tomcat.conf file. If a property value contains a space character (for example an alias such as my name), it cannot be passed reliably on the command line; put it in catalina.properties instead:
cert.alias=ALIAS
(for example cert.alias=my name)

FTP server

If the connection parameters are set in the properties file (alternative 1 above), no specific changes should be needed for the ftp server. Otherwise, make the following additions:

For the ftp server the startup script currently has to be edited by hand. Add a line at the beginning:
PROP="-Djavax.net.ssl.keyStore=PATH_TO_P12_FILE -Dcert.passFile=PATH_TO_P12_PASSWORD_FILE -Djavax.net.ssl.trustStore=PATH_TO_JKS_FILE -Djavax.net.ssl.trustStorePassword=JKS_TRUSTSTORE_PASSWORD -Dcert.alias=\"my name\""

And change the two lines that run 'su' so that $PROP is passed to java:
su - tomcat -c "nohup java -server $PROP -Xmx$MEMORY -cp $CLASSPATH se.lu.thep.coreftpd.ProteiosFTPServerControl -t\"$temp_dir\" -start $PORT&"
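The quoting point behind the catalina.properties advice for Tomcat above and the \"my name\" escaping in the FTP startup script, as an added example that is not part of Proteios: the option string is parsed twice (once by the shell that assigns $PROP or JAVA_OPTS, again by the shell that su -c starts), so an unquoted value containing a space arrives at java as two arguments. The -D names are the ones on this page; the paths are placeholders, and jvm_prop and set_catalina_property are hypothetical helpers.

```shell
#!/bin/sh
# Added example, not part of Proteios: why a JVM property value with a
# space (cert.alias=my name) cannot simply be appended to JAVA_OPTS or
# $PROP, and two ways of handling it. Assumed: the -D names from this
# page; file paths are placeholders.

# Count the argv entries a string of -D options turns into once the inner
# shell started by `su - tomcat -c "... $PROP ..."` parses it. java sees
# exactly these entries.
argv_count_after_su() {
    sh -c "n() { echo \$#; }; n $1"
}

# Produce -Dkey=value quoted so that it survives that second parse even if
# the value contains spaces or single quotes (an alternative to the
# backslash-escaped double quotes used in the startup script above).
jvm_prop() {
    esc=$(printf '%s' "$2" | sed "s/'/'\\\\''/g")
    printf '%s' "-D$1='$esc'"
}

# Set key=value in catalina.properties: replace an existing line for the
# key, else append. Tomcat reads this file itself, so no shell quoting is
# involved and spaces in the value are safe. This is the route the page
# recommends for Tomcat when a value contains a space.
set_catalina_property() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"
    grep -v "^$key=" "$file" > "$file.tmp" || true   # grep -v exits 1 when nothing is left
    printf '%s=%s\n' "$key" "$value" >> "$file.tmp"
    mv "$file.tmp" "$file"
}

demo() {
    pass='-Dcert.passFile=/etc/proteios/p12.pass'
    # Unquoted: the alias is split, java gets 3 arguments and a bogus "name".
    echo "unquoted:        $(argv_count_after_su "-Dcert.alias=my name $pass") args"
    # As in the startup script (PROP="... -Dcert.alias=\"my name\""): 2 args.
    echo "escaped as page: $(argv_count_after_su "-Dcert.alias=\"my name\" $pass") args"
    p=$(jvm_prop cert.alias "my name")
    echo "jvm_prop:        $p -> $(argv_count_after_su "$p") arg"
    f=$(mktemp)
    set_catalina_property "$f" cert.alias "my name"
    set_catalina_property "$f" cert.alias "my name"   # second call replaces, no duplicate
    echo "catalina.properties:"; cat "$f"; rm -f "$f"
}

demo
```

After editing the startup script, run the su line with `java` replaced by `printf '%s\n'` once to see the argument list the inner shell actually produces; a split alias shows up as a stray `name"` entry.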

Known problem

If Tomcat runs on Java 6, you may have to set the https.protocols property to be able to download files from Swestore:

-Dhttps.protocols=TLSv1,SSLv3

This can be set in JAVA_OPTS for Tomcat (on Ubuntu the file to edit is /etc/default/tomcat6). Note that the setting applies to every HTTPS connection the JVM makes, and that SSLv3 is broken (POODLE) and is disabled by default in later Java updates; list only the protocols the remote host actually requires, and prefer upgrading Java over re-enabling SSLv3.

Last modified on Sep 11, 2014, 8:55:13 AM