Configure Twproject on HTTPS

Running a web application over https is generally a good idea, and nowadays it is a must if your application is publicly exposed. Since release 6.3, running Twproject on https is necessary to enable desktop notifications.

Configuring Tomcat with an https certificate requires some IT skills, but there are several guides available online that can help you through the procedure.

The official Tomcat guidelines are available here:

https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html

Sometimes the guides supplied by the certificate authorities are simpler, so we suggest you check the one from your certificate provider before proceeding and pick the guide that is simplest for you.

Based on our experience, we have written a short guide that should not replace the one supplied by the certificate provider but can help you understand the main steps to follow.

This guide is written for Windows, but it will work for Linux too with some syntax changes.

The certification process consists of 4 phases:

  1. Private key generation
  2. Certification request to authority
  3. Certification Installation
  4. Tomcat configuration

Private key generation

To create the private key, open a command console and navigate to C:\Program Files\twproject\jre\bin (check your Twproject installation folder).

Now generate the key with the following command:

keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore
pwd: [keystorepassword]
last name: [Twproject public server name e.g. tw.acme.com]
organization unit: [your organization name e.g. IT Department]
Organization: [Your Company Name e.g. Acme]
city: [Your city]
state/province: [Your state/province]
country: [Your country code, two letters e.g. IT]

When asked again for a password, enter the same password as the keystore.

Certification request to authority

Now generate the certification request:

keytool -certreq -alias tomcat -file csr.txt -keystore tomcat.keystore

Send the request to the certification authority following your provider's guidelines. This could require several hours.

Certification Installation

Once your certificate is issued, download it and import it into the keystore:

keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file [certificate from CA.crt]

Tomcat configuration

First stop the Twproject service, then modify Tomcat's conf/server.xml to enable https:

<Connector port="80" enableLookups="false" redirectPort="443" URIEncoding="UTF-8" connectionTimeout="20000" disableUploadTimeout="true" maxHttpHeaderSize="1048576" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" />

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8" keystoreFile="C:\program files\twproject\https\tomcat.keystore" keystorePass="keystorepassword"/>

If you already have your .pfx file, containing both the secret key and the certificate, you have to change the server.xml configuration file in this way:

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8" keystoreFile="myCertificateFile.pfx" keystorePass="***" keystoreType="PKCS12"/>

To force https, add these tags to conf/web.xml:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire Application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
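
Before restarting, the two edited files can be sanity-checked with a short script. The following Python is an added example, not part of Twproject or Tomcat; the function names, the set of placeholder passwords and the embedded sample XML are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: this guide's config with the placeholder password left in.
SERVER_XML = r"""<Server><Service name="Catalina">
  <Connector port="80" redirectPort="443" URIEncoding="UTF-8"/>
  <Connector port="443" SSLEnabled="true" scheme="https" secure="true"
             sslProtocol="TLS" keystorePass="keystorepassword"
             keystoreFile="C:\program files\twproject\https\tomcat.keystore"/>
</Service></Server>"""
WEB_XML = """<web-app><security-constraint>
  <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint></web-app>"""
PLACEHOLDERS = {None, "", "changeit", "keystorepassword", "***"}  # assumed weak values

def check_server_xml(text):
    """Return findings for the HTTP and HTTPS connectors in server.xml."""
    findings = []
    # Lower-case attribute names so keystoreFile and KeystoreFile both match.
    conns = [{k.lower(): v for k, v in c.attrib.items()}
             for c in ET.fromstring(text).iter("Connector")]
    tls = [c for c in conns if c.get("sslenabled", "").lower() == "true"]
    if not tls:
        findings.append("no connector has SSLEnabled=true")
    for c in tls:
        port = c.get("port")
        if c.get("scheme") != "https" or c.get("secure") != "true":
            findings.append(f"port {port}: scheme/secure are not https/true")
        if not c.get("keystorefile"):
            findings.append(f"port {port}: keystoreFile is missing")
        if c.get("keystorepass") in PLACEHOLDERS:
            findings.append(f"port {port}: keystorePass is a default or placeholder")
    tls_ports = {c.get("port") for c in tls}
    for c in conns:
        if c not in tls and c.get("redirectport") not in tls_ports:
            findings.append(f"port {c.get('port')}: redirectPort is not a TLS connector")
    return findings

def forces_https(text):
    """True if a security-constraint maps /* to transport-guarantee CONFIDENTIAL."""
    local = lambda el: el.tag.rsplit("}", 1)[-1]  # ignore any XML namespace
    for sc in ET.fromstring(text).iter():
        if local(sc) == "security-constraint":
            seen = {(local(e), (e.text or "").strip()) for e in sc.iter()}
            if {("url-pattern", "/*"), ("transport-guarantee", "CONFIDENTIAL")} <= seen:
                return True
    return False
```

On the sample input, check_server_xml reports only the unchanged placeholder password, and forces_https returns True.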

 

At the end of this process, restart Tomcat.

This should be everything you need to run Twproject on https.