Configure RCM JBoss to only use secure communication methods

Document ID : KB000050046
Last Modified Date : 14/02/2018

Description:

By default, RCM Server is installed allowing unsecured communication over port 8080.

This document shows the steps required to set up RCM Server so that it only uses secure communication over HTTPS.

Solution:

Follow these steps to allow JBoss to communicate only over HTTPS (port 8443):

  1. Prerequisites:

    SSL Encryption
    Make sure that SSL encryption has been implemented according to the directions in the RCM installation guide, Chapter 3, "SSL, Authentication and Certificates" section (for example: keytool -genkey -alias name -keyalg RSA -keystore server.keystore).

    URL
    Make sure all references to the URL specify port 8443. (Exception: you may want to leave "tms.workflow.url" at port 8080 until the certificate has been imported into the JVM keystore; it will not work until after that step.)

    Property Settings:

    Figure 1

    Common Properties:

    Figure 2

    Server.xml

    Make sure the server.xml file is pointing to the keystore file you plan to use:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
        maxThreads="150" scheme="https" secure="true" clientAuth="false"
        sslProtocol="TLS"
        keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
        keystorePass="YOUR_PASS" />

    Validate

    Test the portal to make sure everything seems to be functional using port 8443.

    Otherwise, if things do not work after the changes, you cannot be certain whether the changes caused the problem.

    As you click around the portal, make sure the URL always uses https:

    https://<JBOSS_FQDN>:8443/eurekify/portal/

  2. Install the certificate into the JVM Keystore

    Export the certificate from the browser:

    Figure 3

    Figure 4

    Select "Copy to file..."

    Figure 5

    Use the DER encoded X.509 format.

    Figure 6

    Import the certificate into the JVM keystore, for example:
    keytool -import -alias rcmkey -keystore "D:\Program Files\Java\jdk1.5.0_22\jre\lib\security\cacerts" -file "D:\w1pvap179_der_x509.cer"

    Sample session:
    C:\Program Files\Java\jdk1.5.0_16\bin>keytool -import -alias RCMSP3 -keystore "C:\Program Files\Java\jdk1.5.0_16\jre\lib\security\cacerts" -file E:\rcmsp3.cer

    Enter keystore password:
    Owner: CN=RCMSP3, OU=Support, O=CA, L=London, ST=England, C=GB
    Issuer: CN=RCMSP3, OU=Support, O=CA, L=London, ST=England, C=GB
    Serial number: 4dff710b
    Valid from: Mon Jun 20 17:10:51 BST 2011 until: Sun Sep 18 17:10:51 BST 2011

    Certificate fingerprints:
    MD5: 37:99:99:2A:FC:E1:42:22:7E:36:03:C5:1E:06:6B:83
    SHA1: FD:75:04:03:E4:15:38:85:3C:3D:6D:32:82:0D:B6:CD:B4:6B:85:98
    Trust this certificate? [no]: yes
    Certificate was added to keystore

    When completed, restart JBoss.

  3. Update Workpoint to use port 8443

    In the Workpoint DB Administrator menu, select "Update Workpoint Processes" to use 8443 and https.

    Click "Update"

    Figure 7

    It will take about a minute to reload the workpoint processes.

    Figure 8

    At the bottom of the screen, look for the message:

    Figure 9

    Select "Update Host and Port in Workpoint Processes" to use 8443 and https.

    Figure 10

    Open Workpoint Designer to Validate:

    Figure 11

    Open any script

    Figure 12

    You should see that the URLs in the processes now point to port 8443 over https.

    Run the Workpoint checkup:

    Figure 13

    Make sure the URL now uses https

    Figure 14

    Figure 15

    Figure 16

    Test the portal:

    • Create a Campaign

    • Create a new role using the Role Management menu

  4. Turn off port 8080

    Stop JBoss

    Edit the server.xml file:
    ..\CA\RCM\Server\eurekify-jboss\server\eurekify\deploy\jbossweb.deployer\server.xml

    Comment out the section defining port 8080

    Restart JBoss

    Repeat the portal testing

    Verify in eurekify.log that the only ports JBoss is listening on are 8009 and 8443:

    INFO [org.apache.coyote.http11.Http11Protocol] Initializing Coyote HTTP/1.1 on http-8443
    INFO [org.apache.coyote.ajp.AjpProtocol] Initializing Coyote AJP/1.3 on ajp-0.0.0.0- 8009
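    As an added example (not part of the original KB article), the following Python script audits a server.xml and an eurekify.log excerpt for the HTTPS-only state described in steps 1 and 4: it lists HTTP connectors that are still live without SSLEnabled="true", checks that the 8443 connector carries the https/secure/keystoreFile attributes, and extracts the ports from the Coyote startup lines. The server.xml fragments, the log lines and the function names are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of the <Service> section of server.xml before step 4:
# the plaintext 8080 connector still sits beside the SSL connector from step 1.
SERVER_XML_BEFORE = """<Service name="jboss.web">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
      scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
      keystoreFile="${jboss.server.home.dir}/conf/server.keystore" keystorePass="YOUR_PASS" />
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
</Service>"""
# Constructed sample after step 4: the same file with the 8080 connector commented out.
SERVER_XML_AFTER = SERVER_XML_BEFORE.replace(
    '<Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />',
    '<!-- <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" /> -->')
# Constructed eurekify.log startup lines before and after step 4.
LOG_BEFORE = [
    "INFO [org.apache.coyote.http11.Http11Protocol] Initializing Coyote HTTP/1.1 on http-8080",
    "INFO [org.apache.coyote.http11.Http11Protocol] Initializing Coyote HTTP/1.1 on http-8443",
    "INFO [org.apache.coyote.ajp.AjpProtocol] Initializing Coyote AJP/1.3 on ajp-0.0.0.0- 8009"]
LOG_AFTER = LOG_BEFORE[1:]

def plaintext_http_connectors(server_xml):
    """Ports of live HTTP connectors lacking SSLEnabled="true" (commented-out ones never reach the parser)."""
    return [c.get("port") for c in ET.fromstring(server_xml).iter("Connector")
            if c.get("protocol", "").startswith("HTTP")
            and c.get("SSLEnabled", "false").lower() != "true"]

def ssl_connector_problems(server_xml, port="8443"):
    """Attributes the SSL connector on `port` must have but lacks (keystoreFile included)."""
    wanted = {"SSLEnabled": "true", "scheme": "https", "secure": "true"}
    for c in ET.fromstring(server_xml).iter("Connector"):
        if c.get("port") == port:
            missing = [k for k, v in wanted.items() if c.get(k) != v]
            return missing + ["keystoreFile"] * (not c.get("keystoreFile"))
    return ["no connector on port " + port]

# Tail of the Coyote startup line; "\s*" tolerates the space in "ajp-0.0.0.0- 8009".
PORT_RE = re.compile(r"Initializing Coyote \S+ on \S*-\s*(\d+)\s*$")

def listening_ports(log_lines):
    """Set of ports JBoss reports binding at startup."""
    return {int(m.group(1)) for m in map(PORT_RE.search, log_lines) if m}

def https_only(server_xml, log_lines, allowed=frozenset({8443, 8009})):
    """True when no plaintext HTTP connector is live, the SSL connector is complete and only 8443/8009 are bound."""
    return (not plaintext_http_connectors(server_xml)
            and not ssl_connector_problems(server_xml)
            and listening_ports(log_lines) <= allowed)
```

    Run it against the real server.xml and log after step 4; a non-empty list from the first two functions or a port outside 8443/8009 means the plaintext listener is still active.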

NOTE:
If Client Tools are installed on a different server from the main RCM/GM Server, the relevant certificates (server certificate and root CA) must be imported on the Client Tools machine in order to connect securely.

Figure 17