...
where KIUWAN_HOST and KIUWAN_PORT match the values of those properties as configured in settings.custom
Step 6. Making Kiuwan On Premise running on https
X.X Create your KOP SSL configuration file
SSL configuration is currently done by creating a configuration file (ssl.custom) within ssl directory
There's a file (ssl.tpl) you can use as a template to configure your own settings.
- cd ssl
- Create ssl.custom file by copying the template file
- cp ssl.tpl ssl.custom
- Edit the properties of ssl.custom file
PropertyName | Default value | Meaning |
|---|---|---|
| Commons | ||
| SSL_O | Your Organization | |
SSL_LOCALITY | Your Locality | |
| SSL_STATE | Your State | |
| SSL_COUNTRY | Your Country | |
| SSL_OU | Your Organization Unit | |
| Keystore | ||
| SSL_KS_PWD | Password for Keystore that will be created | |
| Aliases | ||
| SSL_ALIAS | wildfly | Alias of the Certificate to be created. |
| HTTPS_PORT | 443 | HTTPS port |
X.X Create the Private key and Certificate Signing Request (CSR) for your server
- within ssl directory execute the script CreateKey_and_ReqCSR.sh
- this script generates the CSR file under ssl/certs (named as <yourhost.yourdomain.com>.csr , as set by $KIUWAN_HOST configuration property)
- send CSR file to your CA (Certificate Authority)
- CA will send back to you two files
- CA's Certificate file (IMPORTANT: rename it to ca.crt )
- your host's Certificate file : for example yourhost.yourdomain.com.crt
- copy above files to ssl/certs directory
X.X Create the Keystore and switch from HTTP to HTTPS
- within ssl directory execute the script TransferFilesToContainer.sh
- this script transfers your server's certificate, your private key and CA's certificate to KOP container
also, it transfers the script templates that will be used to create the keystore and to change the configuration from http to https
within ssl directory execute the script run_create_Keystore.sh
- this script executes (into the container) the script create_Keystore.sh (created from template create_Keystore.tpl)
- within ssl directory execute the script run_change_ToHTTPS.sh
- this script stops wildfly service and executes the script change_ToHTTPS.sh (created from template change_ToHTTPS.tpl), this script will create files with .rollback extension of modified ones
- then, it starts wildfly service
X.X Just in case you are using your own CA, make it valid to your browsers and Java
If the certificate is signed by your own Certification Authority, the browsers will not recognize it as a valid CA and you will get an error messages such as:
Your connection is not private
Attackers might be trying to steal your information from youthost.yourdomain.com (for example, passwords, messages, or credit cards).
NET::ERR_CERT_AUTHORITY_INVALID
To solve this issue, you have to import your CA Certificate into your browser :
- In Chrome: Configuration >> Settings >> Advanced >> Manage certificates >> Import (ca.crt) into "Trusted root certification entity store"
Log in to the KOP container and execute next commands:
- cd /opt/jdk1.8.0_141/jre/lib/security/
- supervisorctl stop wildfly
- cp cacerts cacerts.bck.original
- keytool -import -noprompt -alias root -keystore cacerts -trustcacerts -file /<kiuwan_vol>/configurations/ssl/ca.crt -storepass changeit
- NOTE: change <kiuwan_vol> to the value of $KIUWAN_VOL (as configured in settings.custom)
- supervisorctl start wildfly
Then, log in to your docker server and make above changes persistent (i.e. to keep them after rebooting the container):
- docker commit <kop docker name> <kop docker image>
- NOTE: run 'docker ps' to get NAMES and IMAGE values of your KOP container
Advanced Configuration
As above specified, settings.custom file allows you to specify most (but not all) configuration parameters.
...