Implementing HTTPS In Contract Manager - Oracle


Implementing HTTPS in Contract Manager

Overview

This document intends to walk through the steps required to implement SSL / HTTPS on the Contract Manager Web server. HTTPS uses the SSL protocol to encrypt the data traveling between the Web server and the client workstation. This encryption helps protect the data being transmitted. A Digital Certificate is used to confirm the identity of the server.

This document is for Contract Manager installations on JBoss/Tomcat only. WebLogic users should review the WebLogic documentation for HTTPS implementation.

This document uses the following conventions for items that may need to be modified:

BOLD
Items in bold may need to be modified to match the environment being used. Examples in this document will use the defaults created by a standard installation (e.g. the drive and directory in which Contract Manager is installed).

ITALICS
Items in italics are values that must be created or modified based on the organization (for example, the name of the company or a password).

Please review this entire document before proceeding.

Before Beginning

Before beginning, prepare answers for the following questions. This information will be required.

Note: For Contract Manager using HTTPS, 12.0 to 12.1 upgrades are a special case. No modifications of the server.xml file are needed because it has already been modified for HTTPS at the 12.0 level, and is copied as is to the 12.1 location. Only the exponline.properties file needs to be modified as shown on page 6. For Standalone installs, the desktop shortcut URL addresses for both Contract Manager and Contract Manager Administration must be modified. Ensure that both shortcuts point to an https address (as opposed to an http address), and are using the proper port number.

1. Where is JBoss installed? The primary default location for all installs and upgrades is:
   C:\jboss-4.0.5.GA
   Examples in this document will refer to the default location as JBOSS_HOME.

2. Where is the Java SDK installed? The default location is C:\j2sdk1.5.0_13. Examples in this document will refer to this as JAVA_HOME.

3. What is the DNS name clients use to connect? Example: myserver.mycompany.com. This can usually be found by checking the address workstations use to connect to Contract Manager. An Internet Service Provider can help establish an external domain name.

4. Will a Certificate Authority be used?

Page – 1

A Certificate Authority acts as a Trusted Third Party to certify that the certificate can be trusted. Using a Certificate Authority allows the server to say "I trust this party to trust me" and the client to say "I trust this party to tell me I can trust this server". Most common Certificate Authorities are pre-authorized within Internet Explorer and other Web browsers.

Use of a Certificate Authority is optional. Without it, the digital certificate on the Web server will be "self-signed," and end users will be prompted to verify the identity of the server and accept the self-signed certificate.

5. When can the Contract Manager Web server be taken off-line? The Contract Manager Web server must be restarted for the changes to take effect. Prepare for a period of downtime in case problems are encountered.

6. What passphrase will be used for the certificate? This passphrase will only be used on the Web server. Client workstations will not need to know it. It is exclusively used when creating the certificate and configuring the Web Server. The sample passphrase peekaboo is used in examples in this document.

Setting Up HTTPS

Steps One through Four are all performed on the Contract Manager Web server.

Step One - Create A Certificate:

A digital certificate is needed to enable HTTPS. The Java SDK includes a utility called "keytool" which is used to create a Keystore file.

The following command can be run through Start > Run, or from a Command Prompt. Running these commands from a Command Prompt is recommended, because it will allow any error messages that appear to remain visible before the window is closed.

Commands shown are one continuous line. Where the document wraps to the next line, assume a space. After running this command, a prompt will appear asking for the passphrase. This is the same passphrase as used in the command line, entered after -keypass (your passphrase).

JAVA_HOME\bin\keytool -genkey -keyalg RSA -alias primavera -keystore JBOSS_HOME\server\<Your JBOSS domain for Contract Manager>\conf\primavera.keystore -keypass <your passphrase> -dname "CN=<your server's DNS name>, OU=<organizational unit>, O=<organization>, L=<city or locale>, S=<state or province>, C=<two-letter country abbreviation>"

In the preceding:
OU = Organizational Unit - such as the department or division within the company
O = Organization - such as the name of the company
L = City or locale - where the server or the company is located
S = State or Province - where the server or company is located
C = Two-letter country abbreviation - where the server or company is located

For Example:

C:\j2sdk1.5.0_13\bin\keytool -genkey -keyalg RSA -alias primavera -keystore C:\jboss-4.0.5.GA\server\cm\conf\primavera.keystore -keypass peekaboo -dname "CN=myserver.mycompany.com, OU=Customer Support, O=Primavera Systems, L=Bala Cynwyd, S=Pennsylvania, C=US"

Where: cm is your JBOSS domain for Contract Manager.

The preceding example created a file called primavera.keystore in:
C:\jboss-4.0.5.GA\server\cm\conf\

It tells the certificate that the server's name is myserver.mycompany.com, the Organization Unit is Customer Support within the Organization Primavera Systems in Bala Cynwyd in PA in US, and created the certificate with the passphrase peekaboo.

Note: The server name must match that which the clients enter into the address bar when connecting to the Contract Manager Web server. In this example, this value is myserver.mycompany.com. If the client connects to https://myserver.mycompany.com/ there will be no problem. Connecting to https://www.myserver.mycompany.com/ or https://myserver/ would prompt the user that the address to which they are connecting does not match the address entered in the certificate. This is a warning only. The end user can review the discrepancy and decide if they wish to proceed. More detail is provided in the "Connecting to Contract Manager Via HTTPS" section later in this document.

Step Two - Configuring Contract Manager to Use HTTPS

Once the digital certificate is created, Contract Manager must be configured to use it and communicate via the HTTPS protocol.

1. Stop the Contract Manager Web server.
2. Find the file SERVER.XML located in:
   JBOSS_HOME\server\<Your JBOSS domain for Contract Manager>\deploy\jbossweb-tomcat55.sar\
3. Make a backup copy of this file before proceeding. Open this file in Notepad. If the file opens in Notepad and is not readable, close the file and open it in WordPad. Edits to the file may be done in WordPad. However, you must save the file as Text Only.

The SERVER.XML file contains information for both HTTP and HTTPS communication. By default, it uses the HTTP parameters, and the HTTPS section is commented out.

The HTTP section must be commented out. This is done using the comment codes shown in the following image. See the sample image on the next page for an example of what this will look like.

To comment out a section:
1. Type the following before the area to comment: <!-- and type the following after: --> XML documents ignore the text located between the codes.

2. Remove the corresponding comments surrounding the HTTPS section.
3. Edit the following values:
   port - The port number the Web server uses to communicate. The default is 443.
   port="443"
   keystoreFile - The path to, and filename of, the primavera.keystore file. Use the following format:
   keystoreFile="JBOSS_HOME\server\<your JBOSS domain for Contract Manager>\conf\primavera.keystore"
   keystorePass - The passphrase used when creating the digital certificate (peekaboo in the examples).
   keystorePass="peekaboo"

After the modifications are made, the file should resemble the following example.

4. Save the file.

Next, do the following:
1. Find the file EXPONLINE.PROPERTIES located in:
   JBOSS_HOME\server\<Your JBOSS domain for Contract Manager>\lib\ext\com\primavera\exponline\common\
2. Make a backup copy of this file before proceeding, and then edit the file in Notepad.
3. Find the following two lines:
   WebProtocol=http
   WebPort=80
   Change them to the following:
   WebProtocol=https
   WebPort=443
4. Save the file. Contract Manager is now configured to use the HTTPS protocol with the digital certificate.
5. Start the Contract Manager Web server.

At this point, the Contract Manager Web server will start with the self-signed certificate. Log into Contract Manager and verify the configuration of HTTPS at this point.
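As an added example (not part of the Oracle/Primavera document), the following Python script checks that the SERVER.XML and EXPONLINE.PROPERTIES edits from Step Two agree with each other before the Web server is restarted: exactly one Connector must remain uncommented, it must be the HTTPS one, and its port must match WebPort. The embedded file contents are constructed samples; the Connector attribute names follow the Tomcat 5.5 SSL connector.

```python
"""Added example: check that the Step Two edits to SERVER.XML and
EXPONLINE.PROPERTIES agree before the Contract Manager Web server is
restarted. Not part of the original document; samples are constructed."""
import xml.etree.ElementTree as ET

# Constructed SERVER.XML fragment after Step Two: the HTTP Connector is
# wrapped in <!-- --> (so the XML parser ignores it), HTTPS is active.
SAMPLE_SERVER_XML = """<Server>
  <Service name="jboss.web">
    <!-- <Connector port="80" address="${jboss.bind.address}"
               maxThreads="250" connectionTimeout="20000" /> -->
    <Connector port="443" address="${jboss.bind.address}"
               scheme="https" secure="true" clientAuth="false"
               keystoreFile="C:\\jboss-4.0.5.GA\\server\\cm\\conf\\primavera.keystore"
               keystorePass="peekaboo" sslProtocol="TLS" />
  </Service>
</Server>
"""

# Constructed EXPONLINE.PROPERTIES lines after the edit.
SAMPLE_PROPERTIES = """WebProtocol=https
WebPort=443
JavaHome=C:\\j2sdk1.5.0_13
"""


def parse_properties(text):
    """Minimal Java .properties reader: key=value pairs, '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def check_https_config(server_xml, properties_text):
    """Return a list of problems; an empty list means the files agree."""
    problems = []
    # Commented-out Connectors are invisible to the parser: one must remain.
    active = list(ET.fromstring(server_xml).iter("Connector"))
    if len(active) != 1:
        return [f"expected one active Connector, found {len(active)}"]
    conn = active[0].attrib
    props = parse_properties(properties_text)
    if conn.get("scheme") != "https" or conn.get("secure") != "true":
        problems.append("Connector is not scheme=https secure=true")
    if not conn.get("keystoreFile", "").lower().endswith("primavera.keystore"):
        problems.append("keystoreFile does not point at primavera.keystore")
    if not conn.get("keystorePass"):
        problems.append("keystorePass is empty")
    if props.get("WebProtocol") != "https":
        problems.append("WebProtocol is not https")
    if props.get("WebPort") != conn.get("port"):
        problems.append(f"WebPort {props.get('WebPort')} != Connector port {conn.get('port')}")
    return problems


if __name__ == "__main__":
    print(check_https_config(SAMPLE_SERVER_XML, SAMPLE_PROPERTIES) or "OK")
```

Run it against the real files by reading them into the two arguments; a non-empty list names the edit that was missed, such as an EXPONLINE.PROPERTIES still set to http/80.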

Note: If the purpose of implementing HTTPS was solely to encrypt data sent across the network using the Secure Socket Layer, then no further steps are necessary. If HTTPS was implemented with the intention of reassuring end users that they are connecting to the correct server, then it may be desirable to replace the self-signed certificate with one signed by a Certificate Authority.

Only proceed with Steps 3 and 4 if a Certificate Authority will be used. It is recommended only to proceed after testing the server with a self-signed certificate to verify that Steps One and Two were completed properly.

Step Three - Create a "Certificate Signing Request" (CSR)

1. Stop the Contract Manager Web server.
2. Run the following command to create a Certificate Signing Request to submit to the Certificate Authority:

JAVA_HOME\bin\keytool -certreq -alias primavera -keystore JBOSS_HOME\server\<your JBOSS domain for Contract Manager>\conf\primavera.keystore -keypass <your passphrase> -file primavera.csr

Example:

C:\j2sdk1.5.0_13\bin\keytool -certreq -alias primavera -keystore C:\jboss-4.0.5.GA\server\cm\conf\primavera.keystore -keypass peekaboo -file primavera.csr

Where: cm is your JBOSS domain for Contract Manager.

The utility again prompts for the passphrase.

This will create a file called PRIMAVERA.CSR in the JAVA_HOME directory. Open this file in NOTEPAD. Its contents will resemble the following:

-----BEGIN NEW CERTIFICATE REQUEST-----
[base64-encoded request data]
-----END NEW CERTIFICATE REQUEST-----

Copy the entire contents of this file to submit to the Certificate Authority.

The response received from the CA will look similar, but without the word "REQUEST". Save the contents of the response as a new Notepad document, and save it with the name PRIMAVERA.CER in the JAVA_HOME\bin directory. Make sure Notepad does not append .TXT to the end of the file name. Also, ensure that there are no spaces at the end of, or following, the last line in the PRIMAVERA.CER file.

This is the certificate created in Step One "chained" together with the CA's "root" certificate.

Step Four - Import the Chained Certificate into the Keystore File:

Note: Some Certificate Authorities, including Verisign, may require an additional "Intermediate Certificate" to be imported prior to importing the Chained Certificate. Please review the CA's documentation before proceeding. More information on Verisign's Intermediate Certificate is covered in the FAQ section.

1. Run the following command to import the PRIMAVERA.CER:

JAVA_HOME\bin\keytool -import -alias primavera -trustcacerts -file JAVA_HOME\bin\primavera.cer -keystore JBOSS_HOME\server\<Your JBOSS domain for Contract Manager>\conf\primavera.keystore -keypass <your passphrase>

Example:

C:\j2sdk1.5.0_13\bin\keytool -import -alias primavera -trustcacerts -file C:\j2sdk1.5.0_13\bin\primavera.cer -keystore C:\jboss-4.0.5.GA\server\cm\conf\primavera.keystore -keypass peekaboo

Where: C:\jboss-4.0.5.GA is the JBOSS_HOME, and cm is your JBOSS domain for Contract Manager.

The digital certificate is now installed.

2. Start the Contract Manager Web server.

Connecting to Contract Manager via HTTPS

Now that Contract Manager has been modified to communicate via HTTPS, clients must change the URL to match. Open the Web browser on the computer(s) that will connect to Contract Manager and modify the shortcuts or bookmarks to match the new line/logon.jsp

Note the S in httpS above.

Warnings Users May Encounter

If the digital certificate created was not signed by a Certificate Authority, or a Certificate Authority that the browser does not recognize was selected, a dialogue box displays that prompts for permission to proceed:

Click Yes to proceed. Click View Certificate to view the contents of the security certificate.

Users will receive the preceding prompt every time they connect to Contract Manager. To permanently accept this security certificate, click View Certificate, and then click Install Certificate. Once permanently accepted, the preceding message no longer displays.

At the login page for Contract Manager, the Java Runtime Environment will prompt to accept its own security certificate.

Click Yes to accept this certificate for this session. Check "Always trust content from this publisher" to permanently accept this certificate.

If the address entered into the Address Bar of the browser does not match the server name contained within the digital certificate, users will receive a warning similar to the following:

Users can click "Run" to proceed. If this message is due to a typo or error in the digital certificate, the primavera.keystore file on the Web server can be deleted and recreated by returning to Step One described earlier in this document.

The browser is now connected to the Web server via a secure encrypted connection.

Note: The preceding sample warnings may change as software updates are delivered to Web browsers, Java, etc.

Frequently Asked Questions

1. Why implement HTTPS?
HTTPS allows communication between the client browser and the Web server to be encrypted instead of sending in "plain text". This makes it difficult for the communication to be intercepted and viewed by other parties.

2. Does that mean that with HTTPS, all the communication is impenetrable and other security measures are unnecessary?
No, as with any server, appropriate measures should be taken to safeguard the network, computer, and data. HTTPS is not a substitute for firewalls, safe password practices, and other security measures.

3. Are there any downsides to HTTPS?
Besides the time taken to implement, HTTPS does require a little more CPU usage on the server and the client. Additionally, the encrypted data tends to be larger than unencrypted data. As a result, there may be a small performance drop. How noticeable this is depends on the processing power of the Web server and the client computers, and the Internet or network connection between them. Most users do not experience a significant performance hit.

4. Can HTTPS and HTTP be used at the same time?

No, the Contract Manager Web server can only support one protocol at a time. If HTTPS is implemented, all clients must now use it to connect.

5. If HTTPS is implemented with a self-signed certificate, can that certificate be signed later by a Certificate Authority?
Yes. Simply pick up with Step Three above and proceed from there. Remember to restart the Contract Manager service.

6. The primavera.keystore file was created incorrectly. Can this be fixed?
Yes. Stop the Contract Manager Web server and delete the existing primavera.keystore file. Follow the instructions in the "Step One - Create A Certificate" section (described earlier in this document) to create a new one.

7. Does port 443 have to be used?
No. Any available port can be used for HTTPS communication. The URL that clients enter must now include :portnumber at the end of the server name. For example, if port 6557 is used, the URL must look like /logon.jsp

Please remember that regardless of which port number is used, any firewalls or routers must be configured to allow HTTPS traffic on this port. Run the Server Configuration utility, or edit SERVER.XML and EXPONLINE.PROPERTIES to make this change.

8. What needs to be done to revert to standard HTTP instead of HTTPS?
Simply undo the changes made to the SERVER.XML and EXPONLINE.PROPERTIES files. If backup copies of these files were made before modifying, revert to those backups. The primavera.keystore file can be deleted, or just left there - it will not be used in any way while set to HTTP.

9. How is Verisign's Intermediate CA Certificate installed?
From Verisign.com find the Intermediate CA Certificate that corresponds to your certificate purchase. Copy and paste this into Notepad and save the file as intermediateCA.cer in the JBOSS_HOME\bin folder. Be sure not to include any spaces or additional characters or lines at the end of the file.

Modify the following as needed:

JAVA_HOME\bin\keytool -import -alias intermediateCA -keystore JBOSS_HOME\server\<Your JBOSS domain for Contract Manager>\conf\primavera.keystore -trustcacerts -file JAVA_HOME\bin\intermediateCA.cer

Example:

C:\j2sdk1.5.0_13\bin\keytool -import -alias intermediateCA -keystore C:\jboss-4.0.5.GA\server\cm\conf\primavera.keystore -trustcacerts -file C:\j2sdk1.5.0_13\bin\intermediateCA.cer

Where: C:\jboss-4.0.5.GA is the JBOSS_HOME and cm is your JBOSS domain for Contract Manager.

Further detail is available at the following location:

upport/page dev020195.html

10. Where can I find more information about HTTPS, SSL, and Certificate Authorities?
The following websites can provide more information:
-howto.html
dia.org/wiki/Certificate_authority
http://en.wikipedia.org/wiki/Secure_Sockets_Layer

11. Is there a way to confirm the JAVA_HOME directory?
Contract Manager stores the path to the JAVA_HOME location within the exponline.properties file. The entry will resemble the following:
JavaHome=C:\j2sdk1.5.0_13

12. When will the Certificate expire?
By default, certificates will expire after 90 days. An expired certificate will not result in any loss of functionality. However, users will receive a warning message indicating the expiration.

To change the expiration of the certificate, use the -validity parameter when creating the certificate in the "Step One - Create A Certificate" section (described earlier in this document). Immediately following the parameter is a number representing days.

JAVA_HOME\bin\keytool -genkey -keyalg RSA -alias primavera -validity XXX -keystore JBOSS_HOME\server\<Your JBOSS domain for Contract Manager>\conf\primavera.keystore -keypass <your passphrase> -dname "CN=<your server's DNS name>, OU=<organizational unit>, O=<organization>, L=<city or locale>, S=<state or province>, C=<two-letter country abbreviation>"

For Example:

C:\j2sdk1.5.0_13\bin\keytool -genkey -keyalg RSA -alias primavera -validity 365 -keystore C:\jboss-4.0.5.GA\server\<Your JBOSS domain for Contract Manager>\conf\primavera.keystore -keypass peekaboo -dname "CN=myserver.mycompany.com, OU=Customer Support, O=Primavera Systems, L=Bala Cynwyd, S=PA, C=US"

Where: C:\jboss-4.0.5.GA is the JBOSS_HOME.

In the preceding example, -validity 365 sets the certificate to 365 days until expiration. This value may be changed to any number desired.

13. More questions or problems not covered in this document? Please do not hesitate to contact Primavera Technical Support!
In the United States: 1.610.949.6557
In the UK: 44.20.8563.5555
Hong Kong: 852.2111.8299
