You can optionally configure your Tomcat server to use HTTPS instead of HTTP for user access. Because HTTPS includes SSL encryption, this option alleviates concerns about exposing the data in clear text on the network.
Apache Tomcat is an open-source third-party product. Apache provides documentation to help you configure SSL for Tomcat in the Apache Tomcat SSL Configuration HOW-TO. You can use the Apache Tomcat HTTP Connector Reference to look up the definitions of the configuration properties that the HOW-TO document uses. You can also find other web tutorials that describe the configuration. Locate and follow the steps that are appropriate for the version of Apache Tomcat that your CA OPS/MVS release installed. There are three methods that you can use to create your keystore file.
Follow this step:
Note: For more information about trusted certificates, see the Apache Tomcat 7.0 on the Web (Apache Tomcat 7.0 SSL Configuration HOW-TO).
For example:
How to use OMVS (enter the following commands under TSO or ISPF):
OMVS
cd {CCS_installation_dir}/OPS/distrib
makeks
Note: The JCL job [hlq].OPS.CCLXCNTL(OPWBSVMK) lets you execute the makeks and listks scripts in a batch environment. You must customize this JCL before it is submitted at your site.
cd {CCS_installation_dir}/OPS/distrib
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore .keystore
A series of prompts appears:
For example:
Enter keystore password: tomcat
Re-enter new password: tomcat
What is your first and last name?
  [Unknown]: localhost
What is the name of your organizational unit?
  [Unknown]: CA
What is the name of your organization?
  [Unknown]: CA
What is the name of your City or Locality?
  [Unknown]: Pittsburgh
What is the name of your State or Province?
  [Unknown]: PA
What is the two-letter country code for this unit?
  [Unknown]: US
Is CN=localhost, OU=CA, O=CA, L=Pittsburgh, ST=PA, C=US correct?
After you use one of the three methods, continue with the following steps and complete the Tomcat configuration:
cd {CCS_installation_dir}/OPS/distrib
$JAVA_HOME/bin/keytool -list -keystore .keystore
The results appear like the following example:
Enter keystore password:
Keystore type: jks
Keystore provider: IBMJCE
Your keystore contains 1 entry
Alias name: tomcat
Creation date: Feb 3, 2014
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=tomcat, OU=CA, O=CA, L=Pittsburgh, ST=PA, C=US
Issuer: CN=tomcat, OU=CA, O=CA, L=Pittsburgh, ST=PA, C=US
Serial number: 114822b8
Valid from: 2/3/14 8:15 AM until: 5/4/14 9:15 AM
...
This port is the TLS connector. Specify a keystore file and a keystore password.
A typical connector element for an SSL port appears like the following example:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />
Important! You must uncomment this connector element if it is commented out. Comment blocks in this file are delimited by a starting token of "<!--" and an ending token of "-->".
Figure 1
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
           keystorePass="tomcat"
           keystoreFile="{CCS_installation_dir}/OPS/distrib/.keystore" />
We also recommend that you disable SSLv3 in your Internet browser and on your web clients before connecting to CA OPS/MVS web services. Disabling SSLv3 on either the client side or the server side mitigates the exposure to cyber-attack that arises from the recent compromises of the SSLv3 protocol.
Note: To avoid the potential for cyber-attack, we recommend that you disable SSLv3 in your Apache Tomcat web server. Specify the sslEnabledProtocols attribute (see Figure 1) with only the TLS protocols listed. This step avoids usage of the older SSL protocols. You can find documentation about the sslEnabledProtocols attribute in the JVM documentation under method SSLSocket.setEnabledProtocols(). See the Oracle JDK documentation for Java 7 or Java 8.
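The following is an added audit script, not part of the CA OPS/MVS documentation or of Tomcat, that reads a server.xml and reports every SSLEnabled connector that is missing the keystore attributes or still allows the legacy SSL protocols through sslEnabledProtocols. The embedded server.xml fragment is constructed for the example: its first connector is the bare template shown above, its second is the completed Figure 1 connector with a made-up keystore path.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragment (not a real installation).
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    <Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
               keystorePass="tomcat"
               keystoreFile="/u/ccs/OPS/distrib/.keystore" />
  </Service>
</Server>"""

# Protocol names that must not appear in sslEnabledProtocols.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3"}


def audit_connectors(server_xml: str) -> dict:
    """Return {port: [findings]} for every connector with SSLEnabled="true".

    An empty findings list means the connector has a keystore configured
    and only TLS protocols enabled.
    """
    root = ET.fromstring(server_xml)
    report = {}
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, out of scope here
        port = conn.get("port", "?")
        findings = []
        if not conn.get("keystoreFile"):
            findings.append("keystoreFile not set")
        if not conn.get("keystorePass"):
            findings.append("keystorePass not set")
        if conn.get("scheme") != "https" or conn.get("secure", "").lower() != "true":
            findings.append("scheme/secure not set for HTTPS")
        protos = conn.get("sslEnabledProtocols")
        if protos is None:
            # Without this attribute the JVM default protocol list applies.
            findings.append("sslEnabledProtocols not set; JVM default list applies")
        else:
            enabled = {p.strip() for p in protos.split(",") if p.strip()}
            bad = sorted(enabled & LEGACY_PROTOCOLS)
            if bad:
                findings.append("legacy protocols enabled: " + ", ".join(bad))
            if not any(p.startswith("TLSv") for p in enabled):
                findings.append("no TLS protocol enabled")
        report[port] = findings
    return report
```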
If you want to use client certificate authentication, follow these basic steps:
Note: For specific details about accomplishing these tasks, see the Apache Tomcat 7.0 SSL Configuration HOW-TO and the Java™ Secure Socket Extension (JSSE) Reference Guide.
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Tomcat</web-resource-name>
    <url-pattern>*.html</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
This test assumes that you retained the default TLS port number of 8443.
Copyright © 2014 CA Technologies.
All rights reserved.