Configuring REST API for HTTPS connection
Follow the steps given below to configure REST API for HTTPS connection.
Import the existing signed primary certificate into an existing Java keystore:
keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks
If you do not have a certificate, create a new keystore by using a new password to secure the certificate:
keytool -keystore keystore -alias jetty -genkey -keyalg RSA
After the keystore has been created, you must provide six parameters that form a distinguished name for a certificate associated with the key.
- CN—Common Name of the certificate owner (usually the name of the host)
- OU—Organizational Unit of the certificate owner
- O—Organization to which the certificate owner belongs
- L—Locality name of the certificate owner
- ST—State or province of the certificate owner
- C—Country of the certificate owner
Note
The keystore file is created in the current directory of the command window.
- Obfuscate the SSL connector keystore password for greater security.
For more information, see Obfuscating the password. Update the jetty-http.xml file with the new password for the keystore.
Note
* In <Set name="KeyStorePath"><Property name="jetty.home" default="." />/etc/keystore</Set>, remove <Property name="jetty.home" default="." />.
* Replace /etc/keystore/ with the actual path to the keystore.
Restart the AR System server.
After you restart the AR System server, the following warning is displayed and you may experience runtime errors.
WARN:oejob.JettyBootstrapActivator:main: OSGi support for java.util.ServiceLoader may not be present.
Perform the following steps to turn on logging for Jetty:
- Enable the Jetty log level in the arserver.config file for Windows and in the arserverd.conf file for Linux. Use the following JVM option:
-Dorg.eclipse.jetty.LEVEL=DEBUG
- Enable extra Jetty-related logs in the Jetty/etc/Jetty.xml file. Refer to the following code sample:
<Call class="org.eclipse.jetty.util.log.Log" name="getRootLogger">
  <Call name="setDebugEnabled">
    <Arg type="boolean">false</Arg>
  </Call>
</Call>
Here, set the boolean argument of setDebugEnabled to true.
Once you enable logging, the Jetty logs are displayed on the server console or in the armonitor.log file.
After you create a self-signed certificate, browsers and other programs issue warnings to users about an insecure certificate each time the user authenticates. You can prevent the certificate warning by adding the self-signed certificate to the Trusted Root Certification Authorities store. For more information, see Importing a certificate into the Trusted Root Certification Authorities store.
Obfuscating the password
The Jetty passwords are stored as clear text, obfuscated, check-summed, or in encrypted form. For the keystore, key, and truststore passwords, you must obfuscate the passwords. The class org.eclipse.jetty.util.security.Password is used to generate all types of secure passwords. Generate the password in the <install directory>\lib\start\startlevel1 directory. The following command is used to create a new password; the username parameter is optional:
java -cp jetty-util-9.4.11.v20180605.jar org.eclipse.jetty.util.security.Password username password
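The OBF: value that the Password tool prints is a reversible encoding, not encryption, so it only hides the keystore password from casual viewing of jetty-http.xml; file permissions on that file still protect the password. The following Python reimplementation is an added example (not BMC's or Jetty's own code, written to match the OBF: output of org.eclipse.jetty.util.security.Password) that shows both directions of the encoding.

```python
"""Jetty OBF: password obfuscation and its reverse, reimplemented in Python."""
import string

_ALPHABET = string.digits + string.ascii_lowercase  # base-36 digits, lowercase like Java's Integer.toString(i, 36)
_PREFIX = "OBF:"


def _to_base36(n: int) -> str:
    """Encode a non-negative integer in base 36 without padding."""
    if n == 0:
        return "0"
    digits = []
    while n:
        n, rem = divmod(n, 36)
        digits.append(_ALPHABET[rem])
    return "".join(reversed(digits))


def obfuscate(password: str) -> str:
    """Return the OBF: form of ``password`` (same scheme as Jetty's Password tool)."""
    raw = password.encode("utf-8")
    out = [_PREFIX]
    for i, b1 in enumerate(raw):
        b2 = raw[len(raw) - (i + 1)]          # byte mirrored from the other end of the password
        if b1 >= 0x80 or b2 >= 0x80:          # non-ASCII byte: 'U' plus 4 base-36 chars of b1*256+b2
            out.append("U" + _to_base36(b1 * 256 + b2).zfill(4))
        else:                                 # ASCII: 4 base-36 chars encoding a sum/difference pair
            i1 = 127 + b1 + b2
            i2 = 127 + b1 - b2
            out.append(_to_base36(i1 * 256 + i2).zfill(4))
    return "".join(out)


def deobfuscate(obf: str) -> str:
    """Recover the clear-text password from its OBF: form; no key is involved."""
    s = obf[len(_PREFIX):] if obf.startswith(_PREFIX) else obf
    raw = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "U":                       # 'U' chunk: the original byte is the high byte
            raw.append(int(s[i + 1:i + 5], 36) >> 8)
            i += 5
        else:                                 # plain chunk: (i1 + i2 - 254) / 2 == b1
            i1, i2 = divmod(int(s[i:i + 4], 36), 256)
            raw.append((i1 + i2 - 254) // 2)
            i += 4
    return raw.decode("utf-8")


if __name__ == "__main__":
    encoded = obfuscate("password")          # "password" is the sample value used in Jetty's own docs
    print(encoded, "->", deobfuscate(encoded))
```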
If you are using a reverse proxy, uncomment the below section from the jetty-http.xml file.
<Call name="addCustomizer">
<Arg><New class="org.eclipse.jetty.server.ForwardedRequestCustomizer"/></Arg>
</Call>
Reference topic
Configuring REST API for HTTP connection