Configuring SSL for the Tomcat server
To provide communication security among applications, configure SSL for the Apache Tomcat server. If you enabled SSL as part of installation, SSL is already configured. Otherwise, follow this procedure.
Best practice
Before you begin
Perform the BMC Digital Workplace installation.
Video demonstration: Configuring SSL for BMC Digital Workplace
Note
The following video shows an older version of BMC Helix Digital Workplace. (The previous product name was MyIT.) Although there might be minor changes in the user interface, the overall functionality remains the same.
To configure SSL for the Tomcat server
For more information about creating a certificate, see http://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html.
- Generate a self-signed certificate by running the following command:
%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA -keystore \path\to\my\keystore
A .keystore file is generated in %USERPROFILE% (Windows) or $HOME (Linux), and the file is protected with a password.
- Place the generated file in the CATALINA_BASE/external-conf folder.
- Update CATALINA_BASE/conf/server.xml to enable the HTTPS Connector:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" keystoreFile="${catalina.base}/external-conf/.keystore" keystorePass="Bmcmyit1" clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,SSLv2Hello"/>
You can find a sample server.xml file in the bsmapps\main\server\external\tomcat\conf folder.
- Restart the Tomcat server.
- To check the configuration, open https://localhost:8443/dwp/rest/version in a browser.
Upon initial access, a warning about a non-trusted certificate appears (because this is a self-signed certificate, not generated by a trusted CA). Click OK to continue.
To enable Strict-Transport-Security response header
To enable the Strict-Transport-Security response header for BMC Digital Workplace, which tells browsers that it should be accessed with HTTPS (instead of HTTP), uncomment the following code in digitalWorkplaceInstallationFolder/dwp/WEB-INF/web.xml and restart BMC Digital Workplace:
<init-param>
<param-name>Strict-Transport-Security</param-name>
<param-value>max-age=16070400</param-value>
</init-param>
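A configuration check for the two settings on this page, as an added example that is not part of the BMC documentation: it reads a server.xml for SSL-enabled Connectors that still list legacy protocols or carry a published keystorePass, and reads a web.xml to report whether the Strict-Transport-Security init-param is active or still commented out. The legacy-protocol list, the function names and the XML wrappers around the page's snippets are assumptions of this example.

```python
import xml.etree.ElementTree as ET

LEGACY_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}  # this example's list
KNOWN_PASSWORDS = {"Bmcmyit1", "changeit"}  # value printed on this page; Tomcat's default

def audit_server_xml(text):
    """Return (port, issue) findings for every SSL-enabled Connector."""
    findings = []
    for conn in ET.fromstring(text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "?")
        protocols = [p.strip() for p in conn.get("sslEnabledProtocols", "").split(",") if p.strip()]
        findings += [(port, f"legacy protocol enabled: {p}") for p in protocols if p in LEGACY_PROTOCOLS]
        if conn.get("keystorePass") in KNOWN_PASSWORDS:
            findings.append((port, "keystorePass is a published sample or default value"))
    return findings

def hsts_max_age(text):
    """Return the active Strict-Transport-Security max-age in seconds, else None."""
    local = lambda tag: tag.rsplit("}", 1)[-1]  # drop an XML namespace prefix, if any
    # ElementTree discards XML comments, so a still-commented init-param is not found.
    for elem in ET.fromstring(text).iter():
        if local(elem.tag) != "init-param":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in elem}
        if fields.get("param-name") == "Strict-Transport-Security":
            for part in fields.get("param-value", "").split(";"):
                key, _, value = part.strip().partition("=")
                if key.lower() == "max-age" and value.isdigit():
                    return int(value)
    return None

# Constructed samples: the page's Connector and init-param inside minimal wrappers.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
  keystoreFile="${catalina.base}/external-conf/.keystore" keystorePass="Bmcmyit1"
  sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,SSLv2Hello"/>
</Service></Server>"""
INIT_PARAM = ("<init-param><param-name>Strict-Transport-Security</param-name>"
              "<param-value>max-age=16070400</param-value></init-param>")
WEB_XML_COMMENTED = f"<web-app><filter><!-- {INIT_PARAM} --></filter></web-app>"
WEB_XML_ENABLED = f"<web-app><filter>{INIT_PARAM}</filter></web-app>"

if __name__ == "__main__":
    for port, issue in audit_server_xml(SAMPLE_SERVER_XML):
        print(f"Connector {port}: {issue}")
    print("HSTS max-age:", hsts_max_age(WEB_XML_COMMENTED), hsts_max_age(WEB_XML_ENABLED))
```

To check a real installation, pass the contents of CATALINA_BASE/conf/server.xml and digitalWorkplaceInstallationFolder/dwp/WEB-INF/web.xml to the two functions.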
Comments
How to enable SSL for DWP Catalog Server?
Thank you for the comment, Shekhar Raj. Please see Configuring access to the BMC Digital Workplace Catalog server over SSL. Hope this helps.
Regards,
Olha Horbachuk