Configure HTTPS and Certificate Stores in the Application Server
Configuration for SSL for MashZone NextGen can be defined in the application server that hosts the MashZone NextGen Server. These instructions discuss the basic steps for configuring SSL in Tomcat. See the Tomcat Documentation or the documentation for your application server for detailed information.
1. If you do not yet have a key store, trust store and certificate for the MashZone NextGen Server, find or create these stores and certificate. See The Certificate Store and Certificates for instructions.
2. Configure Tomcat for secure connections from clients to the MashZone NextGen Server:
   a. Edit the server.xml file for Tomcat to uncomment and configure the <Connector> element for SSL/HTTPS 1.1. For example:
      <Connector port="8443" protocol="HTTP/1.1"
                 SSLEnabled="true" maxHttpHeaderSize="8192"
                 maxThreads="150" minSpareThreads="25"
                 maxSpareThreads="75"
                 enableLookups="false" disableUploadTimeout="true"
                 acceptCount="100" scheme="https" secure="true"
                 clientAuth="true" sslProtocol="TLS"
                 keystoreFile="conf/tomcat.jks"
                 keystorePass="keystrpwd"
                 truststoreFile="conf/tomcat.jks"
                 truststorePass="truststrpwd" />
      This example uses the default Tomcat port, 8443, and mutual SSL (the client must also present a certificate), based on the clientAuth value. For a one-way connection, in which only the server is authenticated, set clientAuth to false. This example also uses the default Tomcat certificate store, conf/tomcat.jks, as both the key store and the trust store. See the Tomcat documentation for information on other properties.
   c. Enable MashZone NextGen to use secure session cookies:
      a. Open the web.xml file located in <MashZone NextGen installation>/apache-tomcat/webapps/mashzone/WEB-INF/ in a text editor.
      b. Find the session-config/cookie-config/secure element and change the value to true.
      Example (the element as shipped, before the change):
      <session-config>
        <session-timeout>30</session-timeout>
        <!--
          Set the "secure" flag to true when using HTTPS for enhanced security
        -->
        <cookie-config>
          <secure>false</secure>
        </cookie-config>
      </session-config>
      Note: Once this is set to true, only HTTPS access will be allowed.
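The two settings above (the SSL <Connector> in server.xml and the cookie-config/secure element in web.xml) are easy to get half right, for example by enabling SSL but leaving secure="false" on the connector, or by flipping the cookie flag while the connector still serves plain HTTP. The following script is an added example, not part of the MashZone NextGen or Tomcat documentation, that statically checks both files for the settings this page describes. The embedded server.xml and web.xml fragments are constructed samples modelled on the snippets above; the file paths, the check names and the keystore/truststore values are hypothetical.

```python
"""Static check of Tomcat SSL connector and secure-cookie settings (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample server.xml, modelled on the connector example on this page.
SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8443" protocol="HTTP/1.1"
               SSLEnabled="true" maxHttpHeaderSize="8192"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS"
               keystoreFile="conf/tomcat.jks" keystorePass="keystrpwd"
               truststoreFile="conf/tomcat.jks" truststorePass="truststrpwd"/>
  </Service>
</Server>"""

# Constructed sample web.xml with the secure flag still at its shipped value.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
      <secure>false</secure>
    </cookie-config>
  </session-config>
</web-app>"""


def _local(tag):
    """Strip an XML namespace prefix: '{ns}secure' -> 'secure'."""
    return tag.rsplit("}", 1)[-1]


def _is_true(value):
    """Tomcat treats attribute/element text case-insensitively; so do we."""
    return (value or "").strip().lower() == "true"


def find_ssl_connectors(server_xml):
    """Return one dict per <Connector> that has SSLEnabled="true"."""
    root = ET.fromstring(server_xml)
    found = []
    for conn in root.iter():
        if _local(conn.tag) != "Connector" or not _is_true(conn.get("SSLEnabled")):
            continue
        found.append({
            "port": conn.get("port"),
            "scheme": conn.get("scheme"),
            "secure": _is_true(conn.get("secure")),
            "mutual": _is_true(conn.get("clientAuth")),   # clientAuth="true" -> mutual SSL
            "keystoreFile": conn.get("keystoreFile"),
            "truststoreFile": conn.get("truststoreFile"),
        })
    return found


def check_ssl_connectors(server_xml):
    """Return a list of findings; an empty list means the SSL connector looks sound."""
    connectors = find_ssl_connectors(server_xml)
    if not connectors:
        return ['no <Connector> with SSLEnabled="true" found']
    findings = []
    for c in connectors:
        where = f"connector on port {c['port']}"
        if c["scheme"] != "https":
            findings.append(f'{where}: scheme should be "https" (got {c["scheme"]!r})')
        if not c["secure"]:
            # Without secure="true", request.isSecure() is false for this connector.
            findings.append(f'{where}: secure="true" is missing')
        if not c["keystoreFile"]:
            findings.append(f"{where}: keystoreFile is not set")
        if c["mutual"] and not c["truststoreFile"]:
            # Tomcat then falls back to the JVM default trust store (cacerts).
            findings.append(f'{where}: clientAuth="true" but no truststoreFile; '
                            "client certificates are checked against the JVM default trust store")
    return findings


def check_secure_cookie(web_xml):
    """True when session-config/cookie-config/secure is set to true."""
    root = ET.fromstring(web_xml)
    for session_config in root.iter():
        if _local(session_config.tag) != "session-config":
            continue
        for cookie_config in session_config:
            if _local(cookie_config.tag) != "cookie-config":
                continue
            for child in cookie_config:
                if _local(child.tag) == "secure":
                    return _is_true(child.text)
    return False   # element absent: the flag is not enabled


def audit(server_xml, web_xml):
    """Combine both checks into one report dict."""
    return {
        "connector_findings": check_ssl_connectors(server_xml),
        "secure_cookie": check_secure_cookie(web_xml),
    }


if __name__ == "__main__":
    report = audit(SERVER_XML, WEB_XML)
    for finding in report["connector_findings"]:
        print("server.xml:", finding)
    if not report["secure_cookie"]:
        print("web.xml: session-config/cookie-config/secure is not true")
```

Run as-is, the script reports only the web.xml finding, which is exactly the state this page tells you to change. In practice you would read the two files from <MashZone NextGen installation>/apache-tomcat/conf/server.xml and the web.xml path given above instead of the embedded samples; the checks themselves do not change.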