HTTPS

Common steps

1. Prepare

  • Before an HTTPS connection is created and linked to a Java Key Store (JKS), make a backup of the multiserver.conf file.
  • Use CMD to add Keytool to your path (use the real path to keytool), e.g.:
SET PATH=%PATH%;%PROGRAMFILES%\java\jre8\bin

2. Generate an X509 Certificate and Keystore

keytool -genkey -alias noodle.domain.tld -keysize 2048 -validity 365 -keyalg RSA -keystore noodle.jks

The alias MUST be the domain name (this restriction permits the use of SSL SNI). Wildcard aliases are supported.
Once this command has been entered, Keytool will ask some questions regarding your company. Enter information as follows:

  • Keystore Password: The first time you run this tool, it will create the keystore file protected by a password. You will need this password every time you access the keystore file.
  • First and Last name: MUST be the domain name, for example intranet.company.com.
  • Name of organizational unit: This is not the company name, but may be an internal department, e.g. Marketing Department.
  • Name of your organization: Your company name, e.g. Vialect Inc.
  • City or location, e.g. Windsor
  • State or Province, e.g. Ontario
  • 2-Letter Country code, e.g. CA
  • Certificate password: This can be the same as the password for the keystore file.

3. Get your Certificate signed

Popular Certificate Authorities (CA) include Let's Encrypt, Thawte, VeriSign, GoDaddy, Network Solutions.

  • Make a certificate signing request (CSR):
keytool -certreq -sigalg SHA256withRSA -alias noodle.domain.tld -keystore noodle.jks -file noodlecert.csr

Select "Tomcat" as the format when downloading your signed public key from your CA.

  • Import root certificates, if required:
keytool -import -alias carootcert -trustcacerts -file ca-root.crt -keystore noodle.jks
  • Import intermediate certificates, if required:
keytool -import -alias intermediate -trustcacerts -file intermediate.crt -keystore noodle.jks
  • Apply the Certificate Signature:
keytool -import -alias noodle.domain.tld -trustcacerts -file noodlecert.crt -keystore noodle.jks
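
One way to confirm that steps 2 and 3 took effect, as an added example that is not part of the Noodle documentation: the function below reads the text printed by keytool -list -v -keystore noodle.jks and checks that the alias holds a private key, that the certificate CN equals the alias, that the CA reply has replaced the self-signed certificate, and that the signature algorithm is not MD5 or SHA-1 based. The function name and the sample listings are constructed for illustration, and the parser assumes keytool's English output.

```python
import re

def check_entry(listing, alias):
    """Check `keytool -list -v` output (English locale assumed) for one alias.
    Returns a list of problems; an empty list means the entry looks ready."""
    # Every keystore entry starts at an "Alias name:" line.
    entries = re.split(r"(?m)^Alias name: ", listing)[1:]
    entry = next((e for e in entries
                  if e.split("\n", 1)[0].strip().lower() == alias.lower()), None)
    if entry is None:
        return [f"no entry with alias {alias}"]

    def field(name):  # first match = Certificate[1], the server's own certificate
        m = re.search(rf"(?m)^{name}: (.*)$", entry)
        return m.group(1).strip() if m else ""

    problems = []
    if field("Entry type") != "PrivateKeyEntry":
        problems.append("alias holds no private key; was the CA reply imported under another alias?")
    owner, issuer = field("Owner"), field("Issuer")
    cn = re.search(r"CN=([^,]+)", owner)
    if not cn or cn.group(1).strip().lower() != alias.lower():
        problems.append("certificate CN does not match the alias")
    if owner and owner == issuer:
        problems.append("certificate is still self-signed; CA reply not imported")
    sigalg = field("Signature algorithm name")
    if re.match(r"(?i)(MD5|SHA1)with", sigalg):
        problems.append(f"weak signature algorithm: {sigalg}")
    return problems

# Constructed sample listings, trimmed to the fields the check reads.
SUBJECT = "CN=noodle.domain.tld, OU=Marketing Department, O=Vialect Inc., L=Windsor, ST=Ontario, C=CA"
TEMPLATE = """Alias name: noodle.domain.tld
Entry type: PrivateKeyEntry
Certificate chain length: {n}
Certificate[1]:
Owner: {subject}
Issuer: {issuer}
Signature algorithm name: SHA256withRSA
"""
AFTER_STEP_2 = TEMPLATE.format(n=1, subject=SUBJECT, issuer=SUBJECT)
AFTER_STEP_3 = TEMPLATE.format(n=3, subject=SUBJECT, issuer="CN=Example Issuing CA, O=Example CA, C=US")

if __name__ == "__main__":
    print("after step 2:", check_entry(AFTER_STEP_2, "noodle.domain.tld"))
    print("after step 3:", check_entry(AFTER_STEP_3, "noodle.domain.tld"))
```

To check a real keystore, save the keytool listing to a text file and pass its contents as the first argument.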

4. Create an HTTPS Connection

4.1 Using a text editor

Edit multiserver.conf by adding and adjusting the following example:

Channel.CM_1.channel_0.Enabled = yes
Channel.CM_1.channel_0.Servlet = intranet
Channel.CM_1.channel_0.Url = "/"
Connection.CM_1.Type = https
Connection.CM_1.Port = 443
Connection.CM_1.ThreadTimeout = 1
Connection.CM_1.ClientTimeout = 1
Connection.CM_1.NumThreads = 1000
Connection.CM_1.QueueSize = 1000
Connection.CM_1.KeyManagerProvider = SunJSSE
Connection.CM_1.TrustManager = SUNX509
Connection.CM_1.KeyManagerAlgorithm = SUNX509
Connection.CM_1.KeyStoreProvider = JKS
Connection.CM_1.ClientAuthentication = false
Connection.CM_1.SSLContextProvider = SunJSSE
Connection.CM_1.SecureRandomProvider = SUN
Connection.CM_1.SecureRandomAlgorithm = SHA1PRNG
Connection.CM_1.Password = 123456
Connection.CM_1.KeyStoreLocation = "/opt/Noodle/noodle.jks"

4.2 Using the Enhydra Console

  • Open the Admin app on the Noodle server (port 8001 by default) with your web browser.
  • You will be prompted for a username and password (listed in multiserver.conf).
  • Click on
    • Intranet application
    • Connections tab
    • Create Connection button at the top-right
    • HTTPS radio button at the top
  • Leave the defaults, and update:
    • Key Store Location: should contain path and filename of the JKS
    • Password: should contain the JKS file password.
  • Click the Save State button on the left-hand menu.

Noodle can now be accessed using the HTTPS protocol.

Options

GUI

For those with command line phobia, use one of these tools:

Free

Consider a free certificate (not self signed) as an alternative to not using SSL.

Quick GoDaddy example

Redirect HTTP to HTTPS

Read how here.

Use Strong Encryption

Read how here.

Converting