Accessing Squore via HTTPS

You can configure WildFly to serve Squore Server over HTTPS instead of HTTP by following the instructions below.

Note

These instructions are based on the standard WildFly instructions from https://docs.jboss.org/author/display/WFLY10/Security+Realms#SecurityRealms-DetailedConfiguration for securing the web server and use a self-signed certificate managed in the Java keystore, which may show a warning in users' browsers.

If your company supplies its own certificate and you want to import it instead of generating one, refer to the instructions in the section called “Key and Certificate Management”.

Tip

It is also possible to use Apache as a reverse proxy on top of Squore Server to achieve the same result. For more information, consult the section called “Proxying Squore Server with Apache”.

  1. Generate a secret key/certificate and store it in a file called a "key store" (foo.keystore in the current directory). The certificate is valid for 30 years (10950 days). The password used for encryption is "secret". One important issue is the common name (CN) of the certificate. For some reason this is referred to as "first and last name". It should however match the name of the web server, or some browsers like IE will claim the certificate to be invalid although you may have accepted it already.

    $ keytool -genkey -alias foo -keyalg RSA -keystore foo.keystore -validity 10950
    Enter keystore password: secret
    Re-enter new password: secret
    What is your first and last name?
      [Unknown]:  foo.acme.com
    What is the name of your organizational unit?
      [Unknown]:  Foo
    What is the name of your organization?
      [Unknown]:  acme corp
    What is the name of your City or Locality?
      [Unknown]:  Duckburg
    What is the name of your State or Province?
      [Unknown]:  Duckburg
    What is the two-letter country code for this unit?
      [Unknown]:  WD
    Is CN=foo.acme.com, OU=Foo, O=acme corp, L=Duckburg, ST=Duckburg, C=WD correct?
      [no]:  yes
    
    Enter key password for <foo>
        (RETURN if same as keystore password):  secret
    Re-enter new password: secret
  2. Create a new security realm in WildFly's <SQUORE_HOME>/server/standalone/configuration/standalone.xml to configure an SSL Server identity:

    <management>
    	<security-realms>
    		<security-realm name="SslRealm">
    			<server-identities>
    				<ssl>
    					<keystore path="/path/to/foo.keystore" keystore-password="keystore_password" alias="foo" key-password="key_password" />
    				</ssl>
    			</server-identities>
    		</security-realm>
    		<security-realm name="ManagementRealm">
    		...
    		</security-realm>
    	</security-realms>
    </management>

    Note

    It is recommended to store configuration files outside of <SQUORE_HOME> to avoid losing them when upgrading your installation.

  3. Add an HTTPS listener next to the default HTTP listener in <SQUORE_HOME>/server/standalone/configuration/standalone.xml:

    <http-listener [...] name="default" socket-binding="http" [...] />
    <https-listener name="default-ssl" socket-binding="https" max-post-size="0" security-realm="SslRealm"/>

    Note

    After HTTPS access is configured and working correctly, it is recommended to remove the http connector completely.

  4. Configure secure session cookies by editing the default servlet-container.

    Warning

    Skip this step if your server redirects HTTP to HTTPS.

    Add secure="true" to the session-cookie element:

    <servlet-container name="default">
    		<jsp-config/>
    		<session-cookie http-only="true" secure="true"/>
    		<websockets/>
    </servlet-container>
  5. Start Squore Server. The SSL port is 8443 + the offset selected at installation. By default you should therefore be able to access the web interface via https://localhost:8543 in your browser.

If you need to leave the HTTP connector active, you can automatically redirect insecure traffic to HTTPS by modifying <SQUORE_HOME>/server/standalone/configuration/standalone.xml:

  1. Find the host section of the undertow subsystem and add a filter-ref element to match URLs using the server's HTTP port:

    <host name="default-host" alias="localhost">
    	<location name="/" handler="welcome-content"/>
    	<filter-ref name="http-to-https" predicate="not(equals(%A,'127.0.0.1')) and equals(%p,8180)"/>
    </host>
  2. Find the filters section of the undertow subsystem and add a rewrite element to redirect insecure requests to HTTPS:

    <filters>
    	<response-header name="server-header" header-name="Server" header-value="WildFly/10"/>
    	<response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
    	<rewrite name="http-to-https" target="https://localhost:8543%U" redirect="true"/>
    </filters>
  3. Start Squore Server and access http://localhost:8180 to verify that you are automatically redirected to https://localhost:8543.
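To check that all of the settings above (SSL realm with keystore, HTTPS listener, secure session cookie, and the HTTP-to-HTTPS redirect) are actually present in a standalone.xml before restarting, here is an added checker script. It is not part of the Squore or WildFly distribution; the embedded XML is a constructed sample built from the fragments in these instructions, and the element names and attribute values are those shown on this page.

```python
"""Check a WildFly standalone.xml for the HTTPS settings described above."""
import xml.etree.ElementTree as ET

# Constructed sample that mirrors the fragments shown in the instructions (not a real Squore file).
SAMPLE_XML = """<server xmlns="urn:jboss:domain:4.0">
 <management><security-realms><security-realm name="SslRealm"><server-identities><ssl>
  <keystore path="/etc/squore/foo.keystore" keystore-password="x" alias="foo" key-password="x"/>
 </ssl></server-identities></security-realm></security-realms></management>
 <subsystem xmlns="urn:jboss:domain:undertow:3.1">
  <server name="default-server">
   <http-listener name="default" socket-binding="http"/>
   <https-listener name="default-ssl" socket-binding="https" security-realm="SslRealm"/>
   <host name="default-host"><filter-ref name="http-to-https" predicate="equals(%p,8180)"/></host>
  </server>
  <servlet-container name="default"><session-cookie http-only="true" secure="true"/></servlet-container>
  <filters><rewrite name="http-to-https" target="https://localhost:8543%U" redirect="true"/></filters>
 </subsystem>
</server>"""

def _strip_ns(root):
    """Drop XML namespaces so the WildFly subsystem versions do not matter for matching."""
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root

def check_https_config(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = _strip_ns(ET.fromstring(xml_text))
    findings = []
    realms = {r.get("name"): r for r in root.iter("security-realm")}
    # Step 2 + 3: the https-listener must point at a realm that carries an ssl keystore identity.
    https = root.find(".//https-listener")
    if https is None:
        findings.append("no https-listener configured")
    elif (realms.get(https.get("security-realm")) is None
          or realms[https.get("security-realm")].find("server-identities/ssl/keystore") is None):
        findings.append("https-listener realm has no ssl keystore identity")
    # Step 4: session cookies must be marked secure and http-only.
    cookie = root.find(".//servlet-container/session-cookie")
    if cookie is None or cookie.get("secure") != "true" or cookie.get("http-only") != "true":
        findings.append("session-cookie is not secure+http-only")
    # If the http-listener is still present, a filter-ref must match a redirecting rewrite filter.
    if root.find(".//http-listener") is not None:
        refs = {f.get("name") for f in root.iter("filter-ref")}
        rewrites = {r.get("name") for r in root.iter("rewrite") if r.get("redirect") == "true"}
        if not refs & rewrites:
            findings.append("http-listener present without a redirect to HTTPS")
    return findings

if __name__ == "__main__":
    print(check_https_config(SAMPLE_XML) or ["all checks passed"])
```

Run it against your real file with `check_https_config(open(path).read())`; each finding names the step of the procedure that is still missing.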