Configuring SSL for Enhanced Data Security
This article provides a comprehensive guide on setting up a secure HTTPS connection for software, ensuring encrypted data transfer through SSL (Secure Sockets Layer) or via a Virtual Private Network (VPN). Following these steps, users can safeguard their data during transmission, mitigating the risk of unauthorized access or tampering.
Prerequisites
Before proceeding with the setup, ensure you have the following prerequisites in place:
- A certificate with its key pair (private and public key). You can create a self-signed certificate, purchase one from a public certificate authority, or use an internal certificate authority. If you use a self-signed certificate, the browser will warn you that the connection is not trusted; the communication is still encrypted!
- Access to the software's installation directory and the necessary configuration files.
Setting Up a Secure Connection:
1. Configuring SSL:
- Open the software's installation directory.
- Locate the server.xml file in the "/conf" folder.
- Adjust the values of keystoreFile, keystorePass, and keyAlias to configure SSL (see the examples below).
- Ensure port 8443 is configured accordingly.
- Verify connectivity by accessing the designated HTTPS URL.
Example Configuration with a Self-Signed Certificate (keystore.jks):
<Connector
    port="9001"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="150"
    SSLEnabled="true"
    scheme="https"
    secure="true"
    clientAuth="false"
    sslProtocol="TLS"
    URIEncoding="UTF-8"
    keyAlias="zapAudit"
    keystoreFile="C:/YourPathToKeyStoreFile/keystore.jks"
    keystorePass="YourKeystoreFilePassword"/>
Example Configuration with a .pem Certificate File:
<Connector
    port="9001"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="150"
    SSLEnabled="true"
    secure="true">
    <SSLHostConfig>
        <Certificate
            certificateKeyFile="C:/YourPathToCertificate/privkey.pem"
            certificateFile="C:/YourPathToCertificate/cert.pem"
            certificateChainFile="C:/YourPathToCertificate/chain.pem"
            certificateKeyPassword="YourOptionalCertificatePassword"/>
    </SSLHostConfig>
</Connector>
Use port 9001 for zapAudit and port 9002 for zapCash.
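As an added example (not part of the original article or of the zapAudit/zapCash product), the following Python check parses a server.xml fragment and reports the mistakes that most often break the HTTPS connector after editing: wrong port for the product, missing scheme/secure attributes, the BIO protocol class that Tomcat 8.5 no longer ships, and placeholder values left in the keystore or .pem attributes. The sample XML is constructed here; the placeholder detection assumes the article's "Your..." placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragment (not from a real installation): the
# article's keystore-style Connector with its placeholder values still in place.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="9001" protocol="org.apache.coyote.http11.Http11NioProtocol"
      maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
      clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8" keyAlias="zapAudit"
      keystoreFile="C:/YourPathToKeyStoreFile/keystore.jks"
      keystorePass="YourKeystoreFilePassword"/>
</Service></Server>"""

# Ports the article assigns to each product.
EXPECTED_PORTS = {"zapAudit": "9001", "zapCash": "9002"}

def is_placeholder(value):
    """Heuristic (assumption): the article's placeholders all contain 'Your'."""
    return not value or "Your" in value

def check_connector(xml_text, product):
    """Return a list of findings for the HTTPS Connector; an empty list means OK."""
    findings = []
    root = ET.fromstring(xml_text)
    ssl = [c for c in root.iter("Connector") if c.get("SSLEnabled", "").lower() == "true"]
    if not ssl:
        return ['no <Connector SSLEnabled="true"> found']
    c = ssl[0]
    if c.get("port") != EXPECTED_PORTS[product]:
        findings.append(f"port {c.get('port')} but {product} should use {EXPECTED_PORTS[product]}")
    if c.get("scheme") != "https" or c.get("secure", "").lower() != "true":
        findings.append('scheme="https" and secure="true" must both be set')
    if c.get("protocol", "").endswith(".Http11Protocol"):
        findings.append("BIO Http11Protocol was removed in Tomcat 8.5; use Http11NioProtocol")
    cert = c.find("SSLHostConfig/Certificate")
    if c.get("keystoreFile") is not None:          # keystore.jks variant
        for attr in ("keystoreFile", "keystorePass", "keyAlias"):
            if is_placeholder(c.get(attr, "")):
                findings.append(f"{attr} still holds a placeholder value")
    elif cert is not None:                         # .pem variant (chain file is optional)
        for attr in ("certificateKeyFile", "certificateFile"):
            if is_placeholder(cert.get(attr, "")):
                findings.append(f"{attr} still holds a placeholder path")
    else:
        findings.append("neither keystoreFile nor SSLHostConfig/Certificate is configured")
    return findings

if __name__ == "__main__":
    # Read the real file with open(".../conf/server.xml").read() in place of the sample.
    for finding in check_connector(SAMPLE_SERVER_XML, "zapAudit") or ["OK"]:
        print(finding)
```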
2. Editing Startup Configuration:
- Before launching the software, edit the "startscreen.html" document and replace "HTTP" with "HTTPS" so that the redirection uses the secure connection.
Creating a Self-Signed Certificate (keystore.jks)
- Use Java JDK 8 with administrator privileges. Other JDK versions (11, 16, etc.) are not compatible with the Tomcat 8.5 shipped with zapAudit/zapCash.
- Follow a detailed tutorial or use the following console command to create the keystore file:
"C:\Program Files\Java\jdk1.8.0_306\bin\keytool.exe" -genkey -keyalg RSA -noprompt -alias <alias> -dname "CN=localhost, OU=NA, O=NA, L=NA, S=NA, C=NA" -keystore "<path to the keystore>" -validity 9999 -storepass <password of keystore> -keypass <password of certificate>
- Adjust paths, alias, and other parameters to match your setup:
- The given path to keytool may differ from your path; keytool.exe is located in the bin folder of the JDK installation directory.
- The alias can be changed.
- The dname information is defined when the certificate is created and must match the information of the certificate.
- The keystore path is the location where the keystore file will be stored.
- Validity is optional. By default a value of 365 days is set.