How to set up a secure connection?

This article is about setting up an HTTPS connection for the software.

You can set up the software to encrypt the data transfer (data transfer with SSL). Alternatively, a private network (VPN) can be set up to shield the software's communication.

Prerequisites

  • You need a certificate and key pair (private and public key)
    • You can create this yourself (see "Creating a Self-Signed Certificate" below)
    • Or buy one from an official certificate authority (Note: your company may already have one)
  • After that, you can configure the software to use SSL
    If you use a self-signed certificate, the browser will show a warning that the connection is not trusted. The communication is still encrypted.

Configuring the software to use SSL

  1. Open the zap Audit installation directory
  2. Open the server.xml file in the folder "/conf" with an editor
  3. Adjust the corresponding values for keystoreFile, keystorePass and keyAlias from line 91 (see the box below)
  4. Port 8443 can be changed if necessary (but not the redirection from 9001, which is the zap Audit default port)
  5. Start the server and, after booting, check whether https://localhost:8443/zapliance/login.jsf is reachable (change localhost to the address of your server if necessary)

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" redirectPort="9001" keyAlias="tomcat" keystoreFile="F:/zapliance/ssl_tomcat/keystore.jks" keystorePass="YourPasswordWhichYouHaveChosenInTheCreationProcessOfTheKeystoreFile"/>


The integration of other certificate files is documented at the following link:
https://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Configuration

Creating a Self-Signed Certificate (keystore.jks)

  1. You will need a Java JDK and administrator privileges
  2. Check a detailed tutorial at:
    https://stackoverflow.com/questions/42541356/how-to-create-a-self-signed-ssl-certificatefor-use-with-tomcat
  3. Use the following console command (cmd.exe) to create the certificate file. Adjust the path to the Java keytool.exe as well as the name of the keystore.jks file and the two passwords:

    "C:\Program Files\Java\jdk1.8.0_121\bin\keytool.exe" -genkey -keyalg RSA -noprompt -alias zapAudit -dname "CN=localhost, OU=NA, O=NA, L=NA, S=NA, C=NA" -keystore "C:\Users\user\keystore.jks" -validity 9999 -storepass myPassword -keypass myPassword
  4. The keytool.exe file is located in the JDK installation directory
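The connector settings from "Configuring the software to use SSL" and the keytool alias from the self-signed certificate step have to agree before the server will start with HTTPS. The following Python script is an added example, not part of the zap Audit documentation or the product: it reads a server.xml, finds the SSLEnabled connector and reports the usual misconfigurations (keystore path that does not exist, keystorePass still set to the template text, keyAlias that differs from the alias given to keytool). The sample server.xml is constructed from the connector shown above; the keystore path and password in it are the article's placeholders.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample modelled on the connector shown in the article; the keystore
# path and password are the article's placeholders, not values from a real install.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="9001" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
    maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
    sslProtocol="TLS" redirectPort="9001" keyAlias="tomcat"
    keystoreFile="F:/zapliance/ssl_tomcat/keystore.jks"
    keystorePass="YourPasswordWhichYouHaveChosenInTheCreationProcessOfTheKeystoreFile"/>
</Service></Server>"""

PLACEHOLDER_PASS = "YourPasswordWhichYouHaveChosenInTheCreationProcessOfTheKeystoreFile"


def check_ssl_connector(server_xml, expected_alias, keystore_exists=os.path.isfile):
    """Return a list of (code, message) findings for every SSLEnabled connector.

    expected_alias is the value passed to keytool -alias when the keystore was
    created; keystore_exists can be replaced by a stub when no file is present.
    """
    findings = []
    root = ET.fromstring(server_xml)
    ssl = [c for c in root.iter("Connector") if c.get("SSLEnabled", "").lower() == "true"]
    if not ssl:
        return [("no-ssl-connector", 'no <Connector> has SSLEnabled="true"')]
    for c in ssl:
        port = c.get("port")
        if c.get("scheme") != "https" or c.get("secure", "").lower() != "true":
            findings.append(("scheme", f"port {port}: scheme/secure must be https/true"))
        if c.get("sslProtocol", "TLS").upper().startswith("SSL"):
            findings.append(("protocol", f"port {port}: sslProtocol should be TLS, not SSL"))
        ks = c.get("keystoreFile")
        if not ks:
            findings.append(("keystore-unset", f"port {port}: keystoreFile is not set"))
        elif not keystore_exists(ks):
            findings.append(("keystore-absent", f"port {port}: {ks} does not exist"))
        if c.get("keystorePass", "") in ("", PLACEHOLDER_PASS, "changeit"):
            findings.append(("password", f"port {port}: keystorePass is empty, the template text or the Java default"))
        alias = c.get("keyAlias")
        if alias and alias != expected_alias:
            findings.append(("alias", f"port {port}: keyAlias {alias!r} differs from keytool alias {expected_alias!r}"))
    return findings


if __name__ == "__main__":
    # Article values as-is: keystore absent, template password, keytool alias zapAudit != keyAlias tomcat.
    for code, msg in check_ssl_connector(SAMPLE_SERVER_XML, "zapAudit", lambda p: False):
        print(f"[{code}] {msg}")
```

Because keystorePass is stored in clear text in server.xml, restrict read access to the conf folder to the account that runs the server.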