This article is about setting up an HTTPS connection for the software.
You can set up the software to encrypt the data transfer (data transfer with SSL). Alternatively, a private network (VPN) can be set up to shield the software's communication.
Prerequisites
- You need a key certificate or a key pair (private and public key)
- You can create this yourself (see self-signed certificate below)
- Or buy one from an official certificate authority (note: your company may already have one)
- Or use an internal certificate authority to issue .pem certificate files yourself
- After that, you can configure the software to use SSL
If you use a self-signed certificate, the browser will provide a notification that the connection is not trusted. The communication is still encrypted!
After you have set up a secure HTTPS connection, you have to consider the following aspects:
- Before starting the software with startup/startscreen, edit the "startscreen.html" document and replace (Ctrl+F) "HTTP" with "HTTPS" so that you are redirected to https://localhost:9001/zapAudit/login.jsf or https://localhost:9002/zapCash/login.jsf
Configuring the software to use SSL
- Open the zapAudit installation directory
- Open the server.xml file in the folder "/conf" with an editor
- Adjust the corresponding values for keystoreFile, keystorePass and keyAlias (see box below).
- Port 8443 can be changed if necessary (but not the redirection from 9001, which is the zapAudit default port).
- Start the server and, after booting, check whether https://localhost:8443/zapAudit/login.jsf is reachable (change localhost to the address of your server if necessary).
Configuration of the connector in the server.xml with a self-signed certificate
Connector (with keystore):
<Connector
    port="9001"
    protocol="org.apache.coyote.http11.Http11Protocol"
    maxThreads="150"
    SSLEnabled="true"
    scheme="https"
    secure="true"
    clientAuth="false"
    sslProtocol="TLS"
    URIEncoding="UTF-8"
    keyAlias="zapAudit"
    keystoreFile="C:/YourPathToKeyStoreFile/keystore.jks"
    keystorePass="YourKeystoreFilePassword"/>
Configuration of the connector in the server.xml with a .pem certificate file:
<Connector
    port="9001"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="150"
    SSLEnabled="true"
    secure="true">
    <SSLHostConfig>
        <Certificate certificateKeyFile="C:/YourPathToCertificate/privkey.pem"
                     certificateFile="C:/YourPathToCertificate/cert.pem"
                     certificateChainFile="C:/YourPathToCertificate/chain.pem"
        />
    </SSLHostConfig>
</Connector>
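A small check script for the two connector variants above, added here as an example (it is not part of zapAudit/zapCash). It parses a server.xml, finds every SSL-enabled Connector and reports the settings that are missing or still carry the placeholder values from this article; the embedded server.xml is a constructed sample that mirrors both variants plus a plain HTTP connector. Run it with the path to your own server.xml to check the real file, including whether the referenced keystore or .pem files exist.

```python
"""Sanity-check the SSL connector(s) in a Tomcat server.xml (added example)."""
import os
import xml.etree.ElementTree as ET

# Constructed sample mirroring the article's keystore and .pem connectors.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="9001" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8"
               keyAlias="zapAudit"
               keystoreFile="C:/YourPathToKeyStoreFile/keystore.jks"
               keystorePass="YourKeystoreFilePassword"/>
    <Connector port="9002" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" secure="true">
      <SSLHostConfig>
        <Certificate certificateKeyFile="C:/YourPathToCertificate/privkey.pem"
                     certificateFile="C:/YourPathToCertificate/cert.pem"
                     certificateChainFile="C:/YourPathToCertificate/chain.pem"/>
      </SSLHostConfig>
    </Connector>
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="9001"/>
  </Service>
</Server>
"""

# Substrings that show a value was copied from the article and never edited.
PLACEHOLDER_MARKERS = ("YourPath", "YourKeystore", "changeit")


def _is_placeholder(value):
    return any(marker in value for marker in PLACEHOLDER_MARKERS)


def check_connector(conn, check_files=False):
    """Return findings for one <Connector>; [] means it looks complete.
    Plain HTTP connectors (SSLEnabled != true) are skipped."""
    findings = []
    if conn.get("SSLEnabled", "").lower() != "true":
        return findings
    port = conn.get("port", "?")
    # scheme/secure are what the web application sees (request.isSecure(),
    # generated redirect URLs); SSLEnabled alone does not set them.
    if conn.get("scheme") != "https":
        findings.append(f'port {port}: scheme="https" missing')
    if conn.get("secure", "").lower() != "true":
        findings.append(f'port {port}: secure="true" missing')

    certs = conn.findall("./SSLHostConfig/Certificate")
    if certs:
        # .pem variant: private key and certificate come from separate files
        for cert in certs:
            for attr in ("certificateKeyFile", "certificateFile"):
                value = cert.get(attr)
                if not value:
                    findings.append(f"port {port}: <Certificate> lacks {attr}")
                elif _is_placeholder(value):
                    findings.append(f"port {port}: {attr} still holds the placeholder path")
                elif check_files and not os.path.isfile(value):
                    findings.append(f"port {port}: {attr} not found: {value}")
    else:
        # keystore variant
        keystore = conn.get("keystoreFile")
        if not keystore:
            findings.append(f"port {port}: neither keystoreFile nor <SSLHostConfig> configured")
        elif _is_placeholder(keystore):
            findings.append(f"port {port}: keystoreFile still holds the placeholder path")
        elif check_files and not os.path.isfile(keystore):
            findings.append(f"port {port}: keystoreFile not found: {keystore}")
        password = conn.get("keystorePass")
        if password is None:
            # Tomcat falls back to the well-known default keystore password
            findings.append(f'port {port}: keystorePass not set (Tomcat defaults to "changeit")')
        elif _is_placeholder(password):
            findings.append(f"port {port}: keystorePass still holds the placeholder value")
        if not conn.get("keyAlias"):
            findings.append(f"port {port}: keyAlias not set; Tomcat will use the first key in the keystore")
    return findings


def check_server_xml(xml_text, check_files=False):
    """Run check_connector over every <Connector> and return all findings."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        findings.extend(check_connector(conn, check_files))
    return findings


def https_connectors(xml_text):
    """Ports (as strings) of all SSL-enabled connectors."""
    root = ET.fromstring(xml_text)
    return [c.get("port") for c in root.iter("Connector")
            if c.get("SSLEnabled", "").lower() == "true"]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text, real_file = fh.read(), True
    else:
        text, real_file = SAMPLE_SERVER_XML, False
    for line in check_server_xml(text, check_files=real_file) or ["no findings"]:
        print(line)
```

On the sample the script reports the unedited placeholder paths and password for port 9001 and, for port 9002, the missing scheme="https" plus the placeholder .pem paths; the 8080 connector is ignored.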
Creating a Self-Signed Certificate (keystore.jks)
- You will need a Java JDK 8 and administrator privileges (other JDKs such as 11 or 16 are not compatible with the Tomcat 8.5 used by zapAudit/zapCash).
- Check a detailed tutorial at:
https://stackoverflow.com/questions/42541356/how-to-create-a-self-signed-ssl-certificatefor-use-with-tomcat
- Use the following console command (cmd.exe) to create the certificate file. Adjust the directory of the Java keytool.exe as well as the name of the keystore.jks file and the two passwords:
"C:\Program Files\Java\jdk1.8.0_306\bin\keytool.exe" -genkey -keyalg RSA -noprompt -alias <alias> -dname "CN=localhost, OU=NA, O=NA, L=NA, S=NA, C=NA" -keystore "<path to the keystore>" -validity 9999 -storepass <password of keystore> -keypass <password of certificate>
- The given path to the keytool may differ from your path.
- The alias can be changed (it is the value you enter as keyAlias in server.xml).
- The dname information is written into the certificate when it is created; adjust it to the details the certificate should contain.
- The path of the keystore is the path where the keystore file will be created.
- Validity is optional. By default a value of 365 days is set.