SSL is disabled by default for Workbench as a server.
To enable SSL security between Workbench and its clients, you must do the following:
Set up a certificate for the Workbench server. For details, see the Oracle Commerce Guided Search Security Guide. The server certificate for Workbench must be issued to the fully qualified domain name of the server.
Modify the server.xml file for the Endeca Tools Service to enable the HTTPS connector and point to the new keystore.
Clients can make secure connections to Workbench either by taking advantage of a redirect from the non-SSL port or, if you have disabled the non-SSL port or do not wish to use the redirect, by making an HTTPS connection directly to the SSL port.
Workbench supports version 3.0 of the Secure Sockets Layer (SSL) protocol for its communication endpoints.
The non-SSL version of Oracle Commerce Workbench is installed by default.
To enable the SSL version of Workbench:
Navigate to %ENDECA_TOOLS_CONF%\conf\Standalone\localhost (on Windows) or $ENDECA_TOOLS_CONF/conf/Standalone/localhost (on UNIX).
Locate the line in which the docBase is defined. For example:
docBase="${catalina.base}/../webapps/workbench-legacy-tools-3.1.1.war"
Note: The file name in the example may not match the one in your installation.
Change this to point to the SSL version of the WAR by adding -ssl to the filename.
For example:
docBase="${catalina.base}/../workbench-legacy-tools-3.1.1-ssl.war"
If you want to restore the non-SSL version at a later date, you can reverse the process by editing the ROOT.xml file accordingly.
Before you can use SSL with Workbench, you must edit its server.xml file as described.
This procedure assumes you have already generated server certificates for Workbench as described in the Oracle Commerce Guided Search Security Guide and uploaded them to the Endeca Workbench server.
To enable the HTTPS connector:
Navigate to %ENDECA_TOOLS_CONF%\conf (on Windows) or $ENDECA_TOOLS_CONF/conf (on UNIX).
Locate and remove the comments around the Connector element for port 8446 as follows:
<Connector port="8446" SSLEnabled="true"
           protocol="org.apache.coyote.http11.Http11Protocol"
           maxPostSize="0" maxThreads="150"
           scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="conf/eac.ks" keystorePass="eacpass"
           truststoreFile="conf/ca.ks" truststorePass="eacpass" />
Optionally, change the port number to something other than 8446 if you do not want to use that default.
If you do not use the default port, update the redirectPort attribute on the non-SSL HTTP connector to point to the new port as in the following example:
<!-- Define a non-SSL HTTP/1.1 Connector on port 8006 -->
<Connector port="8006" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="true" redirectPort="8446" acceptCount="10"
           connectionTimeout="60000" disableUploadTimeout="true"
           debug="0" URIEncoding="UTF-8"/>
If you want to disable the redirect from the non-secure port to the secure port, comment out the non-SSL connector in the server.xml file. By default, the redirect is enabled.
Update the keystoreFile, keystorePass, truststoreFile, and truststorePass with the appropriate values for your certificates.
The keystoreFile and truststoreFile values should be the paths to the location where you uploaded your keystore and truststore files. These paths can be specified as absolute paths, or paths relative to ENDECA_TOOLS_CONF, although the files themselves can be located anywhere on the server.
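A check for the edited server.xml, as an added example that is not part of the Oracle documentation: it reports an HTTPS connector that is still commented out, a redirectPort that no longer matches the HTTPS connector port, and keystore or truststore passwords left at the value shown in the example connector above. The function name audit_server_xml and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragment (not from a real installation); it
# reuses the connector attributes shown on this page, with the HTTPS port
# changed to 8443 while redirectPort was left at 8446.
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="8006" redirectPort="8446" URIEncoding="UTF-8"/>
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"
             keystoreFile="conf/eac.ks" keystorePass="eacpass"
             truststoreFile="conf/ca.ks" truststorePass="eacpass"/>
</Service></Server>"""

EXAMPLE_PASS = "eacpass"  # password shown in the page's example connector

def audit_server_xml(xml_text):
    """Return a list of findings for the Workbench HTTPS connector setup."""
    findings = []
    ssl, plain = [], []
    # ElementTree drops XML comments, so a connector that is still commented
    # out does not appear in this iteration at all.
    for c in ET.fromstring(xml_text).iter("Connector"):
        (ssl if c.get("SSLEnabled", "").lower() == "true" else plain).append(c)
    if not ssl:
        return ["no active SSLEnabled connector (still commented out?)"]
    ssl_ports = {c.get("port") for c in ssl}
    for c in plain:
        rp = c.get("redirectPort")
        if rp and rp not in ssl_ports:
            findings.append(f"connector {c.get('port')}: redirectPort {rp} "
                            "does not match an HTTPS connector port")
    for c in ssl:
        for attr in ("keystoreFile", "truststoreFile"):
            if not c.get(attr):
                findings.append(f"connector {c.get('port')}: {attr} not set")
        for attr in ("keystorePass", "truststorePass"):
            if c.get(attr) == EXAMPLE_PASS:
                findings.append(f"connector {c.get('port')}: {attr} is the "
                                "example value from the documentation")
    return findings

if __name__ == "__main__":
    for line in audit_server_xml(SAMPLE):
        print(line)
```

To audit a real installation, pass the contents of the server.xml file in the conf directory named above instead of SAMPLE.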