6 Using Encryption

This chapter describes how to use encryption to protect your data. It includes the following sections:

6.1 Understanding Encryption

It is important to encrypt traffic in order to ensure that it is neither read nor modified while traversing the network. If read, unencrypted traffic could expose the data records being processed, or the results of that processing. If modified, instructions from client to server could be changed, allowing requests to be executed with the permissions of the user to whom the connection belongs.

There are four key EDQ areas that must be encrypted:

  • Connections from web browsers and EDQ user applications (such as Director) to the EDQ server

  • Connections from EDQ to authentication servers (such as LDAP)

  • Connections from EDQ to databases

  • Connections from remote systems to the FTP/SFTP servers included with EDQ

6.2 Configuring SSL with Tomcat

To enable encrypted connections with Tomcat, the HTTPS connector must be configured using the following procedure:

  1. Locate the server.xml file for the Tomcat installation (generally conf/server.xml within the Tomcat directory). By default it contains a section such as the following:

    <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
    This connector uses the NIO implementation that requires the JSSE
    style configuration. When using the APR/native implementation, the
    OpenSSL style configuration is required as described in the APR/native
    documentation -->
    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS" />
    -->
    
  2. Enable the Connector element by removing the XML comment characters around it.

  3. Set the port value for HTTPS if needed. The default is 8443; if a different value is used, also change the redirectPort value in the HTTP connector to match.

    Remember that if using a port below 1024, the server may require special permissions depending on the OS.

  4. Generate the server key and certificate, and have the certificate signed by a recognized certificate authority. Self-signed certificates can be used; however, they will need to be installed as trusted on the client machines in order to be recognized.

    Note:

    The certificate is stored either in a Java keystore (JKS format) or as a PKCS#12 file. The latter may be preferred in certain instances, as there are many tools available for working with PKCS#12 files.

  5. Update the connector element as follows, replacing pathtokeystorefile, keystorepassword and keystoretype with the values for your installation:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS" 
    keystoreFile="pathtokeystorefile" 
    keystorePass="keystorepassword"
    keystoreType="keystoretype"
    />
    
  6. Set the keystoreType value to JKS or PKCS12 as required. If the key store contains multiple certificates, use the keyAlias attribute to set the alias.

  7. Some Tomcat distributions include the Apache Portable Runtime (APR) native library. If this is the case, the certificate must be configured using Apache HTTPD mod_ssl style attributes instead of a keystore. For example:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    clientAuth="false"
    SSLCertificateFile="pathtocrtfile"
    SSLCertificateKeyFile="pathtokeyfile" />
    

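A configuration check for the connector produced by the procedure above, added here as an example and not part of the EDQ or Tomcat documentation: it parses a server.xml and reports the problems that steps 2, 3, 5, 6 and 7 guard against (connector still commented out, redirectPort mismatch, missing keystore or mod_ssl attributes, invalid keystoreType). The sample server.xml and its placeholder values are constructed.

```python
import xml.etree.ElementTree as ET

NIO = "org.apache.coyote.http11.Http11NioProtocol"
APR = "org.apache.coyote.http11.Http11AprProtocol"

# Constructed sample server.xml (not from the page): the plain HTTP connector
# redirecting to 8443, plus the HTTPS connector from step 5 with placeholder values.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
  <Connector port="8443" protocol="%s" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
    keystoreFile="pathtokeystorefile" keystorePass="keystorepassword" keystoreType="PKCS12" />
</Service></Server>""" % NIO

def check_tls_connectors(server_xml: str) -> list:
    """Return the problems found in the HTTPS connector setup; an empty list means OK."""
    root = ET.fromstring(server_xml)           # XML comments are dropped by the parser,
    connectors = list(root.iter("Connector"))  # so a still-commented connector is invisible
    https = [c for c in connectors if c.get("SSLEnabled", "").lower() == "true"]
    if not https:
        return ['no connector has SSLEnabled="true" (step 2: still commented out?)']
    problems = []
    https_ports = set()
    for c in https:
        port = c.get("port", "")
        https_ports.add(port)
        if c.get("scheme") != "https" or c.get("secure", "").lower() != "true":
            problems.append(f"port {port}: scheme must be https and secure must be true")
        if c.get("protocol") == APR:
            # step 7: APR/native connectors take mod_ssl style certificate attributes
            for attr in ("SSLCertificateFile", "SSLCertificateKeyFile"):
                if not c.get(attr):
                    problems.append(f"port {port}: APR connector is missing {attr}")
        else:
            # steps 5 and 6: JSSE style connectors take a keystore
            if not c.get("keystoreFile"):
                problems.append(f"port {port}: keystoreFile is not set")
            if c.get("keystoreType", "JKS") not in ("JKS", "PKCS12"):
                problems.append(f"port {port}: keystoreType must be JKS or PKCS12")
        if port.isdigit() and int(port) < 1024:
            problems.append(f"port {port}: below 1024, may need OS privileges (step 3)")
    # step 3: each plain HTTP connector must redirect to one of the HTTPS ports
    for h in connectors:
        if h not in https and h.get("redirectPort") not in https_ports:
            problems.append(f"HTTP connector on port {h.get('port')} redirects to "
                            f"{h.get('redirectPort')}, not an HTTPS port")
    return problems
```

Run it against a real conf/server.xml by reading the file into a string before the call; a non-empty result lists which step of the procedure still needs attention.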
For additional Tomcat information, see Apache Tomcat Configuration Reference at

http://tomcat.apache.org/tomcat-8.0-doc/config/http.html

For additional mod_ssl information, see Apache Module mod_ssl at

http://httpd.apache.org/docs/2.2/mod/mod_ssl.html

6.3 Configuring SSL with WebLogic

For instructions on configuring SSL with WebLogic Server, see the WebLogic documentation:

https://docs.oracle.com/middleware/1221/wls/SECMG/ssl_overview.htm#SECMG386

6.4 Encrypting LDAP Connections

Connections from EDQ to an LDAP directory can be encrypted using either an SSL/TLS connection layer or by negotiating encryption after a connection has been established (StartTLS). These options and their configuration are described in more detail in Section 2.6, "Configuring Individual Realm LDAP Settings".

6.5 Encrypting Database Connections

JDBC URL syntax for connections over TLS depends on the database driver being used. For Oracle Database, this is achieved by adding PROTOCOL=tcps to the connection descriptor, for example:

jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=servername)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=servicename)))

For details on JDBC URL syntax, see https://docs.oracle.com/database/121/JJDBC/