Enable ssl for metacat and morpho
Now communication between Metacat and Morpho uses plain text. In order to
increase security, we want to enable SSL.
#1 Updated by Jing Tao over 20 years ago
Just now I read a web site:
It is said, if Tomcat only serves as a Servlet/JSP container behind another
web server (dev has this siuation), the web server (Apache) should be
configured as SSL rather than Tomcat.
In my machine, Tocat serves as both web server and ervlet/JSP container. I
would like to try configure my local machine first.
#2 Updated by Jing Tao over 20 years ago
Here is how we configured Tomcat standalone as both web server and servlet
1. Download and install JSSE
Download JSSE package from java.sun.com and unzip it. Copy the three files -
jcert.jar, jnet.jar and jsse.jar in Jsse_home/lib to $Java_home/jre/lib/ext
2. Edit file $Java_home/jre/lib/security/java.security
Add a line:
3. General public and private keys:
In $Java_home/bin directory, type command:
keytool -genkey -alias tomcat -keyalg RSA
It will create keys and store it in the file ".keystore" in the default
More information can be gotten form java documentation about keytool.
Please remember the keystore password.
4. Edit file $Tomcat_home/conf/server.xml
Uncomment the part about https and make them look like:
Don't comment the Http10Connector for port 8080. It will be use to catch
systle sheet and other things.
4. Edit the build.xml in metacat.
Add a property named systemidserver, its value="http://host.domainname:8080"
Add a token named systemidserver too.
This is for stylesheet. So we can catch sytle without ssl and performance will
5. Edit the knb.xml in metacat/lib
Change every "http://
server" in target to "
systemidserver". It will look
6. Edit the loaddtd.sql in metacat/src
Change every "http://
server to "
systemidserver". It will look like:
INSERT INTO xml_catalog (entry_type, public_id, system_id)
VALUES ('DTD', '-//ecoinformatics.org//eml-software-
7. Install Metacat again from scratch (include "ant dtdsql")
8. Edit the tomcat.sh file in $tomcat_home/bin
Change TOMCAT_OPTS to
9. Stop and restart Tomcat
10. User keytool to create a file and distribute to users
In $java_home/bin, type the command
keytool -export -alias tomcat -file tomcat.cer
tomcat.cer will be create in the directory $java_home/bin.
#3 Updated by Matt Jones over 20 years ago
Great. A note about TOMCAT_OPTS. We should not be editing the tomcat.sh file.
It is not needed. I was able to do the same thing by setting the "TOMCAT_OPTS"
environment variable when running tomcat.sh. Look at /etc/rc.d/init.d/tomcat to
see an example of how this works. This way, when we upgrade TOMCAT stuff will
still work with the new tomcat.sh.
BTW, we need the tomcat startup script to be copied to ecoinfo as well. RIght
now it is manually started.
#4 Updated by Jing Tao over 20 years ago
In my local machine, I cancel the changes in tomcat.sh and got an copy the
file tomcat from /etc/rc.d/init.d in dev. I make some changes to in the tomcat
and it worked fine.
I couldn't copy this /etc/rc.d/init.d/tomcat to ecoinfo because some
permission issue. I will do it soon
#6 Updated by Jing Tao over 20 years ago
When we create the keys by keytool. If it is selfsinged, we should put the
first name and last name as server's name (no port number).
If do this, the style sheet and dtd can be access by ssl (https).
So now metacat can be configured to use ssl or not to access systle sheet and