For security reasons it's recommended to run enPortal over SSL (Secure Socket Layer). This will ensure all communications between clients (browsers) and the enPortal server are encrypted.
By default enPortal is configured with SSL disabled, but it does ship with a self-signed server certificate and can easily be enabled. In production environments this certificate should be replaced with one issued by a known Certificate Authority (CA) or one signed by a trusted root certificate within the organization.
1. Configuring enPortal for SSL
To enable HTTPS (HTTP over SSL) mode use the HTTP_SSL runtime option and set it to true. In addition you may want to also change:
- HTTP_PORT: HTTPS is typically served on port 443
- KEYSTORE_FILE: if using your own certificate
- KEYSTORE_PASS: if using your own certificate
- KEYSTORE_TYPE: if using your own certificate
See the Runtime Options page for more information on these settings and how to configure them. After making any changes then restart the enPortal service.
2. Creating a Certificate
The basic process is:
- Pick a Certificate Authority. This may be in-house if the organization has a Standard Operating Environment with their own root certificate installed on all systems. Otherwise this would be a commercial CA such as VeriSign, Thawte, or Go Daddy.
- Create a Certificate Signing Request (CSR)
- Have the CA sign the request
- Download the signed certificate on the enPortal server. Depending on the CA there should be instructions and options for the format of the signed certificate; ensure an appropriate format is downloaded for use with Tomcat. It's then necessary to import this certificate into a keystore file, replace the one shipped with enPortal, and update the keystore pass and type options.
Another option is to generate a self-signed certificate to replace the self-signed certificate Edge ships with enPortal. However, to end-users they will still be presented with certificate errors and warnings.
As an example, VeriSign have documented the process for Tomcat as follows:
- creating a CSR and submitting for signing.
- importing the signed certificate into a JKS keystore. NOTE: as mentioned previously do not edit server.xml directly. Use the runtime options as documented above.
Additionally, a legacy enPortal's SSL certificate will need to be converted into Tomcat's certificate format to be used in enPortal 5. See the link below: