For security reasons, it is recommended to run AppBoard over SSL (Secure Sockets Layer). This ensures that all communications between clients (browsers) and the AppBoard server are encrypted.
By default, AppBoard is configured with SSL disabled, but it ships with a self-signed server certificate, so SSL can easily be enabled. In production environments this certificate should be replaced with one issued by a known Certificate Authority (CA) or one signed by a trusted root certificate within the organization.
The overall process involves:
For SSL, Tomcat requires a Java keystore containing the private key, the signed certificate, and any intermediate certificates from the CA. To create and work with a keystore, Java must be installed and the keytool command must be available.
The recommended approach is to use keytool to create the private key, CSR, and keystore. The CA will then sign the request and provide a signed certificate along with its own certificate chain, both of which can be imported into the keystore. Most CAs have this process well documented for popular web server platforms. Just follow the instructions for Tomcat such as these from VeriSign – and remember to refer back to this documentation on installing the keystore:
A limitation of keytool is that existing private keys cannot be imported. When a private key already exists, it is therefore necessary to use openssl to do the conversion, regardless of the certificate format.
For an existing private key with a signed certificate and intermediate certificates in X.509 format, follow these steps:
For an existing private key with a signed certificate and intermediate certificates in PKCS#7 (.p7b) format, follow these steps:
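The following is an added example, not taken from the AppBoard documentation, of one way to do this conversion with openssl and keytool: it checks that the existing key belongs to the signed certificate, bundles key, certificate and intermediates into PKCS#12, and imports that bundle into a Java keystore. The file names, the alias and the `KEYSTORE_PASS` environment variable are assumptions.

```shell
#!/bin/sh
# Added example (not from the AppBoard documentation). File names, the alias and
# the KEYSTORE_PASS variable are assumptions. Passwords are read from the
# environment so they do not appear in the process list.

# Succeeds only if the private key and the certificate carry the same public key.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$cert_pub" ]
}

# PKCS#7 (.p7b, PEM-encoded) bundle -> plain PEM certificates.
# For a DER-encoded .p7b add "-inform DER".
p7b_to_pem() {
    openssl pkcs7 -print_certs -in "$1" -out "$2"
}

# Bundle key + signed certificate + intermediates into a PKCS#12 file.
# Args: key cert chain alias out.p12
build_pkcs12() {
    key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
    ( umask 077   # the bundle contains the private key: owner-only permissions
      openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
          -name "$4" -out "$5" -passout env:KEYSTORE_PASS )
}

# Import the PKCS#12 bundle into a Java keystore that Tomcat can load.
# Args: in.p12 alias keystore
import_to_keystore() {
    keytool -importkeystore \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass:env KEYSTORE_PASS \
        -srcalias "$2" -destalias "$2" \
        -destkeystore "$3" -deststorepass:env KEYSTORE_PASS
}

# Usage: KEYSTORE_PASS=... sh convert.sh server.key server.crt chain.pem tomcat keystore.jks
if [ "$#" -eq 5 ]; then
    build_pkcs12 "$1" "$2" "$3" "$4" "$5.p12" &&
        import_to_keystore "$5.p12" "$4" "$5" &&
        rm -f "$5.p12"   # remove the intermediate bundle once imported
fi
```

For a PKCS#7 delivery, run `p7b_to_pem` first and pass its output as the chain file.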
Once a valid keystore has been created, it can be installed on the AppBoard server:
See the Runtime Options page for complete information on all runtime options.
Once a certificate expires, you will need to generate a new certificate and replace the old one in the keystore. The following steps assume that you are updating the keystore located in [INSTALL_HOME]/server/conf/ssl.crt/:
There are two recommended approaches for redirecting standard HTTP traffic to HTTPS: