How to enable an SSL connection between BOBJ and 360 Web Platform (Windows)

Context

To enable the SSL protocol on the BOBJ environment, certificate files must be generated and stored in the BOBJ configuration.
If those certificates are self-signed, in other words, if they were not issued by an official authority, 360 Web Platform will most certainly return errors indicating that it cannot use the certificates to activate secured communication with BOBJ.
The typical error you will encounter is as follows:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

In order to solve this issue, it is necessary to copy and paste the BOBJ certificates into a folder on the 360 server and configure the 360 Tomcat to activate the SSL protocol and indicate where the certificates are stored.
This way, the self-signed certificates will be used and accepted by 360 Web Platform.

Otherwise, if you use certificates from an official authority, no specific configuration is required.

Environment

  1. Windows systems
  2. 360 Web Platform's tomcat server configuration
  3. 360 Web Platform's keystore configuration

Process

You first need to locate the certificate files (cacerts) in the BOBJ installation.
Then you have to add them to the 360 Java truststore.

To do this:

Step 1

- Go to C:\Windows\360Suite424\OpenJDK8u275-b01-jre\lib\security
- Copy the cacerts file to a new folder (for instance C:\keystore) and rename it to cacerts360
- Copy the certificate files (.cer or .cert files, depending on the tool you used to create them) from the BOBJ keystore into this new C:\keystore folder
- If your BOBJ certificate files include a .jks file, you can skip the following "keytool" part and go directly to Step 2
- Open a CMD window and navigate to C:\Windows\360Suite424\OpenJDK8u275-b01-jre\bin
- For each certificate, run the following command:
    keytool -importcert -file C:\keystore\{certificate}.cer -alias {host alias} -keystore C:\keystore\cacerts
- Enter the keystore password
- When requested, enter "Yes"

Step 2

When this is done, you have to modify the 360 Tomcat configuration.
- Stop the 360 Tomcat service.
- Go to the WebPlatform installation directory and double-click the Tomcat Configuration shortcut
- Browse to the Java tab
- In the Java Options field, add:
    -Djavax.net.ssl.trustStore=C:\keystore\cacerts (alternatively -Djavax.net.ssl.trustStore=C:\keystore\file.jks)
    -Djavax.net.ssl.trustStorePassword=<truststore password>
Do not set those options in the Java 9 Options field; this field must be kept empty.

Additional information

If you need to change the truststore password, you can use the following command:
    keytool -storepasswd -keystore C:\keystore\cacerts (alternatively C:\keystore\file.jks)

Finally, start the Tomcat service.
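
A check you can run in PowerShell once Step 1 is complete, added here as an example and not part of the vendor's procedure: it compares the SHA-256 fingerprint of a certificate file with the entry stored under its alias in the truststore, so you know the 360 JVM trusts exactly the certificate you copied from BOBJ. The certificate file name and alias are hypothetical placeholders; the paths are the ones used in this article.

```powershell
# Added example (not vendor code). Paths follow the article; $CertFile and $Alias
# are hypothetical placeholders for the values you used in Step 1.
$Keytool  = 'C:\Windows\360Suite424\OpenJDK8u275-b01-jre\bin\keytool.exe'
$Store    = 'C:\keystore\cacerts'
$CertFile = 'C:\keystore\bobj-server.cer'
$Alias    = 'bobj-server'

function Get-Sha256Fingerprint {
    param([string[]]$KeytoolOutput)
    # keytool prints "SHA256: AB:CD:..." in its "Certificate fingerprints" section.
    foreach ($line in $KeytoolOutput) {
        if ($line -match '^\s*SHA-?256:\s*([0-9A-Fa-f:]+)') {
            return $Matches[1].ToUpper()
        }
    }
    return $null
}

# Read the password without echo and hand it to keytool through an environment
# variable, so it never appears on the command line.
$secure = Read-Host -Prompt 'Truststore password' -AsSecureString
$env:KS_PASS = (New-Object System.Net.NetworkCredential('', $secure)).Password
try {
    $printArgs = '-printcert', '-file', $CertFile
    $listArgs  = '-list', '-v', '-keystore', $Store, '-alias', $Alias,
                 '-storepass:env', 'KS_PASS'
    $fromFile  = Get-Sha256Fingerprint (& $Keytool $printArgs)
    $fromStore = Get-Sha256Fingerprint (& $Keytool $listArgs)
}
finally {
    # Do not leave the password in the session environment.
    Remove-Item Env:\KS_PASS -ErrorAction SilentlyContinue
}

"File  : $fromFile"
"Store : $fromStore"
if (-not $fromFile -or -not $fromStore) {
    Write-Error "Could not read a fingerprint; check the file path, alias and password."
}
elseif ($fromFile -eq $fromStore) {
    "OK: alias '$Alias' holds the certificate from $CertFile."
}
else {
    Write-Error "Mismatch: alias '$Alias' does not contain the certificate from $CertFile."
}
```

Because a self-signed certificate has no issuing authority to vouch for it, also compare the printed fingerprint with the one displayed on the BOBJ server itself.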

Keywords

360 Web Platform, SSL, certificate, Windows

Product

  1. 360 Web Platform

Last updated 5 months ago