How to enable an SSL connection between BOBJ and 360 Web Platform (Linux)

Context

When you enable the SSL protocol on the BOBJ environment, certificate files must be generated and stored in the BOBJ configuration.
If those certificates are self-signed, that is, not issued by a public certificate authority, 360 Web Platform will most likely return errors indicating that it cannot use them to establish the secured connection to BOBJ.
The typical error you will encounter is as follows:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

To solve this issue, copy the BOBJ certificates into a directory on the 360 server, then configure the 360 Tomcat to activate the SSL protocol and point it at the truststore that holds those certificates.
This way, the self-signed certificates are trusted and accepted by 360 Web Platform.

If instead you use certificates issued by an official authority that is already present in the Java truststore of the 360 JRE, no specific configuration is needed.

Environment

  1. Linux systems
  2. 360 Web Platform's tomcat server configuration
  3. 360 Web Platform's keystore configuration

Process

You first need to locate the certificate files exported from the BOBJ installation and the Java truststore (cacerts) shipped with the JRE used by 360 Web Platform.
Then you add the BOBJ certificates to a copy of that truststore.

In order to do this:

Step 1

- Go to /root/extract/360suite/jdk8u202-b08/jre/lib/security
- Copy the cacerts file into a new directory (for instance /root/keystore) and rename the copy cacerts360
- Into this new directory, copy the certificate files exported from the BOBJ keystore (.cer or .cert files, depending on the tool you used to create them)
- If the BOBJ certificate files include a .jks file, you can skip the following keytool part and go directly to step 2
- For each certificate, run the following command: keytool -importcert -file /root/keystore/{certificate}.cer -alias {host alias} -keystore /root/keystore/cacerts360
- Enter the keystore password (for a stock JDK cacerts file that has never been changed, the default is changeit)
- When asked whether to trust the certificate, answer "Yes"

Step 2

When this is done, you have to modify the 360 Tomcat configuration.
- Stop the 360 Tomcat service.
- Go to /<360 Tomcat installation directory>/bin/ and edit the setenv.sh file
- If setenv.sh does not exist, create it (as a file owned by the Tomcat user and not readable by others, since it will contain the truststore password) with the following commands:
     touch setenv.sh
     chmod 750 setenv.sh
     chown my-tomcat-user:tomcat-user-group setenv.sh

In this setenv.sh file, add the following lines. Append to JAVA_OPTS rather than assigning it, otherwise the second line overwrites the first and only one property reaches the JVM:
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=/root/keystore/cacerts360" (alternatively -Djavax.net.ssl.trustStore=/root/keystore/file.jks)
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStorePassword=<truststore password>"
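As an added example (not code from the original article or from the 360 Web Platform product), the following POSIX shell script automates steps 1 and 2: it copies the JRE cacerts to /root/keystore/cacerts360, imports every .cer/.crt file found in that directory under an alias derived from the file name, skips aliases that are already present so the script can be re-run, and writes a setenv.sh that appends both truststore properties to JAVA_OPTS instead of overwriting it. The paths, the alias scheme, the `run` guard and the assumption that the copied cacerts still carries the stock JDK default password "changeit" are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not part of the original article): batch-import BOBJ
# certificate files into a copy of the 360 JRE truststore and write a
# setenv.sh whose JAVA_OPTS accumulates instead of being overwritten.
# Assumptions: the paths below, the alias scheme (file name without
# extension) and the stock JDK default cacerts password "changeit".

JRE_SECURITY="${JRE_SECURITY:-/root/extract/360suite/jdk8u202-b08/jre/lib/security}"
KEYSTORE_DIR="${KEYSTORE_DIR:-/root/keystore}"
TRUSTSTORE="$KEYSTORE_DIR/cacerts360"
STOREPASS="${STOREPASS:-changeit}"   # default password of an unmodified JDK cacerts

# Step 1: copy the JRE cacerts under its new name and import every
# .cer/.crt file found in KEYSTORE_DIR, using the file name as alias.
import_bobj_certs() {
    mkdir -p "$KEYSTORE_DIR"
    [ -f "$TRUSTSTORE" ] || cp "$JRE_SECURITY/cacerts" "$TRUSTSTORE"
    for cert in "$KEYSTORE_DIR"/*.cer "$KEYSTORE_DIR"/*.crt; do
        [ -f "$cert" ] || continue
        cert_alias=$(basename "$cert" | sed 's/\.[^.]*$//')
        # An alias must be unique in the store: skip ones already imported
        # so that re-running the script is harmless.
        if keytool -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS" \
                -alias "$cert_alias" >/dev/null 2>&1; then
            echo "alias $cert_alias already present, skipping"
            continue
        fi
        # -noprompt answers the "Trust this certificate?" question for us.
        keytool -importcert -noprompt -file "$cert" -alias "$cert_alias" \
            -keystore "$TRUSTSTORE" -storepass "$STOREPASS"
    done
}

# Step 2: write setenv.sh into the given Tomcat bin directory. JAVA_OPTS is
# appended to, not reassigned, so both properties (and anything set earlier)
# reach the JVM. Prints the path of the file it wrote.
write_setenv() {
    dir="$1"
    f="$dir/setenv.sh"
    cat > "$f" <<EOF
JAVA_OPTS="\$JAVA_OPTS -Djavax.net.ssl.trustStore=$TRUSTSTORE"
JAVA_OPTS="\$JAVA_OPTS -Djavax.net.ssl.trustStorePassword=$STOREPASS"
EOF
    chmod 750 "$f"   # the file holds the truststore password: not world-readable
    echo "$f"
}

# Emulates what catalina.sh does at startup: source setenv.sh on top of an
# existing JAVA_OPTS value and print the resulting JVM options.
effective_java_opts() {
    JAVA_OPTS="-Xmx1g"
    . "$1"
    echo "$JAVA_OPTS"
}

# Only perform the real work when explicitly asked (sh script.sh run).
if [ "${1:-}" = "run" ]; then
    import_bobj_certs
    write_setenv "${TOMCAT_BIN:-/opt/tomcat/bin}"
fi
```

Run it as `sh script.sh run` after placing the exported BOBJ certificates in /root/keystore and pointing TOMCAT_BIN at the 360 Tomcat bin directory. To verify an import, `keytool -list -keystore /root/keystore/cacerts360 -alias <host alias>` should print the certificate's fingerprint. Note that passing -storepass on the command line exposes the password to other users of the machine through the process list; omit it to be prompted interactively, as in the manual step.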

Additional information

If you need to change the truststore password, use the following command (keytool takes the store path through -keystore, whether the file is a truststore or not):
    keytool -storepasswd -keystore /root/keystore/cacerts360 (alternatively /root/keystore/file.jks)
Remember to update the trustStorePassword value in setenv.sh accordingly.

Finally, start the Tomcat service again and confirm that the PKIX error above no longer appears in the Tomcat log.

Keywords

360 Web Platform, SSL, certificate, Linux

Product

360 Web Platform

Last updated over 2 years ago