This chapter describes how to configure SSL in Agile PLM, in Agile PLM File Manager(s), and AutoVue.
The following diagram introduces the required keystores/keys for SSL configurations.
You can set up SSL in your Agile PLM environment to work with the following:
SDK
Web Services
Application Server (WebLogic)
File Manager Server (Tomcat)
AutoVue Server
WARNING: Once you enable SSL for one of the components listed in the previous step, you must enable SSL for all components listed.
Note: For instructions on how to mitigate vulnerabilities related to SSL 3.0 and SHA-2 certificate, see Appendix E, "SSL Protocol and Signature Algorithm Changes".
Tip: If you are planning on configuring SSL and Web Services Security, use the checklist in Appendix B, "Checklist for Configuring Web Services Security" to help keep track of your progress.
To set up SSL, you need three keystores. In this document, they will be named as follows:
Agile Server SSL keystore: agile-keystore.jks
Agile Server SSL truststore: agile-truststore.jks
File Manager SSL keystore: fm-keystore.jks
The following sections describe how to enable SSL for security in Agile PLM.
To generate the WebLogic SSL Signature Key and Certificate Signing Request, do the following:
Generate SSL keystore, agile-keystore.jks.
Alias: ssl
Keysize: 2048
Algorithm: RSA
Generate Certificate Signing Request with the SSL keystore above and send to the Certifying Authority.
The Certifying Authority returns the newly issued certificate, the Root CA and an intermediate CA certificate. Importing the newly issued certificate normally involves installing it along with its certificate trust chain: install (or verify prior installation of) the certificates of (a) the Root CA (our trust anchor CA) and (b) the intermediate SSL CA before (c) installing your newly issued SSL certificate.
Generate the WebLogic SSL truststore, agile-truststore.jks. To generate this truststore, import your Root CA, Intermediate SSL CA, and Issued CA certificates into agile-truststore.jks, the keystore that constitutes the trust.
Once you have imported the CA certificate to the WebLogic SSL keystore and generated the WebLogic SSL truststore, continue with the following procedures to configure SSL on the WebLogic Server that hosts the Agile PLM Application.
To configure the keystore:
In a browser, launch http://<AgileApplicationServerName>:7001/console/login/LoginForm.jsp.
Log in to the Admin Console.
Expand Environment, click on Servers, and click on the server name on the right panel.
In AgileServer > Configuration > Keystores, use Custom Identity and Custom Trust for keystores.
In the Identity Section provide the following:
Enter the location in the Custom Identity Keystore field.
Enter "JKS" as the Custom Identity Keystore Type.
Enter the password in the Custom Identity Keystore Passphrase field.
In the Trust Section provide the following:
Enter the location in the Custom Trust Keystore field.
Enter "JKS" as the Custom Trust Keystore Type.
Enter the password in the Custom Trust Keystore Passphrase field.
Click Save.
Go to AgileServer > Configuration > SSL. In this example, we use "ssl" as the key alias, and provide its password.
Navigate to AgileServer > Configuration > General and select the SSL Listen Port Enabled checkbox. The default SSL port is 7002.
Click Save to activate the changes in WebLogic Console.
Connect to https://<hostname>:7002/Agile/PLMServlet and confirm that you can access Agile Web Client successfully.
Log in to Agile.
The SSL setup is now complete and running on your WebLogic server.
You need to configure SSL for each WLS server in the cluster. You also need to configure SSL on the Load Balancer (LB) and update the LB URI in the Agile PLM Application SSL configurations. In addition, you must import the LB SSL certificate into the trust keystore of every WLS server, and import all the WLS servers' SSL certificates into the LB trust keystore.
Modify the following configuration files for the SSL environment:
jndiurl.properties
Path: <AGILE_HOME>\agileDomain\application\application.ear\APP-INF\classes
server1=t3s://<app_server_alias>:7002
agile.properties
Path: <AGILE_HOME>\agileDomain\config
##### Common Web Security Settings ###########
# Specify whether to use the Secure flag to protect sensitive cookies
WebSecurity.ForceSecureCookies = true
ext.jnlp
Path: <AGILE_HOME>\agileDomain\application\application.ear\JavaClient.war\wls
<jnlp spec="1.0+" codebase="https://<app_server_alias>:7002/JavaClient">
pcclient.jnlp
Path: <AGILE_HOME>\agileDomain\application\application.ear\JavaClient.war
<jnlp spec="1.0+" codebase="https://<app_server_alias>:7002/JavaClient">
<argument>serverURL=t3s://<server_url>:7002</argument>
<argument>jvuecodebase=https://<fm_server_alias>:8443/Filemgr/jVue</argument>
<argument>jvueserver=https://<app_server_alias>:7002/Agile/VueServlet</argument>
custom.jnlp
Path: <AGILE_HOME>\agileDomain\application\application.ear\JavaClient.war
<jnlp spec="1.0+" codebase="https://<app_server_alias>:7002/JavaClient">
Once you have completed modifying the configuration files, restart the application server to make the settings effective.
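The following added example (not part of the Oracle documentation) checks the files listed above for endpoints left on http:// or t3:// and for WebSecurity.ForceSecureCookies not being true, which is how a partially converted environment usually shows up. The host names and file contents are constructed, and the check assumes SSL is terminated on WebLogic and Tomcat themselves rather than offloaded to a proxy.

```python
import re

# Schemes used in these files: https/t3s are TLS-protected, http/t3 are not.
URL_RE = re.compile(r"\b(https|http|t3s|t3)://[^\s\"'<>]+")
CLEARTEXT = {"http", "t3"}

# Constructed sample of a half-migrated environment (host names are made up).
SAMPLE_FILES = {
    "jndiurl.properties": "server1=t3s://plm-app.example.test:7002\n",
    "agile.properties": (
        "##### Common Web Security Settings ###########\n"
        "WebSecurity.ForceSecureCookies = false\n"
    ),
    "pcclient.jnlp": (
        '<jnlp spec="1.0+" codebase="https://plm-app.example.test:7002/JavaClient">\n'
        "<argument>serverURL=t3://plm-app.example.test:7001</argument>\n"
        "<argument>jvuecodebase=http://plm-fm.example.test:8080/Filemgr/jVue</argument>\n"
        "<argument>jvueserver=https://plm-app.example.test:7002/Agile/VueServlet</argument>\n"
    ),
    "server.conf": (
        "app.server.url=https://plm-app.example.test:7002/Agile/FSHelper/FSHelperWSService\n"
        "file.server.url=https://plm-fm.example.test:8443/Filemgr/services/FileServer\n"
    ),
}


def cleartext_endpoints(files):
    """Return sorted (file, url) pairs for every http:// or t3:// endpoint."""
    hits = []
    for name, text in files.items():
        for line in text.splitlines():
            if line.lstrip().startswith("#"):  # skip properties comments
                continue
            for match in URL_RE.finditer(line):
                if match.group(1) in CLEARTEXT:
                    hits.append((name, match.group(0)))
    return sorted(hits)


def read_properties(text):
    """Minimal key=value parser for Java-style .properties text."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_direct_ssl(files):
    """Findings for a deployment where every listed component should use SSL."""
    findings = [f"{name}: cleartext endpoint {url}"
                for name, url in cleartext_endpoints(files)]
    props = read_properties(files.get("agile.properties", ""))
    if props.get("WebSecurity.ForceSecureCookies", "").lower() != "true":
        findings.append("agile.properties: WebSecurity.ForceSecureCookies is not true")
    return findings


if __name__ == "__main__":
    for finding in audit_direct_ssl(SAMPLE_FILES):
        print(finding)
```
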
Whenever user-sensitive cookies are generated in Agile PLM, the HTTPOnly flag is also included in the Set-Cookie HTTP Response Header. This helps mitigate the risk of a client-side script accessing the protected cookie, if the browser supports it. You can change the flag's value to false to retain legacy behavior. From a secure system perspective, however, Oracle recommends that customers keep the HTTPOnly flag set to true.
Additionally, Agile PLM does not mandate use of SSL, so setting the Secure flag prevents non-SSL enabled customers from using Agile. The solution is to introduce a setting for secure mode and if enabled, then set the Secure Flag on all the sensitive cookies. This ensures that sensitive cookies are available in another application only through HTTPS. These cookies are not available through HTTP, even if both the Agile PLM Application and the external application are deployed in the same domain. You can change the value to false to retain legacy behavior. From a secure system perspective, however, Oracle recommends that customers keep this flag set to true.
The following section describes how to configure SSL on a File Manager.
Note: When SSL is enabled, you must ensure that the Tomcat Server configuration file (AGILE_HOME\FileManager\conf\server.xml) is protected using File Access Permissions. Visibility/accessibility should be limited to only users with root or elevated privileges. This file contains sensitive password data.
To generate the SSL signature key and Certificate Signing Request for File Manager, do the following:
Generate SSL keystore fm-keystore.jks.
Alias: fm
Keysize: 2048
Algorithm: RSA
Generate the Certificate Signing Request with the SSL keystore above and send it to the Certifying Authority.
The Certifying Authority returns the newly issued certificate, the Root CA and an intermediate CA certificate. Importing the newly issued certificate normally involves installing it, along with its certificate trust chain, which basically means installing (or verifying prior installation of) the certificates of (a) The Root CA (our trust anchor CA) and of (b) intermediate SSL CA before (c) your newly issued SSL certificate is installed.
Once you have imported the CA certificate to the File Manager SSL keystore, continue with the following procedures.
Export the File Manager SSL certificate from fm-keystore.jks, which we named as fm-ssl-cert.cer. Import File Manager SSL certificate into Agile Server SSL Trust Keystore.
Export Agile Server certificate from agile-keystore.jks, which we named as agile-ssl-cert.cer. Import agile-ssl-cert.cer into File Manager key store.
Open <AGILE_HOME>\FileManager\conf\server.xml and add a new connector. The file manager SSL port is 8443. Place the connector code after the code for the connector of port 8080, as shown in the following example:
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="<certificate path>\fm-keystore.jks" keystorePass="<keystore_password>" keyAlias="fm"
           clientAuth="false" sslProtocol="TLS"/>
To configure SSL on the File Manager application, change <AGILE_HOME>\agileDomain\config\server.conf as follows:
app.server.url=https://<app_server_alias>:7002/Agile/FSHelper/FSHelperWSService
file.server.url=https://<fm_server_alias>:8443/Filemgr/services/FileServer
dms.server.url=https://<app_server_alias>:7002/Agile/DmsService/DmsViewerAPIService
To configure the Java Client File Manager node, log in to Java Client, navigate to Admin > Server Settings > Locations, and do the following:
Change General Information > Web Server URL to https://<app_server_alias>:7002/Agile/PLMServlet
Change Java Client URL to https://<app_server_alias>:7002/JavaClient/start.jsp
Change File Manager > iFS to https://<fm_server_alias>:8443/Filemgr/AttachmentServlet
Restart the file manager server and access https://<fm_server_alias>:8443/Filemgr/Configuration to check the File Manager configuration.
SSL is now configured on File Manager. Restart the File Manager and it should work as expected.
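As an added example (not Oracle's code), the script below audits a File Manager server.xml against two points from this section: the file holds the keystore password and so must not be readable beyond its owner, and the 8080 connector must redirect to a connector that actually has SSL enabled. It assumes a POSIX host (on Windows, review the file's ACL instead); the sample file, keystore path and password are constructed.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample modelled on the connector pair above (placeholder path/password).
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
  <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="8443"
             maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
             keystoreFile="/opt/agile/certs/fm-keystore.jks" keystorePass="EXAMPLE-ONLY"
             keyAlias="fm" clientAuth="false" sslProtocol="TLS"/>
</Service></Server>
"""


def audit_server_xml(path):
    """Return a list of findings for the Tomcat server.xml at `path`."""
    findings = []

    # The file stores keystorePass in clear text: only the owner may access it.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"permissions {mode:03o}: accessible beyond the owner")

    tls, plain = [], []
    for conn in ET.parse(path).getroot().iter("Connector"):
        is_tls = conn.get("SSLEnabled", "false").lower() == "true"
        (tls if is_tls else plain).append(conn)

    if not tls:
        findings.append('no Connector has SSLEnabled="true"')
    for conn in tls:
        port = conn.get("port")
        for attr, want in (("scheme", "https"), ("secure", "true")):
            if conn.get(attr, "").lower() != want:
                findings.append(f"port {port}: {attr} is not {want}")
        for attr in ("keystoreFile", "keystorePass", "keyAlias"):
            if not conn.get(attr):
                findings.append(f"port {port}: {attr} missing")

    # Every non-SSL connector should redirect to one of the SSL connectors.
    tls_ports = {conn.get("port") for conn in tls}
    for conn in plain:
        if conn.get("redirectPort") not in tls_ports:
            findings.append(
                f"port {conn.get('port')}: redirectPort does not name an SSL connector")
    return findings


def demo():
    """Audit the sample twice: world-readable first, then owner-only."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "server.xml")
        with open(path, "w") as fh:
            fh.write(SAMPLE_SERVER_XML)
        os.chmod(path, 0o644)
        loose = audit_server_xml(path)
        os.chmod(path, 0o600)
        tight = audit_server_xml(path)
    return loose, tight


if __name__ == "__main__":
    print(demo())
```
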
You can offload SSL from the Agile PLM application server and File Manager server to a web proxy server or hardware load balancer, which will simplify the SSL configuration. Agile PLM is certified to have SSL terminated at OHS (Oracle HTTP Server): all communication traffic from a client to OHS is over the HTTPS protocol, and traffic between OHS and the Agile PLM application server and File Manager server is over HTTP.
Download Oracle HTTP Server 12.2.1.1 from OSDC, then follow the guide https://docs.oracle.com/middleware/1221/core/install-ohs/GUID-D5AFD830-8A7D-42CC-8C22-CE68C452CF4A.htm#WTINS-GUID-D5AFD830-8A7D-42CC-8C22-CE68C452CF4A to install and configure OHS in a standalone domain. If you are installing OHS on Windows, pay attention to "Missing Libraries Might Cause HTTPD to Exit Without Notice".
Use the following to configure SSL on an OHS Server:
After you have completed the configuration in a standalone domain, you can start the OHS instance. By default, SSL is enabled on port 4443 with a demo certificate. The private-public key pair is stored in the demo wallet configured in <OHS_DOMAIN>/config/fmwconfig/components/OHS/<OHS_INSTANCE>\ssl.conf:
# The Listen directive below has a comment preceding it that is used
# by tooling which updates the configuration. Do not delete the comment.
#[Listen] OHS_SSL_PORT
Listen 4443
##
## SSL Virtual Host Context
##
#[VirtualHost] OHS_SSL_VH
<VirtualHost *:4443>
<IfModule ossl_module>
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional and require.
SSLVerifyClient optional
# SSL Protocol Support:
# Configure usable SSL/TLS protocol versions.
SSLProtocol ALL
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
SSLCipherSuite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,SSL_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA
# SSL Certificate Revocation List Check
# Valid values are On and Off
SSLCRLCheck Off
#Path to the wallet
SSLWallet "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/keystores/default"
</IfModule>
</VirtualHost>
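An added example (not Oracle's code) that audits an ssl.conf like the one above: for each virtual host it reports SSLProtocol left at ALL, RC4 or 3DES suites in SSLCipherSuite, and an SSLWallet that still loads the demo wallet under keystores/default. The sample text and the tightened *:4445 values are constructed, and which suites count as weak is this example's own policy; take the required settings from Appendix E.

```python
import re

# Cipher-suite name fragments treated as weak by this example's policy.
WEAK_MARKERS = ("_RC4_", "_3DES_", "_DES_", "_NULL_", "_EXPORT")

# Constructed sample: *:4443 keeps the defaults shown above (cipher list
# shortened); *:4445 is a hypothetical tightened virtual host.
SAMPLE_SSL_CONF = r'''
Listen 4443
<VirtualHost *:4443>
<IfModule ossl_module>
SSLEngine on
SSLVerifyClient optional
SSLProtocol ALL
SSLCipherSuite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSLWallet "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/keystores/default"
</IfModule>
</VirtualHost>
Listen 4445
<VirtualHost *:4445>
<IfModule ossl_module>
SSLEngine on
SSLProtocol TLSv1.2
SSLCipherSuite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSLWallet "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/keystores/new_wallet"
</IfModule>
</VirtualHost>
'''


def parse_vhosts(conf_text):
    """Return {vhost address: {lower-cased directive: value}}."""
    vhosts, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            current = vhosts.setdefault(opened.group(1).strip(), {})
            continue
        if re.match(r"</VirtualHost>", line, re.I):
            current = None
            continue
        if current is None or line.startswith("<"):
            continue  # outside a virtual host, or an <IfModule> wrapper line
        parts = line.split(None, 1)
        current[parts[0].lower()] = parts[1].strip().strip('"') if len(parts) > 1 else ""
    return vhosts


def audit_vhost(directives):
    """Return findings for one virtual host's SSL directives."""
    if directives.get("sslengine", "").lower() != "on":
        return ["SSLEngine is not on"]
    findings = []
    if directives.get("sslprotocol", "ALL").upper() == "ALL":
        findings.append("SSLProtocol ALL does not pin protocol versions")
    suites = [s for s in directives.get("sslciphersuite", "").split(",") if s]
    weak = [s for s in suites if any(marker in s for marker in WEAK_MARKERS)]
    if weak:
        findings.append(f"{len(weak)} weak cipher suite(s): " + ", ".join(weak))
    if directives.get("sslwallet", "").rstrip("/").endswith("/keystores/default"):
        findings.append("SSLWallet points at the demo wallet (keystores/default)")
    return findings


def audit_conf(conf_text):
    """Return {vhost address: findings} for every virtual host in the file."""
    return {addr: audit_vhost(d) for addr, d in parse_vhosts(conf_text).items()}


if __name__ == "__main__":
    for addr, findings in audit_conf(SAMPLE_SSL_CONF).items():
        print(addr, findings or "ok")
```
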
Open a command console and execute the following command to create an auto-login wallet:
<Oracle_Home>\oracle_common\bin\orapki wallet create -wallet new_wallet -auto_login_only
If you want to create a password-protected wallet, refer to MOS Doc ID 1629906.1.
<Oracle_Home>\oracle_common\bin\orapki wallet add -wallet new_wallet -dn "CN=hostname.us.oracle.com,OU=TESTING PURPOSE ONLY,O=Oracle Corporation,L=Redwood City,ST=California,C=US" -asym_alg RSA -sign_alg sha256 -keysize 2048 -auto_login_only
Generate a CSR and send it to Certifying Authority.
<Oracle_Home>\oracle_common\bin\orapki wallet export -wallet new_wallet -dn "CN=hostname.us.oracle.com, OU=TESTING PURPOSE ONLY,O=Oracle Corporation,L=Redwood City, ST=California,C=US" -request myserver.csr
Once you get the CA-signed certificate along with the Root CA and Intermediate CA certificates, import the Root CA and Intermediate CA certificates into the wallet as trusted certificates, and import your server certificate as a user certificate.
<Oracle_Home>\oracle_common\bin\orapki wallet add -wallet new_wallet -trusted_cert -cert VTN-PublicPrimary-G5.pem -auto_login_only
<Oracle_Home>\oracle_common\bin\orapki wallet add -wallet new_wallet -trusted_cert -cert Oracle_SSL_CA_G2.pem -auto_login_only
<Oracle_Home>\oracle_common\bin\orapki wallet add -wallet new_wallet -user_cert -cert cert.cer -auto_login_only
To display the content of the wallet, run the following command:
<Oracle_Home>\oracle_common\bin\orapki wallet display -wallet new_wallet
Use the following steps if you have an existing JKS keystore and want to import the key pair into a newly created wallet:
# Generate a PKCS12 file from the JKS keystore using the JDK keytool
keytool -importkeystore -srckeystore agile-keystore.jks -srcstorepass srcstorepass -destkeystore sslkeystore.p12 -deststoretype PKCS12 -deststorepass deststorepass -destkeypass keypass -srcalias ssl
# Import the PKCS12 file into a wallet (-pkcs12pwd is the -deststorepass value set above)
<Oracle_Home>/oracle_common/bin/orapki wallet create -wallet new_wallet -auto_login_only
<Oracle_Home>/oracle_common/bin/orapki wallet import_pkcs12 -wallet new_wallet -auto_login_only -pkcs12file sslkeystore.p12 -pkcs12pwd deststorepass
Update the configuration file <OHS_DOMAIN>/config/fmwconfig/components/OHS/<OHS_INSTANCE>\ssl.conf by editing the line below:
SSLWallet "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/keystores/new_wallet"
After you have changed the wallet location in ssl.conf, restart the OHS instance. It will now use the CA signed certificate.
Use the following information to configure OHS:
Optionally create a virtual host to listen on the default HTTP port and redirect all requests to SSL port, or do not configure any HTTP listen port.
#[Listen] OHS_HTTP_PORT
Listen 7777
<VirtualHost *:7777>
Redirect permanent / https://ohs_host:ssl_port/
</VirtualHost>
Open the <OHS_DOMAIN>/config/fmwconfig/components/OHS/<OHS_INSTANCE>\mod_wl_ohs.conf
LoadModule weblogic_module "${PRODUCT_HOME}/modules/mod_wl_ohs.so"
# This empty block is needed to save mod_wl related configuration from EM to this file when changes are made at the Base Virtual Host Level
<IfModule weblogic_module>
Debug ON
WLLogFile c:/temp/weblogic.log
WLProxySSL ON
<Location /Agile>
WLSRequest on
WebLogicHost weblogic_host
WebLogicPort port
#For Clustered environment, you can configure the WebLogicCluster as follow
#WebLogicCluster host1:8002,host2:8003
</Location>
<Location /CoreService>
WLSRequest on
WebLogicHost weblogic_host
WebLogicPort port
</Location>
<Location /JavaClient>
WLSRequest on
WebLogicHost weblogic_host
WebLogicPort port
</Location>
</IfModule>
<VirtualHost *:4443>
Modify <OHS_DOMAIN>/config/fmwconfig/components/OHS/<OHS_INSTANCE>\ssl.conf by adding the following directives to the SSL virtual host:
<IfModule ossl_module>
ProxyPreserveHost On
ProxyPass /Filemgr http://fm_host:fm_port/Filemgr
ProxyPassReverse /Filemgr http://fm_host:fm_port/Filemgr
</IfModule>
If you want to offload SSL for DFM, you can configure another virtual host in the same OHS instance or in a separate OHS instance. If you configure the virtual host in the same OHS instance, you need to open up another listen port and enable SSL for it.
Listen 4445
<VirtualHost *:4445>
<IfModule ossl_module>
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional and require.
SSLVerifyClient optional
# SSL Protocol Support:
# Configure usable SSL/TLS protocol versions.
SSLProtocol ALL
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
SSLCipherSuite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,SSL_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA
# SSL Certificate Revocation List Check
# Valid values are On and Off
SSLCRLCheck Off
#Path to the wallet
SSLWallet "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/keystores/default"
ProxyPreserveHost On
ProxyPass /Filemgr http://DFM_HOST:DFM_PORT/Filemgr
ProxyPassReverse /Filemgr http://DFM_HOST:DFM_PORT/Filemgr
</IfModule>
</VirtualHost>
Enable the WebLogic Plug-In at domain level:
Log in to the WLS Console
Navigate to Domain > Configuration > Web Applications
Check the checkbox with the text 'WebLogic Plug-In Enabled'
Save the changes and restart WebLogic Servers
Modify the following configuration files:
<AGILE_HOME>/agileDomain/config/agile.properties
##### Common Web Security Settings ###########
# Specify whether to use the Secure flag to protect sensitive cookies
WebSecurity.ForceSecureCookies = true
<AGILE_HOME>/agileDomain/application/application.ear/JavaClient.war/wls/ext.jnlp
<jnlp spec="1.0+" codebase="https://ohs_host:ohs_ssl_port/JavaClient">
<AGILE_HOME>/agileDomain/application/application.ear/JavaClient.war/pcclient.jnlp
<jnlp spec="1.0+" codebase="https://ohs_host:ohs_ssl_port/JavaClient">
<argument>serverURL=t3://app_server:app_port</argument>
<argument>jvuecodebase=https://ohs_host:ohs_ssl_port/Filemgr/jVue</argument>
<argument>jvueserver=https://ohs_host:ohs_ssl_port/Filemgr/VueServlet</argument>
<AGILE_HOME>/agileDomain/application/application.ear/JavaClient.war/custom.jnlp
<jnlp spec="1.0+" codebase="https://ohs_host:ohs_ssl_port/JavaClient">
Use the following information to change the server URLs in JavaClient:
Log in to Java Client, go to Admin > Server Settings, and open Locations.
Update the Web Server URL: https://ohs_host:ohs_ssl_port/Agile/PLMServlet.
Click Save.
Click the File Manager tab and update the URLs for all File Managers.

Use the following information to change the configuration on the File Manager Server:
Modify the following property settings in <AGILE_HOME>/agileDomain/config/server.conf:
app.server.url=https://ohs_host:ohs_ssl_port/Agile/FSHelper/FSHelperWSService
file.server.url=https://ohs_host:ohs_ssl_port/Filemgr/services/FileServer
dms.server.url=https://ohs_host:ohs_ssl_port/Agile/DmsService/DmsViewerAPIService
Generate a trusted JKS keystore with the JDK keytool and import the OHS SSL certificates into the File Manager trusted keystore:
keytool -import -keystore fmTrustedkeystore.jks -storepass storepass -file root.pem -alias rootca
keytool -import -keystore fmTrustedkeystore.jks -storepass storepass -file intermediate.pem -alias intermediateca
keytool -import -keystore fmTrustedkeystore.jks -storepass storepass -file cert.cer -alias ohsssl
<AGILE_HOME>/FileManager/conf/server.xml
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" truststoreFile="C:/Release/fmTrustedkeystore.jks" truststorePass="storepass" proxyName="ohs_host" proxyPort="ohs_port"/>
If you enabled WSS with SSL terminated at OHS, please update the server.xml as below. Please note that the alias orakey referenced in the keyAlias parameter is the File Manager Server SAML signature key.
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" scheme="https" secure="true" keystoreFile="C:/Release/fmkeystore.jks" keystorePass="storepass" keyAlias="orakey" truststoreFile="C:/Release/fmtruststore.jks" truststorePass="truststorePass" proxyName="ohs_server" proxyPort="ohs_port"/>
After changing the configuration and updating all the server URL settings in Java Client, restart the application servers to effect the changes.
The AutoVue server should be configured to point to the SSL-protected VueServlet, which is hosted on File Manager.
Import both the Application server and File Manager server certificates into the AutoVue Server's JRE (<AGILE_HOME>\jre\lib\security\cacerts) using Java's keytool command:
Note: The certificates have already been generated in steps 1 and 2 of "Configuring SSL on the File Manager".
Restart the AutoVue server.
If there are multiple DFM nodes deployed, you need to do the following configurations on each node.
Set up DFMs.
Follow the steps on section Securing Agile PLM File Manager(s) Using SSL.
Export DFMs SSL certificate.
Import DFMs SSL certificate into Agile Server trust store (agile-truststore.jks) and File Manager keystore (fm-keystore.jks).
Restart the file manager server and access https://<fm_server_alias>:8443/Filemgr/Configuration to check the File Manager configuration.
WARNING: This is for AutoVue 21.0.1 only
In the Applet-Free AutoVue Client, the user's web browser sends commands to the client using the XMLHttpRequest API. If the user launches AutoVue from a secure page, the Mixed Active Content rules that are enforced by browsers require that the browser also communicate with the AutoVue Client through an HTTPS channel. This requires that the AutoVue Client provide a server certificate. The certificate can be either self-signed, or signed with an existing local certificate authority.
To support this configuration, installers for products embedding AutoVue should follow these steps:
Generate a security certificate for "localhost". This certificate will only be used to enable SSL communication between the user's browsers and the AutoVue Client, so it should be as restricted as possible. An administrative tool is provided with AutoVue (<AutoVue Install Dir>\tools\makeAvCert) which produces suitable certificates. When the utility is run, it generates two files: av_cert.pem, which contains the complete certificate with keypair, and localhost.cer, which contains the public information.
Extract <Agile_Home>\agileDomain\applications\application.ear using the ExtractArchive tool (<Agile_Home>\Install\bin).
Copy the complete certificate file, av_cert.pem, to <Agile_Home>\agileDomain\applications\ExpandedEar\JavaClient.war on the Admin server, where it can be accessed by web browsers when their users have been authenticated.
Add the URL which will reference the SSL certificate file as a parameter to autovue.jnlp (<Agile_Home>\agileDomain\applications\ExpandedEar\application.war\jVue):
<application-desc main-class="com.cimmetry.jvue.JVueApp">
<argument>-paramsslcert_url=https://<Agile_or_Proxy_Host>/JavaClient/av_cert.pem
</argument>
...
</application-desc>
Repack <Agile_Home>\agileDomain\applications\ExpandedEar using the RepackArchive tool (<Agile_Home>\Install\bin).
Note: The use of self-signed localhost certificates requires that they are loaded as a certificate exception in each user's browser. The localhost.cer file generated by makeAvCert is intended for this purpose. For the best experience, this should be done before users attempt to use AutoVue. See Appendix E, "SSL Protocol and Signature Algorithm Changes" for details.