To configure your Tomcat server, provide the following:
|HTTP Connector port||Enter the HTTP connector port that Tomcat will use on this server. If you clear the port value, the connector is no longer used.|
|HTTPS Connector port||Enter the HTTPS connector port that Tomcat will use on this server. If you clear the port value, the connector is no longer used.|
|HTTPS client certificate port for Smart Card authentication||Enter the HTTPS port that will be used for client cert authentication, which is used for Smart Card authentication in SBM.|
You can configure SSL for Tomcat by generating a sample certificate or importing a new certificate from a well-known certificate authority (CA) or a self-signed certificate generated by your own CA. You can also manage the current SSL configuration by selecting an existing SSL certificate. If SSO is enabled, this creates a secure communication channel between the browser and the SSO Security Server.
The Tomcat Server tab only appears when you run SBM Configurator in utility mode on servers that hosts Tomcat components. If you want to enable SSL in a distributed server environment, you must run SBM Configurator on each Tomcat server and configure these settings.
To configure SSL, use the following options:
- Generate Sample Certificate
Select this option to create a new certificate that is based on the sample CA certificate that is installed with SBM. For example, if you have not yet purchased a certificate from a well-known certificate authority (CA), select this option to secure Tomcat with a sample certificate.
- In the Generate Certificate dialog box that appears, you can accept the default values to create a new sample certificate with a common name that matches the local server's hostname. By default, the sample certificate is signed by the CA, but you can import and use a different CA cert if necessary.
- If you clear the Certificate authority check box, SBM Configurator generates a self-signed certificate. You can configure additional parameter including the public key size, validity dates, and signature algorithm as needed.
- The newly-generated certificate and the CA certificate that was used to generate the sample certificate are placed in the local Tomcat keystore and truststore, respectively. If an existing certificate is found, SBM Configurator provides you with the option to remove it from the keystore.
- Once the certificate has been created, you can export the public key and import it into a third party keystore to establish a trust. To export the certificate, click View more details, select the Details tab, and click Copy to File. Complete the export wizard that appears to generate a DER-encoded certificate.
- Import New Certificate
Select this option to import a well-known or self-signed certificate (in PEM format, which is a base64-encoded DER). For example, if you have purchased a certificate from a well-known CA, select this option to have SBM Configurator import the certificate for you. This operation adds the new certificate to the Tomcat keystore.
- SBM does not support using certificates that contain wildcards.
- If you configure your server for Smart Card authentication, there are restrictions when configuring SSL. Specifically, if you replace the server SSL certificate with a self-signed server certificate, you must create the self-signed certificate using the RSA algorithm. The SSL handshake fails when using a self-signed DSA certificate in earlier FireFox browsers. This is not an issue for Internet Explorer browsers.
- Export Current Certificate
Launches the Export dialog box, from which you can: export the certificate and optionally the private key; export the entire certificate chain plus the certificate; export just the chain without the certificate. Note that the certificate path options are disabled if you are using a self-signed certificate.
Select Existing Certificate
Select this option to select an existing certificate from the Windows keystore to secure Tomcat. For example, if you need change the current certificate that is installed, use this option to select an alternative certificate from the keystore. This operation replaces the current certificate (if one is installed) with the certificate that you select.
- Change Keystore Password
Select this option to change the default Tomcat SSL keystore password. Changing the default password updates the SSL keystore and certificates with a password of your choice, which improves security.
To update the default password:
- Click Change Keystore Password.
- A window appears and displays the current password.
- Enter a new password and click OK.
- Click Apply.
Managing Trusted Certificates
- Import Certificates – Imports a trusted certificate into the truststore.
- Export Certificates – Exports a trusted certificate.
- Remove Certificates – Removes one or more selected certificates.
- View Details – Select a certificate and click View Details to see more information.
To execute an external Web service call from SBM using SSL, the SBM certificate truststore must contain the external service's public certificate (in the event that the certificate does not already exist in the truststore). Therefore, you must import the service's public certificate into either the Windows or Tomcat truststore—depending on which SBM component performs the call.
For example, if the external Web service call is invoked from a workflow transition, you must add the public certificate to the Windows truststore in the IIS tab on the IIS server. This ensures that SBM Application Engine calls are trusted by the external service. Similarly, you must add the public certificate to the Tomcat truststore to ensure that SBM Orchestration Engine calls are trusted by the external service. For example, if you create an SBM orchestration that contains an external Web service call that is secured by SSL, the public certificate for that service must be added to the Tomcat truststore. The truststore may already contain some public certificates, but if you create your own certificates or use certificates that are newer than those the truststore, the truststore must be updated to successfully complete calls over HTTPS.
Under Advanced Settings you can override the maximum HTTP header size for SBM Tomcat requests and responses. Tomcat allocates two buffers with the maxHttpHeaderSize per request, which can create out-of-memory problems when SBM Tomcat is handling heavy server traffic. If users are experiencing 400 errors from Tomcat, consider increasing the maximum HTTP header size as appropriate.
For systems that are configured to use Windows Domain authentication with SSO, SBM Configurator automatically doubles the default maximum HTTP header size from 8192 bytes to 16384 bytes.
Use the Minimum and Maximum memory size fields to control Tomcat memory utilization on your current server. For example, you might increase the Maximum memory size setting for Tomcat in the event you are seeing out-of-memory errors in the tomcat.log file.