40.4 Securing HTTP Browser Connections

Using secure HTTP (HTTPS) improves the security of your Micro Focus Vibe site. During installation, you can choose to configure your Vibe site for HTTP or HTTPS. After installation, you can force secure HTTP connections.

40.4.1 Preparing for Secure HTTP Connections

If you want users to access the Vibe site with a secure HTTP connection, you must configure Vibe with a root certificate and a server certificate. The root certificate identifies the root certificate authority (CA) for your Vibe site. The server certificate is customized for the specific server where Vibe is installed.

Understanding How Vibe Handles Certificates

Vibe uses a keystore to store certificates. The default keystore file that is installed along with Vibe is:

Linux:

/opt/novell/teaming/apache-tomcat/conf/.keystore

Windows:

c:\Program Files\Micro Focus\Teaming\
                              apache-tomcat\conf\.keystore

The original certificate in the default keystore is sufficient for you to set up secure HTTP connections during initial installation, but it is self-signed and has an expiration date, so you cannot use it permanently. Soon after installation, you must obtain a permanent certificate. You can use a commercially signed certificate or a self-signed certificate. There are advantages and disadvantages to each approach.

  • Commercially Signed Certificate: The advantage to using a certificate signed by a commercial certificate authority (CA) is that browsers automatically accept these certificates. The disadvantage is that an additional step is required, with some wait time while you obtain the commercially signed certificate.

  • Self-Signed Certificate: The advantage to using a self-signed certificate is that it is quick and easy for you to do as the Vibe administrator. The disadvantage is that users receive a warning in the browser about the self-signed certificate the first time they access the Vibe site using secure HTTP. Users must manually accept the self-signed certificate, then the warning never occurs again.

After you obtain your permanent certificate, you can store it in the default Vibe keystore, or in a location of your own choosing. Vibe reads the location of its keystore from the following file:

Linux:

/opt/novell/teaming/apache-tomcat/conf/server.xml

Windows:

c:\Program Files\Novell\Teaming\
                             apache-tomcat\conf\server.xml

If you do not want to use the default keystore location, you must update the server.xml file to match the location you choose for your keystore.

Creating a New Keystore File

Rather than updating the Vibe .keystore file that is provided during installation, it is easier to create a new .keystore file, then import your signed certificate into it.

  1. Create a new directory where you want to create the new .keystore file, such as a certs directory in a convenient location.

  2. Change to the new certs directory.

  3. Make sure that you can access the keytool tool:

    Linux:

    /opt/novell/teaming/jre/bin/keytool

    Windows:

    c:\Program Files\Novell\Teaming\jre\bin\keytool.exe

    For convenient use, you might need to add its location to the PATH environment variable.

  4. Use the following command to create a new .keystore file:

    keytool -genkey -alias tomcat -keyalg RSA -keystore .keystore
  5. When prompted, specify and confirm changeit as the password for the new .keystore file.

  6. When you are prompted for your first and last name, specify the fully qualified DNS name of the Vibe server, such as vibe.yourcompanyname.com.

    You are then prompted for additional information about your organization:

    • Organizational unit

    • Organization

    • City or locality

    • State or province

    • Two-letter country code

  7. (Conditional) If you are planning to obtain a your certificate from a commercial certificate authority (CA), respond to the additional information prompts with accurate information appropriate to your organization.

    or

    (Conditional) If you are planning to generate a self-signed certificate, press Enter to skip through the prompts.

  8. When you are prompted whether the information you provided is correct, enter yes.

  9. Press Enter to use the same password that you specified in Step 5 as the key password for Tomcat.

  10. List the files in the certs directory to see that a new .keystore file has been created.

Do Not Change the Password for the Keystore File

The password for the .keystore file is hard coded and should not be changed.

The password adds no additional protection because the keystore is secured by being located in a root-owned directory, not by the password.Port 9443 Vibe and Filr Cert management are hard coded to expect the password as it is created on the system.

Changing the password breaks 9443 certificate management.

Generating a Certificate Signing Request

  1. Use the following command to create a certificate signing request (CSR):

    keytool -certreq -alias tomcat -keyalg RSA 
            -file certreq.csr -keystore .keystore
  2. Enter the keystore password (changeit) to create the CSR.

  3. List the files in the certs directory to see that a new certreq.csr file has been created along with the existing.keystore file.

  4. Use the certreq.csr file to obtain a signed certificate.:

    1. To use a commercial certificate authority (CA), continue with Submitting the Certificate Signing Request to a Certificate Authority (CA).

      or

    2. To use a self-signed certificate, skip to Using the Certificate Signing Request to Generate a Self-Signed Certificate.

Submitting the Certificate Signing Request to a Certificate Authority (CA)

You can find a commercial certificate authority (CA) on the Internet by searching for “certificate authority.” The process of obtaining a signed certificate varies from company to company. Each company provides instructions to assist you.

The certificate authority sends you a set of certificate files that you import into the Vibe keystore. Import these files into the same keystore that you used to create the original certificate request. You must import all of the files that you receive.

The following procedure is a guideline for importing the certificate into the Vibe keystore. Instructions might vary depending on the certificate authority.

  1. Change to the certs directory where you created the root certificate file and the server certificate file.

  2. Use the following command to import the root certificate file:

    keytool -import -alias root -trustcacerts -keyalg RSA -keystore .keystore
            -file CertificateAuthorityCert.der
  3. Enter the keystore password (changeit) to add the root certificate to the Vibe keystore.

  4. Use the following command to import the SSL certificate file that you received from the certificate authority:

    keytool -import -alias tomcat -keyalg RSA -keystore .keystore
            -file certificate_name.cer
  5. Enter the keystore password (changeit) to add the server certificate to the Vibe keystore.

Using the Certificate Signing Request to Generate a Self-Signed Certificate

If you do not want to wait to receive your signed certificate from a commercial certificate authority (CA), you can generate your own self-signed certificate using iManager. You must generate both a self-signed eDirectory root certificate file and a server certificate file.

For help, refer to Understanding the Certificate Server in the NetIQ eDirectory Administration Guide.

NOTE:If you are using Active Directory rather than eDirectory, consult your Active Directory documentation for comparable procedures.

Importing the Certificate Files into the Vibe Keystore

After you have obtained or generated a signed certificate, you must import the certificate files into the Vibe keystore. This section describes how to import the files associated with a self-signed certificate. For information about how to import the files for a certificate that you receive from a certificate authority, see Submitting the Certificate Signing Request to a Certificate Authority (CA).

  1. Change to the certs directory where you created the root certificate file and the server certificate file.

  2. Use the following command to import the root certificate file:

    keytool -import -alias root -keyalg RSA -keystore .keystore
            -file SelfSignedRootCert.der
  3. Enter the keystore password (changeit) to add the root certificate to the Vibe keystore.

  4. Use the following command to import the server certificate file:

    keytool -import -alias tomcat -keyalg RSA -keystore .keystore
            -file SelfSignedServerCert.der
  5. Enter the keystore password (changeit) to add the server certificate to the Vibe keystore.

    The new .keystore file is now ready to be added to your Vibe system.

  6. Use the following command to verify that the server certificates have been imported into the Vibe keystore:

    keytool -list -keystore .keystore
  7. Enter the keystore password (changeit), then verify that the certificates have been imported.

    You should see the text Your keystore contains 2 entries, followed by information about each certificate that you imported.

  8. Continue with Replacing the Original Vibe Keystore File with Your Permanent Keystore File.

Replacing the Original Vibe Keystore File with Your Permanent Keystore File

  1. Change to the following directory on the Vibe server:

    Linux:

    /opt/novell/teaming/apache-tomcat/conf

    Windows:

    c:\Program Files\Novell\Teaming\
                                 apache-tomcat\conf
  2. Rename the existing .keystore file to keystorebackup.

  3. Copy your new .keystore from the certs directory to the conf directory.

  4. Adjust the ownership and permissions of the new .keystore file to match those of the backed-up keystore file.

  5. Restart Vibe so that Vibe rereads the updated keystore file.

40.4.2 Implementing Secure HTTP Connections

When you run the Vibe installation program, you can choose between non-secure and secure HTTP connections, as described in HTTP/HTTPS Ports in Single-server (Basic) Installation in the Vibe 4.0.8 Installation Guide.

40.4.3 Forcing Secure HTTP Connections

With additional configuration, you can force users from a non-secure HTTP connection to a secure HTTPS connection.

Using NetIQ Access Manager to Force Secure HTTP Connections

With Micro Focus Vibe, you can use NetIQ Access Manager to force secure HTTP connections. For more information, see Configuring Single Sign-On with Novell Access Manager in Advanced Installation and Reconfiguration in the Vibe 4.0.8 Installation Guide.

Configuring Tomcat to Redirect to Secure HTTP Connections

To reconfigure Tomcat, you must update two configuration files (both named web.xml) under two different directories (ssf and ROOT). The ssf directory name refers to SiteScape Forum, a legacy product name. The ssf directory contains the main Vibe web application that you use when you interact with your browser. The ROOT directory name refers to SiteScape File System. The ROOT directory contains the Vibe WebDAV application that you use to access files on a remote WebDAV server from the Vibe site.

  1. Log in to the Vibe server with sufficient rights to edit the web.xml files (root on Linux, Administrator on Windows).

  2. Modify the web.xml file under the ssf directory:

    1. Change to the directory where the web.xml file is located.

      Linux:

      /opt/novell/teaming/apache-tomcat/
                                               webapps/ssf/WEB-INF

      Windows:

      c:\Program Files\Novell\Teaming\apache-tomcat\
                                               webapps\ssf\WEB-INF
    2. Make a backup copy of the web.xml file, then open the web.xml file in a text editor.

    3. Add the following security constraint at the bottom of the file, immediately above the </web-app> tag.

      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Entire Application</web-resource-name>
          <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
      </security-constraint>
    4. (Conditional) If users access the Vibe site with Internet Explorer, find the following single line in the security constraint you just added:

       <url-pattern>/*</url-pattern>
    5. Replace it with the following set of lines:

        <!-- Patterns from web.xml.tmpl. -->
        <url-pattern>/a/*</url-pattern>
        <url-pattern>/ws/*</url-pattern>
        <url-pattern>/rss/*</url-pattern>
        <url-pattern>/atom/*</url-pattern>
        <!-- Patterns from subdirectories of webapps/ssf. -->
        <url-pattern>/applets/*</url-pattern>
        <url-pattern>/css/*</url-pattern>
        <url-pattern>/help/*</url-pattern>
        <url-pattern>/help_doc/*</url-pattern>
        <url-pattern>/i/*</url-pattern>
        <url-pattern>/images/*</url-pattern>
        <url-pattern>/js/*</url-pattern>

      For Internet Explorer, this list of URL patterns forces secure HTTP connections for everything except the /s/* pattern (document files with extensions such as .odt and .doc) and the /ical/* pattern (calendar .ics files).

    6. Save the modified web.xml file, then exit the text editor.

  3. Modify the web.xml file under the ROOT directory:

    1. Change to the directory where the web.xml file is located.

      Linux:

      /opt/novell/teaming/apache-tomcat/
                                            webapps/ROOT/WEB-INF

      Windows:

      c:\Program Files\Novell\Teaming\apache-tomcat\
                                             webapps\ROOT\WEB-INF
    2. Make a backup copy of the web.xml file, then open the web.xml file in a text editor.

    3. Add the following security constraint at the bottom of the file, immediately above the </web-app> tag.

      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Entire Application</web-resource-name>
          <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
      </security-constraint>
    4. Save the modified web.xml file, then exit the text editor.

Adding the Apache Web Server to Force Secure HTTP Connections

You can set up the Apache web server to front your Vibe site and use a meta refresh to redirect users to a secure URL.

  1. Install the Apache web server on one server.

  2. Configure Apache to listen on port 80.

  3. Create an index.html file similar to the following example:

    <html>
    <head>
      <meta http-equiv="refresh" content="0;url=https://vibe_url" />
      <title>Redirected to Secure Vibe</title>
    </head>
    <body>
      This page is used to redirect to the Secure Vibe server. If your 
      browser does not automatically redirect you in a few seconds, click 
      <a href="https://vibe_url">here</a> to go to the secure page.
    </body>
    </html>
  4. Replace vibe_url with the URL to your Vibe site.

  5. Place the index.html file in the document root directory of the Apache web server.

    Linux:

    /srv/www/htdocs

    Windows:

    c:\Program Files\Apache Software Foundation\Apache2.2\htdocs
  6. Restart the Apache web server.

40.4.4 Defaulting to Secure HTTP URLs

Defaulting to Secure HTTP URLs in Vibe Links

Vibe includes URLs to locations on the Vibe site in various links throughout the Vibe system. By default, the URLs are formed with HTTP rather than HTTPS. You can reconfigure Vibe to default to HTTPS for Vibe site URLs.

  1. Log in to the Vibe server with sufficient rights to edit the ssf-ext.properties file (root on Linux, Administrator on Windows).

  2. Change to the following directory:

    Linux:

    /opt/novell/teaming/apache-tomcat/
                               webapps/ssf/WEB-INF/classes/config

    Windows:

    c:\Program Files\Novell\Teaming\apache-tomcat\
                               webapps\ssf\WEB-INF\classes/config
  3. Open the ssf.properties file in a text editor.

  4. Locate and copy the following lines:

    adapter.web.protocol=context-http
    servlet.web.protocol=context-http
    rss.web.protocol=context-http
    ical.web.protocol=context-http
    ssfs.web.protocol=context-http
    simpleurl.web.protocol=context-http
  5. Make a backup copy of the ssf-ext.properties file, located in the same directory with the ssf.properties file.

  6. Open the ssf-ext.properties file in a text editor.

  7. Paste the lines that you copied in Step 4 to the bottom of the file.

  8. Change http to https.

    adapter.web.protocol=context-https
    servlet.web.protocol=context-https
    rss.web.protocol=context-https
    ical.web.protocol=context-https
    ssfs.web.protocol=context-https
    simpleurl.web.protocol=context-https
  9. Close the ssf.properties file without saving.

  10. Save the ssf-ext.properties file, then exit the text editor

  11. Restart Vibe to put the change into effect.

Defaulting to Secure HTTP URLs in Email Notifications

When an email notification is sent from Vibe, Vibe includes a URL to the location on the Vibe site where the notification was sent. By default, the URLs in email notifications are formed with http rather than https. You can reconfigure Vibe to default to https for Vibe site URLs.

  1. Log in to the Vibe server with sufficient rights to edit the ssf-ext.properties file (root on Linux, Administrator on Windows).

  2. Change to the following directory:

    Linux:

    /opt/novell/teaming/apache-tomcat/
                               webapps/ssf/WEB-INF/classes/config

    Windows:

    c:\Program Files\Novell\Teaming\apache-tomcat\
                               webapps\ssf\WEB-INF\classes/config
  3. Open the ssf.properties file in a text editor.

  4. Locate and copy the following line:

    ssf.secure.links.in.email=false
  5. Close the ssf.properties file without saving.

  6. Make a backup copy of the ssf-ext.properties file, located in the same directory with the ssf.properties file.

  7. Open the ssf-ext.properties file in a text editor.

  8. Paste the line that you copied in Step 4 to the bottom of the file:

    ssf.secure.links.in.email=false
  9. Change false to true so that the line now looks like this:

    ssf.secure.links.in.email=true
  10. Save the ssf-ext.properties file, then exit the text editor

  11. Restart Vibe to put the change into effect.

All system-generated email notifications now default to secure HTTP URLs. However, all user-generated emails from the Vibe system follow the current user’s context. For example, if a user is logged in as HTTP and chooses to share an entry with another user, the link in the email notification uses HTTP.