keytool -importkeystore -srckeystore mypfxfile.pfx -srcstoretype pkcs12 -destkeystore clientcert.jks -deststoretype JKS
Step-by-step guide
Creating a non-authenticated (self-signed) certificate
The keytool program is located in the bin directory of your JDK. The command to use to generate the certificate is:
keytool -genkey -keyalg RSA -keystore /chemin/vers/jmap/conf/certificat.keystore
(certificat.keystore is the name of the file that will be generated)
When creating the certificate, the domain name targeted by HTTPS must be entered at: 'What is your first and last name?'. Only this resource will be secured, so any access via another name (e.g. localhost, 127.0.0.1, etc.) will return a security error.
Enter keystore password: javacaps
What is your first and last name?
[Unknown]: development.sun.com
What is the name of your organizational unit?
[Unknown]: Development
what is the name of your organization?
[Unknown]: Sun
What is the name of your City or Locality?
[Unknown]: Monrovia
What is the name of your State or Province?
[Unknown]: California
What is the two-letter country code for this unit?
[Unknown]: US
Is<CN=development.sun.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US> correct?
[no]: yes
Configuring the certificate in JKS format
- Once the certificate has been created, you must change the following settings in:
/chemin/vers/jmap/conf/jmapserver.properties
- The certificate created:
server.https.keystore.file=/chemin/vers/jmap/conf/certificat.keystore (Example: server.https.keystore.file=../conf/star_jmaponline_net.jks)
- Your certificate password:
server.https.keystore.password=xxxxx
- The 'encrypted' value indicates whether the password is encrypted, so when you configure it for the first time, you must change the value to 'false'. When JMap is started for the first time, your password should be encrypted and the value will automatically change to 'true'. This value is not available in older versions of JMap; if it does not appear in the configuration file, ignore this step or update JMap to the latest version.
server.https.keystore.password.encrypted=false
- The port to use for HTTPS (443 by default):
server.https.port=443
Once these steps are completed, simply restart JMap Server and launch JMap Admin over HTTPS: https://xxx.xxx.xxx.xxx:443/jmapadmin
The redirectEnabled option forces HTTPS by automatically redirecting HTTP to HTTPS when set to 'true'.
Example configuration:
server.https.client.auth=false
server.https.keystore.file=../conf/certificat.keystore
server.https.keystore.password=votreMotDePasse
server.https.keystore.password.encrypted=false
server.https.keystore.type=JKS
server.https.port=443
server.https.redirectEnabled=true
server.https.scheme=https
server.https.ssl.protocol=TLS
If HTTPS does not respond, check the logs (jmap_log and the latest *.err file). The certificate may not be recognized by Java and may need to be added to the keystore: https://k2geospatial.atlassian.net/wiki/x/AoA1Eg
English version
It is very simple to configure JMap to use HTTP encrypted connections (HTTPS / SSL).
This configuration requires a compatible JKS certificate. If you do not have a certificate, it is possible to create a non-authenticated certificate with JDK tools. To convert an existing PEM certificate into the JKS format, use the following procedure: https://docs.oracle.com/cd/E35976_01/server.740/es_admin/src/tadm_ssl_convert_pem_to_jks.html
Step-by-step guide
Creating a self-signed certificate
The keytool program can be found in the bin directory of your JDK. The command to generate the certificate is:
keytool -genkey -keyalg RSA -keystore /chemin/vers/jmap/conf/certificat.keystore
When generating the certificate, the domain name must be entered as the answer to: 'What is your first and last name?'. Only through this name will you be able to securely access JMap via HTTPS; any other URL (e.g. localhost, 127.0.0.1, etc.) will return a security error.
Enter keystore password: javacaps
What is your first and last name?
[Unknown]: development.sun.com
What is the name of your organizational unit?
[Unknown]: Development
what is the name of your organization?
[Unknown]: Sun
What is the name of your City or Locality?
[Unknown]: Monrovia
What is the name of your State or Province?
[Unknown]: California
What is the two-letter country code for this unit?
[Unknown]: US
Is<CN=development.sun.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US> correct?
[no]: yes
Certificate configuration
1. Once the certificate has been created, you must change the following settings in:
/chemin/vers/jmap/conf/jmapserver.properties
2. The certificate created:
server.https.keystore.file=/chemin/vers/jmap/conf/certificat.keystore (Example: server.https.keystore.file=../conf/star_jmaponline_net.jks)
3. Your certificate password:
server.https.keystore.password=xxxxx
4. The value of password.encrypted indicates whether the password is encrypted. When you first configure the certificate, make sure that the encrypted value is set to false. When JMap starts for the first time with the HTTPS configuration, it will encrypt the password and change the value to 'true'. This value is not available in all JMap versions; if it is not present in the configuration file, either ignore this step or upgrade to the latest JMap version.
server.https.keystore.password.encrypted=false
5. The port to use for HTTPS (443 by default):
server.https.port=443
Once these steps are done, simply restart JMap Server and launch JMap Admin over HTTPS: https://xxx.xxx.xxx.xxx:443/jmapadmin
Example of configured file:
server.https.client.auth=false
server.https.keystore.file=../conf/certificat.keystore
server.https.keystore.password=yourPassword
server.https.keystore.password.encrypted=false
server.https.keystore.type=JKS
server.https.port=443
server.https.redirectEnabled=true
server.https.scheme=https
server.https.ssl.protocol=TLS
The redirectEnabled option, when set to true, forces HTTPS by automatically redirecting HTTP to HTTPS.
If an SSL error occurs when starting JMap Server, it might be because the certificate is not recognized by Java. Check your jmap_log and the latest .err file, and see this article: https://k2geospatial.atlassian.net/wiki/x/AoA1Eg
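As an added example (not part of the original guide or of JMap itself), the following shell script audits a jmapserver.properties file after the steps above: it checks that the keystore exists, that the password is not a placeholder from this guide, that JMap has flipped password.encrypted to true after its first start, that redirectEnabled is on, and that the file is not world-readable. The function names prop, finding and audit_https_props are assumptions of this example, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: audit the HTTPS keys this page sets in jmapserver.properties.

# prop FILE KEY: print the value of the last "KEY=value" line (empty if absent).
prop() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')   # treat dots in the key literally
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '\r'
}

# finding TEXT: report one problem and bump the caller's counter.
finding() { echo "FINDING: $*"; findings=$((findings + 1)); }

# audit_https_props FILE: returns the number of findings (0 = clean).
# Assumption: run from the directory JMap resolves relative keystore paths against.
audit_https_props() {
    file=$1; findings=0
    ks=$(prop "$file" server.https.keystore.file)
    pw=$(prop "$file" server.https.keystore.password)
    enc=$(prop "$file" server.https.keystore.password.encrypted)
    redir=$(prop "$file" server.https.redirectEnabled)
    if [ -z "$ks" ] || [ ! -r "$ks" ]; then
        finding "keystore '$ks' is unset, missing or unreadable"
    fi
    case "$pw" in
        ''|xxxxx|yourPassword|votreMotDePasse)
            finding "keystore password is empty or a placeholder from the guide" ;;
    esac
    # The page says JMap encrypts the password and flips this flag on first start.
    if [ "$enc" != "true" ]; then
        finding "password.encrypted='$enc': JMap has not encrypted the password in $file"
    fi
    if [ "$redir" != "true" ]; then
        finding "redirectEnabled='$redir': plain HTTP is not redirected to HTTPS"
    fi
    # The file holds the keystore password, so other local users should not read it.
    if [ -n "$(find "$file" -prune -perm -004)" ]; then
        finding "$file is world-readable"
    fi
    return "$findings"
}

# Constructed sample: the guide's example values before JMap's first start.
sample=$(mktemp)
printf '%s\n' 'server.https.keystore.file=../conf/certificat.keystore' \
    'server.https.keystore.password=yourPassword' \
    'server.https.keystore.password.encrypted=false' \
    'server.https.redirectEnabled=true' > "$sample"
audit_https_props "$sample" || echo "$? finding(s) in sample"
rm -f "$sample"
```

Run it again after JMap Server has been restarted once: a password.encrypted finding that persists means the password is still stored in clear text in the properties file.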