{scrollbar}

{quote}*

Note:

...

This

...

document

...

is

...

only

...

applicable

...

for

...

the

...

CAS

...

server.

...

There

...

is

...

no

...

need

...

to

...

enable

...

SSL

...

on

...

the

...

servlet

...

container

...

running

...

the

...

Pentaho

...

BI

...

Server.

...

SSL Overview

For the purpose of this document, SSL, and its successor TLS, are identical. SSL provides security in several ways, including:

• Verification of server identity.
• Encryption of data between client and server.

A frequent source of trouble in setting up SSL is the configuration of the server certificate. Below is a breakdown of the parties involved to get SSL setup.

• certificate issuer, also known as certificate authority: A certificate issuer is a company that vouches for the identity of the server. The company vouches for the server by signing the server's certificate with its private key. Because everyone in the world has access to the certificate issuer's public key, they can verify that the certificate was in fact signed by the certificate issuer.
• certificate recipient: A certificate recipient is the web server. It's the server to which a user's browser will connect via HTTPS.
• browser: The browser receives the certificate from the server and will only proceed without user interaction if the signer of the certificate (the certificate authority) is "trusted." You'll receive a browser warning dialog window if the signer of the certificate is not trusted. This can happen when the certificate is "self-signed." This means that the certificate recipient signed (using its private key) its own certificate. This is only appropriate for development and should not be used in production.

Self-Signed Certificates

Tomcat Setup (Using a Self-Signed Certificate)

Enabling SSL in Tomcat follows the Tomcat documentation. Where the Pentaho setup deviates from the Tomcat documentation, it is documented below.

Creating a Self-Signed Certificate

When creating the certificate, you will be prompted with What is your first and last name? Enter just the word localhost at that prompt. Otherwise the HostnameVerifier will fail.

Trusting the Self-Signed Certificate

Why does one need to trust the certificate? Usually, only clients that are connecting to servers via https need to trust the certificate of the server. And while the client (the web browser in one case) must trust the certificate of the CAS server, there is another client that must trust the CAS server. That client is the web application using CAS services--in this case, the Pentaho BI Server. The Pentaho BI Server connects via https to the CAS server during the ticket validation process. See section 2.6. in the CAS Protocol documentation.

Note: If you do not trust the certificate, you'll get the following error: sun.security.provider.certpath.SunCertPathBuilderException:

...

unable

...

to

...

find

...

valid

...

certification

...

path

...

to

...

requested

...

target

1. Execute the following in %USER_HOME%

...

1. :

...

1. Panel

...

1. keytool

...

1. -export

...

1. -alias

...

1. tomcat

...

1. -file

...

1. tomcat.cer

...

1. -storepass

...

1. changeit

...

1. -keypass

...

1. changeit

...

1. -keystore

...

1. .keystore

...

2. Execute the following in %JAVA_HOME%/jre/lib/security

...

1. :

   Note:

...

1. You

...

1. might

...

1. need

...

1. to

...

1. run

...

1. the

...

1. command

...

1. below

...

1. as

...

1. an

...

1. administrator.

...

1. Also,

...

1. if

...

1. you

...

1. are

...

1. setting

...

1. up

...

1. security

...

1. with

...

1. the

...

1. PCI

...

1. on

...

1. Windows,

...

1. the

...

1. start-pentaho

...

1. script

...

1. sets

...

1. %JAVA_HOME%

...

1. to

...

1. the

...

1. PCI's

...

1. jre

...

1. directory:

...

1. pentaho-demo\jre.

...

1. So

...

1. run

...

1. the

...

1. command

...

1. from

...

1. pentaho-demo\jre\lib\security.

...

1. Furthermore,

...

1. if

...

1. you're

...

1. on

...

1. Windows,

...

1. and

...

1. you

...

1. have

...

1. created

...

1. the

...

1. tomcat.cer

...

1. in

...

1. C:\Documents

...

1. and

...

1. Settings\User,

...

1. you

...

1. will

...

1. need

...

1. to

...

1. put

...

1. double

...

1. quotes

...

1. (")

...

1. around

...

1. the

...

1. -file

...

1. argument

...

1. because

...

1. of

...

1. the

...

1. spaces

...

1. in

...

1. the

...

1. path

...

1. name.

...

1. Panel
   keytool -import -alias tomcat -file %USER_HOME%/tomcat.cer

...

1. -keystore

...

1. cacerts

...

1. -storepass

...

1. changeit

2. Now confirm that the tomcat entry in %USER_HOME%/.keystore

...

1. is

...

1. the

...

1. same

...

1. entry

...

1. that

...

1. is

...

1. in

...

1. %JAVA_HOME%/jre/lib/security/cacerts

...

1. .

...

1. Do

...

1. this

...

1. by

...

1. comparing

...

1. the

...

1. fingerprints

...

1. of

...

1. the

...

1. two

...

1. entries.

...

1. 1. Execute

...

1. 1. the

...

1. 1. following

...

1. 1. in

...

1. 1. %USER_HOME%

...

1. 1. :

...

1. 1. Panel

...

1. 1. keytool

...

1. 1. -list

...

1. 1. -keystore

...

1. 1. .keystore

...

1. 1. Panel
      title Output of keytool -list -keystore .keystore
      Keystore type: jks Keystore provider: SUN Your keystore contains 1 entry tomcat, Mar 1, 2007, keyEntry, Certificate fingerprint (MD5): xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx

...

1. 2. Note the fingerprint of the tomcat entry. Execute the following in %JAVA_HOME%/jre/lib/security

...

1. 1. :

...

1. 1. Panel

...

1. 1. keytool

...

1. 1. -list

...

1. 1. -keystore

...

1. 1. cacerts

...

1. 1. Panel
      title Output of keytool -list -keystore cacerts
      Keystore type: jks Keystore provider: SUN Your keystore contains n entries entries omitted tomcat, Mar 1, 2007, trustedCertEntry, Certificate fingerprint (MD5): xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx

...

1. 1. entries

...

1. 1. omitted

   2. Make sure that the fingerprint for the tomcat entry in cacerts is the same as the tomcat entry in .keystore.

Certificate Authority-Signed Certificates

Using keytool

The instructions given in the Tomcat documentation cover the generation of a private and public key pair, the creation of a signing request, and the importation of the signed certificate into the keystore using keytool. If this is your scenario, consult that documentation. However, what if the generation of the private and public key pair and the creation of the signing request are done using a tool, such as OpenSSL?

Using OpenSSL

When keytool is not used to generate the private and public key pair, there are some extra steps when importing a CA-signed certificate. As a user from a Tomcat mailing list states, "the signed cert is only what Tomcat sends to the browser; it needs the private key in order to decipher the stuff that the browser encrypts using the public key." Because you did not use keytool to generate the private and public key pair, you need to import both the private key and the CA-signed certificate!

The first issue is related to key and certificate format. By default, OpenSSL uses the PEM format. The Tomcat documentation says that, "OpenSSL often adds a readable comments before the key; keytool does not support that." The trick is to convert both the key and certificate to DER format.

The next issue is related to the actual import into the keystore.

Number 2 above is the closest matching reason, but it assumes that you used keytool to generate the signing request. This assumption doesn't hold true in the case when OpenSSL is used to generate the signing request. In this case, rely on a small Java program that uses the java.security.* API to programmatically add the private key as well as the CA-signed certificate to a keystore.

Consideration for Mozilla Browsers

Some cryptographic algorithms used by Mozilla browsers during SSL connections are not provided by the JVM. The solution is to add other security providers.

If using Sun JRE 1.4.2:

1. Download the Legion of the Bouncy Castle security provider.
2. Copy the JAR into jre/lib/ext directory of the JRE running Tomcat.
3. Edit jre/lib/security/java.security

...

1. and

...

1. add

...

1. security.provider.n=org.bouncycastle.jce.provider.BouncyCastleProvider

...

1. where

...

1. n

...

1. is

...

1. the

...

1. highest

...

1. unused

...

1. integer

...

1. available

...

1. in

...

1. the

...

1. file.

...

If

...

using

...

Sun

...

JRE

...

1.5.n:

...

1. Copy

...

1. the

...

1. Sun

...

1. JCE

...

1. provider

...

1. from

...

1. {Program

...

1. Files}/Java/j2re1.5.n_nn/lib/ext/sunjce_provider.jar

...

1. file

...

1. into

...

1. the

...

1. jre/lib/ext

...

1. of

...

1. the

...

1. JRE

...

1. running

...

1. Tomcat.

...

References

• Wikipedia on SSL
• Generate certificate chains for testing Java applications
• http://www

...

• .

...

• comu.de/docs/tomcat_ssl.htm

...

• OpenSSL
• SSL Configuration HOW-TO
• keytool