Introduction
FME Flow can be configured to use HTTPS for secure communication. The methods in this document are for version 2025.1 and later. The recommended method is to use a PFX or P12 certificate with the automated installer or configuration script on Windows, or configure the bundled NGINX reverse proxy on Linux. Other methods remain available for specific scenarios, but are not recommended for most users.
Before You Begin
Obtain a valid certificate (Recommended: PFX/P12; less desirable/more complex: CRT/KEY).
Ensure you have the certificate password if you are using a PFX or P12 file.
Confirm you can manually stop and start FME Flow services.
For reverse proxy configurations, ensure you control DNS and firewall rules.
Recommended Methods
Using a PFX or P12 Certificate (During Installation)
- Run the FME Flow installer.
- Select Enable HTTPS with certificate.
- Provide the path to the .pfx or .p12 file and enter the password.
- Complete the installation. The installer will configure Tomcat and update the FME Flow service URLs.
Using a PFX or P12 Certificate (Automated, PowerShell Script)
- After installation, open PowerShell as Administrator.
- Run the script: <FMEFlowDir>\Utilities\configureSSL.ps1
- Provide the path to the .pfx or .p12 file and enter the password when prompted.
- Restart FME Flow services, preferably in the following order:
  - FME Flow Database
  - FME Flow Core
  - FME Flow Engines
  - FME Flow Application Server
- If the certificate is issued by an internal CA, import the certificate into the Java trust store, then restart the services.
Importing an Internal CA Certificate to Java Trust Store
To import the keystore, open a command prompt and navigate to <FMEFlowDir>\Utilities\jre\bin\. Then, run the following command.
Specify the srckeystore argument with the path to your keystore file, the srcstorepass argument with your keystore password, and <FMEFlowDir> as the location of the FME Flow installation folder:
keytool -importkeystore -noprompt -srckeystore "<FMEFlowDir>\Utilities\tomcat\conf\certs\server.pfx" -destkeystore "<FMEFlowDir>\Utilities\jre\lib\security\cacerts" -deststorepass changeit -srcstorepass <password>
Ignore the warning that the destination type must default to jks.
Configuring HTTPS on Linux (Bundled NGINX)
FME Flow on Linux includes an NGINX reverse proxy that enables easy SSL configuration and allows users to choose ports under 1024 without requiring root permissions. HTTPS is configured on the NGINX reverse proxy rather than the Apache Tomcat web application server.
If you are using a .pfx or .p12 certificate, you must convert it into .crt and .key format.
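One way to do this conversion with OpenSSL, shown as an added example that is not part of the FME Flow documentation. The function names, the PFX_PASSWORD environment variable and the output file names are assumptions; the password is read from the environment so it does not appear on the command line.

```shell
# Added example: split a PFX/P12 into the PEM files used in the NGINX steps.
# Assumed names: PFX_PASSWORD (environment variable), function and file names.

# Keep only PEM blocks; openssl pkcs12 also prints "Bag Attributes" text.
pem_only() { sed -n '/-----BEGIN /,/-----END /p'; }

# Succeed only when certificate $1 and private key $2 share one public key.
cert_matches_key() {
  local c k
  c=$(openssl x509 -in "$1" -noout -pubkey) || return 2
  k=$(openssl pkey -in "$2" -pubout) || return 2
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# usage: pfx_to_nginx <file.pfx> <out_dir> <base_name>
# Writes <base_name>.key (unencrypted, mode 400) and <base_name>.crt
# (leaf certificate first, then any CA certificates stored in the PFX).
pfx_to_nginx() {
  local pfx="$1" dir="$2" name="$3"
  [ -n "${PFX_PASSWORD:-}" ] || { echo "set PFX_PASSWORD first" >&2; return 2; }
  (
    umask 077   # files created below are readable by the owner only
    openssl pkcs12 -in "$pfx" -nocerts -nodes -passin env:PFX_PASSWORD |
      pem_only > "$dir/$name.key" &&
    openssl pkcs12 -in "$pfx" -clcerts -nokeys -passin env:PFX_PASSWORD |
      pem_only > "$dir/$name.crt" &&
    openssl pkcs12 -in "$pfx" -cacerts -nokeys -passin env:PFX_PASSWORD |
      pem_only >> "$dir/$name.crt" &&
    chmod 400 "$dir/$name.key"
  ) || return 1
  # A wrong password or a mismatched pair is caught here, before NGINX sees it.
  cert_matches_key "$dir/$name.crt" "$dir/$name.key"
}

# Run directly when called with three arguments, e.g.
#   PFX_PASSWORD=... sh convert.sh server.pfx /etc/nginx/ssl nginx
if [ "$#" -eq 3 ]; then pfx_to_nginx "$@"; fi
```

On OpenSSL 3, a PFX protected with older RC2 or 3DES encryption may need `-legacy` added to the `openssl pkcs12` calls.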
Step-by-step Instructions
1. Create a directory for the certificate:
sudo mkdir /etc/nginx/ssl
2. Place a certificate and key in the new directory.
- If using a CA-issued certificate: place the .crt (or bundle) and .key files.
3. Alternatively, generate a self-signed certificate and key:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout /etc/nginx/ssl/<KeyName>.key \
-out /etc/nginx/ssl/<CertName>.crt
4. Replace <KeyName> and <CertName> with filenames such as nginx.key and nginx.crt.
5. Enable Diffie-Hellman key exchange:
sudo openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
sudo chmod 400 /etc/nginx/ssl/dhparam.pem
6. Edit /etc/nginx/conf.d/fmeflow.conf.
- Uncomment the block that listens on port 80 and redirects to 443:
server {
    listen 80;
    server_name <<hostname>>;
    location / {
        return 301 https://$host$request_uri;
    }
}
- In the main server block, comment out the listen 80; line and uncomment the SSL lines:
#listen 80;
listen 443 ssl;
include /etc/nginx/fmeflow/ssl.conf;
- In the WebSocket server block, comment and uncomment so it listens with SSL on port 7078:
#listen 7078;
listen 7078 ssl;
include /etc/nginx/fmeflow/ssl.conf;
7. Edit /etc/nginx/fmeflow/ssl.conf and update paths to your certificate and key files.
Make sure the SSL certificate and key values match the filenames defined in step 3.
8. Reload NGINX:
service nginx reload
9. Edit server.xml as an administrator at <FMEFlowDir>/Utilities/tomcat/conf.
- Update proxyPort = "443"
- Update scheme = "https"
- Save and close the file.
10. Edit propertiesFile.properties at /opt/fmeflow/Utilities/tomcat/webapps/fmeserver/WEB-INF/conf/propertiesFile.properties.
- Update: WEB_SOCKET_SERVER_PORT=443
11. Edit fmeFlowConfig.txt and fmeFlowWebApplicationConfig.txt.
- Under FME SERVER SETTINGS START > Port and Host Assignments, update FME_SERVER_WEB_URL from http to https and change the port to 443.
12. Restart FME Flow.
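A consistency check for the values set in steps 9 to 11, as an added example that is not part of the FME Flow documentation or tooling. The function names and the `FME_SERVER_WEB_URL=<url>` line format are assumptions; pass the file paths for your installation.

```shell
# Added example: check the values edited in steps 9-11 before restarting.
# Assumptions: the caller supplies the file paths, and FME_SERVER_WEB_URL is
# written as "FME_SERVER_WEB_URL=<url>" (the page does not show the line).

# Print an XML file with <!-- ... --> comments removed, so that a
# commented-out connector cannot satisfy the check.
strip_xml_comments() {
  awk '{ line = $0; out = ""
         while (line != "") {
           if (c) { i = index(line, "-->")
                    if (i) { line = substr(line, i + 3); c = 0 } else { line = "" } }
           else   { i = index(line, "<!--")
                    if (i) { out = out substr(line, 1, i - 1)
                             line = substr(line, i + 4); c = 1 }
                    else   { out = out line; line = "" } }
         }
         print out }' "$1"
}

# usage: check_fmeflow_https server.xml propertiesFile.properties config.txt...
# Prints one FAIL line per problem and returns non-zero if any was found.
check_fmeflow_https() {
  local xml="$1" props="$2" rc=0 live cfg
  shift 2
  live=$(strip_xml_comments "$xml")
  # Step 9: proxyPort and scheme in server.xml.
  printf '%s\n' "$live" | grep -Eq 'proxyPort[[:space:]]*=[[:space:]]*"443"' ||
    { echo "FAIL: $xml: proxyPort is not \"443\""; rc=1; }
  printf '%s\n' "$live" | grep -Eq '(^|[[:space:]])scheme[[:space:]]*=[[:space:]]*"https"' ||
    { echo "FAIL: $xml: scheme is not \"https\""; rc=1; }
  # Step 10: WEB_SOCKET_SERVER_PORT in propertiesFile.properties.
  grep -Eq '^[[:space:]]*WEB_SOCKET_SERVER_PORT[[:space:]]*=[[:space:]]*443[[:space:]]*$' "$props" ||
    { echo "FAIL: $props: WEB_SOCKET_SERVER_PORT is not 443"; rc=1; }
  # Step 11: each config file must carry an https URL on port 443.
  for cfg in "$@"; do
    grep -Eq '^[[:space:]]*FME_SERVER_WEB_URL[=[:space:]]+https://[^/[:space:]]+:443([/[:space:]]|$)' "$cfg" ||
      { echo "FAIL: $cfg: FME_SERVER_WEB_URL is not https on port 443"; rc=1; }
  done
  return "$rc"
}
```

Pass fmeFlowConfig.txt and fmeFlowWebApplicationConfig.txt as the trailing arguments so both files from step 11 are checked in one run.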
Configuration Verification Steps
- Restart FME Flow services.
- Open a browser and navigate to: https://<hostname>/
- Log in to the Web User Interface.
- Run a test job using the Data Download and Job Submitter services.
- In the Web User Interface, go to Services > Change All Hosts and ensure service URLs use HTTPS.
Updating an Expired Certificate
All certificates have an expiration date. Once this has passed, you can still access FME Flow via HTTPS; however, you will no longer be able to submit jobs to run via the Web UI. For instructions on how to update each certificate type, refer to our guide, "Updating an expired Certificate."
Upgrading FME Flow
The HTTPS configuration is not part of the backup and restore process. When upgrading FME Flow, you will need to reconfigure this from scratch.
Before uninstalling FME Flow, consider making a copy of the files that were manually altered during HTTPS configuration. Although these files should not be reused, they can serve as a helpful reference.
- <FMEFlowDir>\Utilities\tomcat\conf\server.xml
- <FMEFlowDir>\Utilities\tomcat\conf\web.xml
- <FMEFlowDir>\Utilities\tomcat\conf\context.xml
- <FMEFlowDir>\Server\fmeWebSocketConfig.txt
- <FMEFlowDir>\Server\config\subscribers\websocket.properties
- <FMEFlowDir>\Server\config\publishers\websocket.properties
- <FMESharedResourceDir>\localization\publishers\websocket\publisherProperties.xml
- <FMESharedResourceDir>\localization\subscribers\websocket\subscriberProperties.xml
Optional HTTPS Configuration Methods (For versions older than 2025.1)
These methods are not recommended for configuring HTTPS with FME Flow, but can be used in versions older than 2025.1, for special cases and testing scenarios. Please use the PFX automated method (Windows) or bundled NGINX (Linux) whenever possible.
- Configuring FME Flow for HTTPS: Using a PFX or P12 Certificate
- Configuring FME Flow for HTTPS: Using a CRT/CER Certificate
- Configuring FME Flow for HTTPS: Using a Self Signed Certificate
- Configuring FME Flow for HTTPS: Using a Key File and .CER Certificate
- Configuring FME Flow for HTTPS Using the Windows Certificate Store
Common Issues and Solutions
- Browser Shows “Not Secure”: Confirm the full certificate chain is imported and service URLs are updated to HTTPS.
- Error while running script "ConfigureSSL.ps1 cannot be loaded because running scripts is disabled on this system": To enable script execution, run the following command in PowerShell as an administrator: Set-ExecutionPolicy RemoteSigned.
- Jobs Fail After HTTPS Configuration: Update service URLs under Services and test with a sample workspace.
- Alias or Keystore Errors in catalina.log (Windows): Verify the alias name, password, and keystore type.
- Internal CA PFX Works, but WebSocket or SSO Fails: Import the certificate into the Java trust store and restart the services.
Troubleshooting
If you are experiencing issues, please consult our FME Flow and HTTPS troubleshooting Guide. If this does not resolve your problem, then contact Safe Software Support.
FAQs
Do I need to open port 443? Yes, if HTTPS is configured directly on Tomcat (Windows) or NGINX (Linux). If using an external reverse proxy, open port 443 on the proxy only.
Can I mix HTTP and HTTPS? No. The automated configuration forces HTTPS.
What about Linux installations? FME Flow for Linux includes NGINX by default. Configure SSL certificates in NGINX and update the Tomcat and FME Flow properties accordingly.
How do I update an expiring certificate? Please see Configuring FME Flow for HTTPS: Updating an expired Certificate