TLS termination and end to end TLS for FME Server

Introduction

When deploying FME Server in the cloud there are several options to configure for SSL. In this article, we will describe different options applying to simple express install scenarios as well as distributed deployment scenarios utilizing load balancing, see Load Balancing Concepts for FME Server in the Cloud.

TLS Termination

TLS or SSL termination terminates HTTPS traffic from clients, relieving your upstream web and application servers of the computational load of SSL/TLS encryption. For FME Server, this means the clients will reach FME Server via an HTTPS address, but the HTTPS traffic will be forwarded as HTTP traffic to the FME Server Web Application after TLS termination. TLS termination can be done via an NGINX reverse proxy on the same machine or an application load balancer that forwards traffic to FME Server in a secure network. Either of these options can be used with your FME Server deployment. The following paragraphs will go through the basic steps of this configuration for an express install as well as for distributed deployments in Microsoft Azure and Amazon Web Services.
 

NGINX

To implement TLS termination with NGINXrunning on the same machine as FME Server, follow these instructions: Configure FME Server for SSL using NGINX as a reverse proxy

Azure Application Gateway

To configure Azure Application Gateway for TLS termination please review this tutorial: Configure an Application Gateway with TLS termination using the Azure portal. If you already have an FME Server deployment using an Azure Application Gateway (e.g Azure Marketplace deployment) you can also follow these steps to update your Application Gateway for TLS termination:

1. Create a PFX certificate for the FQDN (for example, with openssl): 

openssl genrsa -out key.pem 2048
openssl req -new -sha256 -key key.pem -out csr.csr
openssl req -x509 -sha256 -days 365 -key key.pem -in csr.csr -out certificate.pem
openssl pkcs12 -export -inkey key.pem -in certificate.pem -out certificate.pfx

2. Add an HTTPS Listener to the Application Gateway using the newly created certificate
3. Make sure you have a backend setting connecting to the backend pool via HTTP on port 8080
4. Add an HTTPS routing rule to the Application Gateway associated with the HTTPS Listener, created in step 2 and add the existing FME Server Backend pool using the HTTP backend setting
5. Make sure an HTTP Listener for port 80 is configured
6. Update the HTTP routing rule to redirect to the HTTPS  listener instead of the FME Server backend pool. This makes sure that all requests sent to FME Server via port 80 will be redirected to the HTTPS port 443 before the traffic is forwarded to FME Server.
7. In a final step, update tomcat the server.xml file located in <FMEServerDir>\Utilities\tomcat\conf\ by changing the following attributes in the connector element for port 8080:

proxyPort="443"
scheme="https"

For a more robust implementation, it is recommended to use Azure Key Vault to store certification for your application in Azure. The Azure Application Gateway Standard V2 SKU does support Azure Key Vault certificates. Review the following documentation for more details: TLS termination with Key Vault certificates
 

AWS Application Load Balancer

To configure AWS Application Load Balancer for HTTPS please review this documentation: Create an HTTPS listener for your Application Load Balancer. If you already have an FME Server deployment using an AWS Application Load Balancer for an AutoScaling Group, you can also follow these steps to update your Application Load Balancer for TLS termination:

1. Create a PEM certificate for the FQDN (for example, with openssl)

openssl genrsa -out key.pem 2048
openssl req -new -sha256 -key key.pem -out csr.csr
openssl req -x509 -sha256 -days 365 -key key.pem -in csr.csr -out certificate.pem

2. Add the certificate to the Amazon Certificate Manager
3. Add HTTPS Listener using the newly created certificate with a forward rule pointing to the FME Server Core Autoscaling Group via port 8080
4. Make sure an HTTP Listener for port 80 is configured that forwards traffic to the FME Server Core Autoscaling Group on port 8080
5. Update the HTTP listener to redirect traffic to the HTTPS listener. This makes sure that all requests sent to FME Server via port 80 will be redirected to the HTTPS port 443 before the traffic is forwarded to FME Server.
6. In a final step, update the connector element for port 8080 in the tomcat server.xml file located in <FMEServerDir>\Utilities\tomcat\conf\ by changing the proxyPort from 8080 and the scheme from http to the following  in the:

proxyPort="443"
scheme="https"

End-to-end TLS

In certain scenarios, TLS termination at the load balancer level might not be suitable or compliant with security requirements and end-to-end TLS needs to be implemented. The recommended implementation for end-to-end TLS with FME Server using Azure Application Gateway or an AWS Application Load Balancer is to follow the instructions above, but instead of connecting to FME Server via port 8080 the FME Server needs to be configured for SSL using NGINX as a reverse proxy on each FME Core host to allow the application load balancer to forward traffic via port 443. This requires the following updates to the application load balancer:
 

Azure Application Gateway

1. Configure FME Server for SSL with NGINX
2. Export CER file from the certificate used in NGINX
3. Add an HTTPS backend setting connecting to the FME Server backend pool via HTTPS on port 443 using the exported certificate. This verifies that Azure Application Gateway connects to the correct backend
4. Update HTTPS routing rule to use newly created HTTPS backend setting

AWS Application Load Balancer

1. Configure FME Server for SSL with NGINX
2. Update the HTTPS listener to connect to the FME Server Autoscaling Group via HTTPS on port 443.

Network Load Balancer

In a case where no application load balancer is needed, FME Server can also be configured for SSL with NGINX. A network load balancer forwarding traffic to NGINX via HTTPS on port 443 might be sufficient and potentially simplify the deployment by eliminating the TLS termination configuration on the application gateway.
 

Additional Resources

Please consider posting to the FME Community Q&A  if you have any further questions or issues that are not addressed in this article. There are also different support channels available.

Make sure to include as much information as possible:

• What cloud environment are you in?
• Are you using a load balancer or reverse proxy?