Configuring FME Flow for HTTPS: Using a CA Certificate

Richard Mosley

Introduction

Follow these step-by-step instructions to configure your FME Flow (formerly FME Server) for HTTPS using a .crt or .cer certificate obtained from a Certificate Authority (CA). If the certificate you have obtained uses the .pfx extension, follow the Using a PFX or P12 certificate instructions instead.

FME Flow 2022.0 Linux
As of 2022.0, Linux FME Flows now include Nginx as a reverse proxy. This makes SSL configuration easier to manage. Please follow the documentation for the steps. If you have an older installation, please follow the Windows steps below. 

 

Key References

<FMEFlowDir> refers to the location of the FME Flow installation folder, specified during installation. By default, this is C:\Program Files\FMEFlow on a Windows machine and /opt/fmeflow on a Linux machine.

<FMESharedResourceDir> refers to the location of the FME Flow System Share, specified during installation. By default, this is C:\ProgramData\Safe Software\FME Flow on a Windows machine and /opt/fmeflow on a Linux machine.

 

Step-by-step Instructions 

1. Create a Keystore Generation Script

Open a text editor and copy the example script below. Replace the example values (the CN and the other dname fields, the passwords, and the san entries) with your own. Note that the storepass and keypass values must be the same and at least 6 characters long. For more information on the keytool arguments, see Appendix A at the bottom of this article. Make sure that the CN value ("fmeflow.example.org" in the example below) is also included as one of the san values (i.e. dns:fmeflow.example.org).

keytool -genkey -noprompt -keyalg RSA -keystore tomcat.keystore -alias tomcat -dname "CN=fmeflow.example.org, OU=support, O=SafeSoftware, L=Surrey, S=BC, C=CA" -storepass password1 -keypass password1 -ext san="dns:fmeflow.example.org,dns:fmeflow" -deststoretype pkcs12 

 

2. Run Keystore Generation Script

a. Open a command prompt as administrator and navigate to the Java bin directory of the FME Flow installation:

cd <FMEFlowDir>\Utilities\jre\bin\ 

b. Execute the command you have created in step 1.

Note: <FMEFlowDir> refers to the location of the FME Flow installation folder, specified during installation.

  

3. Generate a certificate signing request (CSR)

In the command prompt, remain in <FMEFlowDir>\Utilities\jre\bin\ and run:

keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore tomcat.keystore -ext san="dns:fmeflow.example.org,dns:fmeflow"

Specify the certificate signing request path and filename, and update the alias and san values to match those set in step 1.

 

4. Obtain a Certificate

Submit the CSR (certreq.csr) generated in step 3 to your CA to obtain a certificate, following your CA's instructions.

 

5. Import the certificate into the keystore 

If you have multiple certificates, import them in the following order, and be sure to update the alias and certificate path for each.

Import root certificate (If you don't have one ignore this step):

keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file <path/certificate_filename>


Import intermediate certificate (If you don't have one ignore this step):

keytool -import -alias intermediate -keystore tomcat.keystore -trustcacerts -file <path/certificate_filename>


Import certificate:

keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file <path/certificate_filename>


Note: You must use the same alias that was specified in step 1 to import the primary certificate. 
 

6. Import the keystore into FME Flow's trusted certs

In the command prompt (still in <FMEFlowDir>\Utilities\jre\bin\), import the keystore into FME Flow's trusted certs using the following command, first replacing the srcstorepass argument with the password from step 1.

keytool -importkeystore -noprompt -srckeystore tomcat.keystore -destkeystore "<FMEFlowDir>\Utilities\jre\lib\security\cacerts" -deststorepass changeit -srcstorepass password1

Notes:
A) Ignore the warning that the destination keystore type defaults to JKS.
B) Distributed web applications such as Tomcat typically use a different Java installation than FME Flow; in that case the cacerts file of that Java installation must be used instead of the FME Flow one.

 

7. Make a backup of the tomcat XML configuration files

Go to <FMEFlowDir>\Utilities\tomcat\conf and make backups of server.xml, web.xml, and context.xml. This is recommended so that you can easily revert the configuration at any point if necessary.

 

8. Configure server.xml

a. Run a text editor as an administrator and open server.xml, located in <FMEFlowDir>\Utilities\tomcat\conf.

b. Locate the SSLEngine attribute of the <Listener> element with className="org.apache.catalina.core.AprLifecycleListener" and verify that its value is "off".

c. Locate the <Connector> element that contains:

protocol="org.apache.coyote.http11.Http11NioProtocol"

and replace the entire element with:

<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
    port="443"
    minSpareThreads="5"
    enableLookups="true"
    disableUploadTimeout="true"
    acceptCount="100"
    maxThreads="200"
    maxHttpHeaderSize="16384"
    maxParameterCount="1000"
    scheme="https"
    secure="true"
    SSLEnabled="true"
    keystoreFile="<FMEFlowDir>\Utilities\jre\bin\tomcat.keystore"
    keystorePass="password1"
    clientAuth="false"
    sslEnabledProtocols="TLSv1.1,TLSv1.2"
    sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
    ciphers="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256,DHE-RSA-AES256-GCM-SHA384,DHE-RSA-AES128-GCM-SHA256,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-AES128-GCM-SHA256,DHE-RSA-AES256-SHA256,DHE-RSA-AES128-SHA256,ECDHE-RSA-AES256-SHA384,ECDHE-RSA-AES128-SHA256,ECDHE-RSA-AES256-SHA,ECDHE-RSA-AES128-SHA,DHE-RSA-AES256-SHA,DHE-RSA-AES128-SHA"
    URIEncoding="UTF8" />

<Connector port="80" protocol="HTTP/1.1" redirectPort="443"/>

Make sure to update the keystoreFile and keystorePass attributes to the keystore location and the password set in step 1.
Note: If the password contains characters that are not valid in an XML attribute value (such as &, <, or the quote character), they must be replaced with XML escape sequences (for example &amp;, &lt;, &quot;).

TLS 1.1 can be disabled by removing TLSv1.1 from sslEnabledProtocols.


Note: The list of ciphers is not exhaustive. If your certificate was generated with a different algorithm, it must be added. Any algorithms not in use can also be safely removed from this list. For a full list of ciphers supported by Tomcat, see Cipher (Apache Tomcat 9.0.69 API Documentation).
 

d. (Optional) To change the port for HTTPS communication, change 443 to the desired port, for both the port and redirectPort directives.

e. Save and close the server.xml file.

 

9. Configure web.xml

a. Open web.xml, located in <FMEFlowDir>\Utilities\tomcat\conf.

b. Add the following code block to the end of the file, just before the closing </web-app> element:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>HTTPSOnly</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

c. Save and close the web.xml file.

 

10. Configure context.xml

a. Open context.xml, located in <FMEFlowDir>\Utilities\tomcat\conf.

b. Add the following to the end of the file, just before the closing </Context> element:

<Valve className="org.apache.catalina.authenticator.SSLAuthenticator" disableProxyCaching="false" />

c. Save and close the context.xml file.
 

11. Update the FME Flow Web URL to Use HTTPS

a. Run a text editor as an administrator and open fmeServerConfig.txt, located at <FMEFlowDir>\Server\.

b. Update the FME_SERVER_WEB_URL directive by changing http to https and setting the port to the one specified in step 8. Make sure that the Fully Qualified Domain Name (FQDN) of the host is used in the FME_SERVER_WEB_URL directive.

c. Save and close the file.
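The four files touched in steps 8 to 11 are easy to get subtly wrong (a connector without secure="true", a password that breaks the XML, a web URL still pointing at http:// or at the wrong port). The script below is an added example, not part of this article or of FME Flow: it parses server.xml, web.xml, context.xml and fmeServerConfig.txt and reports anything that deviates from the settings those steps describe, including TLSv1.1 still being enabled. The SAMPLE_* strings are constructed inputs that mimic the relevant parts of the real files; point the functions at the real files from <FMEFlowDir>\Utilities\tomcat\conf and <FMEFlowDir>\Server\ instead. keystore_pass_attr() also produces the escaped keystorePass attribute for a password that contains XML-significant characters.

```python
"""Static audit of the files edited in steps 8 to 11.

Added example (not from the article or from FME Flow): it parses server.xml,
web.xml, context.xml and fmeServerConfig.txt and reports deviations from the
settings those steps describe. The SAMPLE_* strings are constructed inputs."""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def keystore_pass_attr(password):
    """Render keystorePass as an XML attribute; quoteattr escapes the characters
    (& < > and quotes) that would otherwise make server.xml invalid."""
    return "keystorePass=" + quoteattr(password)

def _local(tag):
    """Drop an XML namespace ({uri}name -> name); Tomcat's web.xml declares one."""
    return tag.rsplit("}", 1)[-1]

def audit_server_xml(text):
    """Step 8: return (findings, https_port) for the HTTPS <Connector>."""
    findings, root = [], ET.fromstring(text)
    https = [c for c in root.iter("Connector") if c.get("SSLEnabled") == "true"]
    if not https:
        return ["no Connector with SSLEnabled=true"], None
    for c in https:
        if c.get("scheme") != "https" or c.get("secure") != "true":
            findings.append("HTTPS Connector needs scheme=https and secure=true")
        if not (c.get("keystoreFile") and c.get("keystorePass")):
            findings.append("HTTPS Connector lacks keystoreFile or keystorePass")
        enabled = {p.strip() for p in c.get("sslEnabledProtocols", "").split(",")}
        weak = sorted(enabled & DEPRECATED_PROTOCOLS)
        if weak:
            findings.append("deprecated protocols enabled: " + ", ".join(weak))
    https_port = https[0].get("port")
    if not any(c.get("redirectPort") == https_port for c in root.iter("Connector")):
        findings.append("no plain HTTP Connector redirecting to port %s" % https_port)
    return findings, https_port

def audit_web_xml(text):
    """Step 9: a security-constraint must give /* a CONFIDENTIAL guarantee."""
    for sc in ET.fromstring(text).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        texts = {(_local(e.tag), (e.text or "").strip()) for e in sc.iter()}
        if ("url-pattern", "/*") in texts and ("transport-guarantee", "CONFIDENTIAL") in texts:
            return []
    return ["web.xml has no CONFIDENTIAL security-constraint for /*"]

def audit_context_xml(text):
    """Step 10: the SSLAuthenticator Valve must be present in <Context>."""
    valves = ET.fromstring(text).iter("Valve")
    if any(v.get("className", "").endswith(".SSLAuthenticator") for v in valves):
        return []
    return ["context.xml has no SSLAuthenticator Valve"]

def audit_web_url(text, https_port):
    """Step 11: FME_SERVER_WEB_URL must be https, use a FQDN and the HTTPS port."""
    m = re.search(r"^FME_SERVER_WEB_URL=(\S+)", text, re.M)
    if not m:
        return ["FME_SERVER_WEB_URL is not set"]
    parts = re.match(r"https://([^/:]+)(?::(\d+))?", m.group(1))
    if not parts:
        return ["FME_SERVER_WEB_URL is not https://: " + m.group(1)]
    host, port, findings = parts.group(1), parts.group(2) or "443", []
    if "." not in host:
        findings.append("FME_SERVER_WEB_URL host is not fully qualified: " + host)
    if https_port and port != https_port:
        findings.append("FME_SERVER_WEB_URL port %s differs from Connector port %s" % (port, https_port))
    return findings

def audit_all(server_xml, web_xml, context_xml, config_txt):
    """Run every check; an empty list means the four files agree with steps 8-11."""
    findings, https_port = audit_server_xml(server_xml)
    return findings + audit_web_xml(web_xml) + audit_context_xml(context_xml) + audit_web_url(config_txt, https_port)

# Constructed samples: the article's settings, with TLSv1.1 still enabled.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="443" scheme="https"
    secure="true" SSLEnabled="true" keystoreFile="C:\\FMEFlow\\Utilities\\jre\\bin\\tomcat.keystore"
    keystorePass="password1" clientAuth="false" sslEnabledProtocols="TLSv1.1,TLSv1.2"/>
  <Connector port="80" protocol="HTTP/1.1" redirectPort="443"/>
</Service></Server>"""
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><security-constraint>
  <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
  <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
</security-constraint></web-app>"""
SAMPLE_CONTEXT_XML = '<Context><Valve className="org.apache.catalina.authenticator.SSLAuthenticator"/></Context>'
SAMPLE_CONFIG_TXT = "FME_SERVER_WEB_URL=https://fmeflow.example.org:443\n"

if __name__ == "__main__":
    for finding in audit_all(SAMPLE_SERVER_XML, SAMPLE_WEB_XML, SAMPLE_CONTEXT_XML, SAMPLE_CONFIG_TXT):
        print("FINDING:", finding)
```

Run against the constructed samples the only finding is the enabled TLSv1.1; after removing it from sslEnabledProtocols the audit is clean. The web.xml check strips the JavaEE namespace because Tomcat's conf/web.xml declares one, so the security-constraint you paste in inherits it.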

 

12. Verify HTTPS Configuration

a. Restart FME Flow Application Server Service.
Note: If a 1067 error appears when attempting to start the service, the configuration files most likely contain invalid XML syntax, for example unescaped characters in the password.

b. Open a browser and navigate to https://localhost/. If you configured Tomcat to use a port other than the standard port 443, also specify the port (https://localhost:<port>/).

c. You should see the FME Flow login page served over HTTPS.
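Seeing the login page in a browser confirms that the listener is up, but not that the certificate covers the name users will type, that the deprecated TLS 1.1 of step 8 is gone, or that port 80 really redirects to HTTPS. The script below is an added example, not part of this article or of FME Flow, that checks those points from a client machine with only the Python standard library. The host name, port and probed path are assumptions about your deployment; the cert dict shape is the one returned by SSLSocket.getpeercert().

```python
"""Runtime verification of the HTTPS endpoint after step 12.

Added example, not from the article or from FME Flow. It connects to the host,
checks that the certificate's SAN covers the host name (the reason step 1
requires the CN in the san list), records the negotiated protocol, probes
whether TLS 1.0/1.1 is still accepted, and checks that port 80 redirects to
https. HOST, PORT and the probed path are assumptions for your deployment."""
import http.client
import socket
import ssl
import sys
import urllib.parse

ACCEPTABLE = ("TLSv1.2", "TLSv1.3")

def san_covers(cert, hostname):
    """True if hostname appears among the DNS subjectAltName entries of a
    certificate dict as returned by SSLSocket.getpeercert()."""
    names = {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    return hostname.lower() in names

def redirect_is_https(status, location, hostname):
    """True if an HTTP response is a redirect to https:// on the same host."""
    u = urllib.parse.urlsplit(location)
    return (status in (301, 302, 303, 307, 308) and u.scheme == "https"
            and (u.hostname or "") == hostname.lower())

def negotiated(host, port, timeout=5.0):
    """Handshake with full chain and hostname verification against the local
    trust store; returns (protocol version, cipher name, peer cert dict)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0], tls.getpeercert()

def legacy_tls_accepted(host, port, timeout=5.0):
    """Offer only TLS 1.0/1.1. True means the server still negotiates a
    deprecated version (step 8 shows how to drop TLSv1.1 from the list);
    False means the server refused, or this client's OpenSSL cannot offer it."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
        ctx.minimum_version = ssl.TLSVersion.TLSv1
        ctx.maximum_version = ssl.TLSVersion.TLSv1_1
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (ssl.SSLError, OSError, ValueError):
        return False

def http_redirect(host, path="/", timeout=5.0):
    """Fetch path over plain HTTP (port 80) and return (status, Location header)."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location", "")
    finally:
        conn.close()

def main(host, port):
    version, cipher, cert = negotiated(host, port)
    print("negotiated %s with %s" % (version, cipher))
    print("protocol acceptable:", version in ACCEPTABLE)
    print("SAN covers %s: %s" % (host, san_covers(cert, host)))
    print("TLS 1.0/1.1 still accepted:", legacy_tls_accepted(host, port))
    status, location = http_redirect(host)
    print("HTTP redirects to HTTPS:", redirect_is_https(status, location, host))

if __name__ == "__main__":
    main(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443)
```

Run it as `python verify_https.py fmeflow.example.org 443` from a client that trusts your CA. negotiated() fails with an SSLError if the chain imported in step 5 is incomplete or the SAN does not match, which is the same failure users' browsers would show.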
 

13. Modify Service URLs to Use HTTPS

To be able to submit jobs to FME Flow over HTTPS, you must enable SSL for each service.

a. In the FME Flow Web User Interface, open the Services page under Admin > System Configuration > Network & Email.

b. Click "Change All Hosts" and, in the URL Pattern field, change HTTP to HTTPS. FME Flow may already have picked up this change, in which case select OK. If required, also modify the port number; SSL is typically configured on either port 8443 or 443.

c. Run a sample workspace with the Data Download and Job Submitter services to confirm that your FME Flow is working with HTTPS.

Your FME Flow is now configured to work via HTTPS. However, if you are using Websockets or SSO some additional steps are required.
 

 
Optional: The following steps are only applicable if you want to use the WebSocket Server or want to use the legacy Topic Monitoring.

 

14. Enable SSL on the WebSocket Server

a. Run a text editor as an administrator and open the fmeWebSocketConfig.txt, located in <FMEFlowDir>\Server\.

b. Set WEBSOCKET_ENABLE_SSL=true

c. Uncomment the WEBSOCKET_KEYSTORE_FILE_PATH directive and set it to the keystore file you referenced in server.xml in step 8, but this time using forward slashes.

d. Uncomment the WEBSOCKET_KEYSTORE_FILE_PASSWORD directive and set it to the keystore password you set in server.xml in step 8.

For example:

WEBSOCKET_ENABLE_SSL=true
WEBSOCKET_KEYSTORE_FILE_PATH=<FMEFlowDir>/Utilities/jre/bin/tomcat.keystore
WEBSOCKET_KEYSTORE_FILE_PASSWORD=password1


Important Notes: 

a. Do not enclose the password or path in quotes.
b. The slashes need to be forward slashes and may be the opposite of your Server.xml path. 

 

15. Enable SSL on the Websocket Subscriber and Publisher

Repeat step 14 in the following files, specifying the same settings for the WEBSOCKET_ENABLE_SSL, WEBSOCKET_KEYSTORE_FILE_PATH, and WEBSOCKET_KEYSTORE_FILE_PASSWORD directives:

  • <FMEFlowDir>\Server\config\subscribers\websocket.properties

  • <FMEFlowDir>\Server\config\publishers\websocket.properties
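The three WEBSOCKET_* directives now live in three files (steps 14 and 15) and must agree with the keystore and password that server.xml uses, without quotes and with forward slashes. The script below is an added example, not part of this article or of FME Flow: parse_properties() reads the key=value lines of fmeWebSocketConfig.txt or websocket.properties, connector_keystore() pulls keystoreFile and keystorePass from the SSLEnabled <Connector>, and check_websocket_ssl() reports the pitfalls these steps call out. The inputs are constructed samples; the comparison treats paths case-insensitively, which assumes a Windows installation.

```python
"""Cross-check the WebSocket SSL settings of steps 14 and 15 against server.xml.

Added example, not from the article or from FME Flow. It reports quotes around
a value, backslashes in the path, SSL not enabled, and a keystore or password
that differs from the <Connector> in server.xml. Inputs are constructed."""
import xml.etree.ElementTree as ET

def parse_properties(text):
    """Return {key: raw value} for KEY=value lines; '#' lines are comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def connector_keystore(server_xml):
    """Return (keystoreFile, keystorePass) of the SSLEnabled <Connector>."""
    for c in ET.fromstring(server_xml).iter("Connector"):
        if c.get("SSLEnabled") == "true":
            return c.get("keystoreFile", ""), c.get("keystorePass", "")
    raise ValueError("server.xml has no SSLEnabled Connector")

def check_websocket_ssl(props, keystore_file, keystore_pass):
    """Return findings for the three WEBSOCKET_* directives (empty = consistent)."""
    findings = []
    if props.get("WEBSOCKET_ENABLE_SSL", "").lower() != "true":
        findings.append("WEBSOCKET_ENABLE_SSL is not true")
    path = props.get("WEBSOCKET_KEYSTORE_FILE_PATH", "")
    password = props.get("WEBSOCKET_KEYSTORE_FILE_PASSWORD", "")
    for name, value in (("WEBSOCKET_KEYSTORE_FILE_PATH", path),
                        ("WEBSOCKET_KEYSTORE_FILE_PASSWORD", password)):
        if value[:1] in ('"', "'"):
            findings.append(name + " must not be enclosed in quotes")
    if "\\" in path:
        findings.append("WEBSOCKET_KEYSTORE_FILE_PATH must use forward slashes")
    # Compare the two paths with slashes normalised, case-insensitively (Windows).
    if path.strip("\"'").replace("\\", "/").lower() != keystore_file.replace("\\", "/").lower():
        findings.append("WEBSOCKET_KEYSTORE_FILE_PATH does not point at the server.xml keystore")
    if password.strip("\"'") != keystore_pass:
        findings.append("WEBSOCKET_KEYSTORE_FILE_PASSWORD differs from server.xml keystorePass")
    return findings

# Constructed samples: the article's keystore settings, with two of the
# mistakes the step warns about present in the websocket file.
SAMPLE_SERVER_XML = ('<Server><Connector SSLEnabled="true" '
                     'keystoreFile="C:\\FMEFlow\\Utilities\\jre\\bin\\tomcat.keystore" '
                     'keystorePass="password1"/></Server>')
SAMPLE_WEBSOCKET_CONFIG = """# constructed fmeWebSocketConfig.txt excerpt
WEBSOCKET_ENABLE_SSL=true
WEBSOCKET_KEYSTORE_FILE_PATH="C:\\FMEFlow\\Utilities\\jre\\bin\\tomcat.keystore"
WEBSOCKET_KEYSTORE_FILE_PASSWORD=password1
"""

if __name__ == "__main__":
    ks, pw = connector_keystore(SAMPLE_SERVER_XML)
    for f in check_websocket_ssl(parse_properties(SAMPLE_WEBSOCKET_CONFIG), ks, pw):
        print("FINDING:", f)
```

Run the same check over fmeWebSocketConfig.txt and both websocket.properties files; the constructed sample reports the quoted value and the backslashes, and is clean once the path is written as C:/FMEFlow/Utilities/jre/bin/tomcat.keystore without quotes.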

 

16. Update the Websocket Protocol 

In the following files, update the protocol in the value property of the PROPERTY directive from "ws:" to "wss:"

  • <FMESharedResourceDir>\localization\publishers\websocket\publisherProperties.xml

  • <FMESharedResourceDir>\localization\subscribers\websocket\subscriberProperties.xml

Note: <FMESharedResourceDir> refers to the location of the FME Flow System Share, specified during installation.

 

17. Apply the changes to the Publisher and Subscriber and verify configuration

a. Run the following .bat files, located in <FMEFlowDir>\Clients\utilities:

  • addPublishers.bat

  • addSubscribers.bat

b. Restart FME Flow to apply the changes made in steps 14-17.  

c. Test that the configuration is complete by running jobs and viewing Topic Monitoring.

 

Optional: The following step is only applicable if you want to use Single Sign-On to access the FME Flow Web Interface.

 

18. Update the SSO Authentication URL to use HTTPS

a. Run a text editor as an administrator and open the propertiesFile.properties, located in <FMEFlowDir>\Utilities\tomcat\webapps\fmeserver\WEB-INF\conf\

b. Locate the SINGLE_SIGN_ON_AUTH_URL parameter, and update the host name and port portion of the URL to match the host name through which the FME Flow Web User Interface is accessed.

For example:

SINGLE_SIGN_ON_AUTH_URL=https://<MyFMEFlowHost>:443/fmetoken/sso/generate

 

Appendix A

Keytool arguments used to generate a keystore.

Argument: Definition
-genkey: The keytool command that generates a key pair and stores it in a new keystore.
-noprompt: Suppresses all interactive prompts.
-keyalg: The algorithm used to generate the private/public key pair.
-keystore: The keystore file name.
-deststoretype: The keystore type; pkcs12, or optionally jks.
-dname: The distinguished name: the CN as well as the Organizational Unit, Organization, Location (city), State, and two-letter country code. These values are embedded in the certificate and should be entered as you would like them to be presented to FME Flow users and visitors.
-storepass and -keypass: The passwords of the keystore and of the key. The value must be at least six characters and the same for both parameters.
-ext san: The subject alternative name, a structured way to list all of the domain names and IP addresses secured by the certificate.
-alias: The name of the key inside the keystore being created.

 

Troubleshooting

If you are experiencing issues, please consult our FME Flow and HTTPS troubleshooting guide. If this does not resolve your problem, contact Safe Software Support.
