Configuring FME Flow for HTTPS: Using a Self Signed Certificate

Introduction

Use the following steps to create and apply a self-signed certificate FME Flow (formerly FME Server). Self-signed certificates are a great way to test SSL configuration on testing and dev environments. However, if you want to enable FME Flow for HTTPS on a production environment, you should consider a certificate issued by a Certified Authority.

FME Flow 2022.0 Linux
As of 2022.0, Linux FME Flows now includes Nginx as a reverse proxy. This makes SSL configuration easier to manage. Please follow the documentation for the steps. If you have an older installation, please follow the Windows steps below. 

Video

Key References

<FMEFlowDir> refers to the location of the FME Flow installation folder specified during installation. By default, this is C:\Program Files\FMEFlow on a Windows machine and /opt/fmeflow on a Linux machine.

<FMESharedResourceDir> refers to the location of the FME Flow System Share, specified during installation. By default, this is C:\ProgramData\Safe Software\FME Flow on a Windows machine and /opt/fmeflow on a Linux machine.

Step-by-step Instructions 

1. Create a Keystore Generation Script Open a text editor and copy the example script below.  Replace the italicised text highlighted in red with your own values, note, the storepass and keypass must be the same and at least 6 characters. For more information on the keytool arguments, please see Appendix A  at the bottom of this article.

keytool -genkey -noprompt -keyalg RSA -keystore tomcat.keystore -alias tomcat -dname "CN=fmeflow.example.org, OU=support, O=SafeSoftware, L=Surrey, S=BC, C=CA" -storepass password1 -keypass password1 -ext san="dns:fmeflow.example.org,dns:fmeflow" -deststoretype pkcs12 

2. Run Keystore Generation Script

a. Open the command prompt as administrator and navigate to the FME Flow installation Java bin directory:

cd <FMEFlowDir>\Utilities\jre\bin\ 

b. Execute the command you have created in step 1.

Note: <FMEFlowDir> refers to the location of the FME Flow installation folder, specified during installation.

3. Import the keystore into FME Flows trusted certs

In command prompt (from <FMEFlowDir>\Utilities\jre\bin\) import the keystore into FME’s trusted certs. Using the following command, first replacing the srcstorepass argument with the password from step 1.

keytool -importkeystore -noprompt -srckeystore tomcat.keystore -destkeystore "<FMEFlowDir>\Utilities\jre\lib\security\cacerts" -deststorepass changeit -srcstorepass <password>

Note: Ignore the warning the destination type needs to default to jks.
  

4. Make a backup of the Tomcat XML configuration files

Go to <FMEFlowDir>\Utilities\tomcat\conf and make backups of server.xml, web.xml, and context.xml

5. Configure Server.xml

a. Run a text editor as an administrator and open server.xml, located in <FMEFlowDir>\Utilities\tomcat\conf. b. Locate the SSLEngine setting in the <Listener> element, including className="org.apache.catalina.core.AprLifecycleListener" and change the "on" value to "off".

In FME Flow version 2024.2.3 and newer, this setting has been removed and therefore this SSLEngine setting can be ignored.  

c. Locate the <Connector> element that contains:

protocol="org.apache.coyote.http11.Http11NioProtocol"

and replace the entire element with:

<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" 
port="443" 
minSpareThreads="5" 
enableLookups="true" 
disableUploadTimeout="true" 
acceptCount="100" 
maxThreads="200" 
maxHttpHeaderSize="16384" 
maxParameterCount="1000" 
scheme="https" 
secure="true"
SSLEnabled="true"
keystoreFile="<FMEFlowDir>\Utilities\jre\bin\tomcat.keystore"
keystorePass="password1"
clientAuth="false" sslEnabledProtocols="TLSv1.1,TLSv1.2" 
sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation" 
ciphers="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256,DHE-RSA-AES256-GCM-SHA384,DHE-RSA-AES128-GCM-SHA256,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-AES128-GCM-SHA256,DHE-RSA-AES256-SHA256,DHE-RSA-AES128-SHA256,ECDHE-RSA-AES256-SHA384,ECDHE-RSA-AES128-SHA256,ECDHE-RSA-AES256-SHA,ECDHE-RSA-AES128-SHA,DHE-RSA-AES256-SHA,DHE-RSA-AES128-SHA" 
URIEncoding="UTF8" />

<Connector port="80" protocol="HTTP/1.1" redirectPort="443"/>

Make sure to update the keystoreFile and keystorePass parameters to that of the keystore location and password set to that of step 1, similar to this server.xml reference. 

Note: TLS 1.1 can be disabled by removing the reference from sslEnabledProtocols.
The list of ciphers is not exhaustive. If your certificate was generated with a different algorithm, it must be added. Any algorithms not in use can also be safely removed from this list. For a full list of ciphers supported by Tomcat, see Cipher (Apache Tomcat 9.0.69 API Documentation ​​​​​​).
 

(Optional) To change the port for HTTPS communication, change 443 to the desired port, for both the port and redirectPort directives.

e. Save and close the server.xml file.  

6. Configure web.xml

a. Open web.xml, located in <FMEFlowDir>\Utilities\tomcat\conf. b. Add the following code block to the end of the file, just before the closing </web-app> element:

<security-constraint>
<web-resource-collection>
<web-resource-name>HTTPSOnly</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

c. Save and close the web.xml file.

7. Configure context.xml

a. Open context.xml, located in <FMEFlowDir>\Utilities\tomcat\conf. b. Add the following to the end of the file, just before the closing </context> element:

<Valve className="org.apache.catalina.authenticator.SSLAuthenticator" disableProxyCaching="false" />

c. Save and close the context.xml file.
 

8. Update the FME Flow Web URL to Use HTTPS

a. Run a text editor as an administrator and open fmeServerConfig.txt, located at <FMEFlowDir>\Server\. b. Update the FME_SERVER_WEB_URL directive by changing http to https and change the port to the same one specified in step 8. Please ensure that the Fully Qualified Domain Name [FQDN] of the host is provided in the FME_SERVER_WEB_URL directive. c. Save and close the file.
  9. Verify HTTPS Configuration a. Restart FME Flow. b. Open a browser and navigate to https://localhost/. If you configured Tomcat to use a port other than the standard port 443, also specify the port (https://localhost:<port>;). c. You should see the FME Flow login page in a secured format.
 

10. Modify Service URLs to Use HTTPS

To be able to submit jobs on FME Flow via https you must enable SSL for a service.

a. In the FME Flow Web User Interface, open the Services page under Admin > System Configuration> Network & Email

b. Click "Change All Hosts" and in the URL Pattern field change HTTP to HTTPS, FME Flow may have picked up this change in which case select OK. If required also modify the port number, typically SSL is configured on either port 8443 or 443. c. Run a Sample workspace with Data download and Job Submitter services to confirm your FME Flow is working with HTTPS.

Your FME Flow is now configured to work via HTTPS. However, if you are using Websockets or SSO some additional steps are required.

The following steps are only applicable if you want to use the WebSocket Server or want to use the legacy Topic Monitoring.

11. Enable SSL on the WebSocket Server

a. Run a text editor as an administrator and open the fmeWebSocketConfig.txt, located in <FMEFlowDir>\Server\. b. Set WEBSOCKET_ENABLE_SSL=true c. Uncomment the WEBSOCKET_KEYSTORE_FILE_PATH directive and set it to reference the keystore file you have set in the Server.xml in step 5. However, this time use forward slashes. d. Uncomment the WEBSOCKET_KEYSTORE_FILE_PASSWORD directive and set it to use the keystore file password you have set in the server.xml in step 5. For example:

WEBSOCKET_ENABLE_SSL=true
WEBSOCKET_KEYSTORE_FILE_PATH=<FMEFlowDir>/Utilities/jre/bin/tomcat.keystore
WEBSOCKET_KEYSTORE_FILE_PASSWORD=password1

Important Notes:  a. Do not enclose the password or path in quotes.
b. The slashes need to be forward slashes and may be the opposite of your Server.xml path. 
 

12. Enable SSL on the Websocket Subscriber and Publisher

Repeat step 11 in the following files,  specifying the same settings for the WEBSOCKET_ENABLE_SSL, WEBSOCKET_KEYSTORE_FILE_PATH, and WEBSOCKET_KEYSTORE_FILE_PASSWORD directives:

• <FMEFlowDir>\Server\config\subscribers\websocket.properties
• <FMEFlowDir>\Server\config\publishers\websocket.properties
   

13. Update the Websocket Protocol 

In the following files, update the protocol in the value property of the PROPERTY directive from "ws:" to "wss:"

• <FMESharedResourceDir>\localization\publishers\websocket\publisherProperties.xml
• <FMESharedResourceDir>\localization\subscribers\websocket\subscriberProperties.xml

Note: <FMESharedResourceDir> refers to the location of the FME Flow System Share, specified during installation.
  14. Apply the changes to the Publisher and Subscriber and verify configuration a. Run the following .bat files, located in <FMEFlowDir>\Clients\utilities:

• addPublishers.bat
• addSubscribers.bat

b. Restart FME Flow to apply the changes made in steps 11-15.   c. Test the configuration is complete by running jobs and viewing Topic Monitoring. 
 

The following steps are only applicable if you want to use the Single-Sign-On to access the FME Flow Web Interface.

 
15. Update the SSO Authentication URL to use HTTPS

a. Run a text editor as an administrator and open the propertiesFile.properties, located in <FMEFlowDir>\Utilities\tomcat\webapps\fmeserver\WEB-INF\conf\ b. Locate the SINGLE_SIGN_ON_AUTH_URL parameter, and update the host name and port portion of the URL to match the host name through which the FME Flow Web User Interface is accessed. For example:

SINGLE_SIGN_ON_AUTH_URL=https://MyFMEFlowHost:443/fmetoken/sso/generate

Appendix A

Keytool arguments used to generate a keystore.

Troubleshooting

If you are experiencing issues please consult our FME Flow and HTTPS troubleshooting Guide , if this does not resolve your problem then contact Safe Software Support.