Configuring FME Flow for HTTPS: Updating an expired Certificate

Liz Sanderson
Liz Sanderson
  • Updated

Introduction

To configure your FME Flow (formerly FME Server) for HTTPS you must import a certificate that has been provided by a certificate authority. All certificates have an expiration date and once this has passed you will still be able to access FME Flow via HTTPS however you will not be able to submit jobs to run via the Web UI. Instead, the response will be: 

There was an error submitting the job 

To confirm this error is due to an expired certificate view the certificate details through the Web UI: 



In the localhost.log in Resources > Logs > tomcat there will also be a SEVERE error related to the certificate date: 

SEVERE [https-jsse-nio-443-exec-1] org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [JobRunnerForm] in context with path [/fmeserver] threw exception
    javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: NotAfter: Wed Dec 16 15:42:11 PST 2020

To resolve this error you’ll need to renew your certificate and import the updated certificate into FME Flow. Instructions will vary depending on the certificate type you are using so please make sure you are following the correct instructions. 

 

Step-by-Step Instructions

Updating a CA Certificate

You'll need to repeat a part of the process used to configure HTTPS for the first time which includes generating a new tomcat keystore, generating and importing the new certificate and importing the tomcat keystore into FME Flows Trusted certs. 

  1. Move or rename the current tomcat keystore

The tomcat keystore has been created specifically for the old certificate, we no longer want FME Flow to pick up this certificate so move or rename this tomcat.keystore.

  1. Create a Keystore Generation Script

Open a text editor and copy the example script below.  Replace the italicised text highlighted in red with your own values, note, the storepass and keypass must be the same and at least 6 characters. For more information on the keytool arguments please see Appendix A at the bottom of this article.
keytool -genkey -noprompt -keyalg RSA -keystore tomcat.keystore -alias tomcat -dname "CN=fmeflow.example.org, OU=support, O=SafeSoftware, L=Surrey, S=BC, C=CA" -storepass password1 -keypass password1 -ext san="dns:fmeflow.example.org,dns:fmeflow" -deststoretype pkcs12 
  1.  Run Keystore Generation Script

a. Open command prompt as administrator and navigate to the FME Flow installation Java bin directory:
cd <FMEFlowDir>\Utilities\jre\bin\ 
b. Execute the command you have created in step 1.

Note: <FMEFlowDir> refers to the location of the FME Flow installation folder, specified during installation .
  1. Generate a certificate signing request (CSR)

In command prompt remain in <FMEFlowDir>\Utilities\jre\bin\ and run
keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore tomcat.keystore -ext san="dns:fmeflow.example.org,dns:fmeflow"

Specify the certificate signing request path and filename and update the alias and san values to match that set in step 1.

  1. Obtain a Certificate

Submit the CSR (certreq.scr) generated in step 3 to your CA to obtain a certificate, according to your CA's instructions.
  1. Import the certificate into the keystore 

If you have multiple certificates, install them in the following order, be sure to update the alias and certificate path for each.

Import root certificate (If you don't have one ignore this step):

keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file <path/certificate_filename>

Import intermediate certificate (If you don't have one ignore this step):

keytool -import -alias intermediate -keystore tomcat.keystore -trustcacerts -file <path/certificate_filename>

Import certificate:

keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file <path/certificate_filename>

Note: You must use the same alias that was specified in step 1 to import the primary certificate. 

  1. Import the keystore into FME Flows trusted certs

In command prompt (from <FMEFlowDir>\Utilities\jre\bin\) import the keystore into FME’s trusted certs. Using the following command, first replacing the srcstorepass argument with the password from step 1.

keytool -importkeystore -noprompt -srckeystore tomcat.keystore -destkeystore "<FMEFlowDir>\Utilities\jre\lib\security\cacerts" -deststorepass changeit -srcstorepass password1

Notes: 
A) Ignore the warning the destination type needs to default to jks.
B) Distributed Web Applications such as Tomcat typically use a different Java installation than FME and the cacerts file within that Java must be used instead of the FME Flow Java. 

  1. Verify HTTPS Configuration

    1. Restart FME Flow

    2. Open a browser and navigate to https://localhost/. If you configured Tomcat to use a port other than the standard port 443, also specify the port (https://localhost:<port>).

    3. You should see the FME Flow login page in a secured format.

    4. Log in and check you can run a job. 

You have now successfully updated your CA certificate. 

 

Updating a PFX Certificate

You should have your new PFX certificate in hand before following these instructions, you'll need to replace the reference to the existing .pfx certificate to point to the new one in the tomcat configuration file. 

  1. Update the server.xml
    1. Run a text editor as an administrator and open server.xml, located in <FMEFlowDir>\Utilities\tomcat\conf and locate the <Connector> element that contains:
      protocol="org.apache.coyote.http11.Http11NioProtocol"
    2. Update the keystoreFile parameter to point to your new .pfx certificate. We recommend storing your PFX certificate in FME Flow's tomcat directory <FMEFlowDir>\Utilities\tomcat\. 
    3. Update the keystorePass value to the password of your new .pfx certificate.
    4. If your keystoreFile previously pointed to a tomcat.keystore file, add a new parameter under keystorePass
      keystoreType="PKCS12"
  2. Import the keystore into FME Flows trusted certs 
    Note: this step is only required if your certificate wasn't obtained from a Trusted Certificate Authority.
    1. Restart the FME Flow Application Server service. Note: If a 1067 error pops up when attempting to start the service likely the configuration files contain incorrect XML syntax, including invalid characters in the password.
    2. Open a browser and navigate to https://localhost/. If you configured Tomcat to use a port other than the standard port 443, also specify the port (https://localhost:<port>).
    3. View the certificate from the browser. Note: Instructions were written for Chrome and may differ slightly if you are using another browser.
      View Certificate
    4. Export as a Base64-encoded ASCII, single certificate (CRT) file to local disk (e.g. <certpath>\<certname>.crt)
      Export as base64
      Save Exported Base64 Cert
    5. Run the following command from (<FMEFlowDir>\Utilities\jre\bin\) to import the keystore into FME’s trusted certs. Make sure the alias name matches the alias used when importing the previous certificate to overwrite it. 
      keytool -import -trustcacerts -keystore "<FMEFlowDir>\Utilities\jre\lib\security\cacerts" -storepass changeit -noprompt -alias tomcat -file <certpath>\<certname>.crt
  3. Verify HTTPS Configuration
    1. Restart FME Flow.
    2. Open a browser and navigate to https://localhost/. If you configured Tomcat to use a port other than the standard port 443, also specify the port (https://localhost:<port>).
    3. You should see the FME Flow login page in a secured format.
    4. Log in and make sure you can run a job. 

You have now successfully updated your PFX certificate. 
 

Updating a Self-signed Certificate

To work with a self-signed certificate you must remove reference to the old keystore and generate a new one. Note, the use of self-signed certificates is not recommended for a production environment.

  1. Move or rename the current tomcat keystore
    The tomcat keystore has been created specifically for the old certificate, we no longer want FME Flow to pick up this certificate so move or rename this tomcat.keystore.
  2. Create a Keystore Generation Script
    Open a text editor and copy the example script below.  Replace the italicized text highlighted in red with your own values, note, the storepass and keypass must be the same and at least 6 characters. 
    keytool -genkey -noprompt -keyalg RSA -keystore tomcat.keystore -alias tomcat -dname "CN=fmeflow.example.org, OU=support, O=SafeSoftware, L=Surrey, S=BC, C=CA" -storepass password1 -keypass password1 -ext san="dns:fmeflow.example.org,dns:fmeflow" -deststoretype pkcs12
  3. Run Keystore Generation Script
    Open command prompt as administrator and navigate to the FME Flow installation Java bin directory:
    cd <FMEFlowDir>\Utilities\jre\bin\ 
    Execute the command you have created in step 2
    Note: <FMEFlowDir> refers to the location of the FME Flow installation folder, specified during installation.
  4. Import the keystore into FME Flows trusted certs
    In command prompt (from <FMEFlowDir>\Utilities\jre\bin\) import the keystore into FME’s trusted certs. Using the following command, first replacing the srcstorepass argument with the password from step 2.
    keytool -importkeystore -noprompt -srckeystore tomcat.keystore -destkeystore "<FMEFlowDir>\Utilities\jre\lib\security\cacerts" -alias tomcat -deststorepass changeit -srcstorepass <password> 
    Note: Ignore the warning the destination type needs to default to jks.
  5. Update password in server.xml
    [OPTIONAL] If you used a different password than for the original certificate you’ll need to update this in the server.xml configuration file. 
    1. Run a text editor as an administrator and open server.xml, located in <FMEFlowDir>\Utilities\tomcat\conf.
    2. Locate the keystorePass parameter in the <Connector protocol="org.apache.coyote.http11.Http11NioProtocol element and update the value to your new password. 
  6. Verify HTTPS Configuration
    1. Restart FME Flow.
    2. Open a browser and navigate to https://localhost/. If you configured Tomcat to use a port other than the standard port 443, also specify the port (https://localhost:<port>).
    3. You should see the FME Flow login page in a secured format.
    4. Log in and make sure you can run a job. 

You have successfully updated your self-signed certificate. 

 

Troubleshooting

If you are experiencing issues please consult our FME Flow and HTTPS troubleshooting guide, if this does not resolve your problem then contact Safe Software Support.  

Was this article helpful?

Comments

0 comments

Please sign in to leave a comment.