Configuring FME Flow for HTTPS: Updating an expired Certificate

Liz Sanderson

Introduction

To configure FME Flow (formerly FME Server) for HTTPS you must import a certificate issued by a certificate authority. Every certificate has an expiration date. Once it has passed you can still reach FME Flow over HTTPS, but you can no longer submit jobs from the Web UI; instead, the response is:

There was an error submitting the job 

To confirm that this error is caused by an expired certificate, view the certificate details through the Web UI:



The localhost.log under Resources > Logs > tomcat will also contain a SEVERE error that names the certificate's expiry date:

SEVERE [https-jsse-nio-443-exec-1] org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [JobRunnerForm] in context with path [/fmeserver] threw exception
    javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: NotAfter: Wed Dec 16 15:42:11 PST 2020

To resolve this error, renew your certificate and import the renewed certificate into FME Flow. The steps vary by certificate type (CA-issued, PFX, or self-signed), so follow the section that matches the type you use.
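The SEVERE entry above and the "until:" line of `keytool -list -v` both print dates in Java's Date.toString() layout, so one small parser can both confirm the expired-certificate diagnosis from localhost.log and, run on a schedule against the keystore listing, warn before the next expiry. The following Python is an added example, not Safe Software's code; the log and keytool excerpts it scans are constructed samples, and the 30-day warning threshold is an assumed policy.

```python
from __future__ import annotations

import re
from datetime import datetime

# Java's Date.toString() layout, as it appears in the Tomcat localhost.log
# entry ("NotAfter: Wed Dec 16 15:42:11 PST 2020") and in `keytool -list -v`
# output ("Valid from: ... until: Wed Dec 16 15:42:11 PST 2020").
_EXPIRY = re.compile(
    r"(?:NotAfter|until):\s+(?P<dow>[A-Z][a-z]{2}) (?P<mon>[A-Z][a-z]{2}) "
    r"(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<tz>[A-Za-z]{2,5}) (?P<year>\d{4})"
)


def _to_datetime(m: re.Match) -> datetime:
    # The zone abbreviation (PST, GMT, ...) is ambiguous and strptime's %Z only
    # accepts the local zone, so it is dropped: for a "days left" check the
    # server-local naive timestamp is precise enough.
    return datetime.strptime(f"{m['mon']} {m['day']} {m['time']} {m['year']}",
                             "%b %d %H:%M:%S %Y")


def find_expiry_dates(text: str) -> list[datetime]:
    """Every certificate expiry timestamp mentioned in `text`, in order."""
    return [_to_datetime(m) for m in _EXPIRY.finditer(text)]


def expired_cert_events(log_text: str) -> list[tuple[str, datetime]]:
    """(servlet, expiry) for each CertificateExpiredException in localhost.log.

    The SEVERE entry spans two lines: the first names the servlet, the
    second carries the exception with the NotAfter date."""
    events, servlet = [], "?"
    for line in log_text.splitlines():
        sm = re.search(r"for servlet \[([^\]]+)\]", line)
        if sm:
            servlet = sm.group(1)
        if "CertificateExpiredException" in line:
            m = _EXPIRY.search(line)
            if m:
                events.append((servlet, _to_datetime(m)))
    return events


def days_remaining(not_after: datetime, now: datetime) -> int:
    """Whole days until expiry; negative once the certificate has lapsed."""
    return (not_after - now).days


def expiry_report(text: str, now_iso: str, warn_days: int = 30) -> list[tuple[int, str]]:
    """(days_left, status) per expiry date found, for a scheduled check.
    `now_iso` is injected (e.g. datetime.now().isoformat()) so a run is
    reproducible; warn_days is an assumed renewal policy."""
    now = datetime.fromisoformat(now_iso)
    out = []
    for d in find_expiry_dates(text):
        left = days_remaining(d, now)
        status = "EXPIRED" if left < 0 else "RENEW SOON" if left <= warn_days else "OK"
        out.append((left, status))
    return out


# Constructed samples: the article's log excerpt, and a keytool -list -v
# fragment in the same date format (not real output from any server).
SAMPLE_LOG = """\
SEVERE [https-jsse-nio-443-exec-1] org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [JobRunnerForm] in context with path [/fmeserver] threw exception
    javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: NotAfter: Wed Dec 16 15:42:11 PST 2020
"""

SAMPLE_KEYTOOL_LIST = """\
Alias name: tomcat
Entry type: PrivateKeyEntry
Valid from: Tue Dec 17 15:42:11 PST 2019 until: Wed Dec 16 15:42:11 PST 2020
"""

if __name__ == "__main__":
    for servlet, when in expired_cert_events(SAMPLE_LOG):
        print(f"{servlet}: certificate expired {when}")
    print(expiry_report(SAMPLE_KEYTOOL_LIST, datetime.now().isoformat()))
```

In practice you would feed `expiry_report` the output of `keytool -list -v -keystore tomcat.keystore` from a scheduled task and alert on anything other than "OK", which catches the expiry weeks before the "There was an error submitting the job" symptom appears.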

 

Step-by-Step Instructions

Updating a CA Certificate

You will repeat part of the process used to configure HTTPS the first time: generate a new tomcat keystore, generate a CSR and import the new certificate, and import the tomcat keystore into FME Flow's trusted certs.

  Before you begin: move or rename the current tomcat keystore

The tomcat keystore was created specifically for the old certificate. We no longer want FME Flow to pick up that certificate, so move or rename this tomcat.keystore.

  1. Create a Keystore Generation Script

Open a text editor and copy the example script below. Replace the example values (the CN and san host names, the organisation fields in -dname, and the storepass and keypass passwords) with your own; note that the storepass and keypass must be the same and at least 6 characters. For more information on the keytool arguments please see Appendix A at the bottom of this article.

keytool -genkey -noprompt -keyalg RSA -keystore tomcat.keystore -alias tomcat -dname "CN=fmeflow.example.org, OU=support, O=SafeSoftware, L=Surrey, S=BC, C=CA" -storepass password1 -keypass password1 -ext san="dns:fmeflow.example.org,dns:fmeflow" -deststoretype pkcs12

  2. Run the Keystore Generation Script

a. Open command prompt as administrator and navigate to the FME Flow installation Java bin directory:
cd <FMEFlowDir>\Utilities\jre\bin\ 
b. Execute the command you have created in step 1.

Note: <FMEFlowDir> refers to the location of the FME Flow installation folder, specified during installation.

  3. Generate a certificate signing request (CSR)

In command prompt remain in <FMEFlowDir>\Utilities\jre\bin\ and run
keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore tomcat.keystore -ext san="dns:fmeflow.example.org,dns:fmeflow"

Specify the path and filename for the CSR file, and update the alias and san values to match those set in step 1.

  4. Obtain a Certificate

Submit the CSR (certreq.csr) generated in step 3 to your CA to obtain a certificate, according to your CA's instructions.

  5. Import the certificate into the keystore

If you have multiple certificates, import them in the following order, updating the alias and certificate path for each.

Import the root certificate (if you don't have one, skip this step):

keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file <path/certificate_filename>

Import the intermediate certificate (if you don't have one, skip this step):

keytool -import -alias intermediate -keystore tomcat.keystore -trustcacerts -file <path/certificate_filename>

Import the server certificate:

keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file <path/certificate_filename>

Note: You must use the same alias that was specified in step 1 to import the primary certificate. 

  6. Import the keystore into FME Flow's trusted certs

In command prompt (from <FMEFlowDir>\Utilities\jre\bin\) import the keystore into FME's trusted certs using the following command, first replacing the srcstorepass argument with the password from step 1.

keytool -importkeystore -noprompt -srckeystore tomcat.keystore -destkeystore "<FMEFlowDir>\Utilities\jre\lib\security\cacerts" -deststorepass changeit -srcstorepass password1

Notes:
A) Ignore the warning that the destination keystore type defaults to JKS.
B) Distributed web applications such as Tomcat typically use a different Java installation than FME; in that case the cacerts file of that Java installation must be used instead of the FME Flow one.

  7. Verify HTTPS Configuration

    1. Restart FME Flow

    2. Open a browser and navigate to https://localhost/. If you configured Tomcat to use a port other than the standard port 443, also specify the port (https://localhost:<port>).

    3. You should see the FME Flow login page in a secured format.

    4. Log in and check you can run a job. 

You have now successfully updated your CA certificate. 
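Because the steps above are the same keytool commands every renewal, they are easy to script. The following Python is an added example, not Safe Software's code: it builds the keytool argv lists for the CA procedure (and, with no certificate chain, the self-signed variant), splitting them into the commands to run before you submit the CSR and the commands to run once the CA has answered. Paths, the -dname fields and the cacerts password come from the article; the FME_KS_PASS variable name is an assumption, and it relies on keytool's documented -storepass:env / -keypass:env / -srcstorepass:env forms so the keystore password never appears on the command line or in shell history.

```python
from __future__ import annotations

import os
import subprocess
from pathlib import PureWindowsPath

DEFAULT_DNAME = "OU=support, O=SafeSoftware, L=Surrey, S=BC, C=CA"  # article's example fields


def keytool_renewal_commands(fme_dir: str, host: str, sans: list[str],
                             cert_chain: list[tuple[str, str]] | None = None,
                             alias: str = "tomcat", dname_rest: str = DEFAULT_DNAME,
                             pass_env: str = "FME_KS_PASS"):
    """Build the keytool invocations of the article's renewal procedure.

    Returns (before_ca, after_ca), two lists of argv lists. `before_ca`
    generates the keystore and, for a CA certificate, the CSR; `after_ca`
    runs once the CA has returned the certificate(s): it imports them in
    order and then copies the entry into the FME Flow JRE cacerts.
    cert_chain is an ordered list of (alias, path) pairs (root,
    intermediate, then the server certificate under `alias`); None means
    self-signed, so there is no CSR and nothing to import.
    The keystore password is read by keytool from the environment variable
    `pass_env` (an assumed name) instead of being passed as an argument.
    PureWindowsPath lets the builder run anywhere; execution needs Windows.
    """
    jre = PureWindowsPath(fme_dir) / "Utilities" / "jre"      # <FMEFlowDir>\Utilities\jre
    keytool = str(jre / "bin" / "keytool.exe")
    cacerts = str(jre / "lib" / "security" / "cacerts")
    san = ",".join(f"dns:{name}" for name in [host, *sans])

    before_ca = [[keytool, "-genkeypair", "-noprompt", "-keyalg", "RSA", "-keysize", "2048",
                  "-keystore", "tomcat.keystore", "-alias", alias,
                  "-dname", f"CN={host}, {dname_rest}",
                  "-storepass:env", pass_env, "-keypass:env", pass_env,
                  "-ext", f"san={san}", "-deststoretype", "pkcs12"]]
    after_ca: list[list[str]] = []
    if cert_chain is not None:
        # The CSR must carry the same SAN extension as the key pair.
        before_ca.append([keytool, "-certreq", "-keyalg", "RSA", "-alias", alias,
                          "-file", "certreq.csr", "-keystore", "tomcat.keystore",
                          "-storepass:env", pass_env, "-ext", f"san={san}"])
        for cert_alias, path in cert_chain:          # root, intermediate, server
            after_ca.append([keytool, "-importcert", "-noprompt", "-trustcacerts",
                             "-alias", cert_alias, "-keystore", "tomcat.keystore",
                             "-storepass:env", pass_env, "-file", path])
    # Copy the key entry into the FME JRE's cacerts (default password 'changeit').
    after_ca.append([keytool, "-importkeystore", "-noprompt",
                     "-srckeystore", "tomcat.keystore", "-srcstorepass:env", pass_env,
                     "-srcalias", alias, "-destkeystore", cacerts,
                     "-deststorepass", "changeit"])
    return before_ca, after_ca


def run_phase(cmds: list[list[str]], password: str, pass_env: str = "FME_KS_PASS",
              dry_run: bool = True) -> list[str]:
    """Run one phase in order from <FMEFlowDir>\\Utilities\\jre\\bin (the keystore
    and CSR paths are relative to the working directory, as in the article).
    Returns the printable command lines; with dry_run=True nothing executes."""
    env = dict(os.environ, **{pass_env: password})
    lines = []
    for argv in cmds:
        lines.append(subprocess.list2cmdline(argv))
        if not dry_run:
            subprocess.run(argv, env=env, check=True)   # stop at the first failing keytool call
    return lines


if __name__ == "__main__":
    before, after = keytool_renewal_commands(
        r"C:\Program Files\FMEFlow", "fmeflow.example.org", ["fmeflow"],
        cert_chain=[("root", r"C:\certs\root.cer"),            # constructed paths
                    ("intermediate", r"C:\certs\intermediate.cer"),
                    ("tomcat", r"C:\certs\fmeflow.cer")])
    print("\n".join(run_phase(before, "password1")))
    print("--- submit certreq.csr to the CA, then: ---")
    print("\n".join(run_phase(after, "password1")))
```

Move the old tomcat.keystore aside before `run_phase(before, ...)`, exactly as the preliminary step says; the dry run prints the commands so they can be compared against the article before switching `dry_run` off.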

 

Updating a PFX Certificate

Have your new PFX certificate in hand before following these instructions. You will replace the reference to the existing .pfx certificate in the Tomcat configuration file so that it points to the new one.

  1. Update the server.xml
    1. Run a text editor as an administrator and open server.xml, located in <FMEFlowDir>\Utilities\tomcat\conf and locate the <Connector> element that contains:
      protocol="org.apache.coyote.http11.Http11NioProtocol"
    2. Update the keystoreFile parameter to point to your new .pfx certificate. We recommend storing your PFX certificate in FME Flow's tomcat directory <FMEFlowDir>\Utilities\tomcat\. 
    3. Update the keystorePass value to the password of your new .pfx certificate.
    4. If your keystoreFile previously pointed to a tomcat.keystore file, add a new parameter under keystorePass:
      keystoreType="PKCS12"
  2. Import the keystore into FME Flow's trusted certs
    Note: this step is only required if your certificate wasn't obtained from a Trusted Certificate Authority.
    1. Restart the FME Flow Application Server service. Note: If a 1067 error appears when starting the service, the configuration files most likely contain invalid XML syntax, including invalid characters in the password.
    2. Open a browser and navigate to https://localhost/. If you configured Tomcat to use a port other than the standard port 443, also specify the port (https://localhost:<port>).
    3. View the certificate from the browser. Note: these instructions were written for Chrome and may differ slightly in another browser. [Screenshot: View Certificate]
    4. Export it as a Base64-encoded ASCII, single certificate (CRT) file to local disk (e.g. <certpath>\<certname>.crt). [Screenshots: Export as base64; Save Exported Base64 Cert]
    5. Run the following command from <FMEFlowDir>\Utilities\jre\bin\ to import the exported certificate into FME's trusted certs. Make sure the alias matches the alias used when importing the previous certificate, so that the old entry is overwritten.
      keytool -import -trustcacerts -keystore "<FMEFlowDir>\Utilities\jre\lib\security\cacerts" -storepass changeit -noprompt -alias tomcat -file <certpath>\<certname>.crt
  3. Verify HTTPS Configuration
    1. Restart FME Flow.
    2. Open a browser and navigate to https://localhost/. If you configured Tomcat to use a port other than the standard port 443, also specify the port (https://localhost:<port>).
    3. You should see the FME Flow login page in a secured format.
    4. Log in and make sure you can run a job. 

You have now successfully updated your PFX certificate. 
 

Updating a Self-signed Certificate

To work with a self-signed certificate you must remove the reference to the old keystore and generate a new one. Note: self-signed certificates are not recommended for a production environment.

  1. Move or rename the current tomcat keystore
    The tomcat keystore was created specifically for the old certificate. We no longer want FME Flow to pick up that certificate, so move or rename this tomcat.keystore.
  2. Create a Keystore Generation Script
    Open a text editor and copy the example script below. Replace the example values (the CN and san host names, the organisation fields in -dname, and the storepass and keypass passwords) with your own; note that the storepass and keypass must be the same and at least 6 characters.
    keytool -genkey -noprompt -keyalg RSA -keystore tomcat.keystore -alias tomcat -dname "CN=fmeflow.example.org, OU=support, O=SafeSoftware, L=Surrey, S=BC, C=CA" -storepass password1 -keypass password1 -ext san="dns:fmeflow.example.org,dns:fmeflow" -deststoretype pkcs12
  3. Run Keystore Generation Script
    Open command prompt as administrator and navigate to the FME Flow installation Java bin directory:
    cd <FMEFlowDir>\Utilities\jre\bin\ 
    Execute the command you have created in step 2.
    Note: <FMEFlowDir> refers to the location of the FME Flow installation folder, specified during installation.
  4. Import the keystore into FME Flows trusted certs
    In command prompt (from <FMEFlowDir>\Utilities\jre\bin\) import the keystore into FME's trusted certs using the following command, first replacing the srcstorepass argument with the password from step 2.
    keytool -importkeystore -noprompt -srckeystore tomcat.keystore -destkeystore "<FMEFlowDir>\Utilities\jre\lib\security\cacerts" -alias tomcat -deststorepass changeit -srcstorepass <password> 
    Note: Ignore the warning that the destination keystore type defaults to JKS.
  5. Update password in server.xml
    [OPTIONAL] If you used a different password than for the original certificate, update it in the server.xml configuration file.
    1. Run a text editor as an administrator and open server.xml, located in <FMEFlowDir>\Utilities\tomcat\conf.
    2. Locate the keystorePass parameter in the <Connector> element whose protocol is "org.apache.coyote.http11.Http11NioProtocol" and update the value to your new password.
  6. Verify HTTPS Configuration
    1. Restart FME Flow.
    2. Open a browser and navigate to https://localhost/. If you configured Tomcat to use a port other than the standard port 443, also specify the port (https://localhost:<port>).
    3. You should see the FME Flow login page in a secured format.
    4. Log in and make sure you can run a job. 

You have successfully updated your self-signed certificate. 
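The server.xml edits in the PFX section (steps 1.2 to 1.4) and in step 5 of the self-signed section are where the 1067 start-up error comes from: a password containing &, < or a quote pasted into the keystorePass attribute leaves the file malformed. The following Python is an added example, not Safe Software's code; it edits only the NIO <Connector> start tag so comments and the rest of the file survive, XML-escapes the password, and refuses to write a file that does not parse. The embedded server.xml is a constructed, heavily trimmed stand-in for the real <FMEFlowDir>\Utilities\tomcat\conf\server.xml.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

HTTP11_NIO = "org.apache.coyote.http11.Http11NioProtocol"

# The <Connector ...> start tag carrying the NIO protocol attribute (the one
# the article tells you to edit). Attribute values in server.xml never
# contain '>', so [^>] safely stops at the end of that tag.
_TLS_CONNECTOR = re.compile(
    r"<Connector\b[^>]*?protocol=\"" + re.escape(HTTP11_NIO) + r"\"[^>]*>"
)


def set_attr(tag: str, name: str, value: str) -> str:
    """Set (or add) one attribute on a start tag, XML-escaping the value.

    quoteattr() turns &, <, > and quotes into entities, so a password such
    as  p&ss"w<rd  becomes a well-formed attribute instead of the broken
    XML behind Tomcat's 1067 start-up error."""
    quoted = quoteattr(value)
    pat = re.compile(rf'(\s{name}\s*=\s*)("[^"]*"|\'[^\']*\')')
    if pat.search(tag):
        return pat.sub(lambda m: m.group(1) + quoted, tag, count=1)
    end = re.search(r"\s*/?>$", tag)             # insert before '/>' or '>'
    return f"{tag[:end.start()]} {name}={quoted}{tag[end.start():]}"


def validate_server_xml(xml_text: str) -> tuple:
    """Well-formedness check worth running before restarting the service."""
    try:
        ET.fromstring(xml_text)
        return True, "well-formed"
    except ET.ParseError as exc:
        return False, str(exc)


def point_connector_at_pfx(xml_text: str, pfx_path: str, pfx_password: str) -> str:
    """Apply the PFX section's steps 1.2 to 1.4 to the text of server.xml.

    Only the connector's start tag changes, so comments and everything else
    are preserved byte-for-byte; malformed output raises instead of being
    returned."""
    m = _TLS_CONNECTOR.search(xml_text)
    if not m:
        raise ValueError(f"no <Connector> with protocol={HTTP11_NIO} found")
    tag = m.group(0)
    for name, value in (("keystoreFile", pfx_path),
                        ("keystorePass", pfx_password),
                        ("keystoreType", "PKCS12")):   # needed once keystoreFile is a .pfx
        tag = set_attr(tag, name, value)
    updated = xml_text[:m.start()] + tag + xml_text[m.end():]
    ok, why = validate_server_xml(updated)
    if not ok:
        raise ValueError(f"edit produced malformed XML: {why}")
    return updated


def tls_connector_settings(xml_text: str) -> dict:
    """Read the keystore attributes back the way Tomcat's XML parser sees them."""
    root = ET.fromstring(xml_text)
    conn = next(c for c in root.iter("Connector") if c.get("protocol") == HTTP11_NIO)
    return {k: conn.get(k) for k in ("keystoreFile", "keystorePass", "keystoreType")}


# Constructed, minimal stand-in for <FMEFlowDir>\Utilities\tomcat\conf\server.xml
# (the real file has many more attributes and comments).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <!-- trimmed -->
  <Service name="Catalina">
    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="C:/FMEFlow/Utilities/tomcat/tomcat.keystore"
               keystorePass="password1" />
    <Connector port="8009" protocol="AJP/1.3" />
  </Service>
</Server>
"""

if __name__ == "__main__":
    new_xml = point_connector_at_pfx(SAMPLE_SERVER_XML,
                                     r"C:\FMEFlow\Utilities\tomcat\fmeflow.pfx", 'p&ss"w<rd')
    print(new_xml)
    print(tls_connector_settings(new_xml))
```

For the self-signed section's step 5 only the keystorePass attribute changes; calling `set_attr` on the matched tag with just that one name does it. Running `validate_server_xml` on the saved file before restarting the FME Flow Application Server service is the cheapest way to rule out the 1067 error in advance.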

 

Troubleshooting

If you are experiencing issues, please consult our FME Flow and HTTPS troubleshooting guide. If this does not resolve your problem, contact Safe Software Support.

Comments

  • rudy_v

    Hi Liz Sanderson 

    Great article - I assume this is also applicable to certificates that have not expired, by just replacing them with a new one. Our Cyber Security has now moved us to update it every 6 months. So we probably need to automate this more.

    Rudy
