Introduction
This document provides comprehensive instructions for configuring FME Flow to use HTTPS and the Windows Certificate Store.
FME Flow on Linux ships with Nginx as a reverse proxy, which simplifies SSL configuration; consult the Linux-specific documentation for that procedure. For earlier versions, follow the Windows procedures below.
Key References
- <FMEFlowDir> – Denotes the location of the FME Flow installation directory, as specified during installation. Default: C:\Program Files\FME Flow (Windows) or /opt/fmeflow (Linux).
- <FMESharedResourceDir> – Represents the FME Flow System Share location, as specified during installation. Default: C:\ProgramData\Safe Software\FME Flow (Windows) or /opt/fmeflow (Linux).
Step-by-Step Instructions
1. Make a Backup of the Tomcat XML Configuration Files
Go to <FMEFlowDir>\Utilities\tomcat\conf and make backups of server.xml, web.xml, and context.xml. This ensures you can revert your changes if necessary.
2. Configure server.xml for the Windows Certificate Store
After importing the certificate (step 7), update the <Connector> element in server.xml so that Tomcat reads the certificate from the Windows Certificate Store instead of from a keystore file. Only the keystore-related attributes change:
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="443"
           minSpareThreads="5"
           enableLookups="true"
           disableUploadTimeout="true"
           acceptCount="100"
           maxThreads="200"
           maxParameterCount="1000"
           scheme="https"
           secure="true"
           SSLEnabled="true"
           URIEncoding="UTF-8">
    <SSLHostConfig
        protocols="TLSv1.2+TLSv1.3"
        certificateVerification="none"
        ciphers="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-AES128-GCM-SHA256,DHE-RSA-AES256-GCM-SHA384,DHE-RSA-AES128-GCM-SHA256,ECDHE-RSA-AES256-SHA384,ECDHE-RSA-AES128-SHA256,DHE-RSA-AES256-SHA256,DHE-RSA-AES128-SHA256">
        <Certificate
            certificateKeystoreType="Windows-My"
            certificateKeystoreProvider="SunMSCAPI"
            certificateKeystoreFile=""
            certificateKeystorePassword=""
            certificateKeyAlias="fmeflow"
            type="RSA" />
    </SSLHostConfig>
</Connector>
<Connector port="80" protocol="HTTP/1.1" redirectPort="443"/>
Key Points:
- certificateKeystoreProvider="SunMSCAPI" tells Tomcat to read the private key and certificate through the Windows Cryptographic API rather than from a Java keystore file.
- certificateKeystoreType="Windows-My" selects the Personal certificate store of the user account Tomcat runs as. Because FME Flow runs as a Windows service, that is the service account's store, not the store of the administrator who edits these files (see steps 6 and 7).
- certificateKeyAlias (here fmeflow) must match the alias under which SunMSCAPI exposes the certificate, which is the certificate's friendly name in the Windows store.
- certificateKeystoreFile and certificateKeystorePassword stay empty: with the Windows store there is no file to open and no keystore password.
- certificateVerification="none" means Tomcat does not request a client certificate; it has no effect on how browsers validate the server certificate.
If you instead use a file-based keystore (for example a .jks or .pfx), it is recommended to store it in the Tomcat directory (<FMEFlowDir>\Utilities\tomcat). If the keystore password contains characters that are invalid in XML (such as <, >, & or "), replace them with the corresponding escape sequences (&lt;, &gt;, &amp;, &quot;).
You can optionally change the HTTPS port. To use a port other than 443, update the port attribute on the HTTPS connector and the redirectPort attribute on the port 80 connector so that the two agree.
After checking the file for invalid characters, save and close the server.xml file.
3. Configure web.xml
Open web.xml, located in <FMEFlowDir>\Utilities\tomcat\conf, to insert the security constraint that forces every request onto HTTPS.
Add the following block just before the closing </web-app> element:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>HTTPSOnly</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
Save and close the web.xml file.
4. Configure context.xml
Open context.xml, located in <FMEFlowDir>\Utilities\tomcat\conf. Add the following line before the closing </Context> element (the element name is case-sensitive) to register the SSL authenticator valve:
<Valve className="org.apache.catalina.authenticator.SSLAuthenticator" disableProxyCaching="false" />
Save and close the context.xml file.
5. Update the FME Flow Web URL to Use HTTPS
Open fmeFlowConfig.txt located in <FMEFlowDir>\Server\ using an administrator-level text editor.
Modify the FME_SERVER_WEB_URL directive: change the scheme from http to https and, if you changed the port in step 2, set the port to match the HTTPS port. Use the fully qualified domain name (FQDN) the certificate was issued for, not localhost or a bare host name.
Save and close the file.
6. Prepare the Service Account and Certificate Alias
Run FME Flow services as a service account. Ensure the FME Flow services run under a dedicated service account. Because Windows-My is a per-user store, the certificate must be imported into this account's Personal store, so this is the account you log on as, or run as, in step 7.
Manage the certificate alias (optional):
The Windows store has no keytool-managed file; the following commands apply only while the certificate still lives in a Java keystore (for example, before it is exported to a PFX).
Change alias:
keytool -changealias -alias old-alias -destalias new-alias -keystore mykeystore.jks -storepass <keystore-password>
List aliases:
keytool -list -keystore mykeystore.jks -storepass <keystore-password>
Use these commands to confirm or adjust the alias so that it matches the certificateKeyAlias in server.xml (for example, fmeflow). Passing -storepass on the command line leaves the password in the shell history; omit it to be prompted instead.
7. Import the PFX Certificate into the Windows Certificate Store
The certificate must land in the Personal store of the service account, so use one of these two options:
- Logged on as the service account: log on to the machine with the service account credentials, then import the PFX certificate using the Certificate Import Wizard (double-click the .pfx file, choose Current User as the store location, and enter the PFX password).
- Using runas from an elevated session: open an elevated command prompt and execute
runas /user:DOMAIN\username mmc.exe
Replace DOMAIN\username with the service account. This opens mmc.exe running as that account, so the Certificates snap-in shows that account's stores:
1. Go to File > Add/Remove Snap-in.
2. Select Certificates, click Add, choose My user account, click Finish, then OK.
3. In the console tree, expand Certificates - Current User > Personal.
4. Right-click Certificates > All Tasks > Import > Next.
5. Click Browse, select the PFX file, enter its password, and complete the wizard, keeping Personal as the destination store.
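The same import and the alias check from steps 6 and 7, scripted in PowerShell. This is an added example, not part of the original article or Safe Software's own tooling; the PFX path, the account name svc_fmeflow and the alias are assumptions to replace with your own. It must run in a session started as the service account, because Windows-My is that account's Personal store and an import done in an administrator's own session would be invisible to Tomcat.

```powershell
# Added example for steps 6 and 7 (not from the original article). Start the
# session AS the FME Flow service account first, for example:
#   runas /user:DOMAIN\svc_fmeflow powershell.exe
# The path, account name and alias below are assumptions.
$PfxPath = 'C:\certs\fmeflow.pfx'   # assumed location of the exported PFX
$Alias   = 'fmeflow'                # must equal certificateKeyAlias in server.xml

# Step 7: import the PFX, including its private key, into CurrentUser\My.
$pw   = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\CurrentUser\My -Password $pw

# Step 6: SunMSCAPI exposes the certificate under its Windows friendly name, so
# set that to the alias Tomcat will ask for. Setting the property on a
# store-backed certificate object writes it back to the store.
$cert.FriendlyName = $Alias

# Checks worth doing before restarting FME Flow.
$found = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.FriendlyName -eq $Alias })
if ($found.Count -eq 0) { throw "No certificate with friendly name '$Alias' in CurrentUser\My" }
if ($found.Count -gt 1) { throw "Alias '$Alias' is ambiguous: $($found.Count) certificates share it; remove the stale ones" }
$c = $found[0]
if (-not $c.HasPrivateKey)      { throw "Certificate '$Alias' has no private key; re-export the PFX with the key included" }
if ($c.NotAfter -lt (Get-Date)) { throw "Certificate '$Alias' expired on $($c.NotAfter)" }

# The subject or a SAN entry must cover the FQDN used in FME_SERVER_WEB_URL.
$san     = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($san) { $san.Format($false) } else { '(none)' }
$c | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey, FriendlyName,
    @{ n = 'SANs'; e = { $sanText } }
```

If the final table shows HasPrivateKey as False, the PFX was exported without its key and Tomcat will fail to start the HTTPS connector; if two entries share the friendly name, SunMSCAPI may pick the wrong (often the older, expired) one, so delete the stale entry before restarting.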
8. Verify HTTPS Configuration
First, restart FME Flow so that Tomcat reloads server.xml, web.xml and context.xml.
Open a browser and navigate to your FME Flow's fully qualified domain name, for example https://myfmeflow.com. Certificates are issued for a host name, so if you browse to localhost or a short host name that is not on the certificate, the browser displays a security warning even though the configuration is correct. If you configured Tomcat to use a port other than the standard 443, also specify the port (https://myfmeflow.com:<port>).
You should see the FME Flow login page served over HTTPS with no certificate warning, and a request to the http:// URL should redirect to https://.
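A client-side check for step 8, added here as an example (it is not part of the original article): it performs a TLS handshake that validates the chain and host name the same way a browser would, reports the negotiated protocol and the certificate presented, and then confirms that plain HTTP is redirected rather than served. The host name myfmeflow.example.com and port 443 are assumptions.

```powershell
# Added example for step 8 (not from the original article). Run from any
# Windows client that trusts the issuing CA. Host and port are assumptions;
# use your FQDN and the port set on the HTTPS connector.
$FmeHost = 'myfmeflow.example.com'
$Port    = 443

# 1. TLS handshake. AuthenticateAsClient validates the chain and host name and
#    throws if the certificate is untrusted, expired or does not match $FmeHost.
$tcp = New-Object System.Net.Sockets.TcpClient($FmeHost, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
$ssl.AuthenticateAsClient($FmeHost)
$cert    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$san     = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($san) { $san.Format($false) } else { '(none)' }
[pscustomobject]@{
    Protocol = $ssl.SslProtocol       # expect Tls12 or Tls13 given protocols="TLSv1.2+TLSv1.3"
    Cipher   = $ssl.CipherAlgorithm
    Subject  = $cert.Subject
    Issuer   = $cert.Issuer
    NotAfter = $cert.NotAfter
    SANs     = $sanText
}
$ssl.Dispose(); $tcp.Dispose()

# 2. Plain HTTP must redirect to HTTPS (CONFIDENTIAL constraint in web.xml plus
#    redirectPort on the port 80 connector), not serve the login page.
$req = [System.Net.WebRequest]::Create("http://$FmeHost/")
$req.AllowAutoRedirect = $false
try   { $resp = $req.GetResponse() }
catch [System.Net.WebException] { $resp = $_.Exception.Response }
if ($resp) {
    'HTTP {0} -> Location: {1}' -f [int]$resp.StatusCode, $resp.Headers['Location']
    $resp.Close()
}
```

A handshake failure here, with the page still loading in a browser on the server itself, usually means the client does not trust the issuing CA or the FQDN is not in the SAN list; an HTTP 200 in the second step means the web.xml constraint was not picked up and FME Flow is still reachable in clear text.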
9. Modify Service URLs to Use HTTPS
To submit jobs on FME Flow via HTTPS, the service URLs must also use HTTPS.
- In the FME Flow Web User Interface, open the Services page under Admin > System Configuration > Network & Email.
- Click Change All Hosts and, in the URL Pattern field, change http to https. FME Flow may already have picked up this change; in that case, select OK. If required, change the port number; typically SSL is configured on port 8443 or 443.
- Run a sample workspace with the Data Download and Job Submitter services to confirm FME Flow is working over HTTPS.
Your FME Flow is now configured to work via HTTPS.
Troubleshooting
If you are experiencing issues, consult the article FME Flow Troubleshooting: Configuring for HTTPS/SSL. If this does not resolve your problem, contact Safe Software Support.