Configuring SSL for i2 TextChart Server

This topic describes how to create a self-signed certificate and use it to enable SSL for communications between i2 TextChart clients and the manager server, and between the manager and its worker nodes.

About this task

Enabling SSL for i2 TextChart Server involves the following sequence of actions:

  1. Create a certificate keystore file.

  2. Set the keystore and key manager passwords.

  3. Enable SSL through the i2 TextChart Server management UI, and optionally on some or all of the worker nodes.

The procedure below describes this sequence in more detail.

Procedure

To enable SSL functionality with a self-signed certificate, perform the following steps:

  1. Use the keytool command provided with the Java JDK to create a new keystore:

    keytool -keystore keystore -alias jetty -genkey -keyalg RSA

    Answer the prompts as required for your site, and make a note of the password that you provided.

    When the command finishes, it generates a keystore file in the directory that you ran it from.

    Note: On Microsoft Windows, you might need to add the JDK binary directory to your path in order to run the keytool command:

    set PATH=%PATH%;"c:\Program Files\Java\jdk1.8.0_65\bin"

    Adjust the path and version number to match your JDK installation.

  2. Copy the keystore file to the manager, preferably in the conf subdirectory of the i2 TextChart Server installation directory.

  3. In the i2 TextChart Server management UI, set the values of the following fields:

    • Key Store Path: The absolute path to the keystore file.

    • Key Store Password: The password that you entered when you created the keystore.

    • Key Manager Password: The manager password that you entered when you created the keystore. If this password is the same as the Key Store Password, leave the field blank.

  4. Decide whether you wish to use SSL for client-to-manager, admin-to-manager, or manager-to-worker communication. You can enable SSL for any combination of these three:

    • To use SSL for client-to-manager communication, enter 0 for the Client Service (http) field, and a valid port number for the Client Service (https) field.

    • To use SSL for admin-to-manager communication, enter 0 for the Admin Service (http) field, and a valid port number for the Admin Service (https) field.

    • To use SSL for manager-to-worker communication, enter 0 for the Worker Service (http) field, and a valid port number for the Worker Service (https) field.

  5. For SSL manager-to-worker communication, copy the keystore file to the installation directory on every worker node, and edit the worker.properties file to add the following properties:

    secure=true
    keyStorePassword=<password>
    keyManagerPassword=<manager_password>
    keyStorePath=/opt/RosokaExtractionWorker/conf/keystore

    Note: Set keyManagerPassword only if the manager password is different from the keystore password.

Any change to client- or admin-to-manager communication requires a restart of the manager server. Any change to manager-to-worker communication requires a restart of the manager and all affected workers.

If you access the manager UI or the client UI via SSL with a self-signed certificate, the browser will most likely display a warning, and you will have to allow the browser to navigate to the page. To remove the warning, use a certificate that is signed by a certification authority that the browser trusts.

Similarly, a self-signed certificate will cause problems if you use the REST API over SSL through most common communications libraries (including the i2 TextChart Server client tools).

To use a self-signed certificate without error in this context, import it as a trusted certificate into the truststore of the Java runtime that the client uses.
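The following script is an added example and is not part of the i2 TextChart documentation or product. It carries out step 1 of the procedure above without interactive prompts, writes the worker.properties entries from step 5, and then performs the truststore import that the previous paragraph describes: the self-signed certificate is exported from the server keystore and imported into a separate truststore for the client JVM. It assumes that the JDK keytool is on PATH; the file paths, passwords and the certificate's distinguished name are constructed placeholders, and the host name textchart-manager.example.internal is hypothetical.

```shell
#!/bin/sh
# Added example, not the product's own tooling. Assumes keytool (JDK) is on PATH.
# Paths, passwords and the DN below are constructed placeholders.
set -eu

# Step 1 of the procedure, non-interactively. -storetype JKS is used because the
# default PKCS12 type ignores a key password that differs from the store password,
# and the management UI treats Key Store Password and Key Manager Password as
# separate values.
# Arguments: keystore path, keystore password, key (manager) password.
make_keystore() {
    ks="$1"; storepass="$2"; keypass="$3"
    rm -f "$ks"
    keytool -keystore "$ks" -storetype JKS -alias jetty -genkey -keyalg RSA \
        -keysize 2048 -validity 365 \
        -storepass "$storepass" -keypass "$keypass" \
        -dname "CN=textchart-manager.example.internal, OU=Example, O=Example Corp, C=US" \
        >/dev/null 2>&1
    # Confirm that the alias the server expects is present.
    keytool -list -keystore "$ks" -storepass "$storepass" -alias jetty >/dev/null 2>&1
}

# Export only the public certificate from the server keystore and import it into
# a separate truststore for the client JVM (for example the REST client tools).
# The private key never leaves the server keystore.
# Arguments: keystore path, keystore password, truststore path, truststore
# password, path for the exported PEM certificate.
make_client_truststore() {
    ks="$1"; storepass="$2"; ts="$3"; tspass="$4"; cert="$5"
    rm -f "$ts" "$cert"
    keytool -exportcert -keystore "$ks" -storepass "$storepass" -alias jetty \
        -rfc -file "$cert" >/dev/null 2>&1
    keytool -importcert -noprompt -keystore "$ts" -storetype JKS \
        -storepass "$tspass" -alias textchart-manager -file "$cert" >/dev/null 2>&1
    keytool -list -keystore "$ts" -storepass "$tspass" -alias textchart-manager \
        >/dev/null 2>&1
}

# Step 5: write the worker.properties entries. keyManagerPassword is written only
# when it differs from the keystore password, as the note in the procedure says.
# Arguments: properties file path, keystore path on the worker, keystore
# password, key (manager) password.
write_worker_props() {
    props="$1"; ks="$2"; storepass="$3"; keypass="$4"
    {
        echo "secure=true"
        echo "keyStorePassword=$storepass"
        if [ "$keypass" != "$storepass" ]; then
            echo "keyManagerPassword=$keypass"
        fi
        echo "keyStorePath=$ks"
    } > "$props"
    # The file holds passwords in clear text; restrict it to the service account.
    chmod 600 "$props"
}

# Count how many lines in a properties file set the given key (used for checks).
count_prop() { grep -c "^$2=" "$1" || true; }

# Run the whole flow into a temporary directory when invoked as: sh script.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_keystore "$tmp/keystore" 'changeit-store' 'changeit-key'
    make_client_truststore "$tmp/keystore" 'changeit-store' \
        "$tmp/truststore" 'changeit-trust' "$tmp/manager.crt"
    write_worker_props "$tmp/worker.properties" "$tmp/keystore" \
        'changeit-store' 'changeit-key'
    echo "keystore, truststore and worker.properties written under $tmp"
    cat "$tmp/worker.properties"
fi
```

The client JVM is pointed at the generated truststore with the standard `-Djavax.net.ssl.trustStore=<path>` and `-Djavax.net.ssl.trustStorePassword=<password>` system properties. Because the certificate's CN is fixed at creation time, the clients must reach the manager by that host name, otherwise host name verification fails even though the certificate is trusted.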