Configuring SSL for i2 TextChart Server

i2 recommends using SSL to secure communications between TextChart clients and the manager server, and between the manager and its worker nodes. The instructions in this topic describe how to create a self-signed certificate for use with the system.

About this task

Enabling SSL for i2 TextChart Server involves the following sequence of actions:

  1. Create a certificate keystore file.

  2. Set keystore and keystore manager passwords.

  3. Enable SSL through the i2 TextChart Server management UI, and on the worker nodes.

The procedure below describes this sequence in more detail.

Procedure

To enable SSL functionality with a self-signed certificate, perform the following steps:

  1. Use the keytool command provided with the Java JDK to create a new keystore:

    keytool -keystore keystore -alias jetty -genkey -keyalg RSA

    Answer the prompts as required for your site, and make a note of the password that you provided.

    When the command finishes, it generates a keystore file in the directory that you ran it from.

    Note: On Microsoft Windows, you might need to add the JDK binary directory to your path in order to run the keytool command:

    set PATH=%PATH%;"c:\Program Files\Java\jdk1.8.0_65\bin"

    Adjust the path and version number to match your JDK installation.

  2. Copy the keystore file to the manager server, and place it in the conf subdirectory of the i2 TextChart Server installation directory.

  3. In the i2 TextChart Server management UI, set the values of the following fields:

    • Key Store Path: The absolute path to the keystore file.

    • Key Store Password: The password that you entered when you created the keystore.

    • Key Manager Password: The manager password that you entered when you created the keystore. If this password is the same as the Key Store Password, leave the field blank.

  4. You can enable SSL separately for three different areas of communication:

    • To use SSL for client-to-manager communication, enter a valid port number in the Client Service (https) field.

    • To use SSL for admin-to-manager communication, enter a valid port number in the Admin Service (https) field.

    • To use SSL for manager-to-worker communication, enter a valid port number in the Worker Service (https) field.

    In all three cases, you can disable unencrypted communication by setting the corresponding http field to 0.

  5. For SSL manager-to-worker communication, you also need to copy the keystore file to the installation directory on every worker node, and edit the worker.properties file to add the following properties:

    secure=true
    keyStorePassword=<password>
    keyManagerPassword=<manager_password>
    keyStorePath=/opt/RosokaExtractionWorker/conf/keystore

    Note: Set keyManagerPassword only if the manager password is different from the keystore password.
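As an added example (not part of the product documentation), the following Python script checks a worker.properties file against the rules given in step 5: secure must be true, the password values must no longer be placeholders, keyManagerPassword is omitted when it matches the keystore password, and keyStorePath must point to an existing file. The minimal properties parser and the two sample file contents are constructed here; the property names are the ones shown above.

```python
import os
from typing import Callable, Dict, List

# Constructed sample: worker.properties as left after step 5, placeholders unfilled.
SAMPLE_PLACEHOLDER = """secure=true
keyStorePassword=<password>
keyManagerPassword=<manager_password>
keyStorePath=/opt/RosokaExtractionWorker/conf/keystore
"""

# Constructed sample: passwords filled in; keyManagerPassword omitted because it
# equals the keystore password, as the Note in step 5 requires.
SAMPLE_OK = """secure=true
keyStorePassword=example-keystore-pw
keyStorePath=/opt/RosokaExtractionWorker/conf/keystore
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value or key:value, # and ! comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def check_worker_ssl(props: Dict[str, str],
                     exists: Callable[[str], bool] = os.path.isfile) -> List[str]:
    """Return the problems found; an empty list means the SSL settings are consistent."""
    problems: List[str] = []
    if props.get("secure", "").lower() != "true":
        problems.append("secure is not true: manager-to-worker traffic stays on plain http")
    ks_pw = props.get("keyStorePassword", "")
    if not ks_pw or ks_pw.startswith("<"):
        problems.append("keyStorePassword is empty or still a placeholder")
    km_pw = props.get("keyManagerPassword")
    if km_pw is not None and km_pw == ks_pw:
        problems.append("keyManagerPassword equals keyStorePassword: omit it (step 5 Note)")
    path = props.get("keyStorePath", "")
    if not path:
        problems.append("keyStorePath is not set")
    elif not exists(path):
        problems.append(f"keystore file not found at {path}")
    return problems
```

Run it on a real worker node with `check_worker_ssl(parse_properties(open("worker.properties").read()))`; the `exists` argument is there so the checks can also be run on a copy of the file away from the node.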

Any change to client- or admin-to-manager communication requires a restart of the manager server. Any change to manager-to-worker communication requires a restart of the manager and all workers.

If you access the manager UI or the client UI via SSL with a self-signed certificate, the browser is likely to display a warning, and you will have to allow the browser to navigate to the page. To remove the warning, use a certificate that is signed by a valid certification authority.

Similarly, a self-signed certificate will generate warnings if you use the REST API over SSL through most common communications libraries (including the i2 TextChart Server client tools). To use a self-signed certificate without error in this context, import it as a trusted certificate into the Java trust store on the client system.