Configuring SSL

This step is not needed to run TextChart Series 7 if you will only be accessing the system using the non-secure HTTP protocol. However, if you wish to enable more secure communications between any TextChart Series 7 clients and the TextChart server, or between the TextChart server and its Worker nodes, then follow the instructions in this section, which describe how to create a self-signed certificate for use with the system.

Enabling SSL for TextChart Series 7 involves the following basic steps:

  1. Create a certificate keystore file.

  2. Set the keystore and keystore manager passwords.

  3. Enable SSL functionality using the TextChart Series 7 Manager admin UI, and optionally enable SSL functionality on some or all of the Worker nodes.

To enable SSL functionality with a self-signed certificate, perform the following steps:

  1. Use the keytool program provided with the Java JDK to create a new keystore:

    keytool -keystore keystore -alias jetty -genkey -keyalg RSA

    Answer the prompts as required for your site. Make note of the password you enter for the key/cert generation process.

    When this program completes, it will have generated a file named keystore in the current directory.

    Note: On Microsoft Windows, you may need to add the JDK binary directory to your path in order to run the keytool command. If you cannot run the keytool program from the command line, then add the bin directory of your JDK installation to the path using a command like:

    set PATH=%PATH%;"c:\Program Files\Java\jdk1.8.0_65\bin"

    Adjust the path and version number to match your JDK installation.

  2. Copy the keystore file to the Manager system, preferably in the conf sub-directory of the Manager installation directory.

  3. Use the TextChart Series 7 Manager admin UI to set the values for the fields:

    • Key Store Path: the full absolute path to the keystore file.

    • Key Store Password: the password entered when creating the keystore.

    • Key Manager Password: the manager password entered when creating the keystore. If this password is the same as the Key Store Password, leave the field blank.

  4. Determine whether you wish to use SSL for client-to-Manager communication, admin-to-Manager communication, or Manager-to-Worker communication. You can enable SSL on any combination of these three:

    • To use SSL for client-to-Manager communication, enter "0" for the Client Service (http) field, and enter a valid port number for the Client Service (https) field.

    • To use SSL for admin-to-Manager communication, enter "0" for the Admin Service (http) field, and enter a valid port number for the Admin Service (https) field.

    • To use SSL for Manager-to-Worker communication, enter "0" for the Worker Service (http) field, and enter a valid port number for the Worker Service (https) field.

    Save these values in the Manager admin UI. You will need to restart the Manager server, either via the UI or by restarting the service on the Manager node.

  5. For SSL Manager-to-Worker communication, copy the keystore file to the Worker installation directory on each Worker node.

  6. For SSL Manager-to-Worker communication, edit the worker.properties file in the Worker installation directory on each Worker node and add the following properties:

    secure=true
    keyStorePassword=<password>
    keyManagerPassword=<manager_password>

    The keyManagerPassword property only needs to be set if the manager password differs from the keystore password.

Any change to admin-to-Manager or client-to-Manager communication requires a restart of the Manager server. Any change to Manager-to-Worker communication requires a restart of the Manager and all affected Workers.

If you access the Manager UI or the client UI via SSL with a self-signed certificate, the browser will likely display a certificate warning, and you will have to explicitly allow the browser to navigate to the page. This problem can be alleviated by having your certificate signed by a valid CA.

Similarly, if you attempt to use the REST API over SSL via most common communications libraries (the TextChart Series 7 Client Tools included), you will likely also have problems with a self-signed certificate. If you wish to use a self-signed certificate, install the certificate in the client Java system as a trusted certificate so that the communication can succeed without error.
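
Installing the self-signed certificate as trusted on a Java client can be done with keytool, as in the following added example (not part of the TextChart documentation). The file names, the "textchart" truststore alias and the KS_PASS/TS_PASS environment variables are assumptions; only the public certificate leaves the server keystore.

```shell
#!/bin/sh
# Added example, not from the TextChart documentation. File names, the
# "textchart" truststore alias and the password variables are assumptions.
# Passwords are read from the environment (KS_PASS, TS_PASS) through
# keytool's ":env" modifier so they do not appear on the command line.

# Export the public certificate only; the private key stays in the keystore.
# $1 = server keystore created in step 1, $2 = PEM file to write
export_server_cert() {
    keytool -exportcert -rfc -alias jetty -keystore "$1" \
        -storepass:env KS_PASS -file "$2"
}

# Add the certificate to a client truststore as a trusted entry.
# $1 = PEM file, $2 = client truststore (created if it does not exist)
trust_server_cert() {
    keytool -importcert -noprompt -alias textchart -file "$1" \
        -keystore "$2" -storepass:env TS_PASS
}

# Confirm the truststore entry is identical to the exported certificate by
# re-exporting it and comparing the two PEM files.
# $1 = PEM file, $2 = client truststore; returns 0 on match, 1 otherwise
verify_trusted_cert() {
    tmp=$(mktemp) || return 1
    if keytool -exportcert -rfc -alias textchart -keystore "$2" \
            -storepass:env TS_PASS -file "$tmp" >/dev/null 2>&1 \
            && cmp -s "$1" "$tmp"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Typical sequence (paths are placeholders):
#   export KS_PASS TS_PASS            # set beforehand, e.g. with read -s
#   export_server_cert keystore textchart.pem        # on the Manager
#   trust_server_cert textchart.pem client-truststore.jks   # on the client
#   verify_trusted_cert textchart.pem client-truststore.jks
```

A client JVM can then be pointed at the truststore with the standard JSSE system properties javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword; that the TextChart Client Tools use the JVM default trust settings is an assumption.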