Running Servoy 4.1.0 build 651 on CentOS 5.
All running fine as default install, that is, running on port 8080.
Webclient and rich client are working and I have created and successfully loaded a real SSL certificate using keystore.
I now want to modify the configuration so that everything runs through port 443 (SSL).
I have checked out the forums but there seems to be a lot of conflicting information for different versions.
Can anyone confirm definitively what I need to change to run the http tunnel on 443? Or point me at a HOWTO that applies to 4.1?
I tried:
a) edit server.xml to add a connector for 443.
b) modify existing connector to be protocol="org.apache…" etc. on port 80; change redirectPort to be 443.
c) edit web.xml to add the section at the end.
d) restart servoy
Needless to say it didn't work.
Have I missed something? Am I on completely the wrong track?
Thanks
Al
Ok
Found the information on setting up an HTTP tunnel on page 314 of the 4.0 admin manual. Set up the tunnel according to these instructions and…it worked…for http.
So I have been able to turn off RMI at the firewall and everything (Servoy webclient and rich client) continues to work through port 8080. Great.
Now I want to make it all run through port 443 (ssl). Found the forum topic 10488 ‘how do I configure SSL when using the http tunnel?’ and configured it following those instructions. Already had an SSL cert installed and operational so made the following changes to server.xml:
(changed redirectPort and added a 443 connector definition)
Rich client won't download or run from the standard https page - I see the Servoy logo but the browser reports an error trying to download the Java applet…also if I try and run the existing (previously downloaded) Java applet rich client it opens but can't contact the database any more.
Any ideas what I have done wrong?
Should the `<Connector port="443"` definition added to server.xml have a protocol= line?
It doesn't have one in the HOWTO article - but is that a typo?
Hmm,
I wish I could
What happens is that if I try to go to http://server:8080/ and run the servoy rich client everything works just fine.
If I try to go to https://server/ I can see the Servoy logo but when I click on it the browser barfs with 'cannot download client from server' (wording changes dependent on browser but the effect is the same).
Problem is they don't produce the result that you indicate at the end of 10488 - i.e. able to start the Servoy rich client from an https home page. The download of the Java client fails. To summarize, following the setup instructions above I have the following working functionality:
a) Servoy rich client using real ssl certificate (if started from http://server:8080/)
b) servoy webclient starting from https://server/servoy-webclient url
c) servoy admin starting from https://server/servoy-admin url
however to get the rich client to download and/or start I still have to start from the page http://server:8080/
It won't work if I start from https://server/ (i.e. just on port 443). This means I still have to keep port 8080 open. It also means I'll have problems dealing with customers that aren't able to open non-standard ports on their corporate firewalls.
Your HOWTO page indicates at the bottom that it should allow the client to be started from an SSL protected page (to prevent tampering with the webstart url).
BTW, can anyone tell me what the redirectPort in the server.xml file does?
I have changed it to a pile of different values and it doesn't seem to make any difference.
What's the relationship between the port and the redirectPort directives?
“redirectPort: Names the TCP/IP port number to which a request should be redirected, if it comes in on a non-SSL port, and is subject to a security constraint with a transport guarantee that requires SSL”
but I still can't work out why the rich client won't work on port 443.
Any more ideas?
Al
I have downloaded the smart client from the mentioned url in the other thread (viewtopic.php?f=5&t=11807&p=59140#p59140) but it works just fine here.
I could download and run a smart client without any issue…
It doesn't for me,
but it does from other non-SSL URLs. If it works for you I'll investigate further at the browser end rather than the server end.
Thanks
Al
AARGH!!!
Thanks for that
Just downloaded Firefox onto the same workstation, accessed the URL and it works perfectly…so something is screwed in the IE7 configuration settings. I'm just posting here to:
a) Show I’m an idiot and
b) save someone else going through the same pain
Seems like I have been chasing a local browser error for several days now.
I still don't know what it is, as IE is quite happy to open the Java client from the 8080 (non-SSL) port - it just won't do it from SSL (8443).
At least I know my server config is ok, and I can go ahead with getting it onto port 443.
Now I have vented my frustration at IE, I have one last item to achieve before our Servoy instance is fully installed.
That's to get it running behind Apache on port 443 (i.e. Apache handling the SSL on 443 and proxying through to 8443).
Problem is, whilst I have a totally happy and working certificate inside a keystore file - that's not the way Apache wants to see it.
It wants a .crt cert file and a .pem private key file.
anyone know a quick/simple/easy way to produce that combination out of a keystore file?
I thought it would just be a case of ‘export’ - but nothing is that simple.
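Since the thread never spells out the conversion, here is the keystore-to-Apache route as an added example. This script is not from the thread or from Servoy: keytool will not print a private key directly, so the entry is first copied into a PKCS12 keystore and openssl then splits that into the certificate, the unencrypted key and the CA chain. It assumes a JDK keytool that supports `-importkeystore` (JDK 6 or later) and the openssl command-line tool on the PATH; the function name `keystore_to_apache_pem`, the output file names and the sample keystore path, alias and password in the usage comment are all made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread or from Servoy: turn a Java keystore entry
# into the .crt / .pem pair Apache's mod_ssl wants.
# Assumes: JDK 6+ keytool (for -importkeystore) and the openssl CLI on PATH.
# keytool cannot export a private key directly, so the route is JKS -> PKCS12 -> PEM.

keystore_to_apache_pem() {
    # usage: keystore_to_apache_pem <keystore.jks> <alias> <storepass> <outdir>
    if [ "$#" -ne 4 ]; then
        echo "usage: keystore_to_apache_pem <keystore> <alias> <storepass> <outdir>" >&2
        return 2
    fi
    ks=$1; alias=$2; pass=$3; out=$4
    command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH" >&2; return 3; }
    command -v openssl >/dev/null 2>&1 || { echo "openssl not on PATH" >&2; return 3; }
    mkdir -p "$out" || return 1
    p12=$out/$alias.p12

    # 1. Copy the one entry into a PKCS12 keystore (key and chain travel together).
    #    Passwords given on the command line are visible in 'ps' while keytool runs.
    keytool -importkeystore -noprompt \
        -srckeystore "$ks" -srcstoretype JKS -srcstorepass "$pass" -srcalias "$alias" \
        -destkeystore "$p12" -deststoretype PKCS12 -deststorepass "$pass" -destkeypass "$pass" \
        || return 1

    # 2. Server certificate only -> SSLCertificateFile
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts -out "$out/server.crt" || return 1
    # 3. Private key, unencrypted (-nodes) so Apache starts without a passphrase prompt;
    #    umask 077 keeps the key file readable by the owner only.
    (umask 077 && openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes -out "$out/server.key.pem") || return 1
    # 4. Intermediate / CA certificates, if the keystore holds any -> SSLCertificateChainFile
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -cacerts -out "$out/chain.crt" || return 1

    rm -f "$p12"   # the PKCS12 copy contains the key too; do not leave it behind
    echo "wrote $out/server.crt $out/server.key.pem $out/chain.crt"
    return 0
}

# Run directly, e.g. (sample values, not from the thread):
#   keystore_to_apache_pem /path/to/keystore.jks tomcat changeit /etc/httpd/ssl
case "$#" in
    4) keystore_to_apache_pem "$@" ;;
esac
```

With the three files in place the Apache side is `SSLCertificateFile`, `SSLCertificateKeyFile` and `SSLCertificateChainFile`. Before restarting Apache it is worth confirming the key and certificate belong together: `openssl x509 -noout -modulus -in server.crt | openssl md5` and `openssl rsa -noout -modulus -in server.key.pem | openssl md5` must print the same digest.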
Ok
Seems there is a lot of info about a bug in IE that causes it to choke when it tries to download files over SSL if the server is sending back a no-cache response in its headers. Needless to say the default Servoy + Tomcat is doing this, which is why the smart client won't work with IE. (This IE issue famously breaks both JNLP and PDF file downloads over SSL - but many (most) of our clients are liable to try to use IE to run our app, so we have to address it.)
The fix is to stop Tomcat returning:
pragma: no-cache
cache-control: no-cache
…and apparently this can be turned off by adding:
somewhere in the Tomcat config. Problem is I can't work out where to put it. I am not a Tomcat expert. I tried putting it in server.xml but it just broke Tomcat entirely. Can anyone point out where this should go?
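The post leaves the setting itself out, so nothing is guessed at here; what follows is the check to run against the JNLP URL before and after any change, as an added example that is not from the thread or from Servoy. `ie_nocache_present` reads a raw header block and prints every Pragma or Cache-Control line carrying no-cache or no-store, the combination the IE bug trips on, and exits 0 only when one was found; `probe_jnlp_headers` fetches the headers of a URL with curl and feeds them through. Both function names are made up for the example, the URL in the usage line is a placeholder, and the sample header block is constructed from the two headers the post lists; only the live probe needs the curl CLI.

```shell
#!/bin/sh
# Added example, not from the thread or from Servoy: detect the response headers
# that make IE refuse to save a download (JNLP, PDF, ...) over SSL.
# Assumes: POSIX sh with tr/grep; the curl CLI only for probe_jnlp_headers.

# Read an HTTP header block on stdin; print each Pragma / Cache-Control line that
# carries no-cache or no-store. Exit 0 if any were found, 1 if the headers are clean.
ie_nocache_present() {
    tr -d '\r' | tr 'A-Z' 'a-z' \
        | grep -E '^(pragma:.*no-cache|cache-control:.*(no-cache|no-store))'
}

# Fetch only the headers of a URL (HEAD request) and run the check.
# If the application answers HEAD differently from GET, swap -I for
# "-o /dev/null -D -" to get the headers of a real GET instead.
probe_jnlp_headers() {
    url=${1:?usage: probe_jnlp_headers https://server/path/to/client.jnlp}
    curl -sSI "$url" | ie_nocache_present
}

# Constructed sample (not captured from a real server), modelled on the two
# headers named in the post.
SAMPLE_BAD='HTTP/1.1 200 OK
Pragma: No-cache
Cache-Control: no-cache
Content-Type: application/x-java-jnlp-file'

# Stand-alone demo: the sample trips the check, so both header lines are printed.
if printf '%s\n' "$SAMPLE_BAD" | ie_nocache_present; then
    echo "IE download-over-SSL problem present in sample headers"
else
    echo "sample headers are clean"
fi
```

Run `probe_jnlp_headers` against the https URL the rich client is launched from: if it prints nothing and exits 1, Tomcat is no longer sending the offending directives and IE should be able to save the JNLP file; a Pragma or Cache-Control line in the output means the change has not taken effect for that resource.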