SSL

Is it possible to use SSL with webclient, and if so, can you tell me what needs to be done to do so?

Thanks in advance for your help

Good question, I have a requirement for this also…

I guess you should edit Tomcat settings for SSL but a nice HowTo from the Servoy team would be really appreciated… ;)

I would like to repost this issue. Is there anyone out there that has experience with using SSL and Webclient? I could really use some help!

You need to add the following to <servoy_dir>/server/conf/server.xml:

 <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" 
               maxThreads="150" scheme="https" secure="true" 
               clientAuth="false" sslProtocol="TLS" >
           </Connector>

Secondly, you need to create a keystore: run the following in the bin-directory of your java directory, while connected to the system under the same user Servoy runs under:

keytool -genkey -alias tomcat -keyalg RSA

Now restart Servoy Server and you should be up and running under HTTPS.

Of course, you most likely want to use a third party certificate, but this should get you going.

Paul

Thank you very much Paul. I owe you :D

BTW: full details on SSL config within Tomcat 6 (used by Servoy 3.5) can be found here: Apache Tomcat 6.0 (6.0.53) - SSL Configuration HOW-TO

Paul

You may also need to add in the path to the keystore file.

 <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
            maxThreads="150" scheme="https" secure="true"
            clientAuth="false" sslProtocol="TLS"
            keystoreFile="/Users/admin/Documents/ssl_certs/servoy.ks" keystorePass="myPass" />

where keystoreFile=… is the path to your keystore and keystorePass=… is the password for that keystore.

Paul's hint is OK for Servoy Developer, but if you are configuring Servoy Server on Windows, keep in mind that Windows runs the service as the Default User, so you have to place your keystore in /Users and Settings/Default User or specify the location in the tomcat config file, otherwise it won’t work.
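An added example (not part of any post above, and not Servoy or Tomcat code): a Python check for the keystore pitfalls raised in the replies above. It relies on Tomcat's documented defaults (a `.keystore` file in the home directory of the account running the server, password `changeit`); the finding names, the sample `server.xml` and port 8444 are constructed for illustration.

```python
import os
import xml.etree.ElementTree as ET


def audit_ssl_connectors(server_xml, file_exists=os.path.isfile):
    """Return sorted (port, finding) pairs for every SSL-enabled <Connector>."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP/AJP connectors are out of scope here
        port = conn.get("port", "?")
        keystore = conn.get("keystoreFile")
        if keystore is None:
            # Tomcat then looks for ".keystore" in the home directory of the
            # account the server runs as, which differs for a Windows service.
            findings.append((port, "default-keystore-location"))
        elif not file_exists(keystore):
            findings.append((port, "keystore-not-found"))
        if conn.get("keystorePass") is None:
            # Without keystorePass Tomcat tries its default, "changeit".
            findings.append((port, "default-keystore-password"))
        if conn.get("scheme") != "https" or conn.get("secure") != "true":
            findings.append((port, "scheme-or-secure-not-set"))
    return sorted(findings)


# Constructed sample: the two connectors posted in this thread (the second
# moved to port 8444 so the findings can be told apart) plus a plain one.
SAMPLE_SERVER_XML = """
<Server><Service name="Catalina">
  <Connector port="8085" protocol="HTTP/1.1" redirectPort="8443" />
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
             maxThreads="150" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS" />
  <Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true"
             maxThreads="150" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"
             keystoreFile="/Users/admin/Documents/ssl_certs/servoy.ks"
             keystorePass="myPass" />
</Service></Server>
"""

if __name__ == "__main__":
    for port, finding in audit_ssl_connectors(SAMPLE_SERVER_XML):
        print(port, finding)
```

Run it on the server under the same account the Servoy service uses, so the file check sees what Tomcat will see.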

Sorry, this is a very late addition to this post.

If using the Sebster tunnel, would you then need to install the ssl on apache and then add an apache proxy to forward the https port to the tomcat server's defined https port?

Or could you just forward port 80 to the ssl port defined in tomcat?

David

You don’t need to use apache to use the tunnel.

For the tunnel you have 2 options:
1- Use plain http but turn on SSL in the servoy admin pages. This will use SSL over port 80. This is not 100% secure because somebody could use DNS spoofing to make you start the client from a different server.
2- Use tomcat to provide SSL and start the client via HTTPS. Turn off SSL in the admin pages. Now the tunnel just works over https and this is secure.

If you are using an apache proxy, or want to use an apache proxy for whatever reason, that is perfectly fine. In that case apache should provide the SSL (SSL termination) and send the requests to the backend tomcat server on the regular http port.

Thanks Seb,

I am using the apache proxy as I have multiple instances of servoy server running :) you cannot forget it!! Anyway it has been working great!

So I will just proxy the SSL port to the same port and I guess I leave the AJP as it is, just configure a proxy but on the SSL port instead of 80.
Thanks

David

Yes, everything is exactly the same except you create a virtual host on port 443 with ssl enabled.

Thanks Seb,

It's odd. I have the proxy working on https, which takes me to the webclient solution chooser in https, but as soon as I click on the solution it reverts back to http.

        ProxyPreserveHost On
        ProxyPass /tunnel ajp://localhost:8014/tunnel flushpackets=on
        ProxyPass / http://localhost:8085/
        ProxyPassReverse / http://localhost:8085/

So could it be that I need to change the servoy.jnlpCodebaseOverride from http to https?

I assume what I am saying in the proxy is take the packets from https and forward them to http 8045 and then back again to http 8045 and then back through the https port to my user.

Hence that looks OK and servoy itself doesn't need to be secured as apache is doing the https.

So is it that line in the server settings, which reverts traffic back to the http port?

Thanks

David

You need to change the jnlp codebase override to https, that should be all. That’s the URL the client uses to connect.

Webclient loading doesn’t have anything to do with the jnlp codebase override; that's purely for the smart client (same for the /tunnel, that's also only smart client).

So I have forwarded port 443 on apache to 8085 and reverse proxy, which brings me to the webclient solution selection screen, which appears as https.

When I click the solution, that then takes me back onto an http rather than https url?

Maybe there is some change I need to make in the server.conf?

<Connector port="8085"
           protocol="HTTP/1.1"
           maxThreads="500" connectionTimeout="60000"
           redirectPort="8443" useBodyEncodingForURI="true" />

Is it as simple as adding an S to HTTP/1.1 ???

David

No, you don’t have to change the tomcat configuration. You have the following configuration:

internet – HTTPS:443 → apache – HTTP:8085 → servoy tomcat

What you have to do is change the jnlp codebase url in the servoy.properties to point to the external url, which in this case is httpS://your.server.com.

Hi, I didn’t read the post properly, sorry about that. :( You’re talking about webclient, I was talking about smartclient with tunnel.

For webclient it means the urls generated by the webclient must be incorrect if they take you back to http. I will discuss this with Johan. It should use the same protocol as the request. I (or Johan) will get back to you on this.

After Many months, I am back looking at this!! (Sorry :)

I have put up a new virtual server with SSL and I am successfully running https on port 443 and proxying through to servoy.

The issue I have is that when I click on my solution in the web client home page, it reverts to http. If I add the S to the url it then goes back into Servoy and runs fine from then.

The link is a relative one in your servoy solution picker, but it obviously then reverts to http somehow.

I think this must be a servoy setting, but I cannot think where it is?

You can try it if you like:

https://d2physio.isaastechnology.co.uk/servoy-webclient
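An added example (not part of the thread, and not Servoy code) for pinning down where the switch back to http described above happens: feed it the request URL, status and headers of each hop recorded from the browser's network tab or `curl -sI`. The sample hops, paths and cause labels are constructed; `your.server.com` is the placeholder host used earlier in the thread.

```python
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}


def find_downgrades(hops):
    """hops: iterable of (request_url, status, headers) in request order.

    Returns (request_url, redirect_target, cause) for every HTTPS request
    that was answered with a redirect to plain HTTP.
    """
    findings = []
    for url, status, headers in hops:
        location = {k.lower(): v for k, v in headers.items()}.get("location")
        if status not in REDIRECTS or not location:
            continue
        # A relative Location inherits the scheme of the request, so only an
        # absolute http:// target can take the browser off HTTPS.
        target = urljoin(url, location)
        req, tgt = urlsplit(url), urlsplit(target)
        if req.scheme != "https" or tgt.scheme != "http":
            continue
        if tgt.hostname == req.hostname:
            # Public host name with http scheme: consistent with an absolute
            # URL built behind the proxy from the plain-HTTP request it saw.
            cause = "backend-built-url"
        else:
            # Another host (e.g. the backend address) reached the browser, so
            # the proxy did not rewrite this Location header.
            cause = "backend-address-leak"
        findings.append((url, target, cause))
    return findings


# Constructed capture, for illustration only.
SAMPLE_HOPS = [
    ("https://your.server.com/servoy-webclient", 200, {"Content-Type": "text/html"}),
    ("https://your.server.com/servoy-webclient/solutions/demo", 302,
     {"Location": "http://your.server.com/servoy-webclient/app?x=1"}),
    ("https://your.server.com/servoy-webclient/other", 302, {"location": "app/page"}),
    ("https://your.server.com/old", 302, {"Location": "http://localhost:8085/new"}),
]

if __name__ == "__main__":
    for url, target, cause in find_downgrades(SAMPLE_HOPS):
        print(f"{cause}: {url} -> {target}")
```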