Enabling HTTPS in Trifork T4

Trifork Application Server supports HTTPS once it has been activated in the Management Console. You can reach the console via the URL http://meinTriforkServer:8090/console (substitute the host name of your server). The default user name is administrator and the password is trifork; change this default password before the console is reachable from anything but a trusted network. After logging in, enable the HTTPS option in the HTTP, DEFAULT_ENDPOINT section and specify the desired port.

After this change, the Trifork server needs to be restarted. Your server can then be reached via HTTPS.

By default, the Trifork server uses a supplied key pair and a matching SSL certificate. You can, however, generate your own key pairs and certificates. For this you need Sun Microsystems' keytool program, which is shipped with the Trifork server. It is located under the installation directory in javaDir/bin, where javaDir is the directory of the JDK in use, for example trifork-4.1.26/jdk-1.5.0/bin.

Generating Key Pairs

Key pairs are stored in a so-called keystore. Since one Trifork installation can host several servers, the keystore to be used is selected in the Management Console; see the HTTP section mentioned above.

When creating a key pair, you must specify an alias for it: an identifier by which the key pair is referred to later on. You can also specify the keystore in which it is stored. If no keystore is specified, the key pair is stored in the default keystore; if the specified keystore does not exist, it is created automatically. Details on this and on the steps explained below can be found in Sun's JDK documentation:

http://java.sun.com/j2ee/1.4/docs/tutorial/doc/Security6.html
http://java.sun.com/j2se/1.3/docs/tooldocs/win32/keytool.html

Use the following syntax to create a key pair with the alias alias-name and store it in the specified keystore. Separate passwords can be set for the key pair (-keypass) and for the keystore itself (-storepass).

keytool -genkey -alias alias-name -keyalg RSA -keypass changeit -storepass changeit -keystore keystore.jks

By default, the supplied keystore, keystore.jks, is protected with the password changeit. Enter the password in the Management Console in the section mentioned above (HTTP, DEFAULT_ENDPOINT) so that the Trifork server can access the keystore.

Certifying a Key Pair in the Keystore

A key pair used for secure communication between a server and its clients is considered trustworthy if it has been certified. This is the role of certificate authorities such as VeriSign or Thawte. If a browser encounters a certificate issued by such an authority, it is accepted automatically, provided that the browser has been configured to trust that authority.

In many environments a self-signed certificate is sufficient. In this case the website owner acts as the issuer of the certificate, so when the website is accessed for the first time, the browser asks the user whether to trust it. If the user agrees, the browser stores the certificate in its pool of trusted certificates, and on later visits to the website it does not need to ask again.

For this to work, a certificate for the key pair concerned has to be exported from the keystore and then imported into the so-called truststore. Here is an example of the two steps for the alias-name key pair, with the exported certificate named name.cer; keystore.jks serves as the keystore and cacerts.jks as the truststore.

keytool -export -alias alias-name -storepass changeit -file name.cer -keystore keystore.jks
keytool -import -v -trustcacerts -alias alias-name -file name.cer -keystore cacerts.jks \
  -keypass changeit -storepass changeit

In total, three files, keystore.jks, cacerts.jks, and name.cer, have now been created in the bin directory of the JDK. To make them known to the Trifork server, move them to the installDir/domains/default/servers/default/config directory; back up the existing keystore.jks and cacerts.jks there first. In the Management Console, section Security, SSL, you can check whether the Trifork server recognizes the new certificate.
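The three keytool steps above (generate the key pair, export its certificate, import the certificate into the truststore) are collected here into one script that can be run end to end against a throw-away directory and then checked with keytool -list. This is an added example, not part of the Trifork documentation or the Trifork product: the alias trifork, the host name meinTriforkServer for the CN, the password Tr1fork-demo-pw and the directory name are constructed assumptions, and -dname, -keysize, -validity, -storetype and -noprompt are added so the commands run without interactive prompts. The script also refuses the documented default password changeit, since a keystore protected by a published password protects nothing.

```shell
#!/bin/sh
# Added example (not from the Trifork documentation): the keytool procedure
# from this page wrapped in functions. Alias, host name and password are
# constructed assumptions.
set -eu

# Refuse the documented default keystore password "changeit" (and an empty one).
# Returns 0 if the candidate is acceptable, 1 otherwise.
check_not_default_password() {
    case "$1" in
        changeit|"") return 1 ;;
        *) return 0 ;;
    esac
}

# Step 1 (page: keytool -genkey). -dname avoids the interactive questions; the
# CN should be the host name clients use to reach the server.
generate_key_pair() {
    # $1 alias  $2 keystore file  $3 password  $4 host name for the CN
    keytool -genkey -alias "$1" -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$4, O=Example, C=DE" -storetype JKS \
        -keypass "$3" -storepass "$3" -keystore "$2"
}

# Step 2 (page: keytool -export): write the self-signed certificate to a file.
export_certificate() {
    # $1 alias  $2 keystore file  $3 store password  $4 output .cer file
    keytool -export -alias "$1" -storepass "$3" -file "$4" -keystore "$2"
}

# Step 3 (page: keytool -import): add the certificate to the truststore.
# -noprompt answers the "Trust this certificate?" question for scripted use.
import_certificate() {
    # $1 alias  $2 truststore file  $3 store password  $4 .cer file
    keytool -import -v -trustcacerts -noprompt -alias "$1" -file "$4" \
        -storetype JKS -keystore "$2" -storepass "$3"
}

# Check: print the entry type stored under the alias (PrivateKeyEntry or
# keyEntry for a key pair, trustedCertEntry for an imported certificate).
# Exits non-zero if the alias is not present in the keystore.
keystore_entry_type() {
    # $1 alias  $2 keystore file  $3 store password
    out=$(keytool -list -alias "$1" -keystore "$2" -storepass "$3" 2>/dev/null) || return 1
    printf '%s\n' "$out" | grep -o -E 'PrivateKeyEntry|trustedCertEntry|keyEntry' | head -n 1
}

# Run the whole procedure in the given directory and print the two entry
# types, one per line: first the key pair in keystore.jks, then the trusted
# certificate in cacerts.jks.
run_demo() {
    mkdir -p "$1"
    pw="${KEYSTORE_PASSWORD:-Tr1fork-demo-pw}"   # constructed; not the default
    check_not_default_password "$pw" || { echo "refusing default keystore password" >&2; return 1; }
    generate_key_pair trifork "$1/keystore.jks" "$pw" meinTriforkServer >/dev/null
    export_certificate trifork "$1/keystore.jks" "$pw" "$1/trifork.cer" >/dev/null
    import_certificate trifork "$1/cacerts.jks" "$pw" "$1/trifork.cer" >/dev/null
    keystore_entry_type trifork "$1/keystore.jks" "$pw"
    keystore_entry_type trifork "$1/cacerts.jks" "$pw"
}

# Usage: sh trifork-ssl.sh run [directory]
if [ "${1:-}" = run ]; then
    run_demo "${2:-./trifork-ssl-demo}"
fi
```

The resulting keystore.jks and cacerts.jks are the two files the page tells you to copy into installDir/domains/default/servers/default/config, and the password you chose is the one to enter in the HTTP, DEFAULT_ENDPOINT section of the Management Console.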

Existing certificates (*.pem, *.der, *.p12) can be converted to the Java keystore format with free tools available on the internet. Individual certificate containers can be converted between formats with OpenSSL (http://www.openssl.org/support/faq.html).