Trifork Application Server supports HTTPS if it has been activated in the Management Console. You can access the console via the URL http://meinTriforkServer:8090/console. The default user name is administrator and the password is trifork. After logging in, enable the HTTPS option in the HTTP, DEFAULT_ENDPOINT section and specify the desired port. After this change, the Trifork server needs to be restarted. Your server can then be reached via HTTPS.
By default, the Trifork server uses a supplied key pair and a corresponding SSL certificate. However, you can also generate your own key pairs and certificates. For this, you require Sun Microsystems' keytool program, which is supplied with the Trifork server. This program can be found below the installation directory, in javaDir/bin, where javaDir is the directory of the JDK used, for example trifork-4.1.26/jdk-1.5.0/bin.
Key pairs are stored in a so-called keystore. Since several servers can be operated using one Trifork server, the keystore to be used can be selected by means of the Management Console. See the HTTP section mentioned above.
When creating a key pair, an alias needs to be specified for it. The alias is an identifier that can be used to refer to the key pair later on. Furthermore, you can specify a so-called keystore. If the keystore is not specified, the key pair is stored in the default keystore. If a nonexistent keystore is supplied, it will be created automatically. Details about this and the explanations given in the following can be found in Sun's JDK documentation:
http://java.sun.com/j2ee/1.4/docs/tutorial/doc/Security6.html
http://java.sun.com/j2se/1.3/docs/tooldocs/win32/keytool.html
Use the following syntax to create a key pair with the alias alias-name and to store it in the specified keystore. Passwords can be specified for accessing the key pair as well as the keystore.
keytool -genkey -alias alias-name -keyalg RSA -keypass changeit -storepass changeit -keystore keystore.jks
By default, the supplied keystore, keystore.jks, is protected with the password changeit. Enter the password in the Management Console in the section mentioned above (HTTP, DEFAULT_ENDPOINT) so that the Trifork server can access the keystore.
A key pair for the secure communication between a server and the clients is considered trustworthy if it has been certified. It has become the task of certificate authorities such as VeriSign, Thawte etc. to do this. If a browser comes across a certificate that has been certified by such an authority, it is automatically considered trustworthy provided that the browser has been configured correspondingly.
In many environments it is sufficient to use a self-signed certificate. In this case, the website owner acts as the issuer of the certificate. Therefore, when the website is accessed for the first time, the browser will ask the user whether he trusts the certificate. If he does, the browser stores the certificate in the pool of trustworthy certificates. Thus, the next time the user visits this website, the browser does not need to ask again.
For this to work, a certificate for the key pair concerned needs to be exported from the keystore. This certificate is then imported into the so-called truststore. Here is an example of the two steps applied to the alias-name key pair and the exported certificate named name.cer. As the keystore and the truststore, keystore.jks and cacerts.jks, respectively, are used.
keytool -export -alias alias-name -storepass changeit -file name.cer -keystore keystore.jks
keytool -import -v -trustcacerts -alias alias-name -file name.cer -keystore cacerts.jks -keypass changeit -storepass changeit
In total, three files, keystore.jks, cacerts.jks, and name.cer, were created in the bin directory of the Java JDK. To make these files known to the Trifork server, move them to the installDir/domains/default/servers/default/config directory. Before doing this, make a backup of the existing files keystore.jks and cacerts.jks. Using the Management Console, section Security, SSL, you can check whether the Trifork server recognizes the new certificate.
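The three keytool steps described above (generate the key pair, export its certificate, import the certificate into the truststore) as one script, followed by a check that the certificate in cacerts.jks really is the one exported from keystore.jks. This is an added example, not a script shipped with the Trifork server; it assumes the JDK's keytool is on PATH and uses the file names from the text (keystore.jks, cacerts.jks, name.cer). The password changeit is kept only as the placeholder the text uses; set STOREPASS to a different value for a real deployment. The -dname option keeps keytool non-interactive and -storetype JKS keeps the keystore format the Trifork server expects even on newer JDKs whose default is PKCS12; both options are assumptions beyond the commands shown in the text.

```shell
#!/bin/sh
# Added example (not Trifork's own script): generate a self-signed key pair,
# export its certificate, import it into the truststore, then verify that
# keystore and truststore agree on the certificate fingerprint.
set -e

# Placeholder password from the text; override with STOREPASS=... in practice.
STOREPASS="${STOREPASS:-changeit}"

# Step 1: RSA key pair under the given alias in keystore.jks.
# -dname avoids the interactive prompts; -storetype JKS pins the format.
make_keypair() {   # $1 = directory, $2 = alias, $3 = host name used as CN
    keytool -genkey -alias "$2" -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$3, O=Example" -storetype JKS \
        -keypass "$STOREPASS" -storepass "$STOREPASS" \
        -keystore "$1/keystore.jks"
}

# Step 2: export the certificate of that key pair to name.cer.
export_cert() {    # $1 = directory, $2 = alias
    keytool -export -alias "$2" -storepass "$STOREPASS" \
        -file "$1/name.cer" -keystore "$1/keystore.jks"
}

# Step 3: import it into the truststore cacerts.jks (created if missing).
# -noprompt answers the "Trust this certificate?" question for a self-signed cert.
import_cert() {    # $1 = directory, $2 = alias
    keytool -import -noprompt -trustcacerts -alias "$2" -file "$1/name.cer" \
        -storetype JKS -storepass "$STOREPASS" -keystore "$1/cacerts.jks"
}

# Certificate fingerprint for an alias, taken from the "fingerprint" line
# that keytool -list prints (algorithm name differs between JDK versions).
fingerprint() {    # $1 = keystore file, $2 = alias
    keytool -list -keystore "$1" -storepass "$STOREPASS" -alias "$2" \
        | awk -F': ' '/fingerprint/ { print $2 }' | tr -d ' \r'
}

# Runs the three steps in a directory and verifies the truststore entry
# is the exported certificate; returns non-zero on any mismatch.
setup_self_signed() {   # $1 = directory (default .), $2 = alias, $3 = CN
    dir="${1:-.}"; name="${2:-alias-name}"; cn="${3:-meinTriforkServer}"
    make_keypair "$dir" "$name" "$cn"
    export_cert "$dir" "$name"
    import_cert "$dir" "$name"
    ks=$(fingerprint "$dir/keystore.jks" "$name")
    ts=$(fingerprint "$dir/cacerts.jks" "$name")
    [ -n "$ks" ] && [ "$ks" = "$ts" ] || {
        echo "fingerprint mismatch: keystore=$ks truststore=$ts" >&2
        return 1
    }
    echo "OK: $name present in keystore.jks and cacerts.jks ($ks)"
}

if command -v keytool >/dev/null 2>&1; then
    setup_self_signed "$@"
else
    echo "keytool not found: add the JDK's bin directory to PATH" >&2
fi
```

Run it from the directory where the three files should be created (for example `sh setup-ssl.sh . alias-name meinTriforkServer`), then move keystore.jks, cacerts.jks and name.cer to the config directory named above. The fingerprint comparison at the end catches the common mistake of importing a stale or wrong name.cer into the truststore, which would otherwise only show up as a failed TLS handshake.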
For converting existing certificates (*.pem, *.der, *.p12) to the Java keystore format, free tools available on the internet can be used. Individual certificate containers can be converted to other formats by means of OpenSSL (http://www.openssl.org/support/faq.html).