Configuring HTTPS Communication

By default, the Spectrum™ Technology Platform server uses HTTP for communication with Enterprise Designer and Management Console, as well as for web service calls, API calls, and remote server communication. You can configure Spectrum™ Technology Platform to use HTTPS if you want to secure these network communications.

This procedure describes how to enable HTTPS communication on a single-server installation of Spectrum™ Technology Platform. If you want to use HTTPS and you are running Spectrum™ Technology Platform in a cluster, do not follow this procedure. Instead, configure the load balancer to use HTTPS for communication with clients. Communication between the load balancer and the Spectrum™ Technology Platform nodes, and between the nodes themselves, will be unencrypted because Spectrum™ Technology Platform clustering does not support HTTPS. The load balancer and the Spectrum™ Technology Platform servers in the cluster must be behind a firewall to provide a secure environment.

  1. Stop the Spectrum™ Technology Platform server.
    • To stop the server on Windows, right-click the Spectrum™ Technology Platform icon in the Windows system tray and select Stop Spectrum™. Alternatively, you can use the Windows Services control panel and stop the Pitney Bowes Spectrum™ Technology Platform service.
    • To stop the server on Unix or Linux, source the SpectrumLocation/server/bin/setup script, then execute the SpectrumLocation/server/bin/server.stop script.
  2. Create a certificate signed by a trusted Certificate Authority (CA).
  3. Load the certificate into a JSSE keystore. For more information, see www.eclipse.org/jetty/documentation/current/configuring-ssl.html#loading-keys-and-certificates.
  4. Create an XML file named spectrum-override-container-ssl.xml containing the following:
    <beans xmlns="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:util="http://www.springframework.org/schema/util"
        xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
           http://www.springframework.org/schema/util
           http://www.springframework.org/schema/util/spring-util-3.0.xsd">
        
        <bean id="defaultWebServerConnector" class="org.eclipse.jetty.server.ServerConnector">
            <constructor-arg ref="webServer"/>
            <constructor-arg>
                <bean class="org.eclipse.jetty.util.ssl.SslContextFactory">
                    <property name="keyStorePath" value="/SpectrumKeystore"/>
                    <property name="keyManagerPassword" value="password"/>
                    <property name="keyStorePassword" value="password"/>
                </bean>
            </constructor-arg>
            <property name="host" value="${spectrum.bind.address}"/>
            <property name="port" value="${spectrum.http.port}"/>
            <property name="idleTimeout" value="-1"/>
        </bean>
    </beans>
  5. Modify the following lines as needed to reflect your environment:
    <property name="keyStorePath" value="/SpectrumKeystore"/> Modify the value to be the full path to the Java keystore.
    <property name="keyManagerPassword" value="password"/> Modify the value to be the password to the keystore.
    <property name="keyStorePassword" value="password"/> Modify the value to be the password to the key within the keystore.
  6. Save the spectrum-override-container-ssl.xml file to SpectrumLocation/server/app/conf/spring.
  7. Using a text editor, open the file spectrum-container.properties located in SpectrumLocation/server/app/conf. Uncomment and set the following properties:

    spectrum.http.port=port
    spectrum.runtime.port=port
    spectrum.runtime.hostname=dnsname

    Where port is the network port to use for communication with the clients (for example 8443) and dnsname is the hostname of the Spectrum™ Technology Platform server. The port you specify must be the same for both spectrum.http.port and spectrum.runtime.port.

  8. If you are configuring HTTPS communication for the Location Intelligence Module and Spectrum Spatial services, you must perform additional configuration prior to restarting the Spectrum™ Technology Platform server:
    1. Modify the java.properties file (SpectrumLocation\server\modules\spatial) by changing all hostnames and ports to be exactly the same as the ones used for the Spectrum™ Technology Platform server. The hostname must match the DNS name of the server and the CN in the certificate. Set property repository.useSecureConnection to true. For example:
      images.webapp.url=https://www.spectrum.com:8443/Spatial/images
      thumbnail.location=https://www.spectrum.com:8443/Spatial/Thumbnails
      
      repository.host=www.spectrum.com
      repository.port=8443
      repository.useSecureConnection=true
    2. Modify the service configuration files in the repository by changing all repository URLs to use https and the hostname and port defined in the previous step. For example, https://www.spectrum.com:8443/RepositoryService/rmi. Also, change these URLs in the value of the elements listed for the services:
      MappingConfiguration - <AccessBaseURL>
      WFSConfiguration, WMSConfiguration - <OnlineResource>, <ResourceRoot>
      Note: Be sure you are editing what is in the Configuration folder in the repository, not in the Configuration folder in your Spectrum™ Technology Platform installation.
  9. Start the Spectrum™ Technology Platform server.
    • To start the server on Windows, right-click the Spectrum™ Technology Platform icon in the Windows system tray and select Start Spectrum™. Alternatively, you can use the Windows Services control panel to start the Pitney Bowes Spectrum™ Technology Platform service.
    • To start the server on Unix or Linux, execute the SpectrumLocation/server/bin/server.start script.
  10. If you are configuring HTTPS communication for the Location Intelligence Module and Spectrum Spatial services, upload the modified files into the Repository using WebDAV (see Using WebFolders to Access Spectrum Spatial Repository Resources for instructions).
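
The following pre-start check is an added example, not part of the product or its documentation. It verifies that the values set in steps 7 and 8 agree: both Spectrum ports set and equal, the repository host and port matching them, and no active URL left on plain HTTP. The function names and sample file contents are constructed for illustration; `served_subject` assumes the `openssl` command-line tool and a started server, and prints the certificate subject whose CN must match spectrum.runtime.hostname.

```shell
# Print the value of an uncommented key in a .properties file (last one wins).
prop() {
    awk -v k="$2" '{ i = index($0, "="); key = substr($0, 1, i - 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key)
        if (i && key == k) { val = substr($0, i + 1); gsub(/^[ \t]+|[ \t\r]+$/, "", val) } }
        END { print val }' "$1"
}

fail() { echo "FAIL: $*"; rc=1; }
# check_https_config CONTAINER_PROPS SPATIAL_PROPS: returns 0 when the files agree.
check_https_config() {
    rc=0
    port=$(prop "$1" spectrum.http.port)
    host=$(prop "$1" spectrum.runtime.hostname)
    [ -n "$port" ] && [ "$port" = "$(prop "$1" spectrum.runtime.port)" ] ||
        fail "spectrum.http.port and spectrum.runtime.port must be set and equal"
    [ -n "$host" ] || fail "spectrum.runtime.hostname is not set"
    [ "$(prop "$2" repository.host)" = "$host" ] || fail "repository.host differs from hostname"
    [ "$(prop "$2" repository.port)" = "$port" ] || fail "repository.port differs from port"
    [ "$(prop "$2" repository.useSecureConnection)" = "true" ] || fail "useSecureConnection is not true"
    # Every active URL value must be https on the same host and port.
    grep -v '^[[:space:]]*#' "$2" | grep '://' | grep -Fqv "=https://$host:$port/" &&
        fail "a URL in $2 is not under https://$host:$port/"
    return $rc
}

# After the server is started: show the subject (CN) of the certificate it serves.
served_subject() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -subject
}

# Constructed sample files (not from a real installation); one URL is left on HTTP.
demo=$(mktemp -d)
cat > "$demo/spectrum-container.properties" <<'EOF'
#spectrum.http.port=8080
spectrum.http.port=8443
spectrum.runtime.port=8443
spectrum.runtime.hostname=www.spectrum.com
EOF
cat > "$demo/java.properties" <<'EOF'
images.webapp.url=https://www.spectrum.com:8443/Spatial/images
thumbnail.location=http://localhost:8080/Spatial/Thumbnails
repository.host=www.spectrum.com
repository.port=8443
repository.useSecureConnection=true
EOF
check_https_config "$demo/spectrum-container.properties" "$demo/java.properties" ||
    echo "correct the settings above before starting the server"
```

On a real installation, pass SpectrumLocation/server/app/conf/spectrum-container.properties and the Spatial module's java.properties as the two arguments.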