SSL and encryption

CLC Server client software (CLC Workbenches, CLC Server Command Line Tools, web client) can communicate with the CLC Server over SSL. This is particularly relevant for setups where the CLC Server is accessible to client software over the internet as well as on a local network. To establish encrypted communication, SSL must be enabled on the CLC Server, and the server certificate must be trusted by the client software.

Enabling SSL on the CLC Server involves obtaining and installing a certificate, and then configuring Tomcat, bundled with the CLC Server software, to support SSL connections. These aspects are described further below.

Logging in to an SSL-enabled CLC Server using a CLC Workbench is described in Logging in using SSL from the Workbench. Logging in to an SSL-enabled CLC Server using the CLC Server Command Line Tools is described in Logging in using SSL from the CLC Server Command Line Tools. The web client for an SSL-enabled CLC Server can be accessed using HTTPS, using the relevant port, e.g. https://<hostname>:8443. If the certificate is not already trusted, the web browser will prompt you to confirm that it is trusted before connecting.

Important notes:

Obtaining and installing a certificate

A server certificate is required before SSL can be enabled on the CLC Server. This is usually obtained from a Certificate Authority (CA) like Thawte or Verisign (see https://en.wikipedia.org/wiki/Certificate_authorities). Self-signed certificates can also be used.

The signed certificate must be placed in a location accessible to the CLC Server process, for example in the conf directory located under the CLC Server installation folder.

Configuring Tomcat for SSL

To enable SSL connections using port 8443, add a Connector to the Tomcat configuration file, located under the CLC Server installation folder at conf/server.xml. The CLC Server must be restarted after changes are made for the changes to take effect.

An example Connector configuration, which refers to a PKCS12 keystore file in the conf directory of the CLC Server, is:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
     maxThreads="150" scheme="https" secure="true"
     clientAuth="false" sslProtocol="TLS"
     keystoreFile="conf/keystore.pkcs12" keystorePass="keystorepasswd"
     keystoreType="PKCS12"
     connectionTimeout="600000"
     maxParameterCount="1000"
     compression="off"
   />

where keystoreFile and keystorePass are assigned values relevant for the server:

Adding SSL connectors does not disable the standard (non-SSL) port, which is 7777 by default.
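The script below is an added example written for this page; it is not part of the CLC Server documentation or software. It reads a Tomcat server.xml of the shape shown above and reports how the SSL connector is configured: which ports are SSL-enabled, whether scheme, secure, keystoreFile and keystorePass are set, whether the keystore file actually exists under the installation folder (the documented example uses a path relative to that folder, which this script assumes), and whether a non-SSL connector such as the default port 7777 is still listening. A second function performs the client-side half of the picture, connecting to the HTTPS port and reporting whether the server certificate is trusted, using Python's default trust store rather than the Workbench's or a browser's. The embedded SAMPLE_SERVER_XML is constructed from the Connector in the text and is not a real server's configuration.

```python
"""Audit the SSL connector configuration of a CLC Server (Tomcat) server.xml."""
import os
import socket
import ssl
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample modelled on the Connector shown in the documentation
# (plus the default non-SSL connector on 7777); not a real server's file.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="7777" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
         maxThreads="150" scheme="https" secure="true"
         clientAuth="false" sslProtocol="TLS"
         keystoreFile="conf/keystore.pkcs12" keystorePass="keystorepasswd"
         keystoreType="PKCS12"
         connectionTimeout="600000"
         maxParameterCount="1000"
         compression="off"
       />
  </Service>
</Server>
"""


def audit_connectors(server_xml: str, install_dir: Optional[str] = None) -> dict:
    """Inspect every <Connector> and return ssl_ports, plain_ports and findings.

    If install_dir is given, a relative keystoreFile is resolved against it
    (as the documented conf/keystore.pkcs12 example implies) and checked for
    existence; without install_dir the existence check is skipped.
    """
    root = ET.fromstring(server_xml)
    ssl_ports, plain_ports, findings = [], [], []
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        if conn.get("SSLEnabled", "false").lower() != "true":
            plain_ports.append(port)
            continue
        ssl_ports.append(port)
        # scheme/secure tell the web application it is served over HTTPS
        if conn.get("scheme") != "https" or conn.get("secure", "false").lower() != "true":
            findings.append(f'port {port}: SSL connector should set scheme="https" and secure="true"')
        keystore = conn.get("keystoreFile")
        if not keystore:
            findings.append(f"port {port}: SSLEnabled connector has no keystoreFile")
        elif install_dir is not None:
            path = keystore if os.path.isabs(keystore) else os.path.join(install_dir, keystore)
            if not os.path.isfile(path):
                findings.append(f"port {port}: keystoreFile {path} not found")
        if not conn.get("keystorePass"):
            findings.append(f"port {port}: keystorePass is not set")
    if not ssl_ports:
        findings.append("no SSLEnabled connector: clients cannot connect over SSL")
    if plain_ports:
        # Adding an SSL connector does not disable the standard port.
        findings.append("non-SSL connector(s) still listening on port(s) " + ", ".join(plain_ports))
    return {"ssl_ports": ssl_ports, "plain_ports": plain_ports, "findings": findings}


def check_server_trust(hostname: str, port: int = 8443, timeout: float = 5.0) -> dict:
    """Connect to the HTTPS port and report whether the certificate is trusted.

    Uses Python's default context, which verifies the chain and the hostname;
    a self-signed or untrusted certificate is reported rather than raised.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                return {
                    "trusted": True,
                    "tls_version": tls.version(),
                    "subject": dict(rdn[0] for rdn in cert.get("subject", ())),
                    "not_after": cert.get("notAfter"),
                }
    except ssl.SSLCertVerificationError as exc:
        return {"trusted": False, "error": str(exc)}


if __name__ == "__main__":
    # Audit the constructed sample; pass a real installation folder to also
    # verify that the keystore file exists, e.g. audit_connectors(xml, "/opt/clcserver").
    for line in audit_connectors(SAMPLE_SERVER_XML)["findings"]:
        print("-", line)
```

Run it against the real file with `audit_connectors(open("conf/server.xml").read(), install_dir)` after editing the Connector and before restarting the server, and call `check_server_trust("<hostname>")` from a client machine once the server is back up to confirm the certificate is accepted.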
