SSL and encryption

Communication between the CLC Server and the client software connecting to it can be configured to use SSL. This is particularly relevant for setups where the CLC Server is accessible over the internet and not only on a local network, but it protects logins on a local network just as well.

The default configuration of the server does not use SSL: user names, passwords and data exchanged with clients are then sent unencrypted.

Logging in to an SSL-enabled CLC Server from a CLC Workbench is described in Logging in using SSL from the Workbench. Logging in using the CLC Server Command Line Tools is described in Logging in using SSL from the CLC Server Command Line Tools.

Enabling SSL on the server

A server certificate is required before SSL can be enabled on the CLC Server. It is usually obtained from a Certificate Authority (CA) such as Thawte or Verisign (see http://en.wikipedia.org/wiki/Certificate_authorities).

The signed certificate and its private key must be packaged in a PKCS12 keystore file. The keystore file is either provided by the CA, or it can be generated from the private key used to request the certificate and the signed certificate file returned by the CA (see Creating a PKCS12 keystore file).

Copy the keystore file to the conf subdirectory of the CLC Server installation folder. The keystore contains the server's private key, so make it readable only by the account the CLC Server runs as.

Next, the server.xml file in the conf subdirectory of the CLC Server installation folder has to be edited to enable SSL connections. Add a connector like the following to server.xml:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="conf/keystore.pkcs12" keystorePass="tomcat"
               keystoreType="PKCS12"
/>
Replace keystore.pkcs12 with the name of your keystore file, and replace tomcat with the password for your keystore. Note that this password is stored in clear text in server.xml, so that file needs the same restricted permissions as the keystore itself.

The above settings make SSL available on port 8443. The standard (non-SSL) port would still be 7777, or whatever port number you have configured it to, so clients can still connect unencrypted on that port.

A self-signed certificate can be generated if only encryption of the connection is needed. It protects the traffic, but clients cannot verify the server's identity through a CA and have to trust the certificate explicitly, so users who accept an unknown certificate without checking it could be connecting to an impostor. See http://www.akadia.com/services/ssh_test_certificate.html for further details.

Creating a PKCS12 keystore file

If the certificate is not supplied in a pkcs12 keystore file, one can be created by combining the private key and the signed certificate obtained from the CA using openssl:

openssl pkcs12 -export -out keystore.pkcs12 -inkey private.key -in certificate.crt -name "tomcat"

This will take the private key from the file private.key and the signed certificate from certificate.crt and generate a pkcs12 store in the keystore.pkcs12 file. openssl prompts for an export password; this is the password to enter as keystorePass in server.xml. If the CA also supplied intermediate certificates, add them with -certfile so that clients can build the full chain to the CA.
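The procedure above (self-signed certificate or CA-issued certificate, openssl pkcs12 export, copy to conf/) collected into a shell script, as an added example that is not part of the CLC Server documentation or the CLC software. It builds the keystore with the alias used in the command above, checks before installation that the file opens with the password that will go into keystorePass and that the certificate carries the expected alias and hostname, and can compare the certificate's fingerprint with the one a running server presents on its SSL port. The hostname server.example.org, the directory and function names and the password are assumptions for the example; with a CA-issued certificate the openssl req step is not needed and the export is pointed at the CA-signed certificate file instead.

```shell
#!/bin/sh
# Added example, not part of the CLC Server documentation: build and check a
# PKCS12 keystore for the server.xml connector shown above, here from a
# self-signed test certificate (the CA-issued case differs only in where
# private.key and certificate.crt come from). Assumptions not in the page:
# OpenSSL 1.1 or later is installed; server.example.org is a stand-in host.
set -eu

# make_keystore DIR CN PASSWORD
# Writes DIR/private.key and DIR/certificate.crt (self-signed, valid 365
# days), then DIR/keystore.pkcs12 with the alias "tomcat", matching the
# keystoreFile / keystorePass / keystoreType settings for server.xml.
# Prints the keystore path.
make_keystore() {
    dir=$1; cn=$2; pass=$3
    mkdir -p "$dir"
    # The key is written unencrypted (-nodes): Tomcat is given only the
    # keystore password, so a separately passphrased key would not load.
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \
        -subj "/CN=$cn" -keyout "$dir/private.key" \
        -out "$dir/certificate.crt" 2>/dev/null
    # Same export as the manual's command; the password comes from an
    # environment variable instead of the prompt, and the subshell's umask
    # keeps the keystore (which holds the private key) owner-readable only.
    ( umask 077
      KS_PASS=$pass openssl pkcs12 -export -name tomcat \
          -inkey "$dir/private.key" -in "$dir/certificate.crt" \
          -out "$dir/keystore.pkcs12" -passout env:KS_PASS )
    echo "$dir/keystore.pkcs12"
}

# keystore_cert FILE PASSWORD
# Prints the server certificate stored in FILE (PEM plus bag attributes);
# fails if the password is wrong or FILE is not a PKCS12 keystore.
keystore_cert() {
    KS_PASS=$2 openssl pkcs12 -in "$1" -nokeys -clcerts \
        -passin env:KS_PASS 2>/dev/null
}

# verify_keystore FILE PASSWORD CN
# The check to run before copying the file into conf/: the keystore opens
# with the password that will go into keystorePass, the certificate carries
# the alias "tomcat", and its subject CN is the host clients connect to.
verify_keystore() {
    file=$1; pass=$2; cn=$3
    cert=$(keystore_cert "$file" "$pass") || return 1
    printf '%s\n' "$cert" | grep -q 'friendlyName: tomcat' || return 1
    printf '%s\n' "$cert" | openssl x509 -noout -subject \
        | grep -q "CN *= *$cn" || return 1
}

# keystore_fingerprint FILE PASSWORD
# SHA-256 fingerprint of the certificate in the keystore.
keystore_fingerprint() {
    keystore_cert "$1" "$2" | openssl x509 -noout -fingerprint -sha256
}

# server_fingerprint HOST PORT
# SHA-256 fingerprint of the certificate a running server presents on its
# SSL port (8443 in the connector above). A mismatch with
# keystore_fingerprint means the connector is not serving the keystore you
# installed. Needs a live server, so it is not exercised offline.
server_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256
}

# Demo: `sh make_keystore.sh demo` builds a keystore in ./clc-ssl and checks
# it; without the argument only the functions above are defined.
if [ "${1:-}" = "demo" ]; then
    ks=$(make_keystore ./clc-ssl server.example.org 'S3cretKeystorePass')
    verify_keystore "$ks" 'S3cretKeystorePass' server.example.org \
        && echo "keystore OK: $ks" || echo "keystore check FAILED"
    keystore_fingerprint "$ks" 'S3cretKeystorePass'
fi
```

Run `verify_keystore` against the exact file and password that will be written into server.xml, then after restarting the server compare `server_fingerprint host 8443` with `keystore_fingerprint`; this catches a wrong path, a wrong password or an old keystore left in conf/. If the CLC Server's Java runtime refuses the keystore, re-export it with OpenSSL's -legacy option: OpenSSL 3 uses newer PKCS12 encryption defaults than some Java versions accept.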