Prerequisites

To follow these instructions you'll need a working copy of Apache Rave up and running under Tomcat 6. Please see the Installing Rave page for instructions on how to get up and running.

These instructions are written assuming a Tomcat installation path of /temp/tomcat so you may want to use that path for testing while you follow these instructions.

Also note that these instructions were written and tested using Tomcat running on Windows. Tomcat on other platforms should be exaclty the same except for startup scripts (.bat vs .sh) and file locations (c:\ vs /).

Enabling SSL in Tomcat

These instructions demonstrate how to get Tomcat 6 running over SSL using a self signed certificate.

  • Copy the default cacerts file to /temp/tomcat (this allows you to not have to pollute your real cacerts file with test certs).

    cp "%JAVA_HOME%/jre/lib/security/cacerts" "/temp/tomcat/custom-cacerts"
    
  • Generate a self signed certificate that you'll use with Tomcat.

    "%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA -validity 365 -storepass changeit -keystore /temp/tomcat/custom-cacerts
    
    What is your first and last name?  
      [Unknown]:  rave-server.example.com  
    What is the name of your organizational unit?  
      [Unknown]:  example unit  
    What is the name of your organization?  
      [Unknown]:  example organization  
    What is the name of your City or Locality?  
      [Unknown]:  example city  
    What is the name of your State or Province?  
      [Unknown]:  example state  
    What is the two-letter country code for this unit?  
      [Unknown]:  US  
    Is CN=rave-server.example.com, OU=example unit, O=example organization, L=example city, ST=example state, C=US correct?  
      [no]:  yes
    
    Enter key password for <tomcat>  
            (RETURN if same as keystore password):
    
  • Edit Tomcats startup.bat file to get the JVM to use our alternate cacerts file. It is important for the JVM to trust our self signed certificate because Apache Rave makes HTTP requests to Shindig to fetch gadget metadata, and if those requests are over SSL then the JVM must trust the certificate being used for the SSL communication.

    (added the following line above the "call "%EXECUTABLE%" start ..." line)

    set JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStore=c:\temp\tomcat\custom-cacerts
    
  • Edit Tomcats server.xml to enable an SSL listener on port 443 using our alternate cacerts file. By default Tomcat looks for a certificate with the alias "tomcat" which is what we used to create our self signed certificate.

    (did a search and replace of 8443 with 443)
    (uncommented the HTTPS connector and configured it to use our custom cacerts file)

    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               keystoreFile="c:\temp\tomcat\custom-cacerts" keystorePass="changeit"
               clientAuth="false" sslProtocol="TLS" />
    
  • Startup Tomcat and verify that Apache Rave still runs properly on http://localhost:8080/portal/

  • Make sure you can access the portal login page at https://rave-server.example.com/portal

    Note - if you already have an authenticated session open in your browser you'll probably need to close and re-open your browser to access the login page. Also note that the rest of Apache Rave wont work over SSL yet.

Configure Apache Rave and Shindig to run over SSL.

  • Edit the /temp/tomcat/webapps/portal/WEB-INF/classes/portal.properties file to configure Apache Rave to use SSL.

    (updated the following values at the top of the portal.properties config file with)

    portal.opensocial_engine.protocol=https
    portal.opensocial_engine.root=rave-server.example.com
    portal.opensocial_engine.gadget_path=/gadgets
    
  • Edit the /temp/tomcat/webapps/ROOT/WEB-INF/classes/rave.shindig.properties and /temp/tomcat/webapps/ROOT/WEB-INF/classes/containers/default/container.js files to configure Shindig to use SSL.

    Note - there may be other ways to get Shindig to use SSL but this method does work. Also note - the changes to container.js are a search and replace of http:// with https://

    (updated the following values at the top of the rave.shindig.properties config file with)

    shindig.host=rave-server.example.com
    shindig.port=
    shindig.contextroot=
    
  • Startup Tomcat and verify that Rave runs properly on https://rave-server.example.com/portal

Complete diff of modified files follows

diff -r tomcat-vanilla\bin\startup.bat tomcat\bin\startup.bat
56c56,57
<
---
>
> set JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStore=c:\temp\tomcat\custom-cacerts

diff -r tomcat-vanilla\conf\server.xml tomcat\conf\server.xml
71c71
< redirectPort="8443" />
---
> redirectPort="443" />
77c77
< redirectPort="8443" />
---
> redirectPort="443" />
79c79
< <!-- Define a SSL HTTP/1.1 Connector on port 8443
---
> <!-- Define a SSL HTTP/1.1 Connector on port 443
83,84c83
< <!--
< <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
---
> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
85a85
> keystoreFile="c:\temp\tomcat\custom-cacerts" keystorePass="changeit"
87d86
< -->
90c89
< <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
---
> <Connector port="8009" protocol="AJP/1.3" redirectPort="443" />

diff -r tomcat-vanilla\webapps\portal\WEB-INF\classes\portal.properties tomcat\webapps\portal\WEB-INF\classes\portal.properties
25,26c25,26
< portal.opensocial_engine.protocol=http
< portal.opensocial_engine.root=localhost:8080
---
> portal.opensocial_engine.protocol=https
> portal.opensocial_engine.root=rave-server.example.com

diff -r tomcat-vanilla\webapps\ROOT\WEB-INF\classes\containers\default\container.js tomcat\webapps\ROOT\WEB-INF\classes\containers\default\container.js
10c10
< * http://www.apache.org/licenses/LICENSE-2.0
---
> * https://www.apache.org/licenses/LICENSE-2.0
78c78
< "gadgets.jsUriTemplate" : "http://%host%${CONTEXT_ROOT}/gadgets/js/%js%",
---
> "gadgets.jsUriTemplate" : "https://%host%${CONTEXT_ROOT}/gadgets/js/%js%",
86c86
< "gadgets.uri.js.host" : "http://www.example.com/",
---
> "gadgets.uri.js.host" : "https://www.example.com/",
99c99
< "gadgets.osDataUri" : "http://%host%${CONTEXT_ROOT}/rpc",
---
> "gadgets.osDataUri" : "https://%host%${CONTEXT_ROOT}/rpc",
106,107c106,107
< //"defaultShindigTestHost": "http://${SERVER_HOST}:${SERVER_PORT}",
< "defaultShindigTestHost":"http://%authority%",
---
> //"defaultShindigTestHost": "https://${SERVER_HOST}:${SERVER_PORT}",
> "defaultShindigTestHost":"https://%authority%",
154c154
< "urlTemplate" : "http://localhost${CONTEXT_ROOT}/gadgets/profile?{var}",
---
> "urlTemplate" : "https://localhost${CONTEXT_ROOT}/gadgets/profile?{var}",
159c159
< "urlTemplate" : "http://localhost${CONTEXT_ROOT}/gadgets/canvas?{var}",
---
> "urlTemplate" : "https://localhost${CONTEXT_ROOT}/gadgets/canvas?{var}",
260c260
< "path" : "http://%host%${CONTEXT_ROOT}/rpc",
---
> "path" : "https://%host%${CONTEXT_ROOT}/rpc",
262c262
< "invalidatePath" : "http://%host%${CONTEXT_ROOT}/rpc",
---
> "invalidatePath" : "https://%host%${CONTEXT_ROOT}/rpc",
290c290
< "endPoints" : [ "http://%host%${CONTEXT_ROOT}/rpc" ]
---
> "endPoints" : [ "https://%host%${CONTEXT_ROOT}/rpc" ]

diff -r tomcat-vanilla\webapps\ROOT\WEB-INF\classes\rave.shindig.properties tomcat\webapps\ROOT\WEB-INF\classes\rave.shindig.properties
24,25c24,25
< shindig.host=localhost
< shindig.port=8080
---
> shindig.host=rave-server.example.com
> shindig.port=