You can configure the Synthetic Server to use SSL to secure network connections. Follow the steps below to configure the Synthetic Server to use a signed certificate and its password.
-
server:
...
applicationConnectors:
- type: https
port: <port>
keyStorePath: <path to JKS files>
keyStorePassword: <jks file password>
validateCerts: false
If you don't already have a signed certificate, see Create and Sign an RSA Security Certificate.
-
Edit the Synthetic Shepherd configuration file at <installation directory>/conf/synthetic-shepherd
server:
...
applicationConnectors:
- type: https
port: <port>
keyStorePath: <path to jks file>
keyStorePassword: <jks file password>
validateCerts: false
- Restart the Synthetic Server.
- Verify the connection to the HTTPS port.
Create and Sign an RSA Security Certificate
The following sections describe and show an example of how to create a custom RSA security certificate, generate a new JKS keystore, and sign the certificate.
- Install the Prerequisite Libraries
-
Create a Certificate and Keystore
-
Sign and Install the Signed Certificate
Install Prerequisite Libraries
Make sure the following libraries are installed:
Create a Certificate and Keystore
Use the keytool command to create a keystore that uses RSA encryption then generate a certificate signing request (CSR).
The following steps show you an example of how to do both.
-
At a command prompt, navigate to the root directory of the Synthetic Server:
cd <synthetic_server_root>
-
Create a new keystore with a new unique key pair that uses RSA encryption:
<path_to_jre>/jre/bin/keytool -genkey -keyalg RSA -validity <validity_in_days> -alias 'synthetic-server' -keystore ./mycustom.keystore
This creates a new public-private key pair with an alias of "synthetic-server". You can use any value you like for the alias. The "first and last name" required during the installation process becomes the common name (CN) of the certificate. Use the name of the server.
- Configure the keystore by entering the information requested at the command prompt.
- Specify a password for the keystore. You need to configure this password in the Synthetic Server configuration file later.
-
Generate a certificate signing request (CSR):
<path_to_jre>/jre/bin/keytool -certreq -keystore ./mycustom.keystore -file /tmp/synthetic-server.csr -alias 'synthetic-server'
This generates a certificate signing request based on the contents of the alias; in the example, it is "synthetic-server".
Sign and Install the Signed Certificate
Once you have a CSR, you request a Certificate Authority to sign it and then install the signed certificate.
The following steps are a continuation of the process from Create a Certificate and Keystore:
-
Send the output file from the last step (/tmp/synthetic-server.csr in this example) to a Certificate Authority for signing.
-
Install the certificate for the Certificate Authority used to sign the .csr file:
<path_to_jre>/jre/bin/keytool -import -trustcacerts -alias myorg-rootca -keystore ./mycustom.keystore -file /path/to/<CA-root-cert>
This command imports your CA's root certificate into the keystore and stores it in an alias called "myorg-rootca".
-
Install the signed server certificate as follows:
<path_to_jre>/jre/bin/keytool -import -keystore ./mycustom.keystore -file /path/to/<signed-cert> -alias 'synthetic-server'
This command imports your signed certificate over the top of the self-signed certificate in the existing alias; in the example, it is "synthetic-server".
- Import the root certificate to the other platform components connecting to the Synthetic Server through HTTPS:
keytool -import -trustcacerts -alias <alias_name> -file mycert.cer -keystore <complete_path_to_cacerts.jks>
