Enabling HTTPS

The following configuration is required to enable HTTPS:

  1. Browse to the SmartUnifierManager/conf folder.

  2. Open application.conf for editing.

  3. Comment out (using #) the following lines:

       play.server.http.port = 9000
       play.server.http.address = "0.0.0.0"

  4. Uncomment the following lines and replace path_to_keystore and keystore_password with valid data:

       play.server.http.port=disabled
       play.server.https.port=9443

       play.server.https.keyStore.path="path_to_keystore"
       play.server.https.keyStore.password="keystore_password"

  5. Save and close.

By default, the keystore type is JKS; the PEM and PKCS12 formats are also supported. To change the keystore type, add the following configuration: play.server.https.keyStore.type=PEM
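As an added check (not part of the SmartUnifier documentation), this POSIX shell script verifies that application.conf reflects steps 3 and 4 above: plain HTTP disabled, both placeholders replaced, the keystore file present, and keyStore.type set when a PEM file is used. The function names, the constructed sample config and the assumption that settings are simple key=value lines are mine.

```shell
#!/bin/sh
# Added example, not part of the SmartUnifier documentation: checks that
# application.conf is in the HTTPS-only state the steps above describe. Assumes
# the simple key=value lines shown on this page (values optionally quoted).
# conf_value FILE KEY: print the last active (uncommented) value of KEY.
conf_value() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# check_https_conf FILE: return 0 when hardened, else print FAIL lines and return 1.
check_https_conf() {
    f=$1; rc=0
    http_port=$(conf_value "$f" play.server.http.port)
    https_port=$(conf_value "$f" play.server.https.port)
    ks_path=$(conf_value "$f" play.server.https.keyStore.path)
    ks_pass=$(conf_value "$f" play.server.https.keyStore.password)
    ks_type=$(conf_value "$f" play.server.https.keyStore.type)
    # Steps 3 and 4: plain HTTP must be commented out or explicitly disabled.
    if [ -n "$http_port" ] && [ "$http_port" != disabled ]; then
        echo "FAIL: plain HTTP still listens on port $http_port"; rc=1
    fi
    [ -n "$https_port" ] || { echo "FAIL: play.server.https.port is not set"; rc=1; }
    # Step 4: both placeholders must have been replaced and the keystore must exist.
    case $ks_path in
        ''|path_to_keystore) echo "FAIL: keyStore.path missing or still the placeholder"; rc=1 ;;
        *) [ -f "$ks_path" ] || { echo "FAIL: keystore file '$ks_path' not found"; rc=1; } ;;
    esac
    case $ks_pass in
        ''|keystore_password) echo "FAIL: keyStore.password missing or still the placeholder"; rc=1 ;;
    esac
    # The default type is JKS, so a PEM keystore needs keyStore.type=PEM.
    case $ks_path in
        *.pem) [ "$ks_type" = PEM ] || { echo "FAIL: PEM keystore but keyStore.type is '${ks_type:-JKS/default}'"; rc=1; } ;;
    esac
    return $rc
}

# Constructed sample: step 4 uncommented, but the placeholders not yet replaced.
demo=$(mktemp)
cat > "$demo" <<'EOF'
play.server.http.port=disabled
play.server.https.port=9443
play.server.https.keyStore.path="path_to_keystore"
play.server.https.keyStore.password="keystore_password"
EOF
if check_https_conf "$demo"; then echo "OK: HTTPS-only"; else echo "NOT READY: fix the findings above"; fi
rm -f "$demo"
```

Run it against the real file with `check_https_conf SmartUnifierManager/conf/application.conf` after sourcing the script; a zero exit status means the configuration matches the steps above.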

Generating a keystore is done using the following command:

    keytool -keysize 2048 -genkey -alias unifier -keyalg RSA -keystore unifier.keystore

  • -keysize 2048 sets the length of the generated key. The larger the key, the harder it is to break; 2048 is sufficient for high-level security.

  • -genkey (a shorthand for -genkeypair) generates a public key and an associated private key.

  • -alias unifier sets the alias for the key pair; use this alias to reference the entry in the keystore later, when configuring the application.

  • -keyalg RSA sets the key algorithm, which is RSA.

  • -keystore unifier.keystore sets the name of the file into which the generated key will be written.

Next, keytool asks you to "fill in a questionnaire" (name, organizational unit, organization, city, state and country code). The data you provide is stored with the SSL key.

Once the keystore is created, you can generate the public SSL key, that is, a Certificate Signing Request (CSR). Recall the keystore password and run the following command (the terminal asks you to provide the correct password):

    keytool -certreq -alias unifier -file unifier_csr.txt -keystore unifier.keystore

  • -certreq generates the public SSL key (also known as a Certificate Signing Request).

  • -alias unifier sets the alias used to refer to the key.

  • -file unifier_csr.txt creates the unifier_csr.txt file to store the request (this is different from the keystore).

  • -keystore unifier.keystore sets the key storage file.

You can skip this section if you only want to test the HTTPS connection. However, if you are going to use the generated SSL key in production, you need to send the request to a Certificate Authority.

Copy the SSL key that you can find in the home/johndoe/csr.txt file. Note that you must copy the entire contents of the file, including the delimiters -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST-----. Without the delimiters, your key is not valid.

In exchange for the key, the SSL provider gives you two certificates: the root and the intermediary certificates (also called the primary and secondary certificates). Add them both into the keystore.

Use the following command to add the intermediary certificate to the keystore:

    keytool -importcert -alias secondary -keystore unifier.keystore -file <path_to_intermediary_certificate>.<ext>

  • -importcert tells keytool to import the certificate into the keystore.

  • -alias secondary sets the alias for the intermediary certificate.

  • -keystore unifier.keystore sets the keystore that receives the certificate.

  • -file <path_to_intermediary_certificate>.<ext> sets the path to the file with the intermediary certificate. Remember to replace <path_to_intermediary_certificate> with the actual path, and use the proper file extension instead of <ext>.

Similarly, you can add the root certificate to your keystore; in this case you need to use a slightly different command, with the -trustcacerts option:

    keytool -importcert -alias unifier -keystore unifier.keystore -trustcacerts -file <path_to_root_certificate>.<ext>