Enable SSL
You can use SSL with QAD QXtend to encrypt all HTTP messages between the client and server. To use SSL, configure Tomcat to provide an SSL connection to the QAD QXtend server WebApp.
To complete the configuration, you must:
Modify server.xml.
Modify catalina.bat or catalina.sh.
Create Trusted Security Certificates in Java.
Modify server.xml
Define an SSL HTTP/1.1 connector on port 8443 in <TOMCAT_HOME>\conf\server.xml. The first section of the following file content appears in the default server.xml. Add the Connector definition following the end of the comment marker (-->) as shown in the following example.
<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
<!--
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
-->
<Connector
className="org.apache.coyote.tomcat4.CoyoteConnector"
port="8443"
scheme="https"
secure="true"
useURIValidationHack="false"
disableUploadTimeout="true">
</Connector>
See the Tomcat documentation for further information.
To define SSL on AIX Java 5, set the sslProtocol attribute to sslProtocol="SSL" and add the attribute algorithm="IbmX509" as follows:
<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
<!--
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="SSL"
algorithm="IbmX509" />
-->
For more information, see the Tomcat SSL documentation.
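The following check is an added example, not part of the QAD guide or of Tomcat: it parses server.xml and confirms that an uncommented Connector on port 8443 carries scheme="https" and secure="true". The function name audit_ssl_connector and the Server/Service skeleton around the sample are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the connector layout from this section inside a minimal
# Server/Service skeleton (the skeleton is an assumption, added so it parses).
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
    <!--
    <Connector port="8443" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8443" scheme="https" secure="true"
               useURIValidationHack="false" disableUploadTimeout="true">
    </Connector>
  </Service>
</Server>"""

def audit_ssl_connector(server_xml_text, port="8443"):
    """Return a list of problems with the active Connector on `port`."""
    # ElementTree discards XML comments, so a Connector that is still inside
    # <!-- ... --> is invisible here, exactly as it is to Tomcat.
    root = ET.fromstring(server_xml_text)
    active = [c for c in root.iter("Connector") if c.get("port") == port]
    if not active:
        return ["no active Connector on port %s (is it still commented out?)" % port]
    problems = []
    if len(active) > 1:
        problems.append("%d active Connectors are bound to port %s" % (len(active), port))
    for connector in active:
        for attribute, expected in (("scheme", "https"), ("secure", "true")):
            actual = connector.get(attribute)
            if actual != expected:
                problems.append('%s is %r, expected "%s"' % (attribute, actual, expected))
    return problems
```

An empty list means the HTTPS connector is active; a definition that was edited but left between the comment markers is reported as missing.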
Modify catalina.bat or catalina.sh
This section describes the tasks to perform for Tomcat versions before 5.5.
For the QAD QXtend servlets to work with the HTTPS connector, set the following properties in TOMCAT_HOME\bin\catalina.bat on Windows or TOMCAT_HOME/bin/catalina.sh on UNIX. The QAD QXtend servlet properties are:
-Djavax.net.ssl.trustStore=<Location of the keystore>
-Djavax.net.ssl.trustStorePassword=<keystore password>
-Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol
Enter these lines into the file after each instance of RUNJDB or RUNJAVA. One entry is shown in the following code as an example. However, you typically make this code change in seven or eight locations.
exec "$_RUNJDB" $JAVA_OPTS $CATALINA_OPTS \
-Djavax.net.ssl.trustStore=<Location of the keystore> \
-Djavax.net.ssl.trustStorePassword=<keystore password> \
-Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol \
-Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \
-sourcepath "$CATALINA_HOME"/../../jakarta-tomcat-4.0/catalina/src/share \
-Djava.security.manager \
-Djava.security.policy=="$CATALINA_BASE"/conf/catalina.policy \
-Dcatalina.base="$CATALINA_BASE" \
-Dcatalina.home="$CATALINA_HOME" \
-Djava.io.tmpdir="$CATALINA_TMPDIR" \
org.apache.catalina.startup.Bootstrap "$@" start
else
exec "$_RUNJDB" $JAVA_OPTS $CATALINA_OPTS \
-Djavax.net.ssl.trustStore=<The location of the keystore> \
...
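Because the change has to be repeated at seven or eight launch commands, a missed location is easy to overlook. The following audit is an added example, not part of the QAD guide: it joins the backslash-continued lines of catalina.sh and reports every $_RUNJDB or $_RUNJAVA command that lacks one of the three properties. The function names, the sample script and the keystore path in it are constructed for illustration.

```python
import re

# The three properties the section requires on every launch command.
REQUIRED = (
    "-Djavax.net.ssl.trustStore=",
    "-Djavax.net.ssl.trustStorePassword=",
    "-Djava.protocol.handler.pkgs=",
)
# A command line that starts, optionally after "exec", with $_RUNJDB or $_RUNJAVA.
LAUNCH = re.compile(r'^\s*(?:exec\s+)?"?\$\{?_RUN(?:JDB|JAVA)\}?"?\s')

def logical_lines(text):
    """Yield (first line number, text) with backslash continuations joined."""
    buf, start = [], None
    for number, line in enumerate(text.splitlines(), 1):
        start = start or number
        line = line.rstrip()
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:  # file ended in the middle of a continued command
        yield start, " ".join(buf)

def missing_ssl_properties(script_text):
    """Map each launch command's line number to the required flags it lacks."""
    findings = {}
    for number, command in logical_lines(script_text):
        if LAUNCH.match(command):
            absent = [flag for flag in REQUIRED if flag not in command]
            if absent:
                findings[number] = absent
    return findings

# Constructed sample (not the real catalina.sh): the second launch is incomplete.
SAMPLE_CATALINA_SH = r'''if [ "$1" = "debug" ] ; then
  exec "$_RUNJDB" $JAVA_OPTS $CATALINA_OPTS \
    -Djavax.net.ssl.trustStore=/opt/tomcat/conf/.keystore \
    -Djavax.net.ssl.trustStorePassword=changeit \
    -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol \
    org.apache.catalina.startup.Bootstrap "$@" start
else
  "$_RUNJAVA" $JAVA_OPTS $CATALINA_OPTS \
    -Djavax.net.ssl.trustStore=/opt/tomcat/conf/.keystore \
    org.apache.catalina.startup.Bootstrap "$@" start &
fi
'''
```

Because the keystore password is passed as a JVM argument, it is readable in catalina.sh and in the process listing, so restrict access to both.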
Create Trusted Security Certificates
The machine on which Tomcat is running requires a trusted security certificate. If the HTTPS client cannot find a trusted security certificate on the QAD QXtend server, it can issue a warning or refuse to work with an HTTPS connection to the server. This behavior can cause a fault on the client side.
Generate a self-signed server certificate with the Java keytool as follows:
1 In a command window, navigate to a temporary directory such as c:\temp and enter the following command:
%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA -keystore c:\temp\.keystore
2 The system prompts you to enter the keystore password. The default SSL password for Tomcat is changeit. If you change the password, place it in server.xml and catalina.bat.
You are prompted to enter your first and last name.
3 Enter the name of the host where the QXI WebApp is installed; for example, corp_pc01. It must be the same host specified in qxtendconfig.xml for MessageReceiverServlet. This prompt and all subsequent prompts use the format:
[Unknown]: <Enter_data_value_here.>
4 The system prompts you for the following information:
The name of your organizational unit
The name of your organization
The name of your city or locality
The name of your state or province
The two-letter country code for this unit
Enter the appropriate values for your implementation.
5 The system prompts you to confirm the following information:
Is CN=corp_pc01, OU=QAD, O=QAD, L=Summerland, ST=California, C=US correct?
[no]: y
The common name (CN) must be the correct QXI WebApp host or the web service call reports the validation error “HTTPS hostname wrong.”
6 The system prompts you to enter the key password for <tomcat>.
Press Enter if the key password for Tomcat is the same as the keystore password. Do not attempt this task unless you are an experienced HTTPS user.
See the Java tools documentation for details.
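The CN requirement in steps 3 and 5 can be checked after the keystore is created. The following is an added example, not part of the QAD guide: it reads the Owner lines from the text printed by keytool -list -v and compares each CN with the QXI WebApp host name. The function names and both sample listings are constructed for illustration.

```python
def split_dn(dn):
    """Parse a distinguished name into {attribute: value}, honouring quoted
    values and backslash escapes so that a comma inside a value is kept."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return dict(part.split("=", 1) for part in parts if "=" in part)

def keystore_cn_problems(keytool_listing, expected_host):
    """Compare the CN of every 'Owner:' line with the QXI WebApp host name."""
    owners = [line.split(":", 1)[1].strip()
              for line in keytool_listing.splitlines()
              if line.startswith("Owner:")]
    if not owners:
        return ["no 'Owner:' line found in the keytool listing"]
    problems = []
    for owner in owners:
        cn = split_dn(owner).get("CN", "")
        # Host names are compared without regard to case.
        if cn.lower() != expected_host.lower():
            problems.append("CN %r does not match host %r" % (cn, expected_host))
    return problems

# Constructed, abbreviated keytool -list -v output for the page's example values.
GOOD_LISTING = """Alias name: tomcat
Owner: CN=corp_pc01, OU=QAD, O=QAD, L=Summerland, ST=California, C=US
Issuer: CN=corp_pc01, OU=QAD, O=QAD, L=Summerland, ST=California, C=US
"""
# Constructed failure case: a personal name typed at the first prompt.
BAD_LISTING = 'Owner: CN="Doe, Jane", OU=QAD, O=QAD, L=Summerland, ST=California, C=US\n'
```

A non-empty result for the host configured for MessageReceiverServlet corresponds to the "HTTPS hostname wrong" validation error described in step 5.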