Introduction

The TLS protection of the Soffid IAM Console is configured in the Apache TomEE server embedded in the installation.

Since the Console runs on Java, the certificate and its private key must be supplied in a jks file (Java KeyStore).

If your certificate was not delivered in jks format, it has to be converted first; the usual case, a PKCS#12 (.PFX) file, is covered at the end of this page.

Once the Console is installed and the certificate is available in jks format, follow these steps, both for the initial configuration and for a later update.

Note that the encryption layer is still often called SSL, and the configuration file itself still uses the word SSL in its attribute names. The SSL protocol versions are obsolete, however, and TLSv1.2 is used instead.

Configuration

The TLS configuration must be placed in the following file:

/opt/soffid/iam-console-2/conf/server.xml


The TLS configuration is included in the following XML entity.

<!-- xpoweredBy and server are Connector attributes (they keep the server
     version out of response headers); Tomcat does not recognise them on
     the Certificate element, so they belong on the Connector. -->
<Connector port="443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150"
           SSLEnabled="true"
           xpoweredBy="false"
           server="Apache TomEE">
   <SSLHostConfig>
      <Certificate certificateKeystoreFile="conf/yourdomain.jks"
                   certificateKeystorePassword="123456"
                   certificateKeyAlias="yourdomain"
                   type="RSA" />
   </SSLHostConfig>
</Connector>


These are the attributes that you have to configure.

Attribute                    Comment
port                         The standard 443 or another custom port
certificateKeystoreFile      Path to the jks file; a relative path starts from /opt/soffid/iam-console-2/ (the installation directory)
certificateKeystorePassword  The password used to encrypt the jks file
certificateKeyAlias          The alias that identifies your key and certificate inside the jks file


Copy your jks file to the following path (replacing any previous one):

/opt/soffid/iam-console-2/conf/yourdomain.jks


After that, restart the iam-console service:

sudo service soffid-iamconsole stop
sudo service soffid-iamconsole start


If the Console does not start correctly after the change, look for the error in the Console log of the current day:

/opt/soffid/iam-console-2/logs/soffid-YYYY-MM-DD.log
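As an added pre-restart check (example code, not part of the Soffid documentation or product), the following Python script validates the edited server.xml before the service is restarted: it locates the SSLEnabled connector, resolves certificateKeystoreFile against the installation directory, flags the sample password 123456 and world-readable files, and can optionally ask keytool whether the password and alias actually open the store. The install_dir default and the run_keytool switch are assumptions of this example.

```python
import os
import stat
import subprocess
import xml.etree.ElementTree as ET

SAMPLE_PASSWORD = "123456"  # the documentation sample; it must not survive into production


def find_tls_connector(server_xml_text):
    """Return the first <Connector SSLEnabled="true"> element, or None."""
    root = ET.fromstring(server_xml_text)
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() == "true":
            return conn
    return None


def check_tls_config(server_xml_path, install_dir="/opt/soffid/iam-console-2", run_keytool=False):
    """Return a list of problems found; an empty list means the connector looks sane."""
    problems = []
    with open(server_xml_path, encoding="utf-8") as fh:
        conn = find_tls_connector(fh.read())
    if conn is None:
        return ['no Connector with SSLEnabled="true" found']
    if not conn.get("port", "").isdigit():
        problems.append("port is missing or not numeric")
    cert = conn.find("SSLHostConfig/Certificate")
    if cert is None:
        return problems + ["SSLHostConfig/Certificate element is missing"]
    keystore = cert.get("certificateKeystoreFile", "")
    # A relative certificateKeystoreFile is resolved from the installation directory.
    ks_path = keystore if os.path.isabs(keystore) else os.path.join(install_dir, keystore)
    if not os.path.isfile(ks_path):
        problems.append(f"keystore not found: {ks_path}")
    password = cert.get("certificateKeystorePassword", "")
    if not password or password == SAMPLE_PASSWORD:
        problems.append("keystore password is empty or still the sample value")
    alias = cert.get("certificateKeyAlias", "")
    if not alias:
        problems.append("certificateKeyAlias is empty")
    # The keystore password sits in clear text in server.xml, so neither file should be world-readable.
    for path in (server_xml_path, ks_path):
        if os.path.isfile(path) and os.stat(path).st_mode & stat.S_IROTH:
            problems.append(f"{path} is world-readable")
    # Optional: let keytool confirm that the password opens the store and the alias exists.
    if run_keytool and os.path.isfile(ks_path):
        cmd = ["keytool", "-list", "-keystore", ks_path, "-storepass", password, "-alias", alias]
        if subprocess.run(cmd, capture_output=True).returncode != 0:
            problems.append("keytool cannot open the keystore with that password and alias")
    return problems
```

Run it as check_tls_config("/opt/soffid/iam-console-2/conf/server.xml", run_keytool=True) before issuing the restart; an empty list means no finding.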


Load a PKCS#12 (.PFX) file

There are many standard formats for storing and transferring private keys and certificates, but the most common one is PKCS#12. Its main advantage is that a single file holds both the private key and the public certificate.

To convert the .PFX file into a Java keystore (.JKS), you can use the following command (adapt the file names to your system, and replace <YOUR_PFX_ALIAS> with the alias under which the key is stored inside the PFX file; keytool -list -storetype PKCS12 -keystore <YOUR_FILE.PFX> prints it). The -srcalias option matters: without it keytool imports every entry under its original alias and ignores -destalias, so the alias would not match the certificateKeyAlias in server.xml.

keytool -v -importkeystore -srckeystore <YOUR_FILE.PFX> -srcstoretype PKCS12 -srcalias <YOUR_PFX_ALIAS> -destkeystore /opt/soffid/iam-console-2/conf/yourdomain.jks -destalias yourdomain -deststoretype JKS

Next, you will be asked for the PFX password. It should have been provided to you together with the PFX file.

Then you will be asked (probably twice) for the password that will protect the .JKS file. This is the password that goes into the certificateKeystorePassword attribute of server.xml; in the sample configuration at the top of this page it is 123456. Note that the private key inside the new .JKS keeps the PFX password unless -destkeypass is given, so if the two passwords differ, either pass -destkeypass with the same value as the .JKS password or add certificateKeyPassword with the PFX password to the Certificate element.