After importing the signed certificates in addition to the Hub CA and HTTPS certificate, configure your Tomcat server.xml file to use the correct certificate to serve SHRINE HTTPS requests. Tomcat normally uses port 6443 to serve SHRINE.
To serve TLS, find the Connector section below and change it to use the right keystore password and key alias so that Tomcat serves HTTPS with your certificate. Although you can use the same keyAlias both to sign SHRINE queries and to support TLS for HTTPS, most sites choose a separate cert signed by a CA in a public cert tree for HTTPS, because that prevents dire warnings from browsers. Follow standard procedures for serving HTTPS via TLS from Tomcat. An example is in shrine-setup/server.xml.
```xml
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
     This connector uses the NIO implementation that requires the JSSE
     style configuration. When using the APR/native implementation, the
     OpenSSL style configuration is required as described in the APR/native
     documentation -->
<Connector port="6443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/opt/shrine/shrine.keystore"
           keystorePass="password"
           keyAlias="<name_of_keystore_PrivateKeyEntry>" />
```
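The two values a site must change in that Connector (keystorePass and keyAlias) are exactly the ones that tend to be left at the example values. The following is an added example, not SHRINE's own tooling: a small audit script that parses a server.xml, checks every Connector for the settings the page calls for (SSLEnabled, scheme/secure, sslProtocol="TLS", a non-placeholder keystorePass and keyAlias, an absolute keystoreFile), flags any plain-HTTP Connector, and confirms a RewriteValve is present for the old-URL redirects. The embedded server.xml is a constructed sample built from the snippet above; the port 6443, the attribute names and the placeholder-password list are assumptions taken from this page. Note that a literal `<` inside an attribute value is not well-formed XML, so the sample escapes the `<name_of_keystore_PrivateKeyEntry>` placeholder; Tomcat itself will refuse to start on the unescaped placeholder, which is one more reason the alias must be replaced.

```python
"""Audit the TLS Connector settings in a Tomcat server.xml (added example)."""
import os
import sys
import xml.etree.ElementTree as ET

SHRINE_HTTPS_PORT = "6443"  # assumption: the SHRINE port named on this page
# Example/default passwords that must never survive into a deployed keystore.
PLACEHOLDER_PASSWORDS = {"password", "changeit", ""}

# Constructed sample mirroring the Connector shown above (not a real site's file).
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="6443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/opt/shrine/shrine.keystore"
               keystorePass="password"
               keyAlias="&lt;name_of_keystore_PrivateKeyEntry&gt;" />
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
        <Valve className="org.apache.catalina.valves.rewrite.RewriteValve" />
      </Host>
    </Engine>
  </Service>
</Server>
"""

# The same file after a site fills in its own values (constructed, hypothetical).
FIXED_SERVER_XML = (SAMPLE_SERVER_XML
                    .replace('keystorePass="password"', 'keystorePass="s3cret-keystore-pw"')
                    .replace('keyAlias="&lt;name_of_keystore_PrivateKeyEntry&gt;"',
                             'keyAlias="shrine-hub-tls"'))


def audit_server_xml(xml_text, check_files=False):
    """Return a list of (severity, port, message) findings over every Connector."""
    findings = []
    root = ET.fromstring(xml_text)
    connectors = list(root.iter("Connector"))
    for conn in connectors:
        port = conn.get("port", "?")
        if conn.get("SSLEnabled", "false").lower() != "true":
            # SHRINE carries login data in HTTP headers, so plain HTTP is a risk.
            findings.append(("warn", port, "connector is not TLS-enabled"))
            continue
        if conn.get("scheme") != "https" or conn.get("secure") != "true":
            findings.append(("error", port, "SSLEnabled but scheme/secure are not https/true"))
        if conn.get("sslProtocol") != "TLS":
            findings.append(("error", port, "sslProtocol should be TLS"))
        if conn.get("keystorePass", "") in PLACEHOLDER_PASSWORDS:
            findings.append(("error", port, "keystorePass is a placeholder/default"))
        alias = conn.get("keyAlias", "")
        if not alias or alias.startswith("<"):
            findings.append(("error", port, "keyAlias is missing or still the placeholder"))
        keystore = conn.get("keystoreFile", "")
        if not os.path.isabs(keystore):
            findings.append(("error", port, "keystoreFile should be an absolute path"))
        elif check_files and not os.path.isfile(keystore):
            findings.append(("error", port, "keystoreFile %s does not exist" % keystore))
    if not any(c.get("port") == SHRINE_HTTPS_PORT and c.get("SSLEnabled") == "true"
               for c in connectors):
        findings.append(("error", SHRINE_HTTPS_PORT, "no TLS connector on the SHRINE port"))
    return findings


def has_rewrite_valve(xml_text):
    """True if some Host carries the RewriteValve used for the old-URL redirects."""
    root = ET.fromstring(xml_text)
    return any(v.get("className", "").endswith(".rewrite.RewriteValve")
               for host in root.iter("Host") for v in host.iter("Valve"))


if __name__ == "__main__":
    # Usage: python audit_server_xml.py /opt/shrine/tomcat/conf/server.xml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    for severity, port, message in audit_server_xml(text, check_files=len(sys.argv) > 1):
        print("%-5s port %s: %s" % (severity, port, message))
    print("RewriteValve present:", has_rewrite_valve(text))
```

Run against the real file with `check_files=True` (the command-line path does this) so the keystoreFile existence check is exercised; on the page's own snippet the script reports the placeholder password and alias as errors and the 8080 HTTP connector as a warning, and reports nothing but that warning once the two values are filled in.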
The URLs to the SHRINE webclient, steward, and changed in SHRINE 2.0.0. If you would like to add redirects to the old URLs, add a RewriteValve to the server.xml file and copy the shrine-setup/rewrite.config file to /opt/shrine/tomcat/conf/Catalina/localhost.
```xml
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
  <Valve className="org.apache.catalina.valves.rewrite.RewriteValve" />
  <!-- ... rest of the Host element unchanged ... -->
</Host>
```
Here's a sample server.xml file (note the 'Connector port = "6443"' section):
Always use encrypted communication for all HTTP connections in SHRINE networks. SHRINE carries login information in HTTP headers, and i2b2 carries similar information in HTTP request bodies.
Standard TLS-based HTTPS is sufficient.
Setting up SHRINE's keystore in versions 3.2 and earlier was much more complex. SHRINE now uses Tomcat's TLS-based HTTPS the way almost all other applications do. Tomcat's own documentation is insufficient, but these instructions were clear.