After importing the signed certificates (along with the hub CA and the HTTPS certificate) into the keystore, configure Tomcat's server.xml to serve SHRINE https requests with the correct certificate. Tomcat normally serves SHRINE on port 6443.

To serve https, find the Connector section below in server.xml and change it to use the correct keystore password and key alias. Although you can use the same keyAlias to sign SHRINE queries and to support TLS for https, most sites use a separate certificate signed by a CA in a public certificate tree for https, which prevents the dire warnings browsers show for a private CA. Replace the whole keyAlias placeholder, angle brackets included: a literal `<` inside an attribute value is not well-formed XML, and Tomcat will refuse to start on such a file. Otherwise follow standard procedures for serving https via TLS from Tomcat. Find the example in shrine-setup/server.xml.

    <!-- Define a SSL/TLS HTTP/1.1 Connector on port 6443
         This connector uses the NIO implementation that requires the JSSE
         style configuration. When using the APR/native implementation, the
         OpenSSL style configuration is required as described in the APR/native
         documentation -->

    <Connector port="6443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/opt/shrine/shrine.keystore"
               keystorePass="password"
               keyAlias="<name_of_keystore_PrivateKeyEntry>" />

The URLs to the SHRINE webclient, steward, and other SHRINE web applications changed in SHRINE 2.0.0. If you would like to add redirects from the old URLs, add a RewriteValve to the Host element in server.xml and copy the shrine-setup/rewrite.config file to /opt/shrine/tomcat/conf/Catalina/localhost, which is where the valve looks for it.

server.xml:

<Host name="localhost"  appBase="webapps" unpackWARs="true" autoDeploy="true">

    <Valve className="org.apache.catalina.valves.rewrite.RewriteValve" />
........
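The following audit script is an added example, not SHRINE project code or Tomcat tooling. It parses a server.xml with Python's standard library and reports the mistakes a reviewer checks for in the two sections above: a plaintext HTTP connector left next to the 6443 TLS connector, a default or placeholder keystorePass, a missing keyAlias or keystoreFile, a Host without the RewriteValve, and an unreplaced `<placeholder>` that makes the file non-well-formed XML. The two server.xml fragments, the port 6060 plaintext connector and the keystore password value are constructed for the example.

```python
"""Audit a Tomcat server.xml for the SHRINE https settings (added example)."""
import xml.etree.ElementTree as ET

# Constructed "before" sample: the page's connector with the default keystore
# password, plus a plaintext connector on 6060 (assumed leftover from a
# stock Tomcat install).
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="6060" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="6443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/opt/shrine/shrine.keystore"
               keystorePass="password"
               keyAlias="shrine-https" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" />
    </Engine>
  </Service>
</Server>"""

# Constructed "after" sample: plaintext connector removed, a real keystore
# password (assumed value), RewriteValve added under the Host.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="6443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/opt/shrine/shrine.keystore"
               keystorePass="k3ystore-pass-example"
               keyAlias="shrine-https" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
        <Valve className="org.apache.catalina.valves.rewrite.RewriteValve" />
      </Host>
    </Engine>
  </Service>
</Server>"""

PLACEHOLDER_PASSWORDS = {"", "password", "changeit"}  # JDK/Tomcat defaults


def audit_server_xml(xml_text, shrine_port=6443):
    """Return a list of findings; an empty list means the config passes."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # An unreplaced <placeholder> inside an attribute value is not
        # well-formed XML; Tomcat will refuse to start on such a file.
        return [f"server.xml is not well-formed XML ({exc}); "
                "check for unreplaced <placeholders> in attribute values"]

    findings = []
    tls_ports = set()
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        protocol = conn.get("protocol", "HTTP/1.1")
        if conn.get("SSLEnabled", "false").lower() != "true":
            if "ajp" in protocol.lower():
                continue  # AJP is not an HTTP listener; out of scope here
            findings.append(f"port {port}: plaintext HTTP connector; SHRINE "
                            "sends login data in HTTP headers, so remove it")
            continue
        tls_ports.add(port)
        if conn.get("scheme") != "https" or conn.get("secure", "").lower() != "true":
            findings.append(f"port {port}: TLS connector needs scheme=\"https\" "
                            "secure=\"true\" so webapps treat requests as secure")
        if not conn.get("keystoreFile"):
            findings.append(f"port {port}: keystoreFile is not set")
        if conn.get("keystorePass", "").lower() in PLACEHOLDER_PASSWORDS:
            findings.append(f"port {port}: keystorePass is a default/placeholder")
        if not conn.get("keyAlias"):
            findings.append(f"port {port}: keyAlias must name the keystore's "
                            "PrivateKeyEntry for the https certificate")
    if str(shrine_port) not in tls_ports:
        findings.append(f"no TLS connector on port {shrine_port}")
    return findings


def has_rewrite_valve(xml_text):
    """True if some Host carries the RewriteValve (so rewrite.config is read)."""
    root = ET.fromstring(xml_text)
    return any(valve.get("className", "").endswith(".RewriteValve")
               for host in root.iter("Host") for valve in host.findall("Valve"))


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(name, audit_server_xml(text) or "OK",
              "rewrite valve:", has_rewrite_valve(text))
```

Run it against a real /opt/shrine/tomcat/conf/server.xml by reading the file into `audit_server_xml`; the weak sample reports the plaintext 6060 connector and the default keystorePass, while the hardened sample reports nothing and has the valve in place. The check does not open the keystore, so it cannot tell whether keyAlias actually points at a PrivateKeyEntry rather than a trusted-cert entry; verify that separately with `keytool -list` before restarting Tomcat.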

Here's a sample server.xml file (note the 'Connector port = "6443"' section):

...

Always use encrypted communication for all http connections in SHRINE networks: SHRINE carries login information in http headers, and i2b2 carries similar information in http request bodies, so a plaintext listener exposes credentials to anyone on the path.

Standard TLS-based https is sufficient.

Setting up SHRINE's keystore in versions 3.2 and earlier was much more complex. SHRINE now uses Tomcat's TLS-based https the way almost all other applications do. Tomcat's own documentation is insufficient, but these instructions were clear.