Enabling HTTPS in the Embedded Apache Tomcat

The Denodo Platform embeds the Apache Tomcat web container to host its web applications and web services. The communications between clients and the web applications running in the Apache Tomcat embedded in the Denodo Platform can be secured with HTTPS. The applications running in this web container are:

  • Aracne Administration Tool
  • ITPilot Administration Tool
  • Scheduler Administration Tool
  • Web Services published using Virtual DataPort
  • Information Self Service Tool
  • Diagnostic & Monitoring Tool

To enable HTTPS, do the following:

  1. Edit the file <DENODO_HOME>/resources/apache-tomcat/conf/tomcat.properties, uncomment the following properties and set their value:

    • com.denodo.tomcat.https.port = the port listening to HTTPS connections. Check that this port is free in the host where the Virtual DataPort server is running.

      If you want clients to access the HTTPs interface without having to put the port in the URL, set this to 443 instead of 9443. That way, the user will be able to access the HTTPs interface with a URL like https://denodo-server/denodo-restfulws instead of https://denodo-server:9443/denodo-restfulws.

      Note that in Linux, processes that are not started by the root user cannot listen on ports under 1024. However, it is possible, using iptables, to redirect the data to port 443 to the port 9443.

    • com.denodo.security.ssl.keyStore = Path to the KeyStore that contains the certificate for the Denodo Platform servers. For example, com.denodo.security.ssl.keyStore=C:/denodo/denodo_server_key_store.jks.

      Even if the Denodo servers run on Windows, the path separator has to be the forward slash (/).

    • com.denodo.security.ssl.keyStorePassword = Password of the KeyStore that contains the certificate for the Denodo Platform servers.

    • It is possible to configure the Denodo web container to use a TrustStore that is not the default one (the default TrustStore is at <DENODO_HOME>/jre/lib/security/cacerts). However, we do not recommend doing so because it makes the management of the Denodo servers harder because you have to maintain a new TrustStore file.

      To use a different TrustStore, uncomment these properties:

      • com.denodo.security.ssl.trustStore = Path to the TrustStore.

        For example, com.denodo.security.ssl.trustStore=c:/denodo/custom_cacerts

        Even if the Denodo servers run on Windows, the path separator has to be the forward slash (/).

      • com.denodo.security.ssl.trustStorePassword = Password of the TrustStore. The default password of a TrustStore is changeit.

    If you want to secure with HTTPS the connections established with Tomcat, but do not want to secure the connections between Tomcat and the Denodo Platform servers, leave the property com.denodo.security.ssl.enabled commented.

  1. Edit the file <DENODO_HOME>/resources/apache-tomcat/conf/server.xml
    1. Uncomment the SSL connector. I.e. Search the “Connector” element that starts with <Connector port=”${com.denodo.tomcat.https.port}” and remove the <-- and --> characters that surround it.
    2. To disable the access through HTTP and only allow HTTPs connections, comment the “Connector” element that starts with <Connector port=”${com.denodo.tomcat.http.port}” with <-- and -->. For example,
   <Connector port="${com.denodo.tomcat.http.port}"
      maxThreads="150" minSpareThreads="25"
Check the documentation of Apache Tomcat to know how to change the default SSL/TLS settings of the web container: to limit the ciphers, enable client authentication, etc.
  1. To apply these changes, stop all the Denodo Platform servers and once they are all stopped, start them again.

    It is important to stop them all so the Denodo web container is stopped as well. If for example, you leave the Information Self-Service started the web container will not shut down and the changes in the file tomcat.properties will not take effect.

  2. To check that HTTPs was enabled successfully, open the URL https://localhost:9443/denodo-restfulws (9443 is the default value of the property com.denodo.tomcat.https.port).