23 August 2013

1. HTTP/HTTPS Support

1.1. Configure HTTP Support

The core HTTP settings are configured in the ${TIF_ROOT}/etc/tif.custom.properties file.

Below is a list of the properties TIF supports today.

# Setting port < 1 disables HTTP support
http.port = 8181
http.maxIdleTime = 30000
http.requestHeaderSize = 8192

1.2. Configure HTTPS Support

The core HTTPS settings are configured in the ${TIF_ROOT}/etc/tif.custom.properties file.

HTTPS support is disabled by default, since the default value of https.port is -1. To enable it, you need to specify the port (probably use port 443), a keystore, and the keystore's password and alias.

Below is a list of all parameters that can be set.

#https.port=-1
#https.keyStore.path=<path to keystore, example: etc/keystore>
#https.keyStore.password=secret
#https.keyStore.type=
#https.keyStore.provider=
#https.keyManager.password=
#https.trustStore.path=<path to the trust-store, example: etc/keystore>
#https.trustStore.password=secret
#https.trustStore.type=
#https.trustStore.provider=
#https.certAlias=
#https.includeCipherSuites=<comma separated list>
#https.excludeCipherSuites=<comma separated list>
#https.maxIdleTime=30000

For further details around SSL/TLS please refer to this page.

1.2.1. SSL Enabling Example

Assuming that you have a valid certificate including a private key, available in the files

  • server.crt

  • server.key

Then you need to create a Java keystore from these files.

First, you need to convert the certificate into PKCS12 format. Below is an example of how to do so with openssl. Note that you will be asked for passwords, which you will need to remember for the next step.

openssl pkcs12 \
  -export \
  -in server.crt \
  -inkey server.key \
  -out server.p12 \
  -name tif

The next step is to use keytool from the Java installation to import the PKCS12 certificate into a Java keystore. Below is an example showing how to do so. Note that the password "secret" should be changed.

keytool \
  -importkeystore \
  -deststorepass secret \
  -destkeypass secret \
  -destkeystore keystore \
  -deststoretype PKCS12 \
  -srckeystore server.p12 \
  -srcstoretype PKCS12 \
  -srcstorepass secret \
  -alias tif

Then, copy the keystore file into the directory ${TIF_HOME}/etc/.

Finally, add these properties to ${TIF_HOME}/etc/tif.custom.properties.

https.port=443
https.keyStore.path=etc/keystore
https.keyStore.password=secret
https.certAlias=tif

Start TIF and ensure that it works correctly with HTTPS on port 443 (which is the default port for HTTPS).

1.2.2. Configure Self Signed Certificate

Setting up TIF with a self-signed certificate is simple and useful for testing. Just follow these steps:

  • Use keytool to create the keystore

    cd $TIF_HOME/etc
    keytool -keystore keystore -alias tif -genkey -keyalg RSA -sigalg SHA256withRSA

    You will then be asked for some information, as shown below.

    Enter keystore password:
    Re-enter new password:
    What is your first and last name?
      [Unknown]:
    What is the name of your organizational unit?
      [Unknown]:
    What is the name of your organization?
      [Unknown]:
    What is the name of your City or Locality?
      [Unknown]:
    What is the name of your State or Province?
      [Unknown]:
    What is the two-letter country code for this unit?
      [Unknown]:
    Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
      [no]:  yes
    Enter key password for <tif>
            (RETURN if same as keystore password):
  • Modify ${TIF_HOME}/etc/tif.custom.properties

    https.port=443
    https.keyStore.path=etc/keystore
    https.keyStore.password=password
    https.certAlias=tif

Done
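
As an added example (not part of the TIF documentation or product), the shell function below lints a tif.custom.properties file for the HTTPS properties set in sections 1.2.1 and 1.2.2. The names prop and check_tif_https are hypothetical, and it assumes that an https.port value below 1 disables HTTPS, as the comment on http.port states for HTTP.

```sh
#!/bin/sh
# Added example, not TIF code: lint the HTTPS keys of a tif.custom.properties file.

# prop FILE KEY: print the value of the last uncommented "KEY = value" line.
prop() {
  key=$(printf '%s' "$2" | sed 's/\./\\./g')   # match the dots in KEY literally
  sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$1" |
    tail -n 1 | sed 's/[[:space:]]*$//'
}

# check_tif_https FILE: print one finding per line; return 0 when there are none.
check_tif_https() {
  file=$1; rc=0
  port=$(prop "$file" https.port); port=${port:--1}   # documented default is -1
  case ${port#-} in
    ''|*[!0-9]*) echo "https.port is not a number: $port"; return 1 ;;
  esac
  # Assumption: as with http.port, a value below 1 leaves the listener off.
  if [ "$port" -lt 1 ]; then
    echo "HTTPS is disabled (https.port=$port)"; return 1
  fi
  [ -n "$(prop "$file" https.keyStore.path)" ] ||
    { echo "https.keyStore.path is not set"; rc=1; }
  [ -n "$(prop "$file" https.certAlias)" ] ||
    { echo "https.certAlias is not set"; rc=1; }
  case $(prop "$file" https.keyStore.password) in
    '') echo "https.keyStore.password is not set"; rc=1 ;;
    secret|password)   # the sample values used on this page
      echo "https.keyStore.password is still a documentation sample value"; rc=1 ;;
  esac
  # The password is stored in clear text, so only the owner should have access.
  mode=$(ls -ld "$file" | cut -c5-10)
  [ "$mode" = "------" ] ||
    { echo "$file is accessible to group/other ($mode)"; rc=1; }
  return $rc
}

# Lint the file given as $1, or a constructed sample mirroring section 1.2.1.
if [ $# -gt 0 ]; then
  check_tif_https "$1"
else
  sample=$(mktemp) && chmod 600 "$sample"
  printf '%s\n' 'https.port=443' 'https.keyStore.path=etc/keystore' \
    'https.keyStore.password=secret' 'https.certAlias=tif' > "$sample"
  check_tif_https "$sample" || true
  rm -f "$sample"
fi
```

Run it with the path to the properties file as its only argument; a non-zero exit status means at least one finding was printed.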

2. HTTP/HTTPS Client

TIF also acts as an HTTP/HTTPS client when you have integrations that communicate via HTTP.

Some global settings for this client may need adjusting; they are discussed in the sub-chapters below.

2.1. Proxy Configuration

To use proxy servers for outbound HTTP calls from TIF, configure them in ${TIF_HOME}/etc/tif.custom.properties.

There are two properties to use:

http.proxy

Defines proxy server for plain HTTP calls.

https.proxy

Defines proxy server for secure HTTP calls.