SSL setup
When running as a normal user, prepend sudo to the commands where elevated permissions are needed.
We will use Certbot to create an SSL certificate. Certbot is a free, easy-to-use tool that works with Let's Encrypt, a widely trusted certificate authority, to issue the certificate.
The domain opensourcebim.org is used as an example below. Certbot uses the domain name in directory names. Replace it with your own domain name when executing the commands.
user@local:~$ man snap # check if snap is installed
user@local:~$ snap install --classic certbot # install certbot
user@local:~$ certbot certonly --standalone # generate SSL certificate (interactively enter required information)
user@local:~$ systemctl list-timers # check automatic renewal
user@local:~$ chgrp tomcat /etc/letsencrypt/live/opensourcebim.org/privkey.pem # assign the private key to group tomcat
user@local:~$ chmod g+r /etc/letsencrypt/live/opensourcebim.org/privkey.pem # allow group to read private key
By default, read access to the private key is restricted to root. That is not sufficient for Tomcat, which does not have a dedicated startup phase with elevated permissions for sensitive operations. Certbot picks up any modified permissions upon renewal.
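To confirm that the key ended up with exactly the access described above (readable by the tomcat group, nothing for other users) and that it is still so after a renewal, a check along these lines can be run as root. It is an added example, not part of the BIMserver wiki; the function names are hypothetical, and it assumes GNU stat and readlink as shipped with Ubuntu.

```sh
#!/bin/sh
# Added example, not from the BIMserver wiki. Assumes GNU stat/readlink
# (Ubuntu) and that the Tomcat user owns neither the key nor its directories.

# key_perms_ok KEYFILE GROUP: the key (symlinks resolved) must belong to
# GROUP, be read-only for the group, and grant nothing to other users.
key_perms_ok() {
    real=$(readlink -f -- "$1") && [ -f "$real" ] ||
        { echo "missing: $1" >&2; return 2; }
    grp=$(stat -c '%G' -- "$real")
    mode=$(stat -c '%a' -- "$real")
    [ "$grp" = "$2" ] ||
        { echo "group is $grp, expected $2: $real" >&2; return 1; }
    [ $(( (0$mode >> 3) & 7 )) -eq 4 ] ||
        { echo "group bits are not r-- (mode $mode): $real" >&2; return 1; }
    [ $(( 0$mode & 7 )) -eq 0 ] ||
        { echo "other users have access (mode $mode): $real" >&2; return 1; }
}

# dirs_searchable DIR GROUP: DIR and every parent up to / must be searchable
# by GROUP (group x if the directory belongs to GROUP, otherwise other x).
dirs_searchable() {
    dir=$(readlink -f -- "$1") && [ -d "$dir" ] ||
        { echo "not a directory: $1" >&2; return 2; }
    while :; do
        if [ "$(stat -c '%G' -- "$dir")" = "$2" ]; then bit=8; else bit=1; fi
        dmode=$(stat -c '%a' -- "$dir")
        [ $(( 0$dmode & $bit )) -ne 0 ] ||
            { echo "group $2 cannot enter $dir (mode $dmode)" >&2; return 1; }
        [ "$dir" = / ] && return 0
        dir=$(dirname -- "$dir")
    done
}

# audit_key KEYFILE GROUP: check the key plus both directory chains, because
# certbot's live/ entry is a symlink to the real file under archive/.
audit_key() {
    key_perms_ok "$1" "$2" &&
        dirs_searchable "$(dirname -- "$1")" "$2" &&
        dirs_searchable "$(dirname -- "$(readlink -f -- "$1")")" "$2"
}

# Run as root after the chgrp/chmod above and again after a renewal:
#   audit_key /etc/letsencrypt/live/opensourcebim.org/privkey.pem tomcat
```

A non-zero exit status together with the message on stderr names the file or directory that blocks Tomcat, or that exposes the key more widely than intended.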
Configure SSL in server.xml:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true"
           maxParameterCount="1000">
    <SSLHostConfig>
        <Certificate certificateKeyFile="/etc/letsencrypt/live/opensourcebim.org/privkey.pem"
                     certificateFile="/etc/letsencrypt/live/opensourcebim.org/cert.pem"
                     certificateChainFile="/etc/letsencrypt/live/opensourcebim.org/chain.pem"
                     type="EC" />
    </SSLHostConfig>
</Connector>
Force redirection to SSL via configuration in web.xml:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected Context</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>