REST SSL problem

Posted by BartMille on 13-Mar-2015 18:29

I'm trying to enable ssl for my rest api. But I'm getting an error.

Situation:

  • Normal (non-ssl) was working
  • With SSL I can get to the Tomcat home page & query the wadl
  • Appserver is configured for SSL
  • 11.3, Tomcat 7, Postman for testing the api

It seems that when I change AppserviceProtocol (in runtime.props) to AppServerS, Tomcat no longer works correctly. I get an error for every call I try to make and the appserver is never reached.

Any ideas?

The error (summarized):

2015-03-14 00:18:50,512 6480 [http-bio-443-exec-6] ERROR org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver onMessage - Error occurred during error handling, give up!
org.apache.cxf.interceptor.Fault: null while invoking public void _adres.ppserv_prg_Adress_GET(java.lang.String,java.lang.String,java.lang.String) with params [com.progress.adapters.rest.message.impl.RestRequestMessageImpl@c88966].

Bit off-topic: it really is a pain in the a** to find anything useful in the documentation or an example.

All Replies

Posted by Irfan on 13-Mar-2015 19:54

There are two steps to enable SSL for a REST Service:

1. Configure the runtime.props to AppserverS or AppserverDCS (which you already did).

2. Now that we have enabled our REST Service to work as a secured client, we should also provide the client certificate for it to proceed with the handshake. To do that, you need to uncomment the code below in your REST Service web.xml file (webapps/$RESTService/WEB-INF/web.xml).

<!-- Certificate jar location -->
   <!--
   <context-param>
       <param-name>certlocation</param-name>
       <param-value>WEB-INF/adapters/psccerts.jar</param-value>
   </context-param>
   -->

This section points to the default certificate "psccerts.jar", which is shipped by default with OpenEdge. If you are using your own certificate, then you have to point to the certificate jar file in the <param-value> section. In case you are using the default certificate that comes with the installation, you might need to enable the "nohostverify" property by changing its value to "1" in the runtime.props (webapps/$RESTService/WEB-INF/adapters/runtime.props).

You can find this information in the OpenEdge documentation if you follow the link below:

documentation.progress.com/.../index.html

Posted by BartMille on 15-Mar-2015 17:46

That did the trick! Thx.

Still don't get why exactly though.

In the Tomcat config 'web.xml' I had to uncomment the SSL connector and use a self-created keystore.

Also, the appserver has its own SSL config.

So why this extra section?

Posted by Irfan on 15-Mar-2015 22:13

Tomcat can be configured as a generic application server/web server where you could deploy your OpenEdge as well as any other Java web applications. In order to just access the applications deployed inside the Tomcat server through HTTPS, just modifying the web.xml to enable the SSL connector should be sufficient.

But in the case of the REST Adapter, the web application, which is a REST Service here, acts as a client, and for it to communicate with the OpenEdge Appserver over an AppserverDC/AppserverDCS protocol it has to have the ability to configure a client certificate that could do a secure connection with the OpenEdge Appserver.
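The two settings discussed in the replies above (the commented-out certlocation parameter in web.xml, and AppserviceProtocol/nohostverify in runtime.props) can be checked together before deployment. The following is an added example, not code from the thread or from OpenEdge; the function names and sample inputs are constructed, and because the thread does not show the layout of runtime.props, the lookup accepts either name=value or XML-element form as an assumption.

```python
import re
import xml.etree.ElementTree as ET

SECURE_PROTOCOLS = {"appservers", "appserverdcs"}  # SSL variants named in the thread

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop an XML namespace prefix if present

def cert_location(web_xml):
    """Active certlocation value, or None when absent or still commented out."""
    for el in ET.fromstring(web_xml).iter():  # default parser discards comments
        if local(el.tag) == "context-param":
            fields = {local(c.tag): (c.text or "").strip() for c in el}
            if fields.get("param-name") == "certlocation":
                return fields.get("param-value")
    return None

def prop(text, name):
    """Case-insensitive lookup; accepts name=value or <name>value</name> (assumed layouts)."""
    n = re.escape(name)
    m = re.search(rf"(?im)^\s*{n}\s*[=:]\s*(\S+)|<{n}>\s*([^<\s]+)\s*</{n}>", text)
    return (m.group(1) or m.group(2)) if m else None

def audit(web_xml, runtime_props):
    protocol = (prop(runtime_props, "AppserviceProtocol") or "").lower()
    if protocol not in SECURE_PROTOCOLS:
        return ["AppServer connection is not using an SSL protocol"]
    findings = []
    loc = cert_location(web_xml)
    if loc is None:
        findings.append("certlocation not active in web.xml: no certificate jar for the handshake")
    elif loc.endswith("psccerts.jar"):
        findings.append("certlocation uses the default psccerts.jar shipped with OpenEdge")
    if prop(runtime_props, "nohostverify") == "1":
        findings.append("nohostverify=1: the AppServer host name is not verified")
    return findings

# Constructed samples; the context-param mirrors the fragment quoted in the thread.
PARAM = ("<context-param><param-name>certlocation</param-name>"
         "<param-value>WEB-INF/adapters/psccerts.jar</param-value></context-param>")
WEB_XML_COMMENTED = f"<web-app><!-- {PARAM} --></web-app>"
WEB_XML_ACTIVE = f"<web-app>{PARAM}</web-app>"
RUNTIME_PROPS = "AppserviceProtocol=AppServerS\nnohostverify=1\n"

if __name__ == "__main__":
    for label, xml in (("commented", WEB_XML_COMMENTED), ("active", WEB_XML_ACTIVE)):
        print(label, audit(xml, RUNTIME_PROPS))
```

A configuration that passes with no findings uses a secure protocol, an active certlocation pointing at a jar other than the shipped default, and nohostverify left at 0.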

Posted by Irfan on 15-Mar-2015 22:36

FYI, you might not need to configure these extra steps if you are going to use PAS for OE. Just configuring your certificate information in your PAS for OE instance "server.xml" should be sufficient for performing an HTTPS connection at the server.

Posted by Michael Jacobs on 16-Mar-2015 05:11

FYI: PAS for OE comes pre-configured to support HTTPS, using a test server certificate found in conf/tomcat-keystore.p12. That test certificate, of course, should be replaced with a real one for actual production operations. Normally setting up a production configuration would entail:

1) replacing the server certificate using the Java keytool utility

2) tcman config psc.as.https.keyalias=<new-server-cert-name>

This thread is closed