Enabling HTTPS on Linux Servers

This procedure provides the steps for enabling HTTPS on Red Hat Enterprise Linux. There might be minor differences in other Linux distributions.
To enable HTTPS, you need a digital certificate. You can use a certificate signed by a certificate authority (CA) or a self-signed certificate.
    Important:
  • This procedure uses the Java keytool command. For details about using keytool, see the Java documentation or the documentation provided by the certificate authority.
  • Save copies of these files in a safe location in case you need to restore them in the future:
    • /opt/RICOH/DataCollector/apache-tomcat/conf/server.xml
    • /opt/RICOH/DataCollector/apache-tomcat/conf/web.xml
    • /opt/RICOH/DataCollector/config.json
  1. Obtain the digital certificate and store it on the computer where RICOH Supervisor Data Collector is installed.
    • To use a certificate signed by a certificate authority:
      1. Follow the instructions provided by the certificate authority for obtaining a signed certificate and importing it into a keystore file.
      2. Copy the keystore file to the computer where RICOH Supervisor Data Collector is installed. Make sure that you know the password for the keystore file.
      3. Open a terminal window as the root user.
      4. Go to the folder that contains the Java keytool:
        cd /opt/RICOH/DataCollector/jre/bin
      5. Import the keystore file into the Java trusted certificates store used by RICOH Supervisor Data Collector:
        keytool -importkeystore -srckeystore "keystore_path" -destkeystore "/opt/RICOH/DataCollector/jre/lib/security/cacerts" -srcstorepass keystore_password -deststorepass changeit

        Replace keystore_path with the path to your keystore file. Leave the quotation marks.

        Replace keystore_password with the password for your keystore file.

    • To create a self-signed certificate:
      1. On the computer where RICOH Supervisor Data Collector is installed, open a terminal window as the root user.
      2. Go to the folder that contains the Java keytool:
        cd /opt/RICOH/DataCollector/jre/bin
      3. Generate a local keystore file and a self-signed certificate:
        keytool -genkey -keyalg RSA -alias ricohsupervisor -keypass keystore_password -keystore "/opt/RICOH/DataCollector/ricohsupervisor-localkeystore.jks" -storepass keystore_password -validity certificate_validity -keysize 2048 -ext san=dns:localhost

        Replace keystore_password with the password that you want to set for the keystore file.

        Replace certificate_validity with the number of days that the certificate remains valid. For example, enter 90 for 90 days.

      4. Import the generated keystore file into the Java trusted certificates store used by RICOH Supervisor Data Collector:
        keytool -importkeystore -srckeystore "/opt/RICOH/DataCollector/ricohsupervisor-localkeystore.jks" -destkeystore "/opt/RICOH/DataCollector/jre/lib/security/cacerts" -srcstorepass keystore_password -deststorepass changeit

        Replace keystore_password with the password that you set for the keystore file.

  2. Stop the RICOH Supervisor Data Collector service:
    sudo systemctl stop RicohSupervisorDataCollector
  3. Enable HTTPS:
    1. Go to /opt/RICOH/DataCollector/apache-tomcat/conf and edit the server.xml file as the root user:
      sudo gedit /opt/RICOH/DataCollector/apache-tomcat/conf/server.xml
    2. Find this code:
      <!--
      <Connector executor="tomcatThreadPool"
                 port="19280" URIEncoding="UTF-8" protocol="HTTP/1.1"
                 connectionTimeout="20000"
                 redirectPort="8443" />
      -->
    3. Insert this code below it:
      <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
                 port="8443" maxThreads="200" scheme="https" secure="true"
                 SSLEnabled="true" keystoreFile="keystore_path"
                 keystorePass="keystore_password" clientAuth="false"
                 sslProtocol="TLS" sslEnabledProtocols="TLSv1.2" />
    4. Replace keystore_path with the path to your keystore file. Leave the quotation marks.
      If you generated a self-signed certificate, use "/opt/RICOH/DataCollector/ricohsupervisor-localkeystore.jks".
    5. Replace keystore_password with the password for your keystore file. Leave the quotation marks.
    6. Save and close the file.
  4. Redirect HTTP requests to HTTPS:
    1. Go to /opt/RICOH/DataCollector/apache-tomcat/conf and edit the web.xml file as the root user:
      sudo gedit /opt/RICOH/DataCollector/apache-tomcat/conf/web.xml
    2. Go to the last line in the file, </web-app>.
    3. Insert this code right before the last line:
      <security-constraint>
      	<web-resource-collection>
      		<web-resource-name>Entire Application</web-resource-name>
      		<url-pattern>/*</url-pattern>
      	</web-resource-collection>
      	<!-- auth-constraint goes here if you require authentication -->
      	<user-data-constraint>
      		<transport-guarantee>CONFIDENTIAL</transport-guarantee>
      	</user-data-constraint>
      </security-constraint>
    4. Save and close the file.
  5. Change the internal server address:
    1. Go to /opt/RICOH/DataCollector and edit the config.json file as the root user:
      sudo gedit /opt/RICOH/DataCollector/config.json
    2. Replace this line:
        "webAddress": "http://localhost:19280",
      with this line, keeping the trailing comma:
        "webAddress": "https://localhost:8443",
    3. Save and close the file.
  6. Start the RICOH Supervisor Data Collector service:
    sudo systemctl start RicohSupervisorDataCollector
  7. Verify that requests are forwarded to the secure connection:
    1. Open a supported web browser window.
    2. Enter this URL in the address bar:

      http://server_address:port_number/DataCollector

      where server_address is the host name or the IP address of the computer where RICOH Supervisor Data Collector is installed and port_number is the web server port.

      When the page loads, the address should change to https://server_address:port_number/DataCollector.
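
A scripted version of the verification in step 7, added here as an example (it is not part of the RICOH documentation): it checks that HTTP on port 19280 redirects to an https:// address, that port 8443 accepts a TLSv1.2 handshake with a certificate that is valid for at least 30 more days, and that webAddress in config.json points to https://localhost:8443. It assumes curl and openssl are installed and the ports and paths used in this procedure.

```shell
#!/bin/sh
# Added post-change check for the procedure above; not part of the RICOH documentation.
# Assumes curl and openssl are installed and the ports/paths used in the procedure.
CONFIG="${RSDC_CONFIG:-/opt/RICOH/DataCollector/config.json}"

# Print the Location value of a 3xx response given its raw header block; fail otherwise.
redirect_location() {
  hdr=$(printf '%s\n' "$1" | tr -d '\r')
  status=$(printf '%s\n' "$hdr" | head -n 1 | awk '{print $2}')
  case "$status" in
    30[12378]) printf '%s\n' "$hdr" | awk 'tolower($1) == "location:" {print $2; exit}' ;;
    *) return 1 ;;
  esac
}

# Extract the "webAddress" value from a config.json file (step 5 of the procedure).
config_web_address() {
  sed -n 's/.*"webAddress"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Live checks against a running Data Collector: sh check_https.sh --check [host]
run_checks() {
  host="${1:-localhost}"; rc=0
  if loc=$(redirect_location "$(curl -sS -I --max-time 10 "http://$host:19280/DataCollector")") \
     && [ "${loc#https://}" != "$loc" ]; then
    echo "OK   http://$host:19280/DataCollector redirects to $loc"
  else
    echo "FAIL no HTTPS redirect from http://$host:19280/DataCollector"; rc=1
  fi
  # The connector allows only TLSv1.2; also require more than 30 days of certificate validity.
  if printf '' | openssl s_client -connect "$host:8443" -tls1_2 2>/dev/null \
       | openssl x509 -noout -checkend 2592000 >/dev/null 2>&1; then
    echo "OK   TLSv1.2 listener on 8443, certificate valid for at least 30 more days"
  else
    echo "FAIL TLSv1.2 handshake on 8443 failed or certificate expires within 30 days"; rc=1
  fi
  if [ "$(config_web_address "$CONFIG")" = "https://localhost:8443" ]; then
    echo "OK   webAddress in $CONFIG is https://localhost:8443"
  else
    echo "FAIL webAddress in $CONFIG is '$(config_web_address "$CONFIG")'"; rc=1
  fi
  return $rc
}

if [ "${1:-}" = "--check" ]; then
  run_checks "${2:-}"
fi
```

Run it on the Data Collector host after step 6; a non-zero exit status means at least one of the three checks failed.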

When users access the system, they are redirected to the secure protocol without having to take any action themselves. However, if you use a self-signed certificate, or if the name in the certificate does not match the host name or IP address that users enter to reach the server, the web browser issues a warning that the certificate is not trusted.

Make sure that you repeat the procedure for enabling HTTPS whenever the certificate is about to expire. You must also repeat this procedure each time you run the installation process to reinstall, upgrade, or repair RICOH Supervisor Data Collector.

After you repair RICOH Supervisor Data Collector, if you no longer want to enable HTTPS, you must change the internal server address back to HTTP:

  1. Go to /opt/RICOH/DataCollector and edit the config.json file as the root user:
    sudo gedit /opt/RICOH/DataCollector/config.json
  2. Replace this line:
      "webAddress": "https://localhost:8443",
    with this line, keeping the trailing comma:
      "webAddress": "http://localhost:19280",
  3. Save and close the file.
  4. Restart the RICOH Supervisor Data Collector service.