Enabling HTTPS on Windows Servers
- Important:
  - This procedure uses the Java keytool command. For details about using keytool, see the Java documentation or the documentation provided by the certificate authority.
  - If you changed the default installation path, make sure that you replace C:\Program Files\RICOH\Supervisor\ with the path where RICOH Supervisor Data Collector is installed everywhere in the procedure.
  - Save copies of these files in a safe location in case you need to restore them in the future:
    C:\Program Files\RICOH\Supervisor\apache-tomcat\conf\server.xml
    C:\Program Files\RICOH\Supervisor\apache-tomcat\conf\web.xml
    C:\Program Files\RICOH\Supervisor\config.json
- Obtain the digital certificate and store it on the computer where RICOH Supervisor Data Collector is installed.
  - To use a certificate signed by a certificate authority:
    - Follow the instructions provided by the certificate authority for obtaining a signed certificate and importing it into a keystore file.
    - Copy the keystore file to the computer where RICOH Supervisor Data Collector is installed. Make sure that you know the password for the keystore file.
    - Open a Command Prompt window as an administrator.
    - Go to the folder that contains the Java keytool:
      cd "C:\Program Files\RICOH\Supervisor\jre\bin"
    - Import the keystore file into the Java trusted certificates store used by RICOH Supervisor Data Collector:
      keytool -importkeystore -srckeystore "keystore_path" -destkeystore "C:\Program Files\RICOH\Supervisor\jre\lib\security\cacerts" -srcstorepass keystore_password -deststorepass changeit
      Replace keystore_path with the path to your keystore file. Leave the quotation marks.
      Replace keystore_password with the password for your keystore file.
  - To create a self-signed certificate:
    - On the computer where RICOH Supervisor Data Collector is installed, open a Command Prompt window as an administrator.
    - Go to the folder that contains the Java keytool:
      cd "C:\Program Files\RICOH\Supervisor\jre\bin"
    - Generate a local keystore file and a self-signed certificate:
      keytool -genkey -keyalg RSA -alias ricohsupervisor -keypass keystore_password -keystore "C:\Program Files\RICOH\Supervisor\ricohsupervisor-localkeystore.jks" -storepass keystore_password -validity certificate_validity -keysize 2048 -ext san=dns:localhost
      Replace keystore_password with the password that you want to set for the keystore file.
      Replace certificate_validity with the number of valid days for the certificate. For example, enter 90 for 90 days.
    - Import the generated keystore file into the Java trusted certificates store used by RICOH Supervisor Data Collector:
      keytool -importkeystore -srckeystore "C:\Program Files\RICOH\Supervisor\ricohsupervisor-localkeystore.jks" -destkeystore "C:\Program Files\RICOH\Supervisor\jre\lib\security\cacerts" -srcstorepass keystore_password -deststorepass changeit
      Replace keystore_password with the password that you set for the keystore file.
- Stop the RICOH Supervisor Data Collector service:
  - Go to Services. and double-click
  - In the list of services, right-click RICOH Supervisor Web Server and select Stop.
- Enable HTTPS:
  - Go to C:\Program Files\RICOH\Supervisor\apache-tomcat\conf and edit the server.xml file as an administrator.
  - Find this code:
    <!-- <Connector executor="tomcatThreadPool" port="19280" URIEncoding="UTF-8" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" /> -->
  - Insert this code below it:
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
               port="8443" maxThreads="200"
               scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="keystore_path" keystorePass="keystore_password"
               clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2" />
  - Replace keystore_path with the path to your keystore file. Leave the quotation marks. If you generated a self-signed certificate, use "C:\Program Files\RICOH\Supervisor\ricohsupervisor-localkeystore.jks".
  - Replace keystore_password with the password for your keystore file. Leave the quotation marks.
  - Save and close the file.
- Redirect HTTP requests to HTTPS:
  - Go to C:\Program Files\RICOH\Supervisor\apache-tomcat\conf and edit the web.xml file as an administrator.
  - Go to the last line in the file, </web-app>.
  - Insert this code right before the last line:
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Entire Application</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <!-- auth-constraint goes here if you require authentication -->
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
  - Save and close the file.
- Change the internal server address:
  - Go to C:\Program Files\RICOH\Supervisor and edit the config.json file as an administrator.
  - Replace the line
    "webAddress": "http://localhost:19280",
    with
    "webAddress": "https://localhost:8443",
  - Save and close the file.
- Start the RICOH Supervisor Data Collector service:
  - Go to Services. and double-click
  - In the list of services, right-click RICOH Supervisor Web Server and select Start.
- Verify that requests are forwarded to the secure connection:
  - Open a supported web browser window.
  - Enter this URL in the address bar:
    http://server_address:port_number/DataCollector
    where server_address is the host name or the IP address of the computer where RICOH Supervisor Data Collector is installed and port_number is the web server port.
    When the page loads, the address should change to
    https://server_address:port_number/DataCollector
When users access the system, they are redirected to the secure protocol without having to take any action themselves. However, if you use a self-signed certificate or if the certificate is not specifically tied to the server, the web browser issues a warning that the certificate is not trusted.
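The browser check above can also be scripted, together with a look at how many days the served certificate has left. The following PowerShell is an added example, not part of the RICOH documentation; the function name, the 30-day threshold, and the default ports (19280 for HTTP, 8443 for HTTPS, as used in this procedure) are assumptions.

```powershell
# Added example: live check of the HTTP-to-HTTPS redirect and certificate expiry.
# Function name, defaults and the renewal threshold are assumptions.
function Test-DataCollectorTls {
    param(
        [string]$ServerAddress = 'localhost',
        [int]$HttpPort  = 19280,
        [int]$HttpsPort = 8443,
        [int]$WarnDays  = 30    # assumed renewal threshold; adjust to your policy
    )

    # 1. Request the HTTP URL without following redirects and read Location.
    $req = [System.Net.WebRequest]::Create("http://${ServerAddress}:$HttpPort/DataCollector")
    $req.AllowAutoRedirect = $false
    $resp     = $req.GetResponse()
    $status   = [int]$resp.StatusCode
    $location = $resp.Headers['Location']
    $resp.Close()

    # 2. Complete a TLS 1.2 handshake and read the served certificate.
    #    The callback accepts any certificate so that a self-signed one can
    #    still be inspected; no application data is sent on this connection.
    $tcp = New-Object System.Net.Sockets.TcpClient($ServerAddress, $HttpsPort)
    try {
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($ServerAddress, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }

    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    [pscustomobject]@{
        HttpStatus     = $status
        RedirectsToTls = ($status -ge 300 -and $status -lt 400 -and $location -like 'https://*')
        Subject        = $cert.Subject
        NotAfter       = $cert.NotAfter
        DaysLeft       = $daysLeft
        RenewSoon      = ($daysLeft -le $WarnDays)
    }
}

Test-DataCollectorTls -ServerAddress 'localhost'
```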
Make sure that you repeat the procedure for enabling HTTPS whenever the certificate is about to expire. You must also repeat this procedure each time you run the installation process to reinstall, upgrade, or repair RICOH Supervisor Data Collector.
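After a reinstall, upgrade, or repair, a check of the three edited files shows whether the HTTPS settings are still in place. The following PowerShell is an added example, not part of the RICOH documentation; the function name is hypothetical and the script assumes the default installation path and the port 8443 connector shown in this procedure.

```powershell
# Added example: audit the three files edited in this procedure.
# $Root assumes the default installation path; the function name is hypothetical.
function Test-SupervisorHttpsConfig {
    param([string]$Root = 'C:\Program Files\RICOH\Supervisor')
    $findings = @()
    $conf = Join-Path $Root 'apache-tomcat\conf'

    # server.xml: an SSL connector on port 8443, limited to TLSv1.2, pointing
    # at a keystore that exists. Parsing as XML skips commented-out connectors.
    [xml]$server = Get-Content -Raw -LiteralPath (Join-Path $conf 'server.xml')
    $conn = $server.SelectSingleNode("//Connector[@port='8443'][@SSLEnabled='true']")
    if ($null -eq $conn) {
        $findings += 'server.xml: no SSLEnabled connector on port 8443'
    } else {
        $protocols = $conn.GetAttribute('sslEnabledProtocols')
        if ($protocols -ne 'TLSv1.2') {
            $findings += "server.xml: sslEnabledProtocols is '$protocols', expected 'TLSv1.2'"
        }
        $keystore = $conn.GetAttribute('keystoreFile')
        if (-not $keystore -or -not (Test-Path -LiteralPath $keystore)) {
            $findings += "server.xml: keystoreFile '$keystore' does not exist"
        }
    }

    # web.xml: a security-constraint on /* with CONFIDENTIAL transport.
    # local-name() is used because web.xml normally declares a default namespace.
    [xml]$web = Get-Content -Raw -LiteralPath (Join-Path $conf 'web.xml')
    $xpath = "//*[local-name()='security-constraint']" +
             "[.//*[local-name()='url-pattern'][normalize-space()='/*']]" +
             "[.//*[local-name()='transport-guarantee'][normalize-space()='CONFIDENTIAL']]"
    if ($null -eq $web.SelectSingleNode($xpath)) {
        $findings += 'web.xml: no CONFIDENTIAL security-constraint covering /*'
    }

    # config.json: matched as text so no assumption is made about nesting.
    $json = Get-Content -Raw -LiteralPath (Join-Path $Root 'config.json')
    if ($json -notmatch '"webAddress"\s*:\s*"https://localhost:8443"') {
        $findings += 'config.json: webAddress is not https://localhost:8443'
    }

    return $findings
}

$result = Test-SupervisorHttpsConfig
if ($result) { $result } else { 'HTTPS configuration is in place.' }
```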
After you repair RICOH Supervisor Data Collector, if you no longer want to enable HTTPS, you must change the internal server address back to HTTP:
- Go to C:\Program Files\RICOH\Supervisor and edit the config.json file as an administrator.
- Replace the line
  "webAddress": "https://localhost:8443",
  with
  "webAddress": "http://localhost:19280",
- Save and close the file.
- Restart the RICOH Supervisor Data Collector service.