Enabling HTTPS on Windows Servers

This procedure provides the steps for enabling HTTPS on Windows 10. There might be minor differences in other versions of Windows.
To enable HTTPS, you need a digital certificate. You can use a certificate signed by a certificate authority (CA) or a self-signed certificate.
    Important:
  • This procedure uses the Java keytool command. For details about using keytool, see the Java documentation or the documentation provided by the certificate authority.
  • If you changed the default installation path, make sure that you replace C:\Program Files\RICOH\Supervisor\ with the path where Ricoh Supervisor Data Collector is installed everywhere in the procedure.
  • Save copies of these files in a safe location in case you need to restore them in the future:
    • C:\Program Files\RICOH\Supervisor\apache-tomcat\conf\server.xml
    • C:\Program Files\RICOH\Supervisor\apache-tomcat\conf\web.xml
    • C:\Program Files\RICOH\Supervisor\config.json
  1. Obtain the digital certificate and store it on the computer where Ricoh Supervisor Data Collector is installed.
    • To use a certificate signed by a certificate authority:
      1. Follow the instructions provided by the certificate authority for obtaining a signed certificate and importing it into a keystore file.
      2. Copy the keystore file to the computer where Ricoh Supervisor Data Collector is installed. Make sure that you know the password for the keystore file.
      3. Open a Command Prompt window as an administrator.
      4. Go to the folder that contains the Java keytool:
        cd "C:\Program Files\RICOH\Supervisor\jre\bin"
      5. Import the keystore file into the Java trusted certificates store used by Ricoh Supervisor Data Collector:
        keytool -importkeystore -srckeystore "keystore_path" -destkeystore "C:\Program Files\RICOH\Supervisor\jre\lib\security\cacerts" -srcstorepass keystore_password -deststorepass changeit

        Replace keystore_path with the path to your keystore file. Leave the quotation marks.

        Replace keystore_password with the password for your keystore file.

    • To create a self-signed certificate:
      1. On the computer where Ricoh Supervisor Data Collector is installed, open a Command Prompt window as an administrator.
      2. Go to the folder that contains the Java keytool:
        cd "C:\Program Files\RICOH\Supervisor\jre\bin"
      3. Generate a local keystore file and a self-signed certificate:
        keytool -genkey -keyalg RSA -alias ricohsupervisor -keypass keystore_password -keystore "C:\Program Files\RICOH\Supervisor\ricohsupervisor-localkeystore.jks" -storepass keystore_password -validity certificate_validity -keysize 2048 -ext san=dns:localhost

        Replace keystore_password with the password that you want to set for the keystore file.

        Replace certificate_validity with the number of valid days for the certificate. For example, enter 90 for 90 days.

      4. Import the generated keystore file into the Java trusted certificates store used by Ricoh Supervisor Data Collector:
        keytool -importkeystore -srckeystore "C:\Program Files\RICOH\Supervisor\ricohsupervisor-localkeystore.jks" -destkeystore "C:\Program Files\RICOH\Supervisor\jre\lib\security\cacerts" -srcstorepass keystore_password -deststorepass changeit

        Replace keystore_password with the password that you set for the keystore file.

  2. Stop the Ricoh Supervisor Data Collector service:
    1. Go to Control PanelAdministrative Tools and double-click Services.
    2. In the list of services, right-click RICOH Supervisor Web Server and select Stop.
  3. Enable HTTPS:
    1. Go to C:\Program Files\RICOH\Supervisor\apache-tomcat\conf and edit the server.xml file as an administrator.
    2. Find this code:
      <!--
      <Connector executor="tomcatThreadPool"
       	port="19280"  URIEncoding="UTF-8" protocol="HTTP/1.1"
      	connectionTimeout="20000"
       	redirectPort="8443" />
      -->
    3. Insert this code below it:
      <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" 
      	port="8443" maxThreads="200" scheme="https" secure="true" 
      	SSLEnabled="true" keystoreFile="keystore_path" 
      	keystorePass="keystore_password" clientAuth="false" 
      	sslProtocol="TLS" sslEnabledProtocols="TLSv1.2" />
    4. Replace keystore_path with the path to your keystore file. Leave the quotation marks.
      If you generated a self-signed certificate, use "C:\Program Files\RICOH\Supervisor\ricohsupervisor-localkeystore.jks".
    5. Replace keystore_password with the password for your keystore file. Leave the quotation marks.
    6. Save and close the file.
  4. Redirect HTTP requests to HTTPS:
    1. Go to C:\Program Files\RICOH\Supervisor\apache-tomcat\conf and edit the web.xml file as an administrator.
    2. Go to the last line in the file, </web-app>.
    3. Insert this code right before the last line:
      <security-constraint>
      	<web-resource-collection>
      		<web-resource-name>Entire Application</web-resource-name>
      		<url-pattern>/*</url-pattern>
      	</web-resource-collection>
      	<!-- auth-constraint goes here if you require authentication -->
      	<user-data-constraint>
      		<transport-guarantee>CONFIDENTIAL</transport-guarantee>
      	</user-data-constraint>
      </security-constraint>
    4. Save and close the file.
  5. Change the internal server address:
    1. Go to C:\Program Files\RICOH\Supervisor and edit the config.json file as an administrator.
    2. Replace the line "webAddress": "http://localhost:19280", with "webAddress": "https://localhost:8443",.
    3. Save and close the file.
  6. Start the Ricoh Supervisor Data Collector service:
    1. Go to Control PanelAdministrative Tools and double-click Services.
    2. In the list of services, right-click RICOH Supervisor Web Server and select Start.
  7. Verify that requests are forwarded to the secure connection:
    1. Open a supported web browser window.
    2. Enter this URL in the address bar:

      http://server_address:port_number/DataCollector

      where server_address is the hostname or the IP address of the computer where Ricoh Supervisor Data Collector is installed and port_number is the web service port.

      When the page loads, the address should change to https://server_address:port_number/DataCollector.

When users access the system, they are redirected to the secure protocol without having to take any action themselves. However, if you use a self-signed certificate or if the certificate is not specifically tied to the server, the web browser issues a warning that the certificate is not trusted.

Make sure that you repeat the procedure for enabling HTTPS whenever the certificate is about to expire. You must also repeat this procedure each time you run the installation process to reinstall, upgrade, or repair Ricoh Supervisor Data Collector.

After you repair Ricoh Supervisor Data Collector, if you no longer want to enable HTTPS, you must change the internal server address back to HTTP:

  1. Go to C:\Program Files\RICOH\Supervisor and edit the config.json file as an administrator.
  2. Replace the line "webAddress": "https://localhost:8443", with "webAddress": "http://localhost:19280",.
  3. Save and close the file.
  4. Restart the Ricoh Supervisor Data Collector service.