Configuring TotalFlow BatchBuilder to use HTTPS protocol
This is the procedure for enabling HTTPS on Windows 10. There might be minor differences in other versions of Windows.
To enable HTTPS, you need a digital certificate. You can use a certificate signed by a certificate authority (CA) or a self-signed certificate.
- Important:
  - This procedure uses the Java keytool command. For details about using keytool, see the Java documentation or the documentation provided by the certificate authority.
  - If you changed the default installation path, make sure that you replace C:\Program Files\RICOH\TotalFlow BatchBuilder\ with the path where TotalFlow BatchBuilder is installed everywhere in the procedure.
  - Save copies of these files in a safe location in case you need to restore them in the future:
    C:\Program Files\RICOH\TotalFlow BatchBuilder\apache-tomcat\conf\server.xml
    C:\Program Files\RICOH\TotalFlow BatchBuilder\apache-tomcat\conf\web.xml
    C:\Program Files\RICOH\TotalFlow BatchBuilder\conf.properties
- Obtain the digital certificate and store it on the computer where TotalFlow BatchBuilder is installed.
  - To use a certificate signed by a certificate authority, follow the instructions provided by the certificate authority for obtaining a signed certificate and importing it into a keystore file.
  - To create a self-signed certificate:
    - On the computer where TotalFlow BatchBuilder is installed, open a Command Prompt window as an administrator.
    - Go to the folder that contains the Java keytool, using this command:
      cd "C:\Program Files\RICOH\TotalFlow BatchBuilder\jre\bin"
    - Generate a local keystore file and a self-signed certificate using this command:
      keytool.exe -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity certificate_validity -keysize 2048 -ext san=dns:localhost
      Replace password with the password that you want to set for the keystore file. If keytool prompts for a separate key password, press Enter to keep it the same as the keystore password: the Tomcat connector configured later in this procedure uses the keystore password for the key as well.
      Replace certificate_validity with the number of days the certificate is valid. For example, enter 90 for 90 days.
      The certificate is only accepted for the names listed in its subject alternative name (SAN) extension. Browsers and other products that connect to the server by a name or address other than localhost reject or warn about the certificate unless that name is added to the -ext san=... parameter. For example:
      - The loopback addresses for IPv4 and IPv6: ip:127.0.0.1,ip:::1
      - The hostname of the computer: dns:USER (replace USER with the hostname)
      - The IPv4 and/or IPv6 addresses of the computer: ip:User_IPv4,ip:User_IPv6 (each entry needs its own ip: prefix)
      Separate the entries with commas, for example -ext san=dns:localhost,dns:USER,ip:127.0.0.1,ip:::1
    - Export the self-signed certificate from the keystore and import it into the trust store (cacerts) of the bundled JRE, so that Java components that connect to the server over HTTPS trust it, by running these two commands:
      keytool -export -alias selfsigned -keystore "C:\Program Files\RICOH\TotalFlow BatchBuilder\jre\bin\keystore.jks" -storepass password -file "C:\Program Files\RICOH\TotalFlow BatchBuilder\jre\bin\selfsigned.crt"
      keytool -import -alias selfsigned -keystore "C:\Program Files\RICOH\TotalFlow BatchBuilder\jre\lib\security\cacerts" -storepass "changeit" -file "C:\Program Files\RICOH\TotalFlow BatchBuilder\jre\bin\selfsigned.crt"
      Replace password with the password that you set for the keystore file. changeit is the default password of the Java cacerts trust store.
- Configure the XML and .properties files:
  - Modify the C:\Program Files\RICOH\TotalFlow BatchBuilder\apache-tomcat\conf\server.xml file as follows:
    - Change the line
      <Connector port="19080" URIEncoding="UTF-8" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="19080"/>
      into
      <Connector port="19080" URIEncoding="UTF-8" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="19443"/>
    - Add the following connector after the line modified in the previous step:
      <Connector port="19443" protocol="HTTP/1.1" SSLEnabled="true" enableLookups="true" maxThreads="150" scheme="https" secure="true" keystoreFile="LOCATION_OF_KEYSTORE_FILE" keystorePass="KEYSTORE_PASSWORD" clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"/>
      Replace LOCATION_OF_KEYSTORE_FILE with the full path of the keystore file (for example C:\Program Files\RICOH\TotalFlow BatchBuilder\jre\bin\keystore.jks) and KEYSTORE_PASSWORD with the keystore password. The password is stored in clear text in server.xml, so restrict read access to the file to administrators and the account that runs the TotalFlow BatchBuilder service.
  - Modify the C:\Program Files\RICOH\TotalFlow BatchBuilder\apache-tomcat\conf\web.xml file as follows: add the following section immediately before the closing </web-app> tag at the end of the file. This constraint is what makes Tomcat redirect plain HTTP requests to the redirectPort configured above:
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Secured</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
  - Modify the C:\Program Files\RICOH\TotalFlow BatchBuilder\conf.properties file as follows:
    - replace http with https
    - replace 19080 with 19443
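The three edits above only work together: the HTTP connector's redirectPort, the TLS connector on that port, and the CONFIDENTIAL constraint in web.xml must agree, and the placeholder keystore values must have been replaced. The following script is an added example, not part of TotalFlow BatchBuilder or its documentation; it parses server.xml and web.xml and reports any of these mismatches. The default conf directory and the constructed sample fragments are assumptions based on the procedure.

```python
"""Sanity-check the Tomcat HTTPS settings from the procedure above.

Added example; not part of TotalFlow BatchBuilder or its documentation.
Checks that the HTTP connector's redirectPort, a TLS connector on that port,
and the CONFIDENTIAL constraint in web.xml agree with each other.
"""
import os
import sys
import xml.etree.ElementTree as ET

HTTP_PORT = "19080"
HTTPS_PORT = "19443"
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Assumed default location from the procedure.
DEFAULT_CONF = r"C:\Program Files\RICOH\TotalFlow BatchBuilder\apache-tomcat\conf"


def check_server_xml(xml_text):
    """Return a list of findings for server.xml; an empty list means it looks right."""
    findings = []
    connectors = {c.get("port"): c for c in ET.fromstring(xml_text).iter("Connector")}
    http = connectors.get(HTTP_PORT)
    if http is None:
        findings.append(f"no HTTP connector on port {HTTP_PORT}")
    elif http.get("redirectPort") != HTTPS_PORT:
        findings.append(f"redirectPort is {http.get('redirectPort')!r}, expected {HTTPS_PORT}")
    tls = connectors.get(HTTPS_PORT)
    if tls is None:
        findings.append(f"no HTTPS connector on port {HTTPS_PORT}")
        return findings
    if (tls.get("SSLEnabled"), tls.get("secure"), tls.get("scheme")) != ("true", "true", "https"):
        findings.append("HTTPS connector needs SSLEnabled=true, secure=true and scheme=https")
    enabled = {p.strip() for p in tls.get("sslEnabledProtocols", "").split(",") if p.strip()}
    if not enabled:
        findings.append("sslEnabledProtocols not set; the Tomcat default may allow older TLS versions")
    elif enabled & WEAK_PROTOCOLS:
        findings.append(f"weak protocols enabled: {sorted(enabled & WEAK_PROTOCOLS)}")
    for attr, placeholder in (("keystoreFile", "LOCATION_OF_KEYSTORE_FILE"),
                              ("keystorePass", "KEYSTORE_PASSWORD")):
        if tls.get(attr, placeholder) == placeholder:
            findings.append(f"{attr} is missing or still holds the placeholder value")
    return findings


def _local(tag):
    """Strip the XML namespace that web.xml declares, so we can match on local names."""
    return tag.rsplit("}", 1)[-1]


def check_web_xml(xml_text):
    """Return findings for web.xml; a CONFIDENTIAL transport guarantee on /* is required."""
    for sc in ET.fromstring(xml_text).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns = [(e.text or "").strip() for e in sc.iter() if _local(e.tag) == "url-pattern"]
        guarantees = [(e.text or "").strip() for e in sc.iter() if _local(e.tag) == "transport-guarantee"]
        if "/*" in patterns and "CONFIDENTIAL" in guarantees:
            return []
    return ["no security-constraint with url-pattern /* and transport-guarantee CONFIDENTIAL"]


# Constructed fragments for a self-test: the connector line before the change,
# the corrected pair (weak variant alongside), and web.xml with and without the constraint.
SERVER_XML_BEFORE = """<Server><Service name="Catalina">
<Connector port="19080" URIEncoding="UTF-8" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="19080"/>
</Service></Server>"""
SERVER_XML_OK = """<Server><Service name="Catalina">
<Connector port="19080" URIEncoding="UTF-8" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="19443"/>
<Connector port="19443" protocol="HTTP/1.1" SSLEnabled="true" enableLookups="true" maxThreads="150" scheme="https" secure="true" keystoreFile="C:/keys/keystore.jks" keystorePass="s3cret" clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"/>
</Service></Server>"""
SERVER_XML_WEAK = SERVER_XML_OK.replace('sslEnabledProtocols="TLSv1.2"', 'sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"')
WEB_XML_OK = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
<security-constraint><web-resource-collection><web-resource-name>Secured</web-resource-name>
<url-pattern>/*</url-pattern></web-resource-collection><user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint></security-constraint>
</web-app>"""
WEB_XML_MISSING = '<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1"></web-app>'


def check_files(conf_dir=DEFAULT_CONF):
    """Run both checks against the real files and return all findings."""
    with open(os.path.join(conf_dir, "server.xml"), "rb") as f:
        findings = check_server_xml(f.read())
    with open(os.path.join(conf_dir, "web.xml"), "rb") as f:
        findings += check_web_xml(f.read())
    return findings


if __name__ == "__main__":
    problems = check_files(sys.argv[1] if len(sys.argv) > 1 else DEFAULT_CONF)
    print("\n".join(problems) if problems else "HTTPS configuration looks consistent")
```

Run it before restarting the service; a finding such as "redirectPort is '19080'" means the first server.xml edit was skipped, and "no security-constraint" means the redirect will never fire even though the TLS connector is listening.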
- Restart the TotalFlow BatchBuilder service.
- Verify that requests are forwarded to the secure connection:
  - Open a supported web browser window.
  - Enter this URL in the address bar: http://server_address:port_number/BatchBuilder
    where server_address is the hostname or the IP address of the computer where Ricoh TotalFlow BatchBuilder is installed and port_number is the web service port (19080 by default).
    When the page loads, the address should change to https://server_address:19443/BatchBuilder.
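The browser test confirms the redirect but says little about the certificate itself. The following script is an added example, not part of the product or its documentation; it performs the same check from the command line and then handshakes with port 19443 allowing TLS 1.2 or newer only, trusting only the selfsigned.crt exported in the keytool step, and reports whether the certificate's subject alternative names cover the name used to connect and how many days remain before it expires (the two conditions the notes below and the renewal reminder are about). Host, ports, the certificate path and the constructed SAMPLE_CERT are assumptions based on the procedure.

```python
"""Client-side check of a TotalFlow BatchBuilder HTTPS deployment.

Added example; not part of the product or its documentation. Host, ports, the
exported certificate path and SAMPLE_CERT are assumptions based on the procedure.
"""
import http.client
import ipaddress
import socket
import ssl
import sys
import time
from urllib.parse import urlsplit, urlunsplit

HTTP_PORT = 19080
HTTPS_PORT = 19443
APP_PATH = "/BatchBuilder"
DEFAULT_CERT = r"C:\Program Files\RICOH\TotalFlow BatchBuilder\jre\bin\selfsigned.crt"

# Constructed sample in the shape SSLSocket.getpeercert() returns, for offline checks.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "localhost"), ("IP Address", "127.0.0.1"),
                       ("IP Address", "0:0:0:0:0:0:0:1")),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def expected_https_url(http_url):
    """Map http://host:19080/BatchBuilder to the https URL the redirect should point at."""
    parts = urlsplit(http_url)
    host = f"[{parts.hostname}]" if ":" in parts.hostname else parts.hostname
    return urlunsplit(("https", f"{host}:{HTTPS_PORT}", parts.path, parts.query, ""))


def redirect_ok(status, location, http_url):
    """True when the HTTP connector answered with a redirect to the expected https URL."""
    return status in (301, 302, 303, 307, 308) and location == expected_https_url(http_url)


def cert_matches_host(cert, host):
    """True when host appears in subjectAltName as a DNS or IP entry.

    IP entries are compared as addresses, so "0:0:0:0:0:0:0:1" matches "::1".
    """
    try:
        wanted_ip = ipaddress.ip_address(host)
    except ValueError:
        wanted_ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and wanted_ip is None and value.lower() == host.lower():
            return True
        if kind == "IP Address" and wanted_ip is not None:
            try:
                if ipaddress.ip_address(value) == wanted_ip:
                    return True
            except ValueError:
                continue
    return False


def days_remaining(cert, now=None):
    """Whole days until the certificate's notAfter; negative once it has expired."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return int((expires - now) // 86400)


def check_redirect(host):
    """Return (status, Location header, ok) for a plain HTTP request to the app."""
    conn = http.client.HTTPConnection(host, HTTP_PORT, timeout=10)
    conn.request("GET", APP_PATH)
    resp = conn.getresponse()
    location = resp.getheader("Location")
    conn.close()
    return resp.status, location, redirect_ok(resp.status, location, f"http://{host}:{HTTP_PORT}{APP_PATH}")


def trust_context(cert_file):
    """Context that trusts only the exported certificate and refuses TLS below 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Name matching is done by cert_matches_host so a mismatch is reported rather than
    # aborting the handshake; the chain itself is still verified (CERT_REQUIRED).
    ctx.check_hostname = False
    with open(cert_file, "rb") as f:
        data = f.read()
    # keytool -export writes DER unless -rfc is given; cadata accepts either form.
    ctx.load_verify_locations(cadata=data.decode("ascii") if data.startswith(b"-----BEGIN") else data)
    return ctx


def check_tls(host, cert_file=DEFAULT_CERT):
    """Handshake with the HTTPS connector and summarise what the server presented."""
    ctx = trust_context(cert_file)
    with socket.create_connection((host, HTTPS_PORT), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert, version = tls.getpeercert(), tls.version()
    return {"protocol": version, "san_ok": cert_matches_host(cert, host),
            "days_left": days_remaining(cert), "subject": cert.get("subject")}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print("redirect:", check_redirect(target))
    try:
        print("tls:", check_tls(target, sys.argv[2] if len(sys.argv) > 2 else DEFAULT_CERT))
    except ssl.SSLError as err:
        print("tls handshake failed (untrusted or expired certificate?):", err)
```

Run it as `python check_https.py server_address` from another machine as well as from localhost: a san_ok of False for the name users actually type is exactly the case that produces the browser warning described in the notes, and a falling days_left tells you when the procedure has to be repeated.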
Make sure that you repeat the procedure for enabling HTTPS whenever the certificate is about to expire. You must also repeat this procedure each time you run the installation process to reinstall, upgrade, or repair TotalFlow BatchBuilder.
After you repair TotalFlow BatchBuilder, if you no longer want to enable HTTPS, you must change the internal server address back to HTTP:
- Go to C:\Program Files\RICOH\TotalFlow BatchBuilder and edit the conf.properties file as an administrator.
- Replace the line "web.address": "https://server_address:19443/BatchBuilder" with "webAddress": "http://server_address:19080/BatchBuilder".
- Save and close the file.
- Restart the TotalFlow BatchBuilder service.
- Note:
  - When TotalFlow BatchBuilder exchanges data with other products over HTTPS, some functions, such as status tracking, might not work unless both sides present a certificate issued by a trusted CA, or each product's certificate is imported into the other product's cacerts trust store.
  - When users access the system, they are redirected to the secure protocol without having to take any action themselves. However, if you use a self-signed certificate, or if the certificate's subject alternative names do not include the hostname or IP address that users enter, the web browser warns that the certificate is not trusted.