Configuring TotalFlow BatchBuilder to use the HTTPS protocol
This is the procedure for enabling HTTPS on Windows 10. There might be minor differences in other versions of Windows.
To enable HTTPS, you need a digital certificate. You can use a certificate signed by a certificate authority (CA) or a self-signed certificate.
Important:
- This procedure uses the Java keytool command. For details about using keytool, see the Java documentation or the documentation provided by the certificate authority.
- If you changed the default installation path, make sure that you replace C:\Program Files\RICOH\TotalFlow BatchBuilder\ with the path where TotalFlow BatchBuilder is installed everywhere in the procedure.
- Save copies of these files in a safe location in case you need to restore them in the future:
  C:\Program Files\RICOH\TotalFlow BatchBuilder\apache-tomcat\conf\server.xml
  C:\Program Files\RICOH\TotalFlow BatchBuilder\apache-tomcat\conf\web.xml
  C:\Program Files\RICOH\TotalFlow BatchBuilder\conf.properties
- Obtain the digital certificate and store it on the computer where TotalFlow BatchBuilder is installed.
  - To use a certificate signed by a certificate authority, follow the instructions provided by the certificate authority for obtaining a signed certificate and importing it into a keystore file.
  - To create a self-signed certificate:
    - On the computer where TotalFlow BatchBuilder is installed, open a Command Prompt window as an administrator.
    - Generate a local keystore file and a self-signed certificate using this command:
      "C:\Program Files\RICOH\TotalFlow BatchBuilder\jre\bin\keytool" -genkey -keyalg RSA -alias selfsigned -keystore "C:\Program Files\RICOH\TotalFlow BatchBuilder\keystore.jks" -storepass password -validity certificate_validity -keysize 2048 -ext san=dns:localhost
      Replace password with the password that you want to set for the keystore file.
      Replace certificate_validity with the number of days the certificate is valid. For example, enter 90 for 90 days.
      For the certificate to be accepted when clients connect with a name or address other than localhost, add those names and addresses to the "-ext san=..." parameter (each entry is prefixed with its type, and entries are separated by commas). For example:
      - Variants for localhost covering the loopback address for IPv4 and IPv6: ip:127.0.0.1,ip:::1
      - Variant for the host name: dns:USER
      - IPv4 and/or IPv6 addresses of the computer in IP format: ip:User_IPv4,ip:User_IPv6
    - Export the certificate from the generated keystore file and import it into the Java trust store (cacerts) by running these two commands:
      "C:\Program Files\RICOH\TotalFlow BatchBuilder\jre\bin\keytool" -export -alias selfsigned -keystore "C:\Program Files\RICOH\TotalFlow BatchBuilder\keystore.jks" -storepass password -file "C:\Program Files\RICOH\TotalFlow BatchBuilder\selfsigned.crt"
      Replace password with the password that you set for the keystore file.
      "C:\Program Files\RICOH\TotalFlow BatchBuilder\jre\bin\keytool" -import -alias selfsigned -keystore "C:\Program Files\RICOH\TotalFlow BatchBuilder\jre\lib\security\cacerts" -storepass "changeit" -file "C:\Program Files\RICOH\TotalFlow BatchBuilder\selfsigned.crt"
- Configure the XML and .properties files.
  - Modify the C:\Program Files\RICOH\TotalFlow BatchBuilder\apache-tomcat\conf\server.xml file as follows:
    - Change the line
      <Connector port="19080" URIEncoding="UTF-8" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" maxParameterCount="1000"/>
      into
      <Connector port="19080" URIEncoding="UTF-8" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="19443"/>
    - Add the following section after the line modified in the previous step:
      <Connector port="19443" protocol="HTTP/1.1" SSLEnabled="true" enableLookups="true" maxThreads="150" scheme="https" secure="true" keystoreFile="LOCATION_OF_KEYSTORE_FILE" keystorePass="KEYSTORE_PASSWORD" clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"/>
      Replace LOCATION_OF_KEYSTORE_FILE with the path for the keystore file and KEYSTORE_PASSWORD with the password that you set for the keystore file.
  - Modify the C:\Program Files\RICOH\TotalFlow BatchBuilder\apache-tomcat\conf\web.xml file as follows:
    - Add the following section before </web-app> (which is at the end of the file):
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Secured</web-resource-name>
          <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
      </security-constraint>
  - Modify the C:\Program Files\RICOH\TotalFlow BatchBuilder\conf.properties file as follows:
    - Replace http with https.
    - Replace 19080 with 19443.
- Restart the TotalFlow BatchBuilder service.
- Verify that requests are forwarded to the secure connection:
  - Open a supported web browser window.
  - Clear the web browser cache.
  - Enter this URL in the address bar:
    http://server_address:port_number/BatchBuilder
    where server_address is the host name or the IP address of the computer where TotalFlow BatchBuilder is installed and port_number is the web service port.
    When the page loads, the address should change to https://server_address:19443/BatchBuilder.
However, if you use a self-signed certificate, or if the certificate is not issued for the name or address that you use to reach the server, the web browser displays a warning that the certificate is not trusted. To solve the issue, you can import the certificate into the Windows trusted certificate store:
- Go to the TotalFlow BatchBuilder installation folder.
- Right-click the certificate and select Install Certificate.
The Certificate Import Wizard starts.
- On the Welcome to the Certificate Import Wizard screen, click Next.
- On the Certificate Store screen, select the Place all certificates in the following store option and click Browse.
- In the Select Certificate Store dialog, select the Trusted Root Certification Authorities store and click OK.
- Click Next.
- On the Completing the Certificate Import Wizard screen, click Finish.
Make sure that you repeat the procedure for enabling HTTPS whenever the certificate is about to expire.
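The following script is an added example, not part of the Ricoh procedure, for checking the outcome of the steps above from an administrator's workstation: that plain HTTP on port 19080 is redirected to https://server_address:19443/BatchBuilder, that the certificate presented on 19443 names the address clients actually use, which TLS version was negotiated, and how many days remain before the certificate expires. It assumes the ports and path from this page and uses the exported selfsigned.crt (or your CA bundle) as the trust anchor; the function names are hypothetical.

```python
import http.client
import socket
import ssl
import time

HTTP_PORT, HTTPS_PORT = 19080, 19443  # ports configured in server.xml above
PATH = "/BatchBuilder"


def expected_https_url(server_address):
    return f"https://{server_address}:{HTTPS_PORT}{PATH}"


def redirect_is_secure(status, location, server_address):
    """True if the plain-HTTP reply redirects to the HTTPS URL the procedure expects."""
    return (status in (301, 302, 303, 307, 308) and location is not None
            and location.startswith(expected_https_url(server_address)))


def cert_covers_host(cert, server_address):
    """True if the subjectAltName of a getpeercert() dict names the address clients use."""
    sans = cert.get("subjectAltName", ())
    return any(kind in ("DNS", "IP Address") and value == server_address for kind, value in sans)


def cert_days_remaining(cert, now=None):
    """Days until notAfter; repeat the HTTPS procedure before this reaches zero."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400


def check_server(server_address, ca_file):
    """Live check against a running instance (hypothetical helper); returns a dict of findings."""
    # 1. The CONFIDENTIAL constraint in web.xml must bounce plain HTTP to HTTPS.
    conn = http.client.HTTPConnection(server_address, HTTP_PORT, timeout=10)
    conn.request("GET", PATH)
    resp = conn.getresponse()
    redirected = redirect_is_secure(resp.status, resp.getheader("Location"), server_address)
    conn.close()
    # 2. The 19443 connector must present a certificate chaining to ca_file (selfsigned.crt
    #    exported by keytool, or the CA bundle). Hostname matching is done by cert_covers_host
    #    so a mismatch is reported as a finding rather than raised as an exception.
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED: chain and expiry are verified
    with ctx.wrap_socket(socket.create_connection((server_address, HTTPS_PORT), timeout=10),
                         server_hostname=server_address) as tls:
        cert, version = tls.getpeercert(), tls.version()
    return {"redirected": redirected, "hostname_ok": cert_covers_host(cert, server_address),
            "tls_version": version, "days_left": cert_days_remaining(cert)}
```

Run it as `check_server("localhost", r"C:\Program Files\RICOH\TotalFlow BatchBuilder\selfsigned.crt")`; a False value for redirected or hostname_ok points at the web.xml constraint or the "-ext san=..." entries respectively.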
After you repair TotalFlow BatchBuilder, if you no longer want to enable HTTPS, you must change the internal server address back to HTTP:
- Go to C:\Program Files\RICOH\TotalFlow BatchBuilder and edit the conf.properties file as an administrator.
- Replace the line
  "web.address": "https://server_address:19443/BatchBuilder"
  with
  "webAddress": "http://server_address:19080/BatchBuilder"
- Save and close the file.
- Restart the TotalFlow BatchBuilder service.
- Clear the web browser cache.