M.App Enterprise Discussions

Discuss topics with other M.App Enterprise Product pioneers and experts to get the most out of it.
Super Contributor
Posts: 449
Registered: 10-12-2015

Setting up SSL for newbies

My first install of LuciadFusion and first use of the Java keychain to set up SSL - hopefully this will help other newbies.

I set up LuciadFusion on port 444 on an existing MAE server (I know, highly not recommended, but it is a play pen).


From MAE Studio, which is set up with https, I clicked the Fusion Studio link and got ERR_SSL_PROTOCOL_ERROR in Chrome when Fusion Studio also launched using https.
In the LuciadFusion log I found:
2019-12-05 13:10:30.229 WARN 3496 --- [tp2105723478-19] org.eclipse.jetty.http.HttpParser : Illegal character 0x16 in state=START for buffer HeapByteBuffer@57cc517e[p=1,l=517,c=8192,r=516]={\x16<<<\x03\x01\x02\x00\x01\x00\x01\xFc\x03\x03w&\xDb\xA2\xFe\x14\xB5...\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00>>>\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00...\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00}
A bit of googling indicated that this means SSL is not configured and therefore LuciadFusion is talking http instead of https. Cross ref to https://community.hexagongeospatial.com/t5/M-App-Enterprise-Tutorials/Installing-Luciad-Fusion-for-M... where a brief section indicates SSL has to be set up manually.
To verify, I manually changed https to http in the Fusion Studio URL in the browser and Fusion Studio came up.


Next step - adding SSL certificate.
My next newbie mistake was that I imported only my existing purchased CA SSL certificate, which works fine for IIS/MAE, into the keystore. That resulted in the error ERR_SSL_VERSION_OR_CIPHER_MISMATCH in Chrome. The LuciadFusion logs didn't show anything - it seemed happy.
After more googling I discovered that the problem in this scenario was you need the private key, the intermediate and root certificates and the SSL certificate in the keystore. Importing just the SSL certificate didn't cut the mustard.


This next bit is fairly specific to those who have an existing SSL certificate in IIS and are extracting it to a keystore for use with LuciadFusion. In my case I'm running on Windows Core, so I'm using PowerShell for that sort of work.
PowerShell:
# Export the SSL cert along with its private key and the intermediate and root certs
# List the machine store to find the thumbprint of the SSL certificate
dir cert:\LocalMachine\My
$mypwd = ConvertTo-SecureString -String "SuperSecretPwd" -Force -AsPlainText
# Update the path below with the thumbprint of the SSL cert identified above;
# -ChainOption BuildChain puts the intermediate and root certs into the pfx as well
Get-ChildItem -Path cert:\LocalMachine\My\4C11B3B1584BBA94109649EEA2F1ED30D255425B | Export-PfxCertificate -FilePath C:\temp\mypfx.pfx -Password $mypwd -ChainOption BuildChain
So I now have .pfx with private key, intermediate & root keys and the actual SSL cert.


Next create a new keystore by importing the pfx:
# Import the pfx into a (new) keystore.p12 with dest alias tomcat; delete any old keystore first
del keystore.p12
keytool -importkeystore -srckeystore mypfx.pfx -srcstoretype pkcs12 -destalias tomcat -deststoretype PKCS12 -destkeystore keystore.p12 -deststorepass SuperSecretStorePwd -srcstorepass SuperSecretPwd -srcalias tq-bac56d24-7225-4b5a-b0af-e232297f33f3
[I got the srcalias by importing into the keystore without specifying any src or dest alias, querying the keystore with keytool -list -v -keystore to get the alias, then recreating the keystore to change the alias to tomcat. I know parts of LuciadFusion have problems with - in the .yml files; not sure if this would be one of them, so I decided to play safe and change the alias]

Hopefully someone can post a simple example or site ref for setting up a keystore on a server that is dedicated to LuciadFusion, to save us newbies a bit of head scratching.


Next copy keystore.p12 to c:\Program Files\Hexagon\LuciadFusion\resources:
Copy keystore.p12 "c:\Program Files\Hexagon\LuciadFusion\resources"

Then edit c:\Program Files\Hexagon\LuciadFusion\resources\application-fusion.production.yml
Add the following under the existing server.port entry:
server.ssl.key-store: classpath:keystore.p12
server.ssl.key-store-password: SuperSecretStorePwd
server.ssl.keyStoreType: PKCS12
server.ssl.keyAlias: tomcat

[Screenshot: fusion-ssl-yml.png]

Reboot the server and, all going well, Fusion Studio will work under SSL.
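As an added example (not code from the post above), the export and import steps scripted end to end in PowerShell, with a check for the mistake described earlier: a keystore that holds only the leaf certificate. The thumbprint, passwords and paths are placeholders to replace, and keytool is assumed to be on the PATH.

```powershell
# Added example: build a PKCS12 keystore for LuciadFusion from an IIS certificate
# and verify it contains the private key plus the full chain. Values below are placeholders.
$Thumbprint   = 'REPLACE_WITH_CERT_THUMBPRINT'
$PfxPath      = 'C:\temp\mypfx.pfx'
$KeystorePath = 'C:\temp\keystore.p12'
$PfxPwd       = 'SuperSecretPwd'        # placeholder, use a real secret
$StorePwd     = 'SuperSecretStorePwd'   # placeholder, goes into application-fusion.production.yml

$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key in the machine store" }

# Show the chain Windows can build; intermediates and root must be installed for BuildChain to work
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) { throw "Chain build failed: $($chain.ChainStatus.StatusInformation)" }
$chain.ChainElements | ForEach-Object { "chain element: " + $_.Certificate.Subject }

# Export leaf + private key + chain (importing the leaf alone is what produced ERR_SSL_VERSION_OR_CIPHER_MISMATCH)
$securePfxPwd = ConvertTo-SecureString -String $PfxPwd -Force -AsPlainText
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $securePfxPwd -ChainOption BuildChain -Force | Out-Null

# Read the pfx alias instead of guessing it; keytool -list prints "<alias>, <date>, PrivateKeyEntry,"
$listing    = & keytool -list -keystore $PfxPath -storetype PKCS12 -storepass $PfxPwd
$aliasMatch = $listing | Select-String -Pattern '^(.+?),\s.*PrivateKeyEntry' | Select-Object -First 1
if (-not $aliasMatch) { throw "No PrivateKeyEntry found in $PfxPath" }
$srcAlias = $aliasMatch.Matches[0].Groups[1].Value

# Re-import under the alias 'tomcat' that the yml will reference
if (Test-Path $KeystorePath) { Remove-Item $KeystorePath }
& keytool -importkeystore -srckeystore $PfxPath -srcstoretype PKCS12 -srcstorepass $PfxPwd -srcalias $srcAlias `
          -destkeystore $KeystorePath -deststoretype PKCS12 -deststorepass $StorePwd -destalias tomcat
if ($LASTEXITCODE -ne 0) { throw "keytool -importkeystore failed" }

# Verify: the entry's chain must be longer than 1 (leaf plus at least one CA certificate)
$verbose  = & keytool -list -v -keystore $KeystorePath -storetype PKCS12 -storepass $StorePwd
$lenMatch = $verbose | Select-String -Pattern 'Certificate chain length:\s*(\d+)' | Select-Object -First 1
if (-not $lenMatch) { throw "Could not read the chain length from keytool output" }
$len = [int]$lenMatch.Matches[0].Groups[1].Value
if ($len -lt 2) { throw "Keystore holds only the leaf certificate (chain length $len); browsers will reject it" }
"keystore.p12 OK: alias tomcat, chain length $len"
```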

Super Contributor
Posts: 449
Registered: 10-12-2015

Re: Setting up SSL for newbies

Also, to reiterate suggestions by esalgadoe at https://community.hexagongeospatial.com/t5/M-App-Enterprise-Discussions/quot-Error-while-loading-des... and GS_Fritz at https://community.hexagongeospatial.com/t5/M-App-Enterprise-Discussions/Hexagon-App-Launcher-fails-t..., for the GeoProcessing and MAE servers that are internet facing you can use https://letsencrypt.org/ for valid, free SSL certs. And once set up they self-renew. Cool.


At time of writing:

Download the win-acme utility for creating letsencrypt certs on IIS from https://github.com/PKISharp/win-acme/ and extract it to a known folder, e.g. C:\Utils\SSLGeneration\win-acme.v2.1.0.539.x64.pluggable

In IIS add the hostname mypublicname.xx.xx to the existing port 80 binding

[Screenshot: site-binding-http.png]

Don't create a binding for 443 (the app below will do that)


cd C:\Utils\SSLGeneration\win-acme.v2.1.0.539.x64.pluggable

Wacs.exe

N (for new certificate)

2 (All bindings of an IIS website)

1 (Default web site)


Wacs generated the SSL certificate, created the IIS 443 binding for that certificate and set up a scheduled task to auto-renew the SSL certificate.

Note: the free certificates expire every 1-2 months. Wacs set up a scheduled job to auto-renew the certificates, so it should be truly set and forget - hopefully one less administrative hassle.

[Screenshot: win-acme-scheduled-task.png]

Hint: if you are using AWS you can't use the AWS public name ec2-xx-xx-xx-xxx.ap-xxxxxx-x.compute.amazonaws.com with letsencrypt.


I have not explored yet whether the same can be done for the LuciadFusion keystore, as I had an existing cert; hope so.
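An added example, not part of the post, that probes an HTTPS endpoint the way a browser would and reports the negotiated protocol, the certificate chain the client could build, validation errors and days to expiry. It serves both the win-acme site here and the LuciadFusion keystore from the first post; host name, port and warning threshold are placeholders.

```powershell
# Added example: TLS probe of an endpoint (the IIS site on 443, or LuciadFusion on 444)
# reporting the negotiated protocol, the chain the client could build, validation errors and expiry.
$TargetHost = 'mypublicname.xx.xx'   # placeholder: the public host name on the certificate
$Port       = 443                    # use 444 to check the LuciadFusion keystore
$WarnDays   = 14                     # short-lived certs: warn well before the renewal window closes

$script:chainSubjects = @()
$script:chainErrors   = 'not validated'
$onValidate = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $sslPolicyErrors)
    # Record what the client could verify; return $true so the handshake completes and we can report on it
    $script:chainSubjects = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    $script:chainErrors   = "$sslPolicyErrors"
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($TargetHost, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $onValidate)
try {
    # Sends SNI for $TargetHost as a browser would; throws if the port only speaks plain http
    $ssl.AuthenticateAsClient($TargetHost)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "Protocol: $($ssl.SslProtocol)  Cipher: $($ssl.CipherAlgorithm)"
    "Leaf:     $($leaf.Subject)  expires $($leaf.NotAfter)"
    "Chain:    $($script:chainSubjects -join ' -> ')"
    "Errors:   $script:chainErrors"
    $daysLeft = [int]($leaf.NotAfter - (Get-Date)).TotalDays
    if ($script:chainErrors -ne 'None') { Write-Warning "Validation problem: $script:chainErrors (missing intermediates or name mismatch?)" }
    if ($script:chainSubjects.Count -lt 2) { Write-Warning "Only the leaf certificate could be chained; check the intermediates in the keystore" }
    if ($daysLeft -lt $WarnDays) { Write-Warning "Certificate expires in $daysLeft days; check the renewal task" }
}
finally { $ssl.Dispose(); $tcp.Dispose() }
```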


Staff
Posts: 1,065
Registered: 10-18-2015

Re: Setting up SSL for newbies

Hi Shaun,


Thank you very much for the detailed guide! It will help several folks, I am sure.


As an alternative you can still use the SSL certificate you have in IIS and set up a reverse proxy to access LuciadFusion (as is suggested in the Luciad documentation here).

For IIS you have to install the URL Rewrite Module and set the following rules (this assumes you are running LF on port 8080 locally):


<rewrite>
	<rules>
		<rule name="ReverseProxyInboundRule1" enabled="true" stopProcessing="true">
			<match url="(.*)" />
			<action type="Rewrite" url="http://localhost:8080/{R:1}" />
		</rule>
	</rules>
	<outboundRules>
		<rule name="ReverseProxyOutboundRule1" preCondition="ResponseIsHtml1" enabled="true">
			<match filterByTags="A, Area, Base, Form, Frame, Img" pattern="^http(s)?://localhost:8080/(.*)" />
			<action type="Rewrite" value="http{R:1}://[YOURPUBLICNAME]/{R:2}" />
		</rule>
		<rule name="Anchor" preCondition="ResponseIsHtml1" enabled="true">
			<match pattern="href=(.*?)http://localhost:8080/(.*?)\s" negate="true" />
			<action type="Rewrite" value="href={R:1}https://[YOURPUBLICNAME]/{R:2}" />
		</rule>
		<preConditions>
			<preCondition name="ResponseIsHtml1">
				<add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/(.+)" />
			</preCondition>
		</preConditions>
	</outboundRules>
</rewrite>

HTH,

Stefano

Stefano Turcato
Presale Engineer
Hexagon Geospatial
Super Contributor
Posts: 449
Registered: 10-12-2015

Re: Setting up SSL for newbies

Thanks Stefano for the link to the Luciad documentation. Hopefully it will help me figure out more about what it is (I've seen some interesting vids) and how it fits into and enhances the M.App Enterprise story.

Technical Evangelist
Posts: 541
Registered: 09-11-2015

Re: Setting up SSL for newbies

Hi Stefano,


I am afraid that (sadly) the setup with a reverse proxy would not work for the Fusion Studio delivered with MAE. A quote from the article you pointed to: "The article instructions are intended for the standalone deployment version of the LuciadFusion Platform." I tried hard to get it running with MAE but it does not work, since that Studio version uses the anchor (#) tag in the URL for user authentication, and anchor tags are never sent to the server, thus they cannot be rewritten. So I don't believe this could work, which is a pity since it would certainly be the cleanest way to set up the software.


But if somebody has managed to get it running through the IIS Rewrite module, please let me know the trick.


Pavel

Staff
Posts: 1,065
Registered: 10-18-2015

Re: Setting up SSL for newbies

Hi Pavel,


The rules I posted above are the ones I used in my instance. Have you tried the same?


Stefano

Stefano Turcato
Presale Engineer
Hexagon Geospatial
Technical Evangelist
Posts: 541
Registered: 09-11-2015

Re: Setting up SSL for newbies

Hi Stefano,


I tried a slightly different setup with Fusion Studio installed on the same machine as MAE. Are you sure that you can start your Fusion Studio from MAE Studio using Tools > Fusion Studio? For me it does not work and I get a rewrite error. However, if I replace the beginning of the URL with http://localhost:8080/studio and leave everything after the anchor tag, it works. So I think the anchor tag is the issue and I cannot imagine how it would work if Fusion is on another server.


Pavel

Staff
Posts: 1,065
Registered: 10-18-2015

Re: Setting up SSL for newbies

Hi Pavel,


In my case they are deployed on different servers. It is one of the instances we use for demos and trainings, so we use it regularly.


Stefano

Stefano Turcato
Presale Engineer
Hexagon Geospatial
Technical Evangelist
Posts: 541
Registered: 09-11-2015

Re: Setting up SSL for newbies

Just a few words to clarify things - in my case it was probably a mixture of several factors which prevented me from setting things up successfully. One (probably the less important) was having both pieces of software on a single machine; the second was using self-signed certificates. To set this up successfully, both the MAE server and the Luciad Fusion server have to have a valid certificate signed by an authority, otherwise it is most likely impossible to get it running (I mean over https).


Pavel