SSL and encryption

SSL communication can be configured for communication between the CLC Server and client software connecting to it (CLC Workbenches, CLC Server Command Line Tools, and the web client). This is particularly relevant for setups where the CLC Server is accessible to client software over the internet as well as on a local network.

Logging in to an SSL enabled CLC Server from a CLC Workbench is described in Logging in using SSL from the Workbench. Logging in using the CLC Server Command Line Tools is described in Logging in using SSL from the CLC Server Command Line Tools. The web

Important notes:

Enabling SSL on the CLC Server

A server certificate is required before SSL can be enabled on the CLC Server. This is usually obtained from a Certificate Authority (CA) like Thawte or Verisign (see http://en.wikipedia.org/wiki/Certificate_authorities).

A signed certificate in a pkcs12 keystore file is also needed. The keystore file is either provided by the CA or it can be generated from the private key used to request the certificate and the signed-certificate file from the CA (see Creating a PKCS12 keystore file).

Copy the keystore file to the conf subdirectory of the CLC Server installation folder.

Next, the server.xml file in the conf subdirectory of the CLC Server installation folder has to be edited to enable SSL-connections. Add text like the following text to the server.xml file:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="conf/keystore.pkcs12" keystorePass="tomcat"
               keystoreType="PKCS12"
/>
Replace keystore.pkcs12 with the name of your keystore file, and replace tomcat with the password for your keystore.

The above settings make SSL available on port 8443. The standard (non-SSL) port would still be 7777, or whatever port number you have configured it to.

Self-signed certificates can be generated if only connection encryption is needed. See http://www.akadia.com/services/ssh_test_certificate.html for further details.

Creating a PKCS12 keystore file

If the certificate is not supplied in a pkcs12 keystore file, it can be put into one by combining the private key and the signed certificate obtained from the CA by using openssl:

openssl pkcs12 -export -out keystore.pkcs12 -inkey private.key -in certificate.crt -name "tomcat"

This will take the private key from the file private.key and the signed certificate from certificate.crt and generate a pkcs12-store in the keystore.pkcs12 file.