Configuring Jetty 8.1.3 to run in HTTPS/SSL mode

Complete these steps to configure Jetty to run in the HTTPS/SSL mode.

Procedure

  1. Generate the keystore.

    From the JRE_HOME/bin directory, run this command:

    keytool -genkey -keystore "$JETTY_HOME/etc/rc.keystore" -alias angler -keyalg RSA

    This command requires information about the certificate and passwords to protect both the keystore and the keys within it. You must provide the hostname from the IBM® Rational® Change server URL. By default, Rational Change 5.2 and later is set up to use the IP address of the machine for the hostname in the generated URLs. If the generated links use 192.168.10.10, enter this value at the "first and last name" prompt. Doing so ensures that the key is issued to the URL of the website, which stops browsers from displaying an error message that the key and site name do not match.

    For example:

    Enter keystore password: choose a password
    What is your first and last name?
    [Unknown]: 192.168.10.10
    What is the name of your organizational unit?
    [Unknown]: Development
    What is the name of your organization?
    [Unknown]: Rational
    What is the name of your City or Locality?
    [Unknown]:
    What is the name of your State or Province?
    [Unknown]:
    What is the two-letter country code for this unit?
    [Unknown]:
    Is CN=192.168.10.10, OU=Development, O=Rational, L=Unknown,
    ST=Unknown, C=Unknown correct?
    [no]: yes
    
    Enter key password for <angler>
    (RETURN if same as keystore password): choose a password
  2. Open the jetty.xml and jetty-ssl.xml files, which are in the JETTY_HOME/etc directory.
  3. In the jetty.xml file, comment out or delete these lines.

    You must use SslSelectChannelConnector instead of SelectChannelConnector in the jetty.xml file.

    <Call name="addConnector">
      <Arg>
        <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
          <Set name="host"><Property name="jetty.host" /></Set>
          <Set name="port"><Property name="jetty.port" default="1111"/></Set>
          <Set name="maxIdleTime">300000</Set>
          <Set name="Acceptors"></Set>
          <Set name="statsOn">false</Set>
          <Set name="confidentialPort">8443</Set>
          <Set name="lowResourcesConnections">20000</Set>
          <Set name="lowResourcesMaxIdleTime">5000</Set>
        </New>
      </Arg>
    </Call>
  4. In the jetty-ssl.xml file, locate the lines that are similar to these lines, and then paste these lines into the jetty.xml file.
    <New id="sslContextFactory" class="org.eclipse.jetty.http.ssl.SslContextFactory">
      <Set name="KeyStore"><Property name="jetty.home" default="." />/etc/keystore</Set>
      <Set name="KeyStorePassword">OBF:1xxx1so1x6e1ppp1yu61x2g1z6u1op9</Set>
      <Set name="KeyManagerPassword">OBF:1x2u1nnl5z1c5s7g1ggl1u9t</Set>
      <Set name="TrustStore"><Property name="jetty.home" default="." />/etc/keystore</Set>
      <Set name="TrustStorePassword">OBF:3uus1elo8x3e1kle1gs34x8t1z4u1lp8</Set>
    </New>

    <Call name="addConnector">
      <Arg>
        <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
          <Arg><Ref id="sslContextFactory" /></Arg>
          <Set name="Port">8443</Set>
          <Set name="maxIdleTime">30000</Set>
          <Set name="Acceptors">2</Set>
          <Set name="AcceptQueueSize">100</Set>
        </New>
      </Arg>
    </Call>
    Attention:

    Ensure that you provide the correct values to the attributes KeyStore, KeyStorePassword, KeyManagerPassword, TrustStore, TrustStorePassword, and Port.

    Do not use the property <Property name="jetty.home" default="." />. You must provide the absolute path of JETTY_HOME.

  5. For Rational Change 5.3.1 or later, to support SP800-131A requirements, in the jetty.xml file, add the <Set name="protocol">TLSv1.2</Set> tag.
    <New id="sslContextFactory" class="org.eclipse.jetty.http.ssl.SslContextFactory">
      <Set name="KeyStore"><Property name="jetty.home" default="." />/etc/keystore</Set>
      <Set name="KeyStorePassword">OBF:1xxx1so1x6e1ohp1yu61x5g2z6u1op8</Set>
      <Set name="KeyManagerPassword">OBF:1x4u1nnl6z1c5t7g1ffl1u9t</Set>
      <Set name="TrustStore"><Property name="jetty.home" default="." />/etc/keystore</Set>
      <Set name="TrustStorePassword">OBF:3uuk1wlo5x3e4kle1gs35x8t4z4r1lp8</Set>
      <Set name="protocol">TLSv1.2</Set>
    </New>
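    The edits in steps 3 to 5 (and the password obfuscation in step 10) are easy to get half right, so the following added check, which is not part of the IBM procedure or of Jetty, reads a jetty.xml document and reports the pitfalls this page calls out: a plain SelectChannelConnector left in place, a KeyStore or TrustStore path built from the jetty.home property instead of an absolute path, a keystore password that is not an OBF: value, and a missing TLSv1.2 protocol setting. The two XML fragments are constructed for the example; /opt/jetty stands in for JETTY_HOME, and the OBF value is the one this page shows for the word "password".

```python
import xml.etree.ElementTree as ET

# Constructed jetty.xml fragment that breaks the rules of steps 3, 4, 5 and 10:
# the HTTP connector is still present, the store paths come from <Property>,
# two passwords are in clear text and the protocol is not pinned.
BAD_JETTY_XML = """<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <New id="sslContextFactory" class="org.eclipse.jetty.http.ssl.SslContextFactory">
    <Set name="KeyStore"><Property name="jetty.home" default="." />/etc/keystore</Set>
    <Set name="KeyStorePassword">changeit</Set>
    <Set name="KeyManagerPassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
    <Set name="TrustStore"><Property name="jetty.home" default="." />/etc/keystore</Set>
    <Set name="TrustStorePassword">changeit</Set>
  </New>
  <Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
        <Set name="port">8600</Set>
      </New>
    </Arg>
  </Call>
</Configure>
"""

# Constructed fragment that follows the procedure; /opt/jetty is a placeholder for JETTY_HOME.
GOOD_JETTY_XML = """<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <New id="sslContextFactory" class="org.eclipse.jetty.http.ssl.SslContextFactory">
    <Set name="KeyStore">/opt/jetty/etc/rc.keystore</Set>
    <Set name="KeyStorePassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
    <Set name="KeyManagerPassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
    <Set name="TrustStore">/opt/jetty/etc/rc.keystore</Set>
    <Set name="TrustStorePassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
    <Set name="protocol">TLSv1.2</Set>
  </New>
  <Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
        <Arg><Ref id="sslContextFactory" /></Arg>
        <Set name="Port">8443</Set>
      </New>
    </Arg>
  </Call>
</Configure>
"""

HTTP_CONNECTOR = "org.eclipse.jetty.server.nio.SelectChannelConnector"
STORE_SETTINGS = ("KeyStore", "TrustStore")
PASSWORD_SETTINGS = ("KeyStorePassword", "KeyManagerPassword", "TrustStorePassword")


def check_jetty_ssl_config(xml_text):
    """Return a list of findings for a jetty.xml document; an empty list means clean."""
    root = ET.fromstring(xml_text)
    findings = []
    # Step 3: the plain HTTP connector must be commented out or deleted.
    for new in root.iter("New"):
        if new.get("class") == HTTP_CONNECTOR:
            findings.append("plain SelectChannelConnector is still configured (step 3)")
    protocols = set()
    for setting in root.iter("Set"):
        name = setting.get("name")
        value = (setting.text or "").strip()
        # Step 4 Attention note: no <Property name="jetty.home"> in the store paths.
        if name in STORE_SETTINGS and setting.find("Property") is not None:
            findings.append(f"{name} is built from a <Property>; use the absolute JETTY_HOME path (step 4)")
        # Step 10: passwords in jetty.xml should be the OBF: form.
        elif name in PASSWORD_SETTINGS and not value.startswith("OBF:"):
            findings.append(f"{name} is stored in clear text; obfuscate it (step 10)")
        elif name == "protocol":
            protocols.add(value)
    # Step 5: pin the SslContextFactory to TLSv1.2.
    if "TLSv1.2" not in protocols:
        findings.append('no <Set name="protocol">TLSv1.2</Set> in the SslContextFactory (step 5)')
    return findings


if __name__ == "__main__":
    for label, doc in (("bad", BAD_JETTY_XML), ("good", GOOD_JETTY_XML)):
        print(label, check_jetty_ssl_config(doc))
```

    Run it against the real JETTY_HOME/etc/jetty.xml with `check_jetty_ssl_config(open(path).read())` after finishing step 10; a clean result means the file matches what this page asks for, not that the keystore itself or the certificate is correct, which step 1 and a browser test still have to confirm.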
  6. Open the web.xml file in the JETTY_HOME/webapps/context/WEB-INF/ directory.

    Change http to https, and, if necessary, change the port number.

    <context-param>
      <param-name>protocol</param-name>
      <param-value>http</param-value>
    </context-param>
    <context-param>
      <param-name>port</param-name>
      <param-value>8600</param-value>
    </context-param>
  7. Start a Rational Change Admin session and go to the System Administration > General tab to ensure that https is in the Help Server URL field.
  8. If you are using a central-to-remote configuration, configure your system to use HTTPS between servers in Central Server mode.
  9. For Solaris, add the following line to the beginning of the jetty.sh file in the JETTY_HOME/bin/ directory:

    JAVA_OPTIONS="-Djetty.home=$JETTY_HOME -Djetty.log=$JETTY_LOG -Djava.protocol.handler.pkgs=com.ibm.net.ssl.www2.protocol -Xms128m -Xmx512m -server $JAVA_OPTIONS"

  10. For Rational Change 5.3.1 or later, you can obfuscate a password to convert it to an unreadable format. Follow these steps to obfuscate a password:
    1. Change the directory to <$CHANGE_HOME>/jetty/lib and run this command:
      <SYNERGY_HOME>\jre\bin\java -cp jetty-util-8.1.3.v20120416.jar org.eclipse.jetty.util.security.Password <password>
      The command prints three lines of data.
      password
      OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v
      MD5:5f4dcc3b5aa765d61d8327deb882cf99
    2. Copy the entire line starting with OBF and then replace the password in the jetty.xml file with the password that you just obfuscated.
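    The OBF: form produced in step 10 is an encoding, not encryption: Jetty must recover the real password at startup to open the keystore, so anyone who can read jetty.xml can recover it too, and file permissions on JETTY_HOME/etc remain the actual control. The added example below, written for this page and not taken from IBM or from Jetty, reproduces the algorithm that Jetty's org.eclipse.jetty.util.security.Password utility uses (each byte is paired with its mirror byte from the end of the string and the pair is written as four base-36 digits) and inverts it; `password_tool` returns the same three lines the command in step 10 prints for the word "password". It is restricted to ASCII passwords because Java's signed bytes change the arithmetic for other characters.

```python
import hashlib

_BASE36 = "0123456789abcdefghijklmnopqrstuvwxyz"


def _to_base36(n):
    """Non-negative integer to lowercase base-36, like Java's Integer.toString(n, 36)."""
    digits = []
    while True:
        n, r = divmod(n, 36)
        digits.append(_BASE36[r])
        if n == 0:
            break
    return "".join(reversed(digits))


def jetty_obfuscate(password):
    """Produce Jetty's OBF: string for an ASCII password.

    For byte b1 at position i and its mirror b2 at position len-1-i:
    i1 = 127 + b1 + b2, i2 = 127 + b1 - b2, value = i1 * 256 + i2,
    written as four base-36 digits. No key or secret is involved.
    """
    if not password.isascii():
        raise ValueError("only ASCII passwords are handled here (Java signed-byte behaviour differs)")
    data = password.encode("ascii")
    groups = []
    for i, b1 in enumerate(data):
        b2 = data[len(data) - (i + 1)]
        value = (127 + b1 + b2) * 256 + (127 + b1 - b2)
        groups.append(_to_base36(value).rjust(4, "0"))
    return "OBF:" + "".join(groups)


def jetty_deobfuscate(obf):
    """Invert jetty_obfuscate: i1 + i2 == 254 + 2 * b1, so b1 = (i1 + i2 - 254) // 2."""
    if obf.startswith("OBF:"):
        obf = obf[4:]
    if len(obf) % 4:
        raise ValueError("OBF string length must be a multiple of 4")
    out = bytearray()
    for i in range(0, len(obf), 4):
        i1, i2 = divmod(int(obf[i:i + 4], 36), 256)
        out.append((i1 + i2 - 254) // 2)
    return out.decode("ascii")


def password_tool(password):
    """Return the three lines the Jetty Password utility prints: plain, OBF:, MD5:."""
    return [
        password,
        jetty_obfuscate(password),
        "MD5:" + hashlib.md5(password.encode("ascii")).hexdigest(),
    ]


if __name__ == "__main__":
    for line in password_tool("password"):
        print(line)
```

    Only the OBF: line is usable in jetty.xml; the MD5: line is a one-way digest, so Jetty could not recover the keystore password from it. Running `jetty_deobfuscate` on a value copied from jetty.xml shows why the obfuscation should be treated as protection against casual shoulder-surfing only.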
