PureEngage On-Premises


Enable GMS for https

  • 1.  Enable GMS for https

    Posted 12-06-2018 09:55
    We have a customer who wants to access the GMS for Chat through https and not http. I know we can set the http.ssl-trus-all parameter to true. And then we don't need a certificate.

    But if we don't set this parameter, do we need a certificate? And what kind of certificate do we need? If we are supposed to generate a CSR file on the server, is there a specific parameter we need to add?

    Eystein Kylland
    Sopra Steria AS Norway

  • 2.  RE: Enable GMS for https

    Posted 12-08-2018 07:06
    Hi Eystein,

    The customer should provide the .key and .crt files for the GMS server, where the .crt is signed by any third-party SSL verifier.

    After you obtain the .crt and .key files, please follow the steps below:

    1. Download openssl library
    2. Extract attached rar package to directory openssl
    3. Open Command Prompt with admin privileges
    4. Navigate to openssl>bin
    5. Type the command below:
    openssl pkcs12 -export -name servercert -in <Certificate Name.crt> -inkey <Certificate Key.key> -out keystore.p12
    It will ask for a password; enter any password.

    6. Open the SSL configuration file, GMS/server/etc/jetty-ssl.xml, in a text editor.
    7. Find the following element and update all paths and passwords, then save your changes:

     <New id="sslContextFactory" class="org.eclipse.jetty.http.ssl.SslContextFactory">

    Note: You can run Jetty's password utility to obfuscate your passwords. See http://www.eclipse.org/jetty/documentation/current/configuring-security-secure-passwords.html.

    8. Open the Jetty SSL module configuration file, GMS/server/modules/ssl.mod, in a text editor.
    9. Comment out all property settings after the line that says etc/jetty-ssl.xml, except for the lines containing the following, then save your changes:
    • [files]
    • [ini-template]
    10. You can now start Jetty the normal way (make sure that jcert.jar, jnet.jar and jsse.jar are on your classpath).

    Mohammed Adel
    IST Networks - Saudi Arabia
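
Added example, not part of the thread and not Genesys or Jetty code: a POSIX shell script that checks the .crt and .key from step 5 belong to the same key pair before running the same `openssl pkcs12 -export` command, then confirms the keystore opens and holds the right certificate. The file names, the CN, the `KEYSTORE_PASS` environment variable and the throwaway self-signed pair are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example. File names, the CN and the password are constructed placeholders.

# Succeeds only if the certificate ($1) and private key ($2) share a public key.
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Build the keystore ($3) from cert ($1) and key ($2): the command from step 5,
# except the password is read from $KEYSTORE_PASS instead of a prompt.
build_keystore() {
    pair_matches "$1" "$2" || { echo "cert/key mismatch: $1 $2" >&2; return 1; }
    openssl pkcs12 -export -name servercert -in "$1" -inkey "$2" \
        -out "$3" -passout env:KEYSTORE_PASS
}

# Succeeds only if the keystore ($1) opens with $KEYSTORE_PASS and the
# certificate inside it belongs to the key ($2).
verify_keystore() {
    ks_pub=$(openssl pkcs12 -in "$1" -passin env:KEYSTORE_PASS -nokeys -clcerts \
        2>/dev/null | openssl x509 -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$ks_pub" ] && [ "$ks_pub" = "$key_pub" ]
}

# Constructed test material: a throwaway self-signed pair standing in for the
# CA-signed .crt and .key the customer would supply.
make_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=gms.example.test" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

demo() {
    dir=$(mktemp -d) || return 1
    export KEYSTORE_PASS='constructed-example-only'
    make_pair "$dir/gms" && make_pair "$dir/other" || return 1
    build_keystore "$dir/gms.crt" "$dir/gms.key" "$dir/keystore.p12" &&
        verify_keystore "$dir/keystore.p12" "$dir/gms.key" && echo "keystore OK"
    # A key from a different pair must be refused before any keystore is written.
    build_keystore "$dir/gms.crt" "$dir/other.key" "$dir/bad.p12" 2>/dev/null ||
        echo "mismatched pair refused"
    rm -rf "$dir"
}
demo
```

The same `openssl` invocations work from the Windows Command Prompt used in the steps above; only the surrounding shell syntax differs.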

  • 3.  RE: Enable GMS for https

    Posted 12-10-2018 11:57

    One thing I've done in the past is to use a web server like Apache or Nginx and implement a reverse proxy.  The web server can be hardened and implement all of the latest SSL/TLS security, then any requests that it receives are then proxied through the DMZ into your GMS server(s) running on your LAN.  This way you don't need to concern yourself with hardening Jetty.

    Good luck,

    Jim Crespino
    Director, Developer Enablement

  • 4.  RE: Enable GMS for https

    Posted 12-10-2018 13:51
    Another option is to use a Load Balancer or similar appliance in your DMZ. This is a similar concept as what Jim mentioned. But you can use something like an F5 Load balancer and configure https secured connection over the internet, while it forwards the data unencrypted on the internal network to the GMS server.

    Daniel Hilaire