Set Up ThingWorx Navigate with SSL
The information in this topic will help you prepare the KeyStore and TrustStore files you need to install and configure ThingWorx Navigate. Read through the topic before you start installing, and then refer back to it as needed during the installation process.
Introduction to configuring SSL
PTC recommends using Secure Sockets Layer (SSL) protocol for a production environment. ThingWorx Navigate can use SSL to both mutually authenticate the servers to each other and protect the communication itself.
Configurations for HTTPS require the use of a certificate of authority. ThingWorx Navigate requires that the certificate be trusted by Java. If you elect to use a certificate that is not trusted by Java, then you must configure Java to trust this certificate. Certificates provided by third-party vendors such as Verisign and Thawte, for example, are Java-trusted certificates of authority.
SSL configurations vary considerably and we won’t attempt to describe all options available in an SSL configuration. The instructions provided here should require a minimum of effort to implement HTTPS for your installation.
ThingWorx Navigate supports various configurations and authentication methods. As a result, you’ll need various certificates, KeyStore, and TrustStore files created and handy before you use the ThingWorx Navigate Setup installation tool and the ThingWorx Navigate Configuration tool.
In the sections below, you’ll find generic steps for generating KeyStore and TrustStore files using the keytool utility of Java. The installation and configuration procedures have information on exactly which KeyStore or TrustStore files you need at each step of the way. Refer back to this topic for the general instructions on generating the files.
|
|
• When you set passwords for your TrustStore and KeyStore files, make sure they include only letters and numbers. Special characters are not supported.
• Research the various options available on the market for generating these files in secure ways. PTC does not take responsibility for the security of the certificates and the KeyStore and TrustStore files you generate.
|
Generate a KeyStore file to accept SSL-based connections using a self-signed certificate
Before you begin, make sure you have the Java keytool utility in your path. Then, follow the steps below to create a new KeyStore file with a public/private Key Pair inside.
|
|
For the steps below, make sure to run the command prompt as an Administrator. Otherwise, you are likely to receive this error:
keytool error: java.io.FileNotFoundException: tomcat.keystore (Access is denied)
|
1. Choose a directory for the KeyStore and save it in that directory. For example, D:\Certificates.
2. Open a command prompt and use this command to navigate to the Java installation folder:
cd %JAVA_HOME%/bin
3. Run the command below to generate the KeyStore with a private key for the certificate.
keytool -genkey -alias testKeyStore -keyalg rsa -dname "CN=<transport cert, application cert, or client authentication>" -keystore KeyStore.jks -storetype JKS
You will be prompted to create a password for the KeyStore file and a password for the private key. Use the same password in both places.
|
|
Change the value of the -dname argument according to your environment.
Provide the value for CN according to the type of certificate you’re using:
• Transport Layer—Provide your fully-qualified host name. For example, <hostname.domain.com>
• Application Layer or Client Authentication—Provide any appropriate name. For example, ThingWorx
|
4. Generate a self-signed certificate for the key using the command below. When you are prompted for the KeyStore password, enter the password you created in Step 3.
keytool -selfcert -alias testKeyStore -validity 1825 -keystore KeyStore.jks -storetype JKS
5. Export the public key for your new certificate using this command:
keytool -export -alias testKeyStore -file testKeyStore.cer -rfc -keystore KeyStore.jks -storetype JKS
The KeyStore file you generated has a private key associated with it.
Generate a TrustStore file
Use the command below to create a new TrustStore and to import the server certificate into it:
keytool -import -alias testtrustStore -file server.cer -keystore TrustStore.jks -storetype JKS
When you are asked whether you want to trust the certificate, type yes.
For more information, this technical support
article can also help you set up your SSL.
