Secure Sockets Layer (SSL) Support for Web Services
SSL is a standard security technology that provides encrypted communication between a web server and a browser. The SSL support for Creo Elements/Direct Model Manager web services / web client ensures that all the information exchanged between the web server and the web browsers is secured and private. The web server requires an SSL certificate to generate an encrypted link (SSL link).
Setting up SSL for Creo Elements/Direct Model Manager Web client:
1. Load the keys and certificates in the keystore:
Note: A JDK must be installed on the machine, and the JDKDIR environment variable must point to its installation directory.
a. Create a folder for the keystore, <Install_Dir>\etc\, for example.
b. Copy the PKCS12 file generated earlier to the <Install_Dir>\etc\ folder for keystore.
c. Load the PKCS12 file in the keystore using the following command:
\etc>keytool -importkeystore -srckeystore jetty.pkcs12 -srcstoretype PKCS12 -destkeystore keystore
You must enter values for the following:
▪ Enter the Destination keystore password, abc123, for example.
▪ Re-enter the password, abc123, for example.
▪ Enter the source keystore password, abc123, for example.
2. Configure the ServiceControllerConfig.xml file, located in the Creo Elements/Direct Manager Server installation location as shown below:
<Service enabled="true" java_class="com.osm.services.webservice.JettyServer" name="JettyServer">
    <SslEnabled>true</SslEnabled>
    <SslPort>8443</SslPort>
    <SslmaxIdleTime>30000</SslmaxIdleTime>
    <SslKeyStore><Install_Dir>\etc\keystore</SslKeyStore>
    <SslPassword>abc123</SslPassword>
    <SslKeyPassword>abc123</SslKeyPassword>
    <SslTrustPassword>abc123</SslTrustPassword>
</Service>
3. To add the certificate:
◦ In Internet Explorer, click > > > > .
◦ In Mozilla Firefox, click > > > > > > .
Browse to the jetty.crt and click OK.
4. Use https://localhost:8443/mmweb/index.jsp to access the Creo Elements/Direct Model Manager browser, where localhost is the Server Name and 8443 is the SslPort number defined in the ServiceControllerConfig.xml file.
At the prompt, confirm whether the certificate from this site should be trusted. This confirmation is required when the certificate is self-signed and is not signed by a trusted certification authority like Entrust, VeriSign, and so on.
Generating SSL certificate and keys with OpenSSL
2. Add the following environment variables to your computer:
TMP = C:\WINNT\TEMP and TMPDIR = C:\WINNT\TEMP
3. In the Command Prompt window, set the path to the OpenSSL binary folder. For example,
Set PATH=%path%;D:\GnuWin32\bin
4. Create a working directory as follows:
D:>mkdir ssl
D:>cd ssl
5. Type the following in the Command Prompt window to generate a key pair (private key and public key) in the jetty.key file:
D:\ssl>openssl genrsa -des3 -out jetty.key 1024 -config D:\GnuWin32\share\openssl.cnf
The public and private keys are used to encrypt and decrypt the information exchanged between the web server and the web browsers.
Where,
• genrsa generates a private key and public key pair using the RSA algorithm. RSA stands for Rivest, Shamir, and Adleman, who first publicly described this encryption and authentication algorithm.
• -des3 encrypts the private key file, jetty.key, using the Triple DES (3DES) algorithm.
• -out jetty.key stores the private key in the jetty.key file.
• 1024 triggers OpenSSL to generate keys of 1024 bits length. The default length is 512 bits.
• -config D:\GnuWin32\share\openssl.cnf specifies the configuration file.
At the prompt, enter a pass phrase as follows:
Enter pass phrase for jetty.key: abc123 (for example)
Verifying - Enter pass phrase for jetty.key: abc123 (for example)
6. Type the following to create a Root Certification Authority Certificate:
D:\ssl>openssl req -new -x509 -key jetty.key -out jetty.crt -days 365 -config D:\GnuWin32\share\openssl.cnf
Where,
• req generates a Certificate Signing Request (CSR) or a self-signed certificate.
• -new prompts for the content of the certificate.
• -key jetty.key specifies the key file which contains the private key and the public key.
• -x509 triggers req to generate a self-signed certificate.
• -days 365 assigns a validity period of 365 days to the self-signed certificate.
• -out jetty.crt stores the self-signed certificate in the jetty.crt file.
• -config openssl.cnf specifies the configuration file.
You must enter values for the following:
◦ Pass phrase for jetty.key, abc123, for example
◦ Country Name (2 letter code, IN for India, for example)
◦ State or Province Name (full name), Maharashtra, for example
◦ Locality Name, Pune, for example
◦ Organization Name, PTC, for example
◦ Organizational Unit Name, Creo, for example
◦ Common Name, <YourName>.ptc.com, for example
7. The generated keys and the certificate must be in a single PKCS12 file before they can be loaded into a new keystore. The certificate can either be self-signed (as generated in step 6) or issued by a Certificate Authority (CA) in response to your CSR. Do the following to combine the generated keys and the certificate into a PKCS12 file:
a. Type the following to convert keys and certificates to a PKCS12 file:
D:\ssl>openssl pkcs12 -inkey jetty.key -in jetty.crt -export -out jetty.pkcs12
b. At the prompt, enter the export password as follows:
Enter pass phrase for jetty.key: abc123, for example
Type the Export Password: abc123, for example
Note: The pass phrase and the Export password should be the same as the passwords provided while generating the key pair (step 5).
8. Generate Certificate Signing Request (CSR): To get the certificate signed from the trusted authorities, you must generate a CSR and send it along with other company information to the certification authorities. Type the following in the Command Prompt window to generate a CSR:
D:\ssl>openssl req -new -key jetty.key -out jetty.csr
When the certificate is signed by a trusted certification authority, the browser does not display a warning asking whether the site should be trusted.
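Steps 5 to 8 above are typed interactively. The following added script (my own Python, not PTC's or the product's code) runs the same OpenSSL pipeline non-interactively and then checks the result before it goes into the keystore: that the private key really belongs to the certificate, that the certificate is self-signed, that the key is not undersized, and that the PKCS12 carries both key and certificate. It assumes the openssl binary is on PATH (step 3); the key size, cipher, digest and the host name mm-server.example are my own choices and differ from the page's 1024-bit/DES settings.

```python
import os
import re
import subprocess
import tempfile

def ossl(*args):
    """Run one openssl subcommand and return its stdout; raises if openssl reports an error."""
    return subprocess.run(["openssl", *args], capture_output=True, text=True, check=True).stdout

def generate_material(workdir, passphrase, cn="mm-server.example"):
    """Steps 5 to 7 of the procedure, run non-interactively. Parameters are my own choices:
    2048-bit RSA, AES-256 for the key file and SHA-256, instead of 1024-bit RSA and DES."""
    key, crt, p12 = (os.path.join(workdir, n) for n in ("jetty.key", "jetty.crt", "jetty.pkcs12"))
    ossl("genrsa", "-aes256", "-passout", "pass:" + passphrase, "-out", key, "2048")
    ossl("req", "-new", "-x509", "-sha256", "-days", "365", "-key", key, "-passin", "pass:" + passphrase,
         "-subj", "/C=IN/ST=Maharashtra/L=Pune/O=PTC/OU=Creo/CN=" + cn, "-out", crt)
    ossl("pkcs12", "-export", "-inkey", key, "-in", crt, "-out", p12,
         "-passin", "pass:" + passphrase, "-passout", "pass:" + passphrase)
    return key, crt, p12

def audit_bundle(key, crt, p12, passphrase):
    """Checks worth running before 'keytool -importkeystore': the private key belongs to the
    certificate, the certificate is self-signed (so browsers will prompt, as step 4 notes),
    the key is not undersized, and the PKCS12 really carries both key and certificate."""
    key_mod = ossl("rsa", "-noout", "-modulus", "-in", key, "-passin", "pass:" + passphrase)
    crt_mod = ossl("x509", "-noout", "-modulus", "-in", crt)
    subject = ossl("x509", "-noout", "-subject", "-in", crt).split("=", 1)[1].strip()
    issuer = ossl("x509", "-noout", "-issuer", "-in", crt).split("=", 1)[1].strip()
    bits = int(re.search(r"\((\d+) bit\)", ossl("x509", "-noout", "-text", "-in", crt)).group(1))
    pem = ossl("pkcs12", "-in", p12, "-passin", "pass:" + passphrase, "-nodes")  # key + cert as PEM
    return {
        "key_matches_cert": key_mod == crt_mod,
        "self_signed": subject == issuer,
        "key_bits_ok": bits >= 2048,
        "p12_complete": "PRIVATE KEY" in pem and "BEGIN CERTIFICATE" in pem,
        "subject": subject,
    }

def demo(passphrase="abc123"):
    """Generate a throwaway bundle in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as d:
        return audit_bundle(*generate_material(d, passphrase), passphrase)

if __name__ == "__main__":
    for name, value in demo().items():
        print(name + ":", value)
```

If a key/certificate mismatch is reported, the keytool import in step 1 will either fail or produce a keystore entry the server cannot use, so fix it here rather than in the keystore.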
Note: The Jetty web server treats a password that begins with the OBF: prefix as an obfuscated password. Passwords can be obfuscated by running org.mortbay.jetty.security.Password as a main class. This protects passwords from casual observation only; it is obfuscation rather than encryption.
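The configuration in step 2 stores all three keystore passwords in clear text, and the note above says Jetty also accepts OBF: values. The added example below (my own Python, not PTC's or Jetty's code) ports Jetty's obfuscation routine so you can see exactly what OBF: does and does not protect, and lists the Ssl*Password elements of a ServiceControllerConfig.xml that are still stored in clear. The <Services> root element and the keystore path in the sample are assumptions; the sample itself is constructed.

```python
import xml.etree.ElementTree as ET

def _base36(n):
    """Lower-case base-36 digits, as Java's Integer.toString(n, 36) writes them."""
    digits = "0123456789abcdefghijklmnopqrstuvwxyz"
    out = ""
    while n:
        n, r = divmod(n, 36)
        out = digits[r] + out
    return out or "0"

def jetty_obfuscate(password):
    """Port of Jetty's Password.obfuscate() for ASCII input: each byte is combined with the
    byte mirrored from the other end of the string and written as four base-36 characters."""
    b = password.encode("ascii")
    out = "OBF:"
    for i, b1 in enumerate(b):
        b2 = b[len(b) - 1 - i]
        out += _base36((127 + b1 + b2) * 256 + (127 + b1 - b2)).rjust(4, "0")
    return out

def jetty_deobfuscate(obf):
    """The inverse mapping. No key is involved, which is why OBF: only hides a value from a
    glance at the file; anyone who can read the XML can recover the password."""
    s = obf[4:] if obf.startswith("OBF:") else obf
    chunks = (int(s[i:i + 4], 36) for i in range(0, len(s), 4))
    return "".join(chr((c // 256 + c % 256 - 254) // 2) for c in chunks)

def plaintext_ssl_passwords(config_xml):
    """Names of the Ssl*Password elements of the JettyServer service that are stored in clear."""
    svc = ET.fromstring(config_xml).find(".//Service[@name='JettyServer']")
    return [e.tag for e in svc if e.tag.endswith("Password") and not (e.text or "").startswith("OBF:")]

# Constructed sample modelled on step 2. The <Services> root and the concrete keystore path
# are assumptions; one of the three passwords has already been obfuscated.
SAMPLE_CONFIG = """<Services>
<Service enabled="true" java_class="com.osm.services.webservice.JettyServer" name="JettyServer">
<SslEnabled>true</SslEnabled>
<SslPort>8443</SslPort>
<SslKeyStore>C:\\ptc\\etc\\keystore</SslKeyStore>
<SslPassword>abc123</SslPassword>
<SslKeyPassword>OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</SslKeyPassword>
<SslTrustPassword>abc123</SslTrustPassword>
</Service>
</Services>"""

if __name__ == "__main__":
    print(jetty_obfuscate("abc123"), jetty_deobfuscate(jetty_obfuscate("abc123")))
    print("stored in clear:", plaintext_ssl_passwords(SAMPLE_CONFIG))
```

Because the transform is reversible without a key, file-system permissions on ServiceControllerConfig.xml, not the OBF: prefix, are what keep the keystore passwords from other users of the server.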