SSL Support for ThingWorx
SSL protection for communication between ThingWorx Analytics and the ThingWorx server has been available since integration with ThingWorx became possible. The option to use SSL is available during both Analytics Server and Platform Analytics installations.
In order to connect ThingWorx Analytics to a ThingWorx server running on SSL, the following tasks must be completed as part of your ThingWorx installation and setup:
• You have generated a Keystore that contains a signed ThingWorx SSL certificate.
• You have configured Apache Tomcat for SSL use.
If you are using an SSL certificate from a trusted Certificate Authority, the necessary certificate is already located in the Truststore (cacerts) when Java is installed. If you are using a self-signed SSL certificate, it must be imported to the Java Truststore.
Import a Self-signed SSL Certificate Automatically During Installation
 |
This automatic import option is available only for the Analytics Server installer. For the Platform Analytics installer, use the manual process.
|
The simplest way to ensure that your self-signed ThingWorx SSL certificate is properly imported is to allow the Analytics Server installer to do it automatically. If you want the installer to import the certificate automatically, select the following option on the ThingWorx Foundation Connection Information screen during installation: Upload a Self-signed ThingWorx SSL Certificate.
You will be prompted to provide certain information from your ThingWorx authentication certificate. Be prepared to provide the following:
• Location of the SSL certificate (a PEM or CER file)
• Unique Alias Name that will be assigned to the certificate in the Java Truststore
• Password assigned to the Java Truststore
When the installation runs, the ThingWorx SSL certificate is imported automatically.
Import a Self-signed SSL Certificate Manually
If you need to import the ThingWorx SSL certificate manually, follow the steps below. This process must be completed before installing the Analytics Server or Platform Analytics.
1. Use the command below to extract the certificate from the Keystore into a separate certificate file. The extraction will not change the Keystore but will make the certificate available for import in a separate file.
keytool -keystore <path to the java keystore>.jks -alias<alias name> -export-file<path to the certificate file>.csr
 |
Sample command:
keytool -keystore ~/apache-tomcat-8.5.33/conf/keystore.jks -aliasthingworx -export-file~/apache-tomcat-8.5.33/conf/thingworx.csr
|
2. Use the command below to import the certificate into the Java Truststore. If you have multiple Java installations running, ensure that you provide the Truststore for the Java that is running your Analytics Server or Platform Analytics. When prompted, enter the Truststore password.
keytool -keystore<path to Java truststore>-alias<alias name> -import-trustcacerts -file<Path to the certificate file>.csr
|
|
Sample command:
keytool -keystore/etc/ssl/certs/java/cacerts-aliasthingworx -import-trustcacerts -file~/apache-tomcat-8.5.33/conf/thingworx.csr
Note: If you have post-installation trouble connecting to ThingWorx using SSL, check the twas-twx-adapter.log file. If you find an error that the Truststore path is not valid, you might have selected the wrong Java Truststore. To import the certificate to a different Truststore, follow the procedure in the second half of article CS279983, entitled ThingWorx Analytics.
|