HTTPS Setup
Using a self-signed certificate to set up an HTTPS connection for the plug-in is risky but might be acceptable in a lower-security environment.
We suggest that you use certificates that are digitally signed by a certification authority (CA) such as VeriSign, Thawte, or DigiCert. Alternatively, follow the PKI management rules at your site.
In a secure or production environment, it is never appropriate to rely on a self-signed certificate unless you fully understand all the liabilities and have the certificate appropriately validated and managed.
In a lower-security or testing environment, it might be acceptable to download and import the self-signed certificate if you know and trust the certificate originator. However, this is not a recommended practice.
The following instructions are for setting up and validating an HTTPS connection for the Endevor Eclipse plug-in using a self-signed certificate. These instructions relate specifically to the Windows operating system (OS) and the Chrome web browser but the same concepts apply to other OSes and browsers.
A self-signed certificate is a digital certificate that is not signed and validated by a publicly accepted CA. However, if certain conditions are met, a self-signed certificate can be used to configure and establish HTTPS communication.
In this case, we assume that the server portion of the setup is complete, and that Endevor Web Services is available through the HTTPS protocol. You can validate the setup by typing a URL in the following format into your web browser:
https://host:port/EndevorService/rest
If the URL is correct, your web browser should display a list of available configurations in JSON format.
This section details client-side setup involving a user workstation, where the Eclipse environment, together with an Endevor Eclipse plug-in, are available and running.
The following procedures show two different methods for exporting a self-signed certificate from the server-side trust store and storing it in a file.
Export a Certificate Using a Web Browser
- Access Endevor Web Services by entering a URL in the following format in your browser:
  https://host:port/EndevorService/rest
  A red Not secure warning should appear alongside the browser address bar, and a Your connection is not private warning should appear in the browser window.
- Click on the Not secure warning alongside the browser address bar.
  A contextual menu appears.
- Click on the Certificate is not valid section.
  A Certificate dialog appears.
- In the Certificate dialog, click on the Details tab. In the lower part of the dialog, click on the Copy to File... button. A Certificate Export Wizard appears.
- In the Certificate Export Wizard, click Next, select DER encoded binary X.509 (.CER) as the export file format option, and click Next again.
- On the following page, choose the location and file name to which the certificate will be exported.
  Example:
  c:\temp\expcert
  Note: Do not provide a file extension. The wizard automatically adds a .cer extension.
- On the final page, click Finish to export the certificate.
  The certificate is exported.
- Navigate to the USS location of the keystore that is used for HTTPS setup in the Tomcat that hosts Endevor Web Services.
- Execute a command in the following format to export the certificate from the keystore:
  keytool -exportcert -v -alias alias-name -keystore keystore-name -storepass keystore-password -file file-name
  where:
  - alias-name: Specifies the alias name.
  - keystore-name: Specifies the keystore name.
  - keystore-password: Specifies the keystore password.
  - file-name: Specifies the name of the exported file.
  Example:
  keytool -exportcert -v -alias tomcat -keystore endevor.jks -storepass mypswd -file endevor.cert
  Note: The keytool utility is delivered with Java Runtime and is used to manage keystores and certificates. For more information, see the keytool section of the Java documentation on the Oracle website.
- Copy the exported certificate to the PC or workstation where the Eclipse Runtime with plug-in is running. (You can use FTP to transfer the certificate file, but the file should be transferred in binary mode from a USS location to a PC.)
  The certificate is exported.
To identify the correct location of the Java trust store, you must validate which Java Runtime is used to run the Eclipse environment:
- Start Eclipse Runtime then select Help from the main menu, then select the About Eclipse option. The About dialog appears.
- From the About dialog, select Installation Details to open the Eclipse Installation Details dialog.
- Select the Configuration tab.
  A list of parameters appears.
- In the list of parameters, find the java.home= parameter, which points to the Java Runtime path. Note down the name of this path and add it to your system environment variable as %JAVA_HOME%.
- Update your System environment variable PATH to include the following bin directory: %JAVA_HOME%\bin
- Validate that the keytool utility is available.
- Navigate to the following directory in Java Runtime:
  cd %JAVA_HOME%\lib\security
- Run the following command to import the previously stored certificate into the Java Runtime trust store called cacerts, which is located in the %JAVA_HOME%\lib\security directory:
  keytool -importcert -noprompt -alias endevor -keystore cacerts -storepass changeit -file c:\temp\expcert.cer
  Note: "changeit" is the default password for accessing the JVM trust store. If this password was changed, update this value.
- Confirm and validate that the certificate was added into the truststore by restarting Eclipse Runtime and trying to connect to the Endevor repository using the HTTPS protocol.
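Because the import command above uses -noprompt, keytool adds the certificate to cacerts without displaying it for confirmation, so the exported file should be checked before the import. The following is an added example, not part of the original product documentation: it computes the SHA-256 fingerprint of an exported file (binary DER or PEM) and compares it with a value obtained out-of-band. It assumes the server administrator supplies the SHA256 fingerprint that `keytool -list -v` prints for the server keystore entry; the function names and sample bytes are hypothetical.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL)

def cert_der_bytes(raw: bytes) -> bytes:
    """Return the DER bytes of an exported file that is binary DER or PEM text."""
    match = PEM_RE.search(raw)
    if match:
        return base64.b64decode(b"".join(match.group(1).split()))
    return raw

def sha256_fingerprint(raw: bytes) -> str:
    """SHA-256 over the DER encoding, as colon-separated uppercase hex."""
    digest = hashlib.sha256(cert_der_bytes(raw)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 64, 2))

def fingerprint_matches(raw: bytes, expected: str) -> bool:
    """True only if the file's fingerprint equals the out-of-band value."""
    want = re.sub(r"[:\s]", "", expected).upper()
    if not re.fullmatch(r"[0-9A-F]{64}", want):
        return False  # reject SHA-1 length, labels, or truncated values
    got = sha256_fingerprint(raw).replace(":", "")
    return hmac.compare_digest(got, want)

# Constructed stand-in bytes (not a real certificate); the hash is taken over
# whatever DER bytes the file holds, so they are enough to show the check.
SAMPLE_DER = bytes.fromhex("3082010a0282010100") + b"constructed-sample"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    expected = sha256_fingerprint(SAMPLE_DER)  # stands in for the admin's value
    print("DER export matches:", fingerprint_matches(SAMPLE_DER, expected))
    print("PEM export matches:", fingerprint_matches(SAMPLE_PEM, expected))
    print("tampered file matches:", fingerprint_matches(SAMPLE_DER + b"\0", expected))
```

Run the import only when the comparison returns True for the file you are about to pass to -file.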