Configuring HTTPS Communication

By default the Spectrum™ Technology Platform server uses HTTP for communication with Enterprise Designer, browser applications such as Management Console and Metadata Insights, as well as for handling web service requests and API calls, and for remote server communication. You can configure Spectrum™ Technology Platform to use HTTPS if you want to secure these network communications.

Note: Spectrum™ Technology Platform uses TLS 1.2 to encrypt communication. Applications that access Spectrum™ Technology Platform web services or the API must support TLS 1.2 in order to connect over HTTPS.

This procedure describes how to enable HTTPS communication on a single-server installation of Spectrum™ Technology Platform. If you want to use HTTPS and you are running Spectrum™ Technology Platform in a cluster, do not follow this procedure. Instead, configure the load balancer to use HTTPS for communication with clients. Communication between the load balancer and the Spectrum™ Technology Platform nodes, and between the nodes themselves, will be unencrypted because Spectrum™ Technology Platform clustering does not support HTTPS. The load balancer and the Spectrum™ Technology Platform servers in the cluster must be behind a firewall to provide a secure environment.

To configure HTTPS communication for a single-server installation of Spectrum™ Technology Platform:

Stop the Spectrum™ Technology Platform server.
- To stop the server on Windows, right-click the Spectrum™ Technology Platform icon in the Windows system tray and select Stop Spectrum™. Alternatively, you can use the Windows Services control panel and stop the Pitney Bowes Spectrum™ Technology Platform service.
- To stop the server on Unix or Linux, source the SpectrumLocation/server/bin/setup script then execute the SpectrumLocation/server/bin/server.stop script.
Create a certificate signed by a trusted Certificate Authority (CA).

Note: The certificate must meet the requirements for encryption and length for the version of Java used by Spectrum™ Technology Platform. To find out the version of Java, open Management Console and go to System > Version. For more information, see java.com/en/jre-jdk-cryptoroadmap.html.
Load the certificate into a JSSE keystore. For more information, see www.eclipse.org/jetty/documentation/current/configuring-ssl.html#loading-keys-and-certificates.

Create an XML file named spectrum-override-container-ssl.xml containing the following:

<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:util="http://www.springframework.org/schema/util"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
       http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
       http://www.springframework.org/schema/util
       http://www.springframework.org/schema/util/spring-util-3.0.xsd">
    
    <bean id="defaultWebServerConnector" class="org.eclipse.jetty.server.ServerConnector">
        <constructor-arg ref="webServer"/>
        <constructor-arg>
            <bean class="org.eclipse.jetty.util.ssl.SslContextFactory">
                <property name="keyStorePath" value="/SpectrumKeystore"/>
                <property name="keyManagerPassword" value="password"/>
                <property name="keyStorePassword" value="password"/>
            </bean>
        </constructor-arg>
        <property name="host" value="${spectrum.bind.address}"/>
        <property name="port" value="${spectrum.http.port}"/>
        <property name="idleTimeout" value="-1"/>
    </bean>
</beans>

Modify these lines as needed to reflect your environment:

`<property name="keyStorePath" value="/SpectrumKeystore"/>`	Modify the value to be the full path to the Java keystore.
`<property name="keyManagerpassword" value="password"/>`	Modify the value to be the password to the keystore.
`<property name="keyStorePassword" value="password"/>`	Modify the value to be the password to the key within the keystore.

Save the spectrum-override-container-ssl.xml file to SpectrumLocation/server/app/conf/spring.
Using a text editor, open the file spectrum-container.properties located in SpectrumLocation/server/app/conf. Uncomment and set these properties:

spectrum.http.port=port
spectrum.runtime.port=port
spectrum.runtime.hostname=dnsname

Where port is the network port to use for communication with the clients (for example 8443) and dnsname is the hostname of the Spectrum™ Technology Platform server. The port you specify must be the same for both spectrum.http.port and spectrum.runtime.port.
If you are configuring HTTPS communication for the Location Intelligence Module and Spectrum Spatial services, you must perform additional configuration prior to restarting the Spectrum™ Technology Platform server:
1. Modify the java.properties file (SpectrumLocation\server\modules\spatial) by changing all hostnames and ports to be exactly the same as the ones used for the Spectrum™ Technology Platform server. The hostname must match the DNS name of the server and the CN in the certificate. Set property repository.useSecureConnection to true. For example,
```
repository.host=www.spectrum.com
repository.port=8443
repository.useSecureConnection=true
```
2. In Spatial Manager, change the URLs in these service configurations to use HTTPS:
  - Mapping (only necessary when accessing the Mapping Service via SOAP and when the ReturnImage parameter for a RenderMap request is False)
  - WFS
  - WMS
  - WMTS
  For instructions, see the "Spatial Manager Guide" in the Utilities section of the Spectrum Spatial Guide.
Start the Spectrum™ Technology Platform server.
- To start the server on Windows, right-click the Spectrum™ Technology Platform icon in the Windows system tray and select Start Spectrum™. Alternatively, you can use the Windows Services control panel to start the Pitney Bowes Spectrum™ Technology Platform service.
- To start the server on Unix or Linux, execute the SpectrumLocation/server/bin/server.start script.