By default the Spectrum™ Technology Platform server uses HTTP for communication
with Enterprise Designer, browser applications such as Management Console and Metadata
Insights, as well as for handling web service requests and API calls.
You can configure Spectrum™ Technology Platform to use HTTPS if you want to secure
these network communications.

Note: Spectrum™ Technology Platform uses TLS 1.2 to
encrypt communication. Applications that access Spectrum™ Technology Platform web
services or the API must support TLS 1.2 in order to connect over HTTPS.

This procedure describes how to enable HTTPS communication on a single-server installation of
Spectrum™ Technology Platform. If you want to use HTTPS and you are running Spectrum™ Technology Platform in a cluster, do not follow this procedure. Instead, configure
the load balancer to use HTTPS for communication with clients. Communication between the
load balancer and the Spectrum™ Technology Platform nodes, and between the nodes
themselves, will be unencrypted because Spectrum™ Technology Platform clustering does
not support HTTPS. The load balancer and the Spectrum™ Technology Platform servers in
the cluster must be behind a firewall to provide a secure environment.

To configure HTTPS communication for a single-server installation of Spectrum™ Technology Platform:
- Stop the Spectrum™ Technology Platform server.
  - To stop the server on Windows, right-click the Spectrum™ Technology Platform icon in the Windows system tray and select Stop Spectrum™. Alternatively, you can use the Windows Services control panel and stop the Pitney Bowes Spectrum™ Technology Platform service.
  - To stop the server on Unix or Linux, source the SpectrumDirectory/server/bin/setup script then execute the SpectrumDirectory/server/bin/server.stop script.
- Create a certificate signed by a trusted Certificate Authority (CA).
  Note: The certificate must meet the requirements for encryption and length for the version of Java used by Spectrum™ Technology Platform. To find out the version of Java, open Management Console and go to . For more information, see java.com/en/jre-jdk-cryptoroadmap.html.
- Load the certificate into a JSSE keystore. For more information, see Loading Keys and Certificates (jetty://).
- Using a text editor, open the file spectrum-container.properties located in SpectrumDirectory/server/conf. Set these properties:
    spectrum.http.default.protocol=https
    spectrum.https.enabled=true
    spectrum.https.port=8443
    spectrum.encryption.validateCerts=false
    spectrum.encryption.trustAllHosts=true
    spectrum.encryption.selfSignedCert=true
  Important: Set spectrum.encryption.selfSignedCert=true only for a self-signed certificate that does not use a signing authority.
- Import your self-signed certificates. For example:
    keytool -importkeystore -srckeystore "C:\Pitney Bowes\Spectrum\server\conf\certs\keystore.p12" -destkeystore "C:\Pitney Bowes\Spectrum\server\conf\certs\truststore.p12" -deststoretype pkcs12
  For more information, see Implementing self-signed certificates.
- If you are configuring HTTPS communication for the Spectrum Spatial Module and services, you must perform an additional configuration prior to restarting the Spectrum™ Technology Platform server.
  In Spectrum Spatial™ Manager, change the URLs in these service configurations to use HTTPS:
  - Mapping (only necessary when accessing the Mapping Service via SOAP and when the ReturnImage parameter for a RenderMap request is False)
  - WFS
  - WMS
  - WMTS
  For instructions, see Spectrum Spatial™ Manager under the Managing Spatial section of the Spectrum Spatial Guide.
- Start the Spectrum™ Technology Platform server.
  - To start the server on Windows, right-click the Spectrum™ Technology Platform icon in the Windows system tray and select Start Spectrum™. Alternatively, you can use the Windows Services control panel to start the Pitney Bowes Spectrum™ Technology Platform service.
  - To start the server on Unix or Linux, execute the SpectrumDirectory/server/bin/server.start script.
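
Before the restart step, the edited spectrum-container.properties can be checked against the settings in the procedure above. This is an added example, not Spectrum or vendor code: the function names, the `cert_is_self_signed` flag and the sample text are assumptions for illustration, it handles only plain `key=value` lines, and it assumes the server reads the file the way java.util.Properties does (a repeated key keeps its last value).

```python
# Added example: audit spectrum-container.properties against this page's settings.
REQUIRED = {"spectrum.http.default.protocol": "https", "spectrum.https.enabled": "true"}
SELF_SIGNED_KEY = "spectrum.encryption.selfSignedCert"


def parse_properties(text):
    """Parse plain key=value lines; return (values, duplicated_keys)."""
    values, duplicates = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue  # blank line, comment, or not a key=value line
        key, _, value = line.partition("=")
        key = key.strip()
        if key in values:
            duplicates.append(key)  # assumed loader (java.util.Properties) keeps the last
        values[key] = value.strip()
    return values, duplicates


def audit(text, cert_is_self_signed):
    """Return findings; an empty list means the file matches this page."""
    values, duplicates = parse_properties(text)
    findings = [f"{k} is set more than once; the last value wins" for k in duplicates]
    for key, expected in REQUIRED.items():
        if values.get(key) != expected:
            findings.append(f"{key} should be {expected}, found {values.get(key)!r}")
    port = values.get("spectrum.https.port", "")
    if not (port.isdecimal() and 0 < int(port) < 65536):
        findings.append(f"spectrum.https.port is not a valid port: {port!r}")
    # Page rule: selfSignedCert=true only for a self-signed certificate.
    if values.get(SELF_SIGNED_KEY) == "true" and not cert_is_self_signed:
        findings.append(f"{SELF_SIGNED_KEY}=true but the certificate is CA-signed")
    return findings


# Constructed sample: settings from this page plus a stale duplicate line.
SAMPLE = """\
spectrum.http.default.protocol=https
spectrum.https.enabled=true
spectrum.https.port=8443
spectrum.encryption.selfSignedCert=true
spectrum.https.enabled=false
"""


if __name__ == "__main__":
    for finding in audit(SAMPLE, cert_is_self_signed=False):
        print("FINDING:", finding)
```

On the constructed sample the audit reports the duplicated spectrum.https.enabled line, the resulting HTTPS-disabled value, and the selfSignedCert mismatch for a CA-signed certificate.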