GuiHttp‐Application‐configure‐from‐http‐to‐https - Xyna-Factory/xyna GitHub Wiki
The GuiHttp application deploys an http trigger. To improve security, you can change the trigger configuration to https. This guide walks you through the steps necessary to replace the default http trigger instance with an https trigger instance.
You need the following 3 files:
- SSL_CERTIFICATE_KEY_FILE: Path to Server PEM-encoded private key file.
- SSL_CERTIFICATE_FILE: Path to Server PEM-encoded X.509 certificate data file or token identifier.
- SSL_CA_CERTIFICATE_FILE: Path to file of concatenated PEM-encoded CA Certificates for Client Auth.
The following parameters must be set:
- SSL_CERTIFICATE_KEY_FILE: Path to Server PEM-encoded private key file.
- SSL_CERTIFICATE_FILE: Path to Server PEM-encoded X.509 certificate data file or token identifier.
- SSL_CA_CERTIFICATE_FILE: Path to file of concatenated PEM-encoded CA Certificates for Client Auth.
- PKCS12_BUNDLE_NAME: Name of the PKCS12 bundle, which you must define yourself. (for example: "mypkcs12bundle")
- PKCS12_BUNDLE_FILE: Filename of the created PKCS12 bundle, which you must define yourself. (file format: .p12, for example: "mypkcs12bundle.p12")
- PKCS12_BUNDLE_PASSWORD: Password of the created PKCS12 bundle, which you must define yourself. (for example: "mypass123")
openssl pkcs12 -export -in ${SSL_CERTIFICATE_FILE} -inkey ${SSL_CERTIFICATE_KEY_FILE} -chain -CAfile ${SSL_CA_CERTIFICATE_FILE} -name ${PKCS12_BUNDLE_NAME} -out ${PKCS12_BUNDLE_FILE} -password pass:${PKCS12_BUNDLE_PASSWORD}
The following parameters must be set:
- PKCS12_BUNDLE_FILE: Path to PKCS12 bundle file. (file format: .p12)
- PKCS12_BUNDLE_PASSWORD: Password of the PKCS12 bundle.
- KEYSTORE_PASSSWORD: Password of the created keystore, which you must define yourself. (for example: "mypass123")
- KEYSTORE_FILE: Path to the created keystore file, which you must define yourself. (file format: .jks, for example: "mypkeystore.jks")
keytool -importkeystore -deststorepass ${KEYSTORE_PASSSWORD} -destkeystore ${KEYSTORE_FILE} -srcstorepass ${PKCS12_BUNDLE_PASSWORD} -srckeystore ${PKCS12_BUNDLE_FILE} -srcstoretype PKCS12 -noprompt
keytool -v -list -keystore ${KEYSTORE_FILE} -storepass ${KEYSTORE_PASSSWORD}
NOTE: The PKCS12 bundle file is no longer needed and can be removed.
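A hardened variant of the two conversion steps above, as an added example that is not part of the Xyna Factory scripts: it checks that the certificate matches the private key and verifies against the CA file before building the bundle, and it reads both passwords from exported environment variables (openssl `env:`, keytool `:env`) so they do not appear in the process list. The function names are hypothetical, and the private key is assumed to be unencrypted.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of Xyna Factory.
# Assumes the parameters above are exported and the private key is unencrypted.

# 0 if the certificate ($1) carries the public key of the private key ($2).
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate ($1) verifies against the CA file ($2) and is still
# valid $3 seconds from now (default: 30 days).
cert_is_usable() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || return 1
    openssl x509 -in "$1" -noout -checkend "${3:-2592000}" >/dev/null
}

# Runs in a subshell so the restrictive umask does not leak to the caller.
build_keystore() (
    umask 077    # bundle and keystore readable by the owner only
    cert_matches_key "$SSL_CERTIFICATE_FILE" "$SSL_CERTIFICATE_KEY_FILE" || {
        echo "certificate and private key do not match" >&2; exit 1; }
    cert_is_usable "$SSL_CERTIFICATE_FILE" "$SSL_CA_CERTIFICATE_FILE" || {
        echo "certificate fails CA verification or expires soon" >&2; exit 1; }

    # env:NAME makes openssl read the password from the environment.
    openssl pkcs12 -export -in "$SSL_CERTIFICATE_FILE" \
        -inkey "$SSL_CERTIFICATE_KEY_FILE" -chain \
        -CAfile "$SSL_CA_CERTIFICATE_FILE" -name "$PKCS12_BUNDLE_NAME" \
        -out "$PKCS12_BUNDLE_FILE" -passout env:PKCS12_BUNDLE_PASSWORD || exit 1

    # The :env modifier makes keytool read the password from the environment.
    keytool -importkeystore -deststorepass:env KEYSTORE_PASSSWORD \
        -destkeystore "$KEYSTORE_FILE" \
        -srcstorepass:env PKCS12_BUNDLE_PASSWORD \
        -srckeystore "$PKCS12_BUNDLE_FILE" -srcstoretype PKCS12 \
        -noprompt || exit 1

    # The intermediate bundle still holds the private key; remove it.
    rm -f "$PKCS12_BUNDLE_FILE"
)
```

Call `build_keystore` after exporting the parameters listed for both steps.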
The following parameters must be set:
- XYNA_SERVER_DIR: Path to server directory of the xyna-factory. (for example: "/opt/xyna/xyna_001/server")
- KEYSTORE_PASSSWORD: Password of the keystore.
- KEYSTORE_FILE: Path to the keystore file (file format: .jks)
- KEYSTORE_NAME: Name of the keystore in the factory, which you must define yourself. (for example: "mysslkeystore")
# ssh user xyna
cd ${XYNA_SERVER_DIR}
./xynafactory.sh importkeystore -file ${KEYSTORE_FILE} -keystoretype java.security -name ${KEYSTORE_NAME} -importParameters passphrase=${KEYSTORE_PASSSWORD}
The following command lists the names of the available keystores in the xyna-factory:
./xynafactory.sh listkeystores
IMPORTANT: The keystore file is still needed and must not be removed !!!
There are two possible options here:
- Option 1: Manual steps
- Option 2: Script: guihttp_app_switch_http_to_https.sh
The following parameters must be set:
- XYNA_SERVER_DIR: Path to server directory of the xyna-factory. (for example: "/opt/xyna/xyna_001/server")
- GUIHTTP_APP_VERSION: Version of the application GuiHttp. (determine this version with the command: ./xynafactory.sh listapplications -applicationName GuiHttp)
- KEYSTORE_NAME: Name of the keystore in the xyna-factory, which will be used for https. (for example: "mysslkeystore")
- PORT: Parameter port of the https trigger, which you must define yourself. (for example: "4245")
- SSL: Parameter ssl of the https trigger, which you must define yourself. (for example: "TLSv1.3")
# ssh user xyna
cd ${XYNA_SERVER_DIR}
./xynafactory.sh stopapplication -applicationName GuiHttp -versionName ${GUIHTTP_APP_VERSION}
./xynafactory.sh deploytrigger -applicationName GuiHttp -versionName ${GUIHTTP_APP_VERSION} -triggerName Http -triggerInstanceName Https -startParameters port=${PORT} https=KEY_MGMT clientauth=none keystorename=${KEYSTORE_NAME} ssl=${SSL}
./xynafactory.sh undeployfilter -applicationName GuiHttp -versionName ${GUIHTTP_APP_VERSION} -filterInstanceName H5XdevFilterinstance
./xynafactory.sh undeployfilter -applicationName GuiHttp -versionName ${GUIHTTP_APP_VERSION} -filterInstanceName HttpIni
./xynafactory.sh deployfilter -applicationName GuiHttp -versionName ${GUIHTTP_APP_VERSION} -filterName GUIHTTP -filterInstanceName HttpIni -triggerInstanceName Https
./xynafactory.sh deployfilter -applicationName GuiHttp -versionName ${GUIHTTP_APP_VERSION} -filterName H5XdevFilter -filterInstanceName H5XdevFilterinstance -triggerInstanceName Https
./xynafactory.sh startapplication -applicationName GuiHttp -versionName ${GUIHTTP_APP_VERSION}
The script guihttp_app_switch_http_to_https.sh can be found:
- In the delivery item: XynaFactory_VERSION_TIMESTAMP_bundle/XynaFactory_VERSION_TIMESTAMP/scripts
- Online at https://github.com/Xyna-Factory/xyna-factory/tree/main/installation/scripts
- Step 1: Stop the GuiHttp application
- Step 2: Deploy a new https trigger instance
- Step 3: Remove the old filter instance H5XdevFilterinstance connected to the http trigger
- Step 4: Remove the old filter instance HttpIni connected to the http trigger
- Step 5: Deploy new filter instance HttpIni connected to the https trigger
- Step 6: Deploy new filter instance H5XdevFilterinstance connected to the https trigger
- Step 7: Start the GuiHttp application
The following command shows the usage of the script:
# ssh user xyna
cd XynaFactory_${VERSION}_${TIMESTAMP}_bundle/XynaFactory_${VERSION}_${TIMESTAMP}/scripts
./guihttp_app_switch_http_to_https.sh -h
Usage: ./guihttp_app_switch_http_to_https.sh
  -h : print this help
  -d : Dry run, whih print the commands to be executed
  -i INSTANCE : Instance of the xyna-factory
     Default value: 001
  -v GUIHTTP_APP_VERSION : Version of the GuiHttp Application
     Default value: the version is determined with the command: 'xynafactory.sh listapplications -applicationName GuiHttp'
  -k KEYSTORENAME : Name of the keystore in the xyna-factoy
     Default value: the keystore name is determined with the command: 'xynafactory.sh listkeystores'
  -p PORT : Parameter Port of the https trigger
     Default value: 4245
  -s SSL : Parameter ssl of the https trigger
     Default value: TLSv1.3
The following command shows a dry run of the script:
# ssh user xyna
cd XynaFactory_${VERSION}_${TIMESTAMP}_bundle/XynaFactory_${VERSION}_${TIMESTAMP}/scripts
./guihttp_app_switch_http_to_https.sh -d
# Date: Fr 28. Feb 11:13:00 UTC 2025
# Configuration
# Dry run : yes
# INSTANCE : 001
# GUIHTTP_APP_VERSION : 1.3.13
# KEYSTORENAME : sslkeystore
# PORT : 4245
# SSL : TLSv1.3)
# Step 1: Stop the GuiHttp application
/opt/xyna/xyna_001/server/xynafactory.sh stopapplication -applicationName GuiHttp -versionName 1.3.13
# Step 2: Deploy a new https trigger instance
/opt/xyna/xyna_001/server/xynafactory.sh deploytrigger -applicationName GuiHttp -versionName 1.3.13 -triggerName Http -triggerInstanceName Https -startParameters port=4245 https=KEY_MGMT clientauth=none keystorename=sslkeystore ssl=TLSv1.3
# Step 3: Remove the old filter instance H5XdevFilterinstance connected to the http trigger
/opt/xyna/xyna_001/server/xynafactory.sh undeployfilter -applicationName GuiHttp -versionName 1.3.13 -filterInstanceName H5XdevFilterinstance
# Step 4: Remove the old filter instance HttpIni connected to the http trigger
/opt/xyna/xyna_001/server/xynafactory.sh undeployfilter -applicationName GuiHttp -versionName 1.3.13 -filterInstanceName HttpIni
# Step 5: Deploy new filter instance HttpIni connected to the https trigger
/opt/xyna/xyna_001/server/xynafactory.sh deployfilter -applicationName GuiHttp -versionName 1.3.13 -filterName GUIHTTP -filterInstanceName HttpIni -triggerInstanceName Https
# Step 6: Deploy new filter instance H5XdevFilterinstance connected to the https trigger
/opt/xyna/xyna_001/server/xynafactory.sh deployfilter -applicationName GuiHttp -versionName 1.3.13 -filterName H5XdevFilter -filterInstanceName H5XdevFilterinstance -triggerInstanceName Https
# Step 7: Start the GuiHttp application
/opt/xyna/xyna_001/server/xynafactory.sh startapplication -applicationName GuiHttp -versionName 1.3.13
The following parameters must be set:
- XYNA_SERVER_DIR: Path to server directory of the xyna-factory. (for example: "/opt/xyna/xyna_001/server")
- GUI_HTTP_APP_VERSION: Version of the application GuiHttp. (determine this version with the command: ./xynafactory.sh listapplications -applicationName GuiHttp)
# ssh user xyna
cd ${XYNA_SERVER_DIR}
./xynafactory.sh stopapplication -applicationName GuiHttp -versionName ${GUI_HTTP_APP_VERSION}
./xynafactory.sh removeapplication -applicationName GuiHttp -versionName ${GUI_HTTP_APP_VERSION}
cd XynaFactory_${VERSION}_${TIMESTAMP}_bundle/XynaFactory_${VERSION}_${TIMESTAMP}
./install_black_edition.sh -x GuiHttp
The following parameters must be set:
- PORT: Listening port of the https trigger. (for example: 4245)
/etc/apache2/sites-available/default-ssl.conf
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyEngine on
<Directory "/var/www/html">
...
RewriteRule "^modeller-api/(.*)$" "https://localhost:${PORT}/$1" [P]
...
</Directory>
Restart httpd
# ssh user root
systemctl restart httpd
systemctl status httpd