Setting up a secure connection in Spectrum
Operating System: Windows, Linux, UNIX
Product affected: Spectrum™ Technology Platform
Versions: 8 SP3, 9 SP3, 10 SP1, 11 SP1
Product affected: Spectrum™ Technology Platform
Versions: 8 SP3, 9 SP3, 10 SP1, 11 SP1
There are three parts to setting up Secure Sockets Layer (SSL) communication in Spectrum: the Spectrum server, the client tools, and the Client API.
Server
The Spectrum Documentation Administration Guide provides instructions for configuring the Spectrum server to accept secure connections. Refer to the article How to create a keystore for Spectrum Technology Platform for how to generate a Java keystore (JKS) for Spectrum.
Client Tools
These steps are not necessary if the certificate installed on the Spectrum server is signed by a trusted certification authority (CA) like VeriSign.
Import the certificate into the Windows certificate store. This is required to test with a self-signed certificate from above.
Client API
Note: Make sure you are adding the root certificate of the certificate issuer in the Microsoft Management Console.
Server
The Spectrum Documentation Administration Guide provides instructions for configuring the Spectrum server to accept secure connections. Refer to the article How to create a keystore for Spectrum Technology Platform for how to generate a Java keystore (JKS) for Spectrum.
Client Tools
These steps are not necessary if the certificate installed on the Spectrum server is signed by a trusted certification authority (CA) like VeriSign.
Import the certificate into the Windows certificate store. This is required to test with a self-signed certificate from above.
- Open Internet Explorer and go to https://<servername>:<ssl-port> to see the Spectrum welcome page.
- Click the lock next to your web browser address bar.
- Click View Certificates.
- Click the Details tab.
- Click the Copy to File button at the bottom. Go through the wizard and choose the "DER encoded binary X.509" format.
- Click Start > Run.
- Type "mmc" and click OK.
- Click File > Add/Remove Snap-in.
- Click Add and find Certificates in the list.
- Click Add.
- Choose "Computer Account" and "Local computer"
- Click Finish.
- Then click Close and OK.
- Expand the Certificates node on the left
- Find Trusted Root Certification Authorities > Certificates.
- Right-click on Certificates and choose All Tasks > Import.
- Go through the wizard and browse to the file exported from your web browser. Make sure it's placed in the Trusted Root Certification Authorities store and finish the wizard.
Client API
Java
If the certificate is signed by a commonly trusted CA, no extra steps are needed. In the client application code, set the Server.CONNECTION_TYPE to "HTTPS" and set the correct port. However, if a self-signed certificate is being used or one that's not signed by a publicly known CA, add that certificate to the trusted CA certificates store for Java.
The default trusted CA store for Java is <JAVA_HOME>/jre/lib/security/cacerts. Either import the certificate directly into this file or make a copy of this file for testing.
To import the certificate, run a command like this:
keytool -keystore mycacerts -storepass changeit -import -alias spectrum -file myIEcert.cer
Where the -file parameter is the name of the certificate file exported from your browser earlier and the value of -keystore is the cacerts file being used. The default password for Java's cacerts store is "changeit". Java will now trust the self-signed certificate. If using a copy of the original cacerts file, add the "-Djavax.net.ssl.trustStore=<name of cacerts>" option to the java command line, like this:
java -classpath .;g1clientSDK-10.0.jar -Djavax.net.ssl.trustStore=D:\sourcecode\java\SpectrumJavaSample\mycacerts SpectrumTestClientApp
.NET
If the certificate is signed by a trusted CA, no extra steps are needed. In the client application code, set the Server.CONNECTION_TYPE to "HTTPS" and set the correct port. However, if using a self-signed certificate or one that's not signed by a known CA, follow the steps for importing the certificate into the Windows store, as described above for the Client Tools.
Web Services
There is no single process for this situation since any number of tools can use web services to communicate with Spectrum. Generally, accessing the WSDL or WADL for a web service is enough for the tool to use a secure connection. Refer to the documentation for the tool in question for details on using secured connections.
If the certificate is signed by a commonly trusted CA, no extra steps are needed. In the client application code, set the Server.CONNECTION_TYPE to "HTTPS" and set the correct port. However, if a self-signed certificate is being used or one that's not signed by a publicly known CA, add that certificate to the trusted CA certificates store for Java.
The default trusted CA store for Java is <JAVA_HOME>/jre/lib/security/cacerts. Either import the certificate directly into this file or make a copy of this file for testing.
To import the certificate, run a command like this:
keytool -keystore mycacerts -storepass changeit -import -alias spectrum -file myIEcert.cer
Where the -file parameter is the name of the certificate file exported from your browser earlier and the value of -keystore is the cacerts file being used. The default password for Java's cacerts store is "changeit". Java will now trust the self-signed certificate. If using a copy of the original cacerts file, add the "-Djavax.net.ssl.trustStore=<name of cacerts>" option to the java command line, like this:
java -classpath .;g1clientSDK-10.0.jar -Djavax.net.ssl.trustStore=D:\sourcecode\java\SpectrumJavaSample\mycacerts SpectrumTestClientApp
.NET
If the certificate is signed by a trusted CA, no extra steps are needed. In the client application code, set the Server.CONNECTION_TYPE to "HTTPS" and set the correct port. However, if using a self-signed certificate or one that's not signed by a known CA, follow the steps for importing the certificate into the Windows store, as described above for the Client Tools.
Web Services
There is no single process for this situation since any number of tools can use web services to communicate with Spectrum. Generally, accessing the WSDL or WADL for a web service is enough for the tool to use a secure connection. Refer to the documentation for the tool in question for details on using secured connections.
Note: Make sure you are adding the root certificate of the certificate issuer in the Microsoft Management Console.
UPDATED:
August 2, 2019
