Securing Openbravo Apache Tomcat using self-signed SSL

Openbravo ERP is rarely used on a stand-alone computer. Its integrated and complex nature means it usually runs in a networked system, so securing the data sent over the network is absolutely necessary. This article describes my experience activating SSL on Tomcat so that Openbravo can be run in encrypted mode (using the https protocol). However, this is still the development phase, and the certificate used is still self-signed. In the production phase you are not allowed to use a self-signed certificate like this.

Step 1: create the keystore and SSL certificate

This certificate gives the server an identity, so the client can safely transmit data to it. For now we use a self-signed certificate. To create a certificate you can use the keytool that comes with the Java (JVM) installation, but in my case I use OpenSSL. Run OpenSSL from the command shell; you will land at the openssl prompt.

Create the key using a command with the format below:

genrsa -des3 -out <path to your home folder>/tomcatkey.pem 2048

In my case, the above command becomes:

genrsa -des3 -out /home/zaien/tomcatkey.pem 2048

You will be asked for a password (and to confirm it, so you will enter the password twice). To keep things simple I will use the same password everywhere in this process: tomcat.

Next, create a certificate with the following command format:

req -config <path to openssl.cnf>/openssl.cnf -new -x509 -keyout <path to your home folder>/tomcatkey.pem -out <path to your home folder>/tomcatcert.crt -days 1095

In my case, the above command becomes:

req -config /etc/ssl/openssl.cnf -new -x509 -keyout /home/zaien/tomcatkey.pem -out /home/zaien/tomcatcert.crt -days 1095

You will be asked for the password again (and to confirm it, so you will enter it twice); as above, I use tomcat. In addition, you will be asked for the following data (in this order; I fill in the details for my case, yours may differ):

  1. Country name (2-character ISO code): ID
  2. State/province: Jawa Timur
  3. Locality name: Surabaya
  4. Organization name: Wirabumi Software
  5. Organizational unit name: Openbravo
  6. Common name: Wirabumi Software
  7. Email address:

The next step is to create the keystore file by running this command in a terminal from your home folder:

$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA

This command generates a .keystore file in your home folder. During its creation you need to answer some questions similar to those asked during certificate creation; give the same answers. The next step is to copy the certificate and key that were created (they are in your home folder) into the CATALINA_HOME folder. In my case the home folder is /home/zaien, while CATALINA_HOME is /opt/OpenbravoERP-2.50/tomcat.

Step 2: configure server.xml in Tomcat

The next step is to edit server.xml to enable https on Tomcat using the certificate and key created in step 1. Open the server.xml file in the CATALINA_HOME/conf folder.

Uncomment (remove the <!-- -->) the Connector with port="8443" and fill in its existing properties so that it looks as follows (in your case the paths may differ):

<Connector port="8443" maxThreads="200"
 scheme="https" secure="true" SSLEnabled="true"
 clientAuth="optional" sslProtocol="TLS" />

Comment out (add <!-- -->) the Connector with port="8080", which is Tomcat's default port (in my case 8880), as shown in the figure.

Restart Tomcat and open your Tomcat page. Note that you can no longer open Openbravo on the standard port. Now open the SSL port (8443), for example: https://localhost:8443/openbravo. You will be asked to confirm acceptance of the certificate. Accept the certificate, and you now have access to Openbravo over the https protocol (SSL).
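To check that step 2 was applied correctly before restarting Tomcat, here is a small audit script. It is an added example written for this article, not code from the original post or from the Openbravo or Tomcat projects. It assumes the documented Tomcat Connector attribute names (SSLEnabled, scheme, secure, keystoreFile, keystorePass); the two server.xml samples embedded below are constructed for the demonstration and are not the author's actual file. The script reports any plain HTTP connector that is still active, confirms that an SSL connector is present and names a keystore, and flags a keystore password that is a sample value such as the "tomcat" used throughout this walkthrough.

```python
"""Audit a Tomcat server.xml for the HTTPS-only layout described in step 2.

Added example (not from the original post). Assumes the documented Tomcat
Connector attributes SSLEnabled, scheme, secure, keystoreFile, keystorePass.
"""
import sys
import xml.etree.ElementTree as ET

# Passwords that are sample/default values rather than real secrets.
SAMPLE_KEYSTORE_PASSWORDS = {"", "changeit", "tomcat", "password"}


def _is_true(value):
    return (value or "").strip().lower() == "true"


def audit_connectors(server_xml):
    """Return a list of findings; an empty list means the file matches step 2.

    ElementTree discards XML comments, so a connector that was commented out
    (the plain HTTP one in step 2) simply does not appear in the parsed tree.
    """
    findings = []
    root = ET.fromstring(server_xml)
    https_seen = False
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        protocol = conn.get("protocol", "HTTP/1.1")  # Tomcat's default protocol
        if protocol.upper().startswith("AJP"):
            continue  # AJP connectors are outside the scope of this check
        if _is_true(conn.get("SSLEnabled")):
            https_seen = True
            if conn.get("scheme") != "https" or not _is_true(conn.get("secure")):
                findings.append(f"port {port}: SSLEnabled but scheme/secure are not set for https")
            if not conn.get("keystoreFile"):
                findings.append(f"port {port}: SSL connector does not name a keystoreFile")
            if conn.get("keystorePass", "") in SAMPLE_KEYSTORE_PASSWORDS:
                findings.append(f"port {port}: keystorePass is a well-known sample value; change it before production")
        else:
            findings.append(f"port {port}: plaintext HTTP connector still enabled")
    if not https_seen:
        findings.append("no HTTPS (SSLEnabled) connector is active")
    return findings


def audit_file(path):
    """Audit a server.xml on disk (e.g. CATALINA_HOME/conf/server.xml)."""
    with open(path, encoding="utf-8") as fh:
        return audit_connectors(fh.read())


# Constructed sample: server.xml after step 2 (8080 commented out, 8443 enabled).
GOOD_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!--
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    -->
    <Connector port="8443" maxThreads="200"
               scheme="https" secure="true" SSLEnabled="true"
               clientAuth="optional" sslProtocol="TLS"
               keystoreFile="/opt/OpenbravoERP-2.50/tomcat/.keystore"
               keystorePass="tomcat" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

# Constructed sample: the stock layout before step 2 (8080 open, 8443 commented out).
BAD_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!--
    <Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
               clientAuth="false" sslProtocol="TLS" />
    -->
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

if __name__ == "__main__":
    # Usage: python audit_server_xml.py /opt/OpenbravoERP-2.50/tomcat/conf/server.xml
    results = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit_connectors(BAD_SERVER_XML)
    for line in results or ["OK: only an HTTPS connector is active"]:
        print(line)
```

Run it against CATALINA_HOME/conf/server.xml after editing. On the development setup described here the only expected finding is the sample keystore password; that finding should disappear, along with the self-signed certificate, before the system goes to production.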
