http to https Issues

Lawrence Brown shared this question 2 years ago
Answered

Hi,


I've recently completed the instructions to change over to allow https using the yf instructions for Yellowfin Accessed Via https page.


As far as I can see everything worked and the setup was successful, however when we try to connect via https nothing happens and the page hangs.


Are there any further steps on the server side that need to be done to make this work?


Thanks in advance.

Comments (7)

1

Hello Lawrence,


Thanks for reaching out with your question. It just so happens that I've re-written the HTTPS guide with more detail. I've also included some Troubleshooting tips in my guide.


That being said, it sounds like you may have a syntax error in one of the .xml configuration files. If you search the term "SEVERE" in your catalina.out log, located in <YellowfinInstall>/appserver/logs/catalina.out, it should tell you which file and the line number of the error.


Have a look at the guide and give that a go. Let me know your results.


Thanks,

Ryan

1

Hi Ryan,

Thanks for the updated details, I've worked through them and they have moved me further forward, however I still can't connect to yellowfin. When I connect to http://localhost:8080 it now redirects to https://localhost:8443 so it looks as if that is working but I still can't connect to Yellowfin.

I've attached the log files that have been updated when I try to connect to yellowfin via https, it looks as if the setting of the keystore setting has failed.

I've also found this that looks like it may be a problem?

"28-Apr-2017 09:24:10.113 SEVERE [main] org.apache.tomcat.util.net.SSLUtilBase.getStore Failed to load keystore type [JKS] with path [C:\Windows\system32\config\systemprofile/.keystore] due to [Illegal character in opaque part at index 2: C:\Windows\system32\config\systemprofile/.keystore]

java.lang.IllegalArgumentException: Illegal character in opaque part at index 2: C:\Windows\system32\config\systemprofile/.keystore"

Thanks in advance and let me know if you need any more information,

Lawrence

1

Hi Lawrence,


Good work in the log interpretation! I actually wrote the article when implementing this process on a Linux box, which uses "/" for file paths. In Windows, you'll want to use "\" when denoting file paths. In consideration of this, you'll want to edit your server.xml once more and find the 8443 connector block to update the keystoreFile parameter to read:


    keystoreFile="C:\Windows\system32\config\systemprofile\.keystore"

If doing so doesn't net any different results, analyze the permissions of the keystore file. It's possible that the user Yellowfin is running under doesn't have permissions to access the subfolders of system32.


Thanks,

Ryan
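
A quick check for the two points raised in the reply above (the separators in keystoreFile and whether the service account can read the keystore), as an added example that is not part of the original thread. The sample server.xml is constructed, `check_connectors` is a hypothetical helper, and it assumes the keystore is set through the connector-level keystoreFile attribute as in this thread.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample for illustration, not the poster's actual server.xml.
SAMPLE_SERVER_XML = r"""<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="C:\Windows\system32\config\systemprofile/.keystore"/>
</Service></Server>"""

MIXED = "keystoreFile mixes '\\' and '/' separators"
MISSING = "keystore file not found at this path"
UNREADABLE = "keystore file exists but this account cannot read it"
DEFAULTED = "no keystoreFile set; Tomcat looks for .keystore in the service account's home"


def check_connectors(server_xml_text, exists=os.path.isfile,
                     readable=lambda p: os.access(p, os.R_OK)):
    """Return [(port, problem), ...] for every TLS-enabled <Connector>."""
    findings = []
    for conn in ET.fromstring(server_xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, no keystore involved
        port, path = conn.get("port"), conn.get("keystoreFile")
        if path is None:
            findings.append((port, DEFAULTED))
            continue
        if "\\" in path and "/" in path:
            findings.append((port, MIXED))
        if not exists(path):
            findings.append((port, MISSING))
        elif not readable(path):
            findings.append((port, UNREADABLE))
    return findings


if __name__ == "__main__":
    # Run as the same account the Yellowfin service uses, so the
    # readability check reflects what Tomcat itself will see.
    for port, problem in check_connectors(SAMPLE_SERVER_XML):
        print(f"connector {port}: {problem}")
```

To check a real install, pass the text of <YellowfinInstall>/appserver/conf/server.xml (path assumed from the log location mentioned earlier in the thread) instead of the sample.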

1

Hi Ryan,


Sorry about all the files, thought it easier to include them all :-)


That has worked and I can now connect to yf via https://localhost:8443/ although my connection isn't secure so I'll work through the Secure Certificate route now.

I have an ssl certificate from AWS, can I use that one?

Thanks again.

1

Hi Lawrence,


No worries, I removed the files since this is a public question instead of a private ticket. Furthermore, you had already done the detective work for me. You're correct, you will get the self-signed certificate error message when using the tutorial method. Even though you get this message, your session is still encrypted. The warning is an indication that, since the cert is self-signed, the connection can't be guaranteed private.


For production instances you can configure Tomcat with a proper, signed certificate. It looks like there's some AWS documentation in regards to using these certificates within your websites and applications here. You should be able to couple this with the command for importing listed under "Importing the Certificate" in the Apache Tomcat guide:


    keytool -import -alias root -keystore <path_to_keystore> -trustcacerts -file <filename_of_the_chain_certificate>

Which should import the Chain Certificate.


    keytool -import -alias tomcat -keystore <path_to_keystore> -file <your_certificate_name>

Which would import the signed certificate itself.


Unfortunately, the process of working with the AWS Certificate Manager isn't something I'm familiar with. There may be a Certificate Signing Request (CSR) step necessary, also in the Tomcat guide, however the AWS Certificate Manager looks like it may handle that for you.


Let me know if those documents help.


Thanks,

Ryan

1

Hi Ryan,


I've worked my way through the documents you kindly sent but I'm still no further forward.


Any guidance would be appreciated.

1

Hi Lawrence,


I'm going to start a ticket in your name so we can work this privately, as I'll be requesting logs. I'll go ahead and mark this as Answered, since we're continuing via ticket.


Thanks,

Ryan