Configure Pulse to use SSL

Celine · 2018-11-19 15:02:43 UTC

Hi there,

In relation to the blog’s article Using SSL With Pulse describing the changes to perform to change the port to 443, I’ve got a silly question:

In the file server.xml there are 2 Connector blocs.

The first one has port=“8099” and redirectPort=“8093”
The second has port=“8093” + all parameters to configure the SSL usage (minus the parameter “keystoreType” though)

1st:

<Connector connectionTimeout="20000" port="8099" protocol="HTTP/1.1" redirectPort="8093" URIEncoding="UTF-8" 
  compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,application/json"
  compression="on"
  compressionMinSize="2048"
/>

2nd:

<Connector port="8093" protocol="HTTP/1.1" SSLEnabled="true" URIEncoding="UTF-8" scheme="https" secure="true" sslProtocol="TLS" 
    keystoreFile="conf/TOMCAT.keystore" keystorePass="Pulse12345" clientAuth="false" 
    compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,application/json"
    compression="on"
    compressionMinSize="2048"
/>

My guess is I should change the second bloc, redefining the port number to 443, and set-up everything else, but isn’t there anything to do in the first bloc as well ?

Pulse version: 5.7.10

Cheers

ecarmona · 2018-11-20 00:39:34 UTC

Hi Celine,

Indeed the first block of parameters is configured to redirect to the HTTP requests to HTTPS, this is a default configuration that comes with Tomcat, but in reality, The “redirectPort” is not utilized by Pulse web, because it is not configured to re-direct HTTP - HTTPS requests by default.

Regards,

Erik

tryan · 2018-11-20 02:59:18 UTC

Hi @Celine,

Adding to that, if you are going to set up SSL you most likely don’t want HTTP available so you should delete or comment out the first block.

twong · 2018-11-20 04:02:11 UTC

I am using IIS to make Pulse to use SSL via Reverse Proxy / URL Rewrite, below is the web.config：

<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <clear />
                <rule name="root" stopProcessing="true">
                    <match url="(.*)" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
                    <action type="Rewrite" url="http://tm1server.cubewise.com:8099/{R:1}" />
                </rule>
            </rules>
            <outboundRules>
                <rule name="Rewrite Location Header" stopProcessing="true">
                    <match serverVariable="RESPONSE_Location" pattern="^http://(.*)" />
                    <conditions>
                        <add input="{ORIGINAL_HOST}" pattern=".+" />
                    </conditions>
                    <action type="Rewrite" value="https://{R:1}" replace="true" />
                </rule>
            </outboundRules>
        </rewrite>
        <directoryBrowse enabled="true" />
    </system.webServer>
</configuration>

tryan · 2018-11-20 04:29:16 UTC

Hi @twong,

Thanks for posting.

To past code trying using three ticks ``` (top left key on US keyboards), then new past on new line and finish with another three ticks on a new line.It will even colour the text!

<Service name="Catalina">

    <Connector connectionTimeout="20000" port="8099" protocol="HTTP/1.1" redirectPort="8093" URIEncoding="UTF-8" 
      compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,application/json"
      compression="on"
      compressionMinSize="2048"
    />
    
    <Connector port="8093" protocol="HTTP/1.1" SSLEnabled="true" URIEncoding="UTF-8" scheme="https" secure="true" sslProtocol="TLS" 
        keystoreFile="conf/TOMCAT.keystore" keystorePass="Pulse12345" clientAuth="false" 
        compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,application/json"
        compression="on"
        compressionMinSize="2048"
    />
               
    <Engine defaultHost="localhost" name="Catalina">
      <Host appBase="webapps" autoDeploy="true" name="localhost" unpackWARs="false"></Host>
    </Engine>
  </Service>

Celine · 2018-11-20 10:13:43 UTC

Ok, thanks a lot @ecarmona, @tryan for your replies.
That makes sense, I’ll comment the first bloc, and will keep the connectiontimeout parameter.
At the moment I’ll stick to SSL via tomcat, but good to have another option described via IIS, thanks fot that @twong

Cheers