run Tomcat with SSL for EMF server

[cseppan]

Need to look at how to configure Tomcat to using SSL/TLS, or possibly add nginx proxy on server. Confirm that EMF Client works with HTTPS connection, including local file upload and download.

[ddelvecchio]

I did find a useful article on the that should help when get to this task. I will add a link to this in the ticket.

Using SSL with Axis: https://www.informit.com/articles/article.aspx?p=24604

[cseppan]

I was able to successfully set up SSL in my Tomcat installation (9.0) and connect with the EMF client.

https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html#Configuration

Generate a keystore file - for development, this is a self-signed certificate. On the production server, we'll need to get a real SSL certificate from an authority.

keytool -genkey -alias tomcat -keyalg RSA -keystore /usr/local/tomcat/conf/localhost-rsa.jks

password: changeit (this is the Java default so it's not a secret)
first and last name: localhost

Update the Tomcat conf file server.xml. Uncomment the section

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

Restart Tomcat and confirm that https://localhost:8443/ loads in a browser - the browser will complain about the certificate.

With a real certificate, the EMF Client should just work at this point by setting the URL to https://server:8443/emf/services. For development, the self-signed certificate needs to get added to Java's keystore.

I opted to make a local copy of the default keystore to modify

cp /Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/lib/security/cacerts .

Download the self-signed certificate

echo -n | openssl s_client -connect localhost:8443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > self_cert.crt

Add the self-signed certificate to the keystore

keytool -import -trustcacerts -keystore cacerts -storepass changeit -noprompt -alias mycert -file self_cert.crt

When running the EMF Client, add the system property javax.net.ssl.trustStore

java -Djavax.net.ssl.trustStore=/path/to/custom/cacerts -classpath … gov.epa.emissions.framework.client.EMFClient https://localhost:8443/emf/services

[cseppan]

Based on my testing, I think we can go ahead and get an SSL certificate for the production server - not sure how that's handled for epa.gov domains. Once we have the certificate, we can turn on SSL alongside the existing HTTP connection and confirm there are no issues.

[cseppan]

Successfully ran the EMF Client using port 8443 on the EPA server. Two changes are needed to the EMFClient.bat file:

1. Change the URL from http://server:8080/emf/services to https://server:8443/emf/services
2. Add the flag "-Djavax.net.ssl.trustStore=WINDOWS-ROOT"

Current

java -Xmx1024M ... http://server:8080/emf/services

New

java -Xmx1024M -Djavax.net.ssl.trustStore=WINDOWS-ROOT ... https://server:8443/emf/services

Will need to update the EMF Client Installer program which automatically writes the EMFClient.bat file

[cseppan]

Looking through the emf.properties table, there's a property named DOWNLOAD_EXPORT_ROOT_URL which references port 8080. Once non-SSL access is turned off, this should get updated to 'https://server:8443/exports/'.

[aeythepa]

I tried setting the last of of bat file to this, but I could not get on:

java -Xmx1024M -DUSER_PREFERENCES="%userprofile%\EMFPrefs.txt" -DEMF_HOME="%EMF_HOME%" -DR_HOME="%R_HOME%" -Djavax.net.ssl.trustStore=WINDOWS-ROOT -classpath %CLASSPATH% gov.epa.emissions.framework.client.EMFClient https://sage.hesc.epa.gov:8443/emf/services

The error was:
Nov 03, 2023 10:45:32 AM org.apache.axis.utils.JavaUtils isAttachmentSupported
WARNING: Unable to find required classes (javax.activation.DataHandler and javax.mail.internet.MimeMultipart). Attachment support is disabled.
Verifying server version is v4.2 - 03/06/2023
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
AxisFault
faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
faultSubcode:
faultString: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
faultActor:
faultNode:
faultDetail:
{http://xml.apache.org/axis/}stackTrace:javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alert.createSSLException(Unknown Source)
at sun.security.ssl.TransportContext.fatal(Unknown Source)
...
Verifying server version is v4.2 - 03/06/2023
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
AxisFault
faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
faultSubcode:
faultString: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
faultActor:
faultNode:
faultDetail:
{http://xml.apache.org/axis/}stackTrace:javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alert.createSSLException(Unknown Source)
at sun.security.ssl.TransportContext.fatal(Unknown Source)
...
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
at java.security.cert.CertPathBuilder.build(Unknown Source)
... 51 more
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
gov.epa.emissions.framework.services.EmfException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at gov.epa.emissions.framework.client.login.LoginPresenter.checkEmfVersion(LoginPresenter.java:88)
at gov.epa.emissions.framework.client.login.LoginWindow.display(LoginWindow.java:85)
at gov.epa.emissions.framework.client.login.LoginPresenter.display(LoginPresenter.java:113)
at gov.epa.emissions.framework.client.EMFClient$1.run(EMFClient.java:59)

[cseppan]

It looks like the Java property to set should be javax.net.ssl.trustStoreType rather than trustStore

java -Xmx1024M -Djavax.net.ssl.trustStoreType=WINDOWS-ROOT ... https://server:8443/emf/services

I've attached a small Java program to help with testing the SSL connection (I needed to add the .txt extension to make GitHub happy):

SSLTest.java.txt

javac SSLTest.java
java SSLTest

null
null
Response Code : 200
Cipher Suite : TLS_AES_256_GCM_SHA384

Cert Type : X.509
Cert Hash Code : -1325636615
Cert Public Key Algorithm : EC
Cert Public Key Format : X.509

Cert Type : X.509
Cert Hash Code : 266225904
Cert Public Key Algorithm : RSA
Cert Public Key Format : X.509

Cert Type : X.509
Cert Hash Code : 1081005260
Cert Public Key Algorithm : RSA
Cert Public Key Format : X.509

By default, the program contacts google.com and prints some info about the certificate chain. Because Google uses a standard certificate issuer, nothing special needs to happen with the trustStoreType setting. The first two lines in the output (null, null) are the values of the trustStoreType and trustStore properties.

If you give the trustStoreType as a command-line parameter:

java -Djavax.net.ssl.trustStoreType=WINDOWS-ROOT SSLTest

You should see the first line in the output be WINDOWS-ROOT instead of null. This is a quick check to make sure the command-line parameter is correct. The connection to google.com should still work fine; the program is just using Window's certificate trust information instead of what's built into the JVM.

To try connecting to the EPA EMF server, edit the Java program and change the line

String site = "https://google.com/";

to

String site = "https://sage.hesc.epa.gov:8443/";

If you run the modified program without any parameters, you should get the same "PKIX path building failed" error we've been seeing. But with -Djavax.net.ssl.trustStoreType=WINDOWS-ROOT hopefully things will work.

As a test, I tried connecting to a military website that uses a custom certificate authority managed by DoD. I used the Windows program certmgr.msc to add the certificate authority to the list of Trusted Root Certification Authorities. At that point, I could load the site through a browser without any security warnings, and setting trustStoreType allowed the SSLTest program to connect. I'm hoping this is analogous to how the EPA Enterprise certificate authority has already been set up on the EPA Windows machines.