# Configure TLS for IAM Console

## Introduction

TLS protection for the Soffid IAM Console is configured in the Apache TomEE server embedded in the installation.

The solution runs on Java, so you need a JKS (Java KeyStore) file or a PKCS#12 file containing your certificate.

Once you have the Console installed and your certificate in JKS format, you can follow these steps to configure it for the first time or to update an existing certificate.

Note that the network encryption protocol is sometimes still called SSL; in fact, the configuration file still uses the word SSL. However, the SSL protocol is now obsolete, and TLSv1.2 is used instead.

## Load a PKCS#12 (.PFX) file

There are many standard ways to store and transfer private keys and certificates, but the most common one is the PKCS#12 format. Its main advantage is that it contains, in a single file, both the private key and the public certificate.

To transform the .PFX file into a Java KeyStore (.JKS), you can use the following command (adapt the paths and passwords to your system):

```shell
keytool -v -importkeystore -srckeystore <YOUR_FILE.PFX> -srcstoretype PKCS12 \
  -destkeystore /opt/soffid/iam-console-4/conf/yourcert.jks \
  -deststoretype JKS \
  -destkeypass 123456 -srcstorepass 1234 -deststorepass 123456
```

Next, you will be asked for the PFX encryption password. It must have been provided to you along with the PFX file.

Next, you will be asked (probably twice) for the password used to encrypt the .JKS file. This password must also be written in the server.xml file (certificateKeystorePassword). In the sample keytool command above, this password is 123456.

<p class="callout warning">If you have a separate key and certificate (.key and .crt files), first build a PKCS#12 file and then convert it:</p>

```shell
# Bundle the private key and certificate into a PKCS#12 file
openssl pkcs12 -inkey keyfile.key -in certificate.crt -out name_to_export -export

# Import the PKCS#12 file into a JKS keystore under the Console conf directory
keytool -v -importkeystore -srckeystore name_to_export -srcstoretype PKCS12 \
    -destkeystore /opt/soffid/iam-console-4/conf/new_certificate_name.jks \
    -deststoretype JKS \
    -destkeypass password \
    -srcstorepass password \
    -deststorepass password
```

## Configuration

The configuration file to modify is the following one:

<p class="callout info">/opt/soffid/iam-console-4/conf/server.xml</p>

It can contain one or more connectors. Uncomment or add a TLS-enabled connector such as the one shown in the example server.xml at the end of this page.

These are the attributes that you have to configure.

| Attribute | Comment |
|---|---|
| **port** | You can choose the standard 443 or another custom port |
| **protocols** (inside the SSLHostConfig tag)<br>**sslEnabledProtocols** (inside the Connector tag) | You can configure the protocols allowed. For instance, `protocols="TLSv1.3"` or `sslEnabledProtocols="TLSv1.3"` |
| **certificateKeystoreFile** | By default, a relative path is resolved from /opt/soffid/iam-console-4/ (the installation directory) |
| **certificateKeystorePassword** | The password used to encrypt the jks file |
| **certificateKeyAlias** | The alias to identify your key and certificate |

To know the Key Alias, you can run:

```shell
keytool -list -keystore yourcert.jks
```

Then, copy your jks file to /opt/soffid/iam-console-4/conf/yourcert.jks, replacing any existing one.

After that, you have to restart the iam-console service.

```shell
sudo systemctl restart soffid-iamconsole
```

<p class="callout info">If you have a configuration error, you can find more information in the Console log for the current day:  
/opt/soffid/iam-console-4/logs/soffid-YYYY-MM-DD.log</p>

### Example server.xml

This example only allows the TLSv1.3 protocol:

```xml
............
    <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
         This connector uses the NIO implementation. The default
         SSLImplementation will depend on the presence of the APR/native
         library and the useOpenSSL attribute of the
         AprLifecycleListener.
         Either JSSE or OpenSSL style configuration may be used regardless of
         the SSLImplementation selected. JSSE style configuration is used below.
    -->

    <!-- server and xpoweredBy are Connector attributes: they replace the default
         Server header and suppress X-Powered-By -->
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true"
               server="Apache TomEE" xpoweredBy="false">
        <SSLHostConfig protocols="TLSv1.3">
            <Certificate certificateKeystoreFile="conf/yourcert.jks"
                         certificateKeystorePassword="XXXXXX"
                         certificateKeyAlias="1" type="RSA" />
        </SSLHostConfig>
    </Connector>
............
```
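As an added example (not part of the Soffid documentation or product), the following Python script parses a server.xml and flags the settings from the attribute table above that most often go wrong before the service is restarted: legacy versions in `protocols` / `sslEnabledProtocols`, a `protocols="all"` setting that lets the Tomcat default decide, a `certificateKeystoreFile` that does not resolve from the installation directory, a placeholder `certificateKeystorePassword`, and a missing `certificateKeyAlias`. The embedded server.xml is constructed for the example (one connector hardened like the one above, one with legacy settings); the installation directory `/opt/soffid/iam-console-4` is taken from this page, and the list of placeholder passwords is an assumption.

```python
"""Check the TLS connector(s) in a TomEE/Tomcat server.xml for weak settings.

Added example, not part of the Soffid IAM Console. Run it against
/opt/soffid/iam-console-4/conf/server.xml before restarting the service.
"""
import os
import sys
import xml.etree.ElementTree as ET

INSTALL_DIR = "/opt/soffid/iam-console-4"  # default installation directory (from the page)

# Protocol names that should never be enabled on a TLS connector.
WEAK_PROTOCOLS = {"SSLv2", "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
# Assumed list of values that indicate the password was never changed.
PLACEHOLDER_PASSWORDS = {"", "XXXXXX", "123456", "password", "changeit"}

# Constructed sample server.xml: port 8443 follows the page's example,
# port 8444 carries the problems the checker is meant to catch.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
      <SSLHostConfig protocols="TLSv1.3">
        <Certificate certificateKeystoreFile="conf/yourcert.jks"
                     certificateKeystorePassword="s3cret-from-keytool"
                     certificateKeyAlias="1" type="RSA" />
      </SSLHostConfig>
    </Connector>
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2">
      <SSLHostConfig protocols="all">
        <Certificate certificateKeystoreFile="conf/old.jks"
                     certificateKeystorePassword="XXXXXX" type="RSA" />
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""


def _split_protocols(value):
    """Tomcat accepts a comma-separated list such as "TLSv1.2,TLSv1.3" or "all"."""
    return {p.strip() for p in value.split(",") if p.strip()}


def check_connector(connector, install_dir=INSTALL_DIR, check_files=True):
    """Return a list of findings for one <Connector SSLEnabled="true"> element."""
    findings = []

    # Protocols may be set on the Connector (sslEnabledProtocols) or on each
    # SSLHostConfig (protocols); the page's JSSE-style example uses the latter.
    protocol_values = []
    if connector.get("sslEnabledProtocols"):
        protocol_values.append(connector.get("sslEnabledProtocols"))
    for host_config in connector.findall("SSLHostConfig"):
        protocol_values.append(host_config.get("protocols", "all"))
    if not protocol_values:
        findings.append("no protocols/sslEnabledProtocols set; Tomcat default applies")
    for value in protocol_values:
        enabled = _split_protocols(value)
        if "all" in enabled:
            findings.append('protocols="all" may enable legacy TLS versions; list them explicitly')
        weak = sorted(enabled & WEAK_PROTOCOLS)
        if weak:
            findings.append("legacy protocol(s) enabled: " + ", ".join(weak))

    for cert in connector.iter("Certificate"):
        keystore = cert.get("certificateKeystoreFile")
        if not keystore:
            findings.append("Certificate without certificateKeystoreFile")
        elif check_files:
            # Relative paths resolve from the installation directory.
            path = keystore if os.path.isabs(keystore) else os.path.join(install_dir, keystore)
            if not os.path.isfile(path):
                findings.append("keystore not found: " + path)
        if cert.get("certificateKeystorePassword", "") in PLACEHOLDER_PASSWORDS:
            findings.append("certificateKeystorePassword is empty or a placeholder")
        if not cert.get("certificateKeyAlias"):
            findings.append("certificateKeyAlias not set; use 'keytool -list' to find it")
    return findings


def check_server_xml(xml_text, install_dir=INSTALL_DIR, check_files=True):
    """Return {port: [findings]} for every TLS-enabled connector in the document."""
    root = ET.fromstring(xml_text)
    results = {}
    for connector in root.iter("Connector"):
        if connector.get("SSLEnabled", "false").lower() == "true":
            results[connector.get("port", "?")] = check_connector(connector, install_dir, check_files)
    return results


if __name__ == "__main__":
    # With a path argument the real file is checked; otherwise the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    for port, findings in check_server_xml(text).items():
        print("connector %s: %s" % (port, "; ".join(findings) or "OK"))
```

Run it without arguments to see the sample findings, or pass the path of your server.xml; a keystore-not-found finding usually means the path in `certificateKeystoreFile` is not relative to the installation directory as the table above describes.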

## Further information

Additional information can be found on the Tomcat website: [https://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html](https://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html)

---

*[https://es.wikipedia.org/wiki/TLS](https://es.wikipedia.org/wiki/TLS)*