HTTPS setting

It is necessary to store the public key and the private key encryption/to make the server authentication book and the communication data a compound in the key store to which DataSpiderServer refers to do DataSpiderServer and the communication with various components with HTTPS.
Here, the server authentication book and the key are generated by using keytool of Java, and it explains the procedure for storing it in the key store to which DataSpiderServer refers.

Keytool is utility to manage the key and the certificate being offered by Java.

Refer to "keytool" (http://docs.oracle.com/javase/8/docs/technotes/tools/windows/keytool.html) for details concerning keytool.

DataSpiderServer functions as HTTPS server, and can communicate with HTTPS by setting HTTPS with various components.

Generation of key and server authentication book that uses keytool
Confirmation of HTTPS communication
Troubleshooting

Generation of key and server authentication book that uses keytool

Location of the executable file of keytool

Windows version
$DATASPIDER_HOME\jre\bin\keytool.exe
UNIX/Linux version
$DATASPIDER_HOME/jre/bin/keytool

Generation of server certificate and key

Hereafter, it is necessary to do the work of 1-4 to do DataSpiderServer and the communication with various components with HTTPS. (

2 3 are not necessary for the self-signing certificate.)

Generation of key
Start the command prompt (shell in case of UNIX/Linux version).Use the keytool -genkey command to generate the key.In this command, the pair of the key for DataSpiderServer (public key and relating closed-door key) is generated, and it is stored in the specified key store - optional keystore it.The public key is wrapped with the self-signing certificate.

Passing the key store to do the HTTPS communication effectively becomes it as follows.

$DATASPIDER_HOME\server\system\common\classes\.keystore

keytool -genkeypair -alias <Alias name> -keyalg RSA -keystore $DATASPIDER_HOME\server\system\common\classes\.keystore
Input the password of the key store: changeit
Input one's name.
  [Unknown]:  hostname
Input the organization unit name.
  [Unknown]:  CS
Input the systematic name.
  [Unknown]:  companyname
Input a city name or a regional name.
  [Unknown]:  Bunkyo-ku
Input state name or a local name.
  [Unknown]:  Tokyo
It corresponds to this unit Input the country number of two characters.
  [Unknown]:  JP
Is it good in CN=hostname, OU=CS, O=companyname, L=Bunkyo-ku, ST=Tokyo, and C=JP?
  [no]:  yes

Input the key password of < dataspider >.
        (When it is the same as the password of the key store Push RETURN)                    Push RETURN because it does as well as the password of the :* key store.

When the keytool -genkey command is executed, one's name (CN), systematic name (O), organization unit name (OU), city name or regional name (L), and the input of the item of state name or local name (ST) and country number (C) are requested. The explanation of each item is as follows.

Items

Item	Specified information	Notes
Common name(CN)	Specify the host name with the machine in which DataSpiderServer is installed.	It should agree to the domain name of URL specified by a browser according to CA with it.
Organization name(O)	Specify an arbitrary identification name like the section and the post name, etc.	There is a limitation in the character and the number of characters that can be used as specification according to CA by an English name etc.
Organization unit name(OU)	Specify the systematic name.	There is a limitation in the character and the number of characters that can be used according to CA.
City name or regional name(L)	Specify address information on the organization (municipal district town and village name).	There is a limitation in the character and the number of characters that can be used according to CA.
State name or local name(ST)	Specify address information on the organization (administrative divisions name).	There is a limitation in the character and the number of characters that can be used according to CA.
Country code(C)	Specify the country code of ISO regulations.	Japan is "JP". Refer to "Online Browsing Platform (OBP)" (https://www.iso.org/obp/ui/#search) for the country code of ISO regulations.

Effective days of the generated certificate are the 90th.When days any more are set, effective days of the certificate are specified - optional validity it.

Example:When you specify effective days of the certificate on 180 days

keytool -genkeypair -alias <Alias name> -keyalg RSA -keystore $DATASPIDER_HOME\server\system\common\classes\.keystore -validity 180

Make certificate signature demand (CSR).
(This is not necessary for the self-signing certificate)
Make certificate signature demand (CSR) by using the keytool -certreq command, and store it in the csr file.

keytool -certreq -keystore $DATASPIDER_HOME\server\system\common\classes\.keystore -alias <Alias name> -file <CSR flle name>.csr

File (*.csr) generated here is submitted to CA such as VeriSign.CA attests the requester (In off-line usually), and sends back the certificate with the signature that attests requester's public key.According to circumstances, CA might return the chain of the certificate.In the chain of the certificate, each certificate attests the public key of the first signer in the chain.

Import of certificate
(

This is not necessary for the self-signing certificate)
The import should do the certificate (Or, chain it the proof ream) signed from CA by using the keytool -import command because the certificate that makes at 1. is a self-signing certificate.At this time, it is necessary to do the certificate of CA (Include the certificate to the route CA when you acquire the server authentication book from middle CA) and to be doing the import as a certificate of trusted CA by the key store.

The certificate of VeriSign might not have to be made a certificate that can be trusted and to do the import in the key store because the cacerts key store file of Java is shipped with five VeriSign route CA certificates contained. However, when the certificate with the signature is demanded from other CA, and the certificate that attests the public key of this CA has not been added to cacerts yet, the certificate from corresponding CA should be assumed to be "Certificate that can be trusted" and the import be done.

Import of certificate of CA:
keytool -importcert -keystore $DATASPIDER_HOME\jre\lib\security\cacerts -alias <Alias name> -trustcacerts -file <CERT file name>
Import of server authentication book:
keytool -importcert -keystore $DATASPIDER_HOME\server\system\common\classes\.keystore -alias <Alias name> -file <Certificate file signed by CA (or proof chain)>

Setting of security
Put the check in [Enable HTTPS] in [Control Panel]-[DataSpiderServer settings]-[Security]tab to do DataSpiderServer and the HTTPS communication between various components effectively, and set the port number and the key store password when HTTPS is communicated.

Confirmation of HTTPS communication

Confirm whether it is possible to access it with HTTPS by starting DataSpiderServer.The confirmation procedure is as follows.

On browser, type https://<hostname>:<SSL port number>/ and access DataSpiderServer.

It is displayed on the screen as "DataSpider WebContainer".Here, confirm URL is "https://-", and the mark of the lock is displayed.
(It is displayed in the lower right of the screen for Internet Explorer)

When the lock mark is double-clicked, the certificate can be confirmed.

Confirm the following three points if this screen is displayed.
- Accessed URL and host name (domain name) must be corresponding.
- Providers of digital certification services that can trust it must have been described.(It becomes it for the self-signing certificate as well as issuing ahead)
- Do not expire. (in keytool -genkey When optional validity is not specified, effective days are the 90th)

It is confirmed that URL is "https://-", and the mark of the lock is displayed, and if it is unquestionable, the content of the certificate becomes "HTTPS communicates".

Troubleshooting

The alert message of security is displayed when accessing it from a browser.
The server is inaccessible.

The alert message of security is displayed when accessing it from a browser.

"This security certificate was issued by a company you have not chosen to trust.View the certificate to determine whether you want to trust the certifying authority."
The server authentication book is displayed and occasion about the self-signing certificate the following ,for instance, the alert message is displayed.Do the work of the above-mentioned 2.-3 or install this self-signing certificate when you do not want to make the alert message displayed.

"The security certificate expired or is not yet valid."
The case to expire the server authentication book , for instance, the following alert message is displayed.When the keytool -genkey command is executed The server authentication book can be generated by setting an arbitrary, effective days by specifying optional validity.

"The name on the security certificate is invalid or does not match the name of the site."
One's name (CN) of the host name with specified URL (domain name) and the server authentication book is displayed and a case not corresponding , for instance, the following alert message is displayed.Confirm one's name (CN) of the server authentication book, and try to access or try to generate the server authentication book.

The server is inaccessible.

Confirm the following.

Whether DataSpiderServer starts with the machine of the host name specified with URL or not?
Whether there is a check in [Enable HTTPS] in [Control Panel]-[DataSpiderServer settings]-[Security] tab or not?
Whether the port number specified in [DataSpiderServer settings]-[Security] tab of "Setting of DataSpiderServer" of the port number and Control Panel specified with URL is corresponding or not?

Limitations

The key store type that can be treated with DataSpiderServer is only JKS.