HTTPS setting

It is necessary to store the public key and the private key encryption/to make the server authentication book and the communication data a compound in the key store to which DataSpiderServer refers to do DataSpiderServer and the communication with various components with HTTPS.
Here, the server authentication book and the key are generated by using keytool of Java, and it explains the procedure for storing it in the key store to which DataSpiderServer refers.

Keytool is utility to manage the key and the certificate being offered by Java.

Refer to "keytool" (http://docs.oracle.com/javase/8/docs/technotes/tools/windows/keytool.html) for details concerning keytool.

DataSpiderServer functions as HTTPS server, and can communicate with HTTPS by setting HTTPS with various components.

Generation of key and server authentication book that uses keytool
Confirmation of HTTPS communication
Troubleshooting

Generation of key and server authentication book that uses keytool

Location of the executable file of keytool

Windows version
$DATASPIDER_HOME\jre\bin\keytool.exe
UNIX/Linux version
$DATASPIDER_HOME/jre/bin/keytool

Generation of server certificate and key

Generation of server certificate and key can be performed by the following procedures.

If you still operate by using the self-signed certificate, perform the procedures in “4. Setting of security" after “1. Generation of key".

Generation of key
Start the command prompt (shell in case of UNIX/Linux version). Use the keytool -genkeypair command to generate the key. In this command, the pair of the key for DataSpiderServer (public key and relating closed-door key) is generated, and it is stored in the specified key store - optional keystore it. The public key is wrapped with the self-signed certificate.

Passing the key store to do the HTTPS communication effectively becomes it as follows.

$DATASPIDER_HOME\server\system\common\classes\.keystore

keytool -genkeypair -keyalg RSA -keystore $DATASPIDER_HOME\server\system\common\classes\.keystore -alias <Alias name>
Enter keystore password:  changeit
What is your first and last name?
  [Unknown]:  hostname
What is the name of your organizational unit?
  [Unknown]:  CS
What is the name of your organization?
  [Unknown]:  companyname
What is the name of your City or Locality?
  [Unknown]:  Minato-ku
What is the name of your State or Province?
  [Unknown]:  Tokyo
What is the two-letter country code for this unit?
  [Unknown]:  JP
Is CN=hostname, OU=CS, O=companyname, L=Minato-ku, ST=Tokyo, C=JP correct?
  [no]:  yes

Enter key password for <Alias name>
        (RETURN if same as keystore password):                    Push RETURN because it does as well as the password of the :* key store.

When the keytool -genkeypair command is executed, first and last name (CN), organization unit name (OU), organization name (O), city or locality (L), and the input of the item of state or province (ST) and country code (C) are requested.

Items

Item	Specified information	Notes
Common name(CN)	Specify the host name with the machine in which DataSpiderServer is installed.	It should agree to the domain name of URL specified by a browser according to CA with it.
Organization unit name(OU)	Specify an arbitrary identification name like the section and the post name, etc.	There is a limitation in the character and the number of characters that can be used as specification according to CA by an English name etc.
Organization name(O)	Specify the systematic name.	There is a limitation in the character and the number of characters that can be used according to CA.
City or Locality(L)	Specify address information on the organization (municipal district town and village name).	There is a limitation in the character and the number of characters that can be used according to CA.
State or Province(ST)	Specify address information on the organization (administrative divisions name).	There is a limitation in the character and the number of characters that can be used according to CA.
Country code(C)	Specify the country code of ISO regulations.	Japan is "JP". Refer to "Online Browsing Platform (OBP)" (https://www.iso.org/obp/ui/#search) for the country code of ISO regulations.

Effective days of the generated certificate are the 90th. When days any more are set, effective days of the certificate are specified - optional validity it.

Example:When you specify effective days of the certificate on 180 days

keytool -genkeypair -keyalg RSA -keystore $DATASPIDER_HOME\server\system\common\classes\.keystore -alias <Alias name> -validity 180

Make certificate signature demand (CSR)
If you will still operate by using the self-signed certificate, unnecessary to perform this procedure.
Make certificate signature demand (CSR) by using the keytool -certreq command, and store it in the csr file.

keytool -certreq -keystore $DATASPIDER_HOME\server\system\common\classes\.keystore -alias <Alias name> -file <CSR file name>.csr

File (*.csr) generated here is submitted to CA such as VeriSign. CA attests the requester (In off-line usually), and sends back the certificate with the signature that attests requester's public key. According to circumstances, CA might return the chain of the certificate. In the chain of the certificate, each certificate attests the public key of the first signer in the chain.

Import of certificate
If you will still operate by using the self-signed certificate, unnecessary to perform this procedure.
Import the certificate (or the chain of the certificate) by using the keytool -importcert command. At this time, it is necessary to do the certificate of CA (Include the certificate to the route CA when you acquire the server authentication book from middle CA) and to be doing the import as a certificate of trusted CA by the key store.
- Import of certificate of CA
  If necessary, import the certificate of CA by using the following command:
  
  keytool -importcert -noprompt -trustcacerts -keystore $DATASPIDER_HOME\server\system\common\classes\.keystore -alias <Alias name of CA> -file <CERT file name of CA>
- Import of server authentication book
  
  keytool -importcert -noprompt -trustcacerts -keystore $DATASPIDER_HOME\server\system\common\classes\.keystore -alias <Alias name> -file <Certificate file signed by CA (or proof chain)>

Setting of security
Put the check in [Enable HTTPS] in [DataSpiderServer settings]-[Security] tab in Control Panel and set the port number and the key store password when HTTPS is communicated.

Confirmation of HTTPS communication

Confirm whether it is possible to access it with HTTPS by starting DataSpiderServer. The confirmation procedure is as follows.

On browser, type “https://<hostname or IP address>:<SSL port number>/” and access DataSpiderServer.

It is displayed on the screen as "DataSpider WebContainer". Here, confirm URL is “https", and the mark of the lock is displayed.
(It is displayed in the lower right of the screen for Internet Explorer)

When the lock mark is double-clicked, the certificate can be confirmed.

Confirm the following three points if this screen is displayed.
- Issued to: Accessed URL and host name (domain name) must be corresponding.
- Issued by: Providers of digital certification services that can trust it must have been described. (It becomes it for the self-signed certificate as well as issuing ahead)
- Valid from: Do not expire. (in keytool -genkeypair When optional validity is not specified, effective days are the 90th)

It is confirmed that URL is “https", and the mark of the lock is displayed, and if it is unquestionable, the content of the certificate becomes “HTTPS communicates".

Troubleshooting

The alert message of security is displayed when accessing it from a browser.
The server is inaccessible.
Unable to launch DataSpider Studio for Web

The alert message of security is displayed when accessing it from a browser.

"This security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority."
The server authentication book is displayed and occasion about the self-signed certificate the following, for instance, the alert message is displayed. Do the work of the above-mentioned 2.-3 or install this self-signed certificate when you do not want to make the alert message displayed.

"The security certificate expired or is not yet valid."
The case to expire the server authentication book, for instance, the following alert message is displayed. the keytool -genkey command is executed The server authentication book can be generated by setting an arbitrary, effective days by specifying optional validity.

"The name on the security certificate is invalid or does not match the name of the site."
One's name (CN) of the host name with specified URL (domain name) and the server authentication book is displayed and a case not corresponding, for instance, the following alert message is displayed. Confirm one's name (CN) of the server authentication book, and try to access or try to generate the server authentication book.

The server is inaccessible.

Confirm the following three points if this screen is displayed.

Whether DataSpiderServer starts with the machine of the host name specified with URL or not?
Whether there is a check in [Enable HTTPS] in [DataSpiderServer settings]-[Security] tab in Control Panel or not?
Whether the port number specified with URL and that specified in [DataSpiderServer settings]-[Security] tab is corresponding or not?

Unable to launch DataSpider Studio for Web

When launching Studio for Web, an error dialog " The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel." will be displayed.

It will be displayed when an untrusted certificate, such as a self-signed certificate or a certificate issued by an untrusted CA is used.
To solve this error, import it to the certificate store in Studio for Web operating environment to be regarded as a trusted certificate.

Limitations

The key store type that can be treated with DataSpiderServer is only JKS.