HTTPS setting

• Generation of key and server authentication book that uses keytool
• Confirmation of HTTPS communication
• Troubleshooting

Generation of key and server authentication book that uses keytool

Location of the executable file of keytool

• Windows version
  $DATASPIDER_HOME\jre\bin\keytool.exe
• UNIX/Linux version
  $DATASPIDER_HOME/jre/bin/keytool

Generation of server certificate and key

1. Generation of key
   Start the command prompt (shell in case of UNIX/Linux version). Use the keytool -genkeypair command to generate the key. In this command, the pair of the key for DataSpiderServer (public key and relating closed-door key) is generated, and it is stored in the specified key store - optional keystore it. The public key is wrapped with the self-signed certificate.
   
   Passing the key store to do the HTTPS communication effectively becomes it as follows.
   • $DATASPIDER_HOME\server\system\common\classes\.keystore
   
   

   keytool -genkeypair -keyalg RSA -keystore $DATASPIDER_HOME\server\system\common\classes\.keystore -alias <Alias name> Enter keystore password:  changeit What is your first and last name?   [Unknown]:  hostname What is the name of your organizational unit?   [Unknown]:  CS What is the name of your organization?   [Unknown]:  companyname What is the name of your City or Locality?   [Unknown]:  Minato-ku What is the name of your State or Province?   [Unknown]:  Tokyo What is the two-letter country code for this unit?   [Unknown]:  JP Is CN=hostname, OU=CS, O=companyname, L=Minato-ku, ST=Tokyo, C=JP correct?   [no]:  yes Enter key password for <Alias name>         (RETURN if same as keystore password):                    Push RETURN because it does as well as the password of the :* key store.

   
   When the keytool -genkeypair command is executed, first and last name (CN), organization unit name (OU), organization name (O), city or locality (L), and the input of the item of state or province (ST) and country code (C) are requested.

   Items

   Item	Specified information	Notes
   Common name(CN)	Specify the host name with the machine in which DataSpiderServer is installed.	It should agree to the domain name of URL specified by a browser according to CA with it.
   Organization unit name(OU)	Specify an arbitrary identification name like the section and the post name, etc.	There is a limitation in the character and the number of characters that can be used as specification according to CA by an English name etc.
   Organization name(O)	Specify the systematic name.	There is a limitation in the character and the number of characters that can be used according to CA.
   City or Locality(L)	Specify address information on the organization (municipal district town and village name).	There is a limitation in the character and the number of characters that can be used according to CA.
   State or Province(ST)	Specify address information on the organization (administrative divisions name).	There is a limitation in the character and the number of characters that can be used according to CA.
   Country code(C)	Specify the country code of ISO regulations.	Japan is "JP". Refer to "Online Browsing Platform (OBP)" (https://www.iso.org/obp/ui/#search) for the country code of ISO regulations.

   
   Effective days of the generated certificate are the 90th. When days any more are set, effective days of the certificate are specified - optional validity it.
   
   Example:When you specify effective days of the certificate on 180 days

   keytool -genkeypair -keyalg RSA -keystore $DATASPIDER_HOME\server\system\common\classes\.keystore -alias <Alias name> -validity 180

   
   
2. Make certificate signature demand (CSR)
   If you will still operate by using the self-signed certificate, unnecessary to perform this procedure.
   Make certificate signature demand (CSR) by using the keytool -certreq command, and store it in the csr file.
   
   

   keytool -certreq -keystore $DATASPIDER_HOME\server\system\common\classes\.keystore -alias <Alias name> -file <CSR file name>.csr

   
   File (*.csr) generated here is submitted to CA such as VeriSign. CA attests the requester (In off-line usually), and sends back the certificate with the signature that attests requester's public key. According to circumstances, CA might return the chain of the certificate. In the chain of the certificate, each certificate attests the public key of the first signer in the chain.


3. Import of certificate
   If you will still operate by using the self-signed certificate, unnecessary to perform this procedure.
   Import the certificate (or the chain of the certificate) by using the keytool -importcert command. At this time, it is necessary to do the certificate of CA (Include the certificate to the route CA when you acquire the server authentication book from middle CA) and to be doing the import as a certificate of trusted CA by the key store.
   
   
   • Import of certificate of CA
     If necessary, import the certificate of CA by using the following command:
     

     keytool -importcert -noprompt -trustcacerts -keystore $DATASPIDER_HOME\server\system\common\classes\.keystore -alias <Alias name of CA> -file <CERT file name of CA>

   
   
   • Import of server authentication book
     

     keytool -importcert -noprompt -trustcacerts -keystore $DATASPIDER_HOME\server\system\common\classes\.keystore -alias <Alias name> -file <Certificate file signed by CA (or proof chain)>



4. Setting of security
   Put the check in [Enable HTTPS] in [DataSpiderServer settings]-[Security] tab in Control Panel and set the port number and the key store password when HTTPS is communicated.

Confirmation of HTTPS communication

1. On browser, type “https://<hostname or IP address>:<SSL port number>/” and access DataSpiderServer.


2. It is displayed on the screen as "DataSpider WebContainer". Here, confirm URL is “https", and the mark of the lock is displayed.
   (For Microsoft Edge, it is displayed on the left side of the address bar.)
   
   


3. When the lock mark is double-clicked, the certificate can be confirmed.
   
   


4. Confirm the following three points if this screen is displayed.
   • Issued to: Accessed URL and host name (domain name) must be corresponding.
   • Issued by: Providers of digital certification services that can trust it must have been described. (It becomes it for the self-signed certificate as well as issuing ahead)
   • Valid from: Do not expire. (in keytool -genkeypair When optional validity is not specified, effective days are the 90th)

Troubleshooting

• The alert message of security is displayed when accessing it from a browser.
• The server is inaccessible.
• Unable to launch DataSpider Studio for Web

The alert message of security is displayed when accessing it from a browser.

• "Your connection isn't private."
  The server authentication book is displayed and occasion about the self-signed certificate the following, for instance, the alert message is displayed. Do the work of the above-mentioned 2.-3 or install this self-signed certificate when you do not want to make the alert message displayed.
  
  
  

The server is inaccessible.

• Whether DataSpiderServer starts with the machine of the host name specified with URL or not?
• Whether there is a check in [Enable HTTPS] in [DataSpiderServer settings]-[Security] tab in Control Panel or not?
• Whether the port number specified with URL and that specified in [DataSpiderServer settings]-[Security] tab is corresponding or not?

Unable to launch DataSpider Studio for Web

• When launching Studio for Web, an error dialog " The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel." will be displayed.
  
  It will be displayed when an untrusted certificate, such as a self-signed certificate or a certificate issued by an untrusted CA is used.
  To solve this error, import it to the certificate store in Studio for Web operating environment to be regarded as a trusted certificate.

Limitations

• The key store type that can be treated with DataSpiderServer is only JKS.