Configure a TLS Connection for a Uniface Servlet (WRD or SRD)

To enable a Uniface servlet (WRD or SRD) to connect to the Uniface Router via TLS, you need to ensure that the Uniface Router is configured to accept TLS connections, add the trusted CA certificate to the trust store used by the servlet, and set the appropriate parameters in the servlet definition in web.xml.

  1. Ensure the Uniface Router is configured with a TLS protocol connection listening port. For example:

    urouter /install="URouter TLS" TCP:+13001 TLS:+13003

  2. Ensure the Router's TLS connector for that port is configured within the restrictions that apply to WRD and SRD TLS connections:
    • Only certificate-based authentication is supported. Pre-shared key authentication is not supported. For more information, see Configure the TLS Connector to Use Certificates.
    • Client authentication is not supported, so the Router cannot require a certificate from the servlet.
    • Peer name verification is not supported. The servlet only checks that the Router's certificate chains to a CA in its trust store; it does not check that the certificate was issued for the host named in MIDDLEWARE. Keep that trust store limited to the CA that issued the Router's certificate.
    • The cipher list is not configurable and is fixed as the default cipher suites provided by JSSE.
  3. Prepare a file containing the trusted CA certificate used to sign the Uniface Router's certificate, for example urouter_ca.crt, or ss_myhost.cert for a self-signed certificate. The file must be in PEM format.
  4. Using the Java keytool program, import the certificate into the trust store used by the servlet. This can be one of the following:
    • The WRD-specific trust store. The default location is UnifaceInstallDir\uniface\webapps\uniface\WEB-INF\wrdca.p12. To import the certificate, use the following command:

      "JRE_HOME\bin\keytool.exe" -importcert -alias HostName -storetype pkcs12 -keystore "UnifaceInstallDir\uniface\webapps\uniface\WEB-INF\wrdca.p12" -file CertificateFile -v

      keytool prompts for the store password; the same password must be set as STOREPASS in web.xml (step 5).

    • The Java Runtime Environment (JRE) trust store, which is used by all Java applications running on that JRE. To add a certificate, use the following command:

      "JRE_HOME\bin\keytool.exe" -importcert -alias HostName -keystore "JRE_HOME\lib\security\cacerts" -file CertificateFile -v

      Because the servlet does not verify the peer name, it accepts any certificate that chains to any CA in the store it uses. The JRE trust store already contains many public CAs, so the WRD-specific trust store, which trusts only what you import into it, is the narrower choice.

      If the certificate is self-signed, its file name has the form ss_HostName.cert.

  5. Edit the web.xml file used to configure Uniface servlets. You can create a separate definition for a TLS-enabled WRD, such as wrdtls, or modify an existing servlet definition.
    1. Edit the MIDDLEWARE init-param to specify the TLS protocol and the Router port that listens on that protocol (13003 in the example from step 1, not the TCP port 13001). For example, for a servlet called wrdtls:
      <init-param>
         <param-name>MIDDLEWARE</param-name>
         <param-value>UV8:TLS:localhost+13003|UnifaceServer|Uniface_Server123|wasv</param-value>
      </init-param>
    2. Specify the password of the trust store wrdca.p12 using the STOREPASS context parameter. This must be the password keytool used when the certificate was imported. It is stored in clear text in web.xml, as are the remaining fields of MIDDLEWARE (the Uniface Server credentials and server name), so restrict read access to the file. For example:
      <web-app>
        <display-name>Uniface Web Request Dispatcher</display-name>
        <!-- Password for trust store -->
        <context-param>
           <param-name>STOREPASS</param-name>
           <param-value>changeit</param-value>
        </context-param>
        ...

    For example:

    <web-app>
      <display-name>Uniface Web Request Dispatcher</display-name>
      <!-- Password for trust store -->
      <context-param>
         <param-name>STOREPASS</param-name>
         <param-value>changeit</param-value>
      </context-param>
      ...
      <!-- Uniface W(eb) R(equest) D(ispatcher) Servlet with TLS connection to localhost+13003 -->
      <servlet>
        <servlet-name>wrdtls</servlet-name>
        <servlet-class>com.compuware.uniface.urd.WRDServlet</servlet-class>
        <init-param>
          <param-name>TESTABLE</param-name>
          <param-value>true</param-value>
        </init-param>

        <init-param>
          <param-name>USERUNPREFIX</param-name>
          <param-value>false</param-value>
        </init-param>

        <!-- For TLS connection -->
        <init-param>
          <param-name>MIDDLEWARE</param-name>
          <param-value>UV8:TLS:localhost+13003|UnifaceServer|Uniface_Server123|wasv</param-value>
        </init-param>
      </servlet>

      <servlet-mapping>
        <servlet-name>wrdtls</servlet-name>
        <url-pattern>/wrdtls/*</url-pattern>
      </servlet-mapping>
    </web-app>
  6. Validate the TLS connection in the browser by entering a URL that goes through the TLS-enabled servlet to a web application or web service. For example: http://localhost:8080/uniface/wrdtls/mydsp. Note that this URL uses http: the TLS connection configured here is the one between the servlet and the Uniface Router, not the one between the browser and the servlet container, which is configured separately in the container. A page that loads confirms that the Router's certificate chains to a CA in the servlet's trust store; since peer name verification is not supported, it does not confirm which host presented that certificate.
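The procedure above spans three places that must agree: the Router's listener ports (step 1), the trust store password (step 4) and the servlet definition in web.xml (step 5). The following Python script is an added example, not part of the Uniface documentation or product. It parses a web.xml and, for every servlet whose MIDDLEWARE uses TLS, checks that the port is one the Router was installed with as a TLS listener (pointing a TLS servlet at the TCP port is the typical slip), that a STOREPASS context-param exists, and that it is not the well-known default "changeit". The web.xml and urouter command line embedded in it are constructed from the page's example, with a second, deliberately misconfigured servlet added; the MIDDLEWARE parsing assumes only the UV8:protocol:host+port|... layout shown on the page and treats the remaining fields as opaque.

```python
"""Consistency check for TLS-enabled WRD/SRD servlet definitions.

Added example, not part of the Uniface documentation: cross-checks the
MIDDLEWARE init-param of each servlet in a web.xml against the listener
ports on the urouter install command line and flags the common mistakes.
"""
import re
import xml.etree.ElementTree as ET

# Constructed input: the page's web.xml example, completed so it parses, plus a
# second servlet that wrongly points its TLS connection at the Router's TCP port.
WEB_XML = """<web-app>
  <display-name>Uniface Web Request Dispatcher</display-name>
  <context-param>
    <param-name>STOREPASS</param-name>
    <param-value>changeit</param-value>
  </context-param>
  <servlet>
    <servlet-name>wrdtls</servlet-name>
    <servlet-class>com.compuware.uniface.urd.WRDServlet</servlet-class>
    <init-param>
      <param-name>MIDDLEWARE</param-name>
      <param-value>UV8:TLS:localhost+13003|UnifaceServer|Uniface_Server123|wasv</param-value>
    </init-param>
  </servlet>
  <servlet>
    <servlet-name>wrd</servlet-name>
    <servlet-class>com.compuware.uniface.urd.WRDServlet</servlet-class>
    <init-param>
      <param-name>MIDDLEWARE</param-name>
      <param-value>UV8:TLS:localhost+13001|UnifaceServer|Uniface_Server123|wasv</param-value>
    </init-param>
  </servlet>
</web-app>
"""

# Constructed input: the urouter install command from step 1 of the page.
UROUTER_CMDLINE = 'urouter /install="URouter TLS" TCP:+13001 TLS:+13003'

DEFAULT_STOREPASS = "changeit"  # the well-known default; flagged if still in use


def router_listeners(cmdline):
    """Return {protocol: set(ports)} from the 'PROTO:+PORT' tokens on the urouter command line."""
    listeners = {}
    for proto, port in re.findall(r"\b(TCP|TLS):\+(\d+)\b", cmdline):
        listeners.setdefault(proto, set()).add(int(port))
    return listeners


def parse_middleware(value):
    """Split 'UV8:PROTO:host+port|...' into (protocol, host, port, remaining fields).

    Only the layout shown on the page is assumed; the fields after the first '|'
    are returned untouched.
    """
    head, _, rest = value.partition("|")
    parts = head.split(":")
    if len(parts) != 3:
        raise ValueError("unexpected MIDDLEWARE form: %r" % value)
    _driver, proto, endpoint = parts
    host, _, port = endpoint.partition("+")
    if not port.isdigit():
        raise ValueError("missing port in MIDDLEWARE: %r" % value)
    return proto, host, int(port), rest.split("|") if rest else []


def check_web_xml(xml_text, cmdline):
    """Return a list of (servlet-name, finding) tuples; an empty list means nothing to fix."""
    root = ET.fromstring(xml_text)
    listeners = router_listeners(cmdline)
    findings = []

    storepass = None
    for cp in root.findall("context-param"):
        if cp.findtext("param-name") == "STOREPASS":
            storepass = cp.findtext("param-value")

    for servlet in root.findall("servlet"):
        name = servlet.findtext("servlet-name")
        middleware = None
        for ip in servlet.findall("init-param"):
            if ip.findtext("param-name") == "MIDDLEWARE":
                middleware = ip.findtext("param-value")
        if middleware is None:
            continue
        proto, _host, port, _fields = parse_middleware(middleware)
        if proto != "TLS":
            continue  # plain TCP servlet: the trust store checks do not apply
        if port not in listeners.get("TLS", set()):
            hint = " (this is a TCP listener)" if port in listeners.get("TCP", set()) else ""
            findings.append((name, "port %d is not a TLS listener on the router%s" % (port, hint)))
        if storepass is None:
            findings.append((name, "STOREPASS context-param is missing"))
        elif storepass == DEFAULT_STOREPASS:
            findings.append((name, "STOREPASS is the well-known default %r" % DEFAULT_STOREPASS))
    return findings


if __name__ == "__main__":
    for servlet_name, finding in check_web_xml(WEB_XML, UROUTER_CMDLINE):
        print("%s: %s" % (servlet_name, finding))
```

To check a real deployment, pass the contents of the servlet container's web.xml and the command line the Router service was installed with to check_web_xml instead of the constructed values. The script does not touch the trust store itself; whether the imported CA is actually the one that signed the Router's certificate is still verified by step 6.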
