
SSL can be enabled through the xflicstat.cfg file.

Available settings:

HTTP_SSL - TRUE or FALSE. To enable SSL, set it to TRUE. Default FALSE.

HTTP_SSL_REDIRECT - TRUE or FALSE. TRUE enables automatic redirection from HTTP to HTTPS. Default FALSE.

SSL_KEYSTORE - path to the keystore that holds the certificate and its private key. Empty by default.

SSL_KEYSTORE_PASSWORD - password to the keystore. Empty by default.

SSL_KEYSTORE_KEY_ALIAS - alias under which the certificate is stored inside the keystore. Default 'xflicstat'.

SSL_KEYSTORE_TYPE - type of the keystore. License Statistics can use only JKS or PKCS12 keystores. Default 'JKS'.

SSL_PROTOCOLS - defines which SSL/TLS protocols are enabled. It should either be commented out or not empty. Default 'TLSv1.1,TLSv1.2,TLSv1.3'.

SSL_CIPHERS - contains the list of enabled/disabled ciphers. It should either be commented out or not empty. Default '!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA'.

Every key should be either commented out or non-empty. A commented-out setting uses its default value.

Example configuration:

HTTP_SSL = TRUE
HTTP_SSL_REDIRECT = TRUE
SSL_KEYSTORE = C:\Keystores\keystore.p12
SSL_KEYSTORE_PASSWORD = Password123
SSL_KEYSTORE_KEY_ALIAS = licstat
SSL_KEYSTORE_TYPE = PKCS12
SSL_PROTOCOLS = TLSv1.3
SSL_CIPHERS = !aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA

The configuration above enables SSL with automatic redirection from HTTP to HTTPS. The certificate is stored in the keystore located at C:\Keystores\keystore.p12 under the alias licstat. The keystore type is PKCS12. The only allowed protocol is TLSv1.3. The ciphers aNULL, eNULL, EXPORT, DES, RC4, MD5 and kRSA are disabled; any other cipher is allowed.

Frequently asked questions:

What is SSL?

SSL is a protocol for secure communication between a server and a client over a network.

What is TLS?

It is a newer version of SSL. See "What is SSL?". In practice the names SSL and TLS are used interchangeably.

What do I gain from enabling SSL?

It ensures that data sent from the application (for example, reports about license usage) and to the application (for example, login credentials) is encrypted. It also allows the web browser to verify that the connection is secure.

What is a keystore?

It is a password-protected file that can contain one or more certificates, with or without their private keys.

Which SSL protocols should I enable?

The newer, the better (currently the newest is TLS v1.3). But be aware that some older browsers might not support newer protocol versions.

Which ciphers should I enable/disable?

The ones that are known to be broken should be disabled. The list changes over time: new ciphers are created and some old ones are broken. Most of the time the defaults should be up to date.

I have a certificate file and key. How do I create a keystore?

It is described in this article.

How do I migrate SSL settings from Licstat 5.x to 6.x?

In 5.x two files were needed: the certificate (defined as SSL_CERTIFICATE_FILE) and the certificate's private key (defined as SSL_CERTIFICATE_KEY_FILE). In 6.x both of these files must be placed into a keystore. How to do it is described in this article.

What does 'Caused by: java.lang.IllegalArgumentException: Alias name [certificate_alias] does not identify a key entry' mean in my core.log file?

It means that License Statistics could not find a certificate in the keystore under the given alias. Make sure that the alias you provided in xflicstat.cfg is the same as the alias of the certificate in the keystore.

What can be the cause of 'APPLICATION FAILED TO START' in core.log file?

It could be caused by SSL misconfiguration. Check that your settings comply with the rules presented at the start of this page.
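
A pre-start check for the rules at the start of this page, as an added example that is not part of License Statistics or its documentation. It reports SSL keys that are present but empty and values outside the allowed sets; the warnings for a missing keystore path and for deprecated protocols (the default list above still includes TLSv1.1) are this example's own additions. The function name, the sample file and the '#' comment marker are assumptions.

```python
import re

# Defaults as listed on this page; a commented-out key falls back to these.
DEFAULTS = {"HTTP_SSL": "FALSE", "HTTP_SSL_REDIRECT": "FALSE",
            "SSL_KEYSTORE": "", "SSL_KEYSTORE_PASSWORD": "",
            "SSL_KEYSTORE_KEY_ALIAS": "xflicstat", "SSL_KEYSTORE_TYPE": "JKS",
            "SSL_PROTOCOLS": "TLSv1.1,TLSv1.2,TLSv1.3",
            "SSL_CIPHERS": "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA"}
# SSLv3 was deprecated by RFC 7568, TLS 1.0 and 1.1 by RFC 8996.
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}
ACTIVE = re.compile(r"^\s*([A-Z_]+)\s*=\s*(.*?)\s*$")

def check_ssl_config(text):
    """Return (errors, warnings) for the SSL keys in xflicstat.cfg text."""
    errors, warnings, cfg = [], [], dict(DEFAULTS)
    for n, line in enumerate(text.splitlines(), 1):
        m = ACTIVE.match(line)  # assumption: only lines starting with "KEY =" are active
        if not m or m.group(1) not in DEFAULTS:
            continue
        key, value = m.groups()
        if value:
            cfg[key] = value
        else:
            errors.append(f"line {n}: {key} is empty; comment it out or set it")
    for key in ("HTTP_SSL", "HTTP_SSL_REDIRECT"):
        if cfg[key] not in ("TRUE", "FALSE"):
            errors.append(f"{key} must be TRUE or FALSE, got {cfg[key]!r}")
    if cfg["SSL_KEYSTORE_TYPE"] not in ("JKS", "PKCS12"):
        errors.append("SSL_KEYSTORE_TYPE must be JKS or PKCS12")
    if cfg["HTTP_SSL"] == "TRUE":
        if not cfg["SSL_KEYSTORE"]:  # added check, not a rule stated on the page
            warnings.append("HTTP_SSL is TRUE but SSL_KEYSTORE is not set")
        protocols = {p.strip() for p in cfg["SSL_PROTOCOLS"].split(",")}
        if LEGACY & protocols:
            warnings.append("legacy protocols enabled: " + ", ".join(sorted(LEGACY & protocols)))
    return errors, warnings

# Constructed sample ('#' as the comment marker is assumed): empty password,
# unsupported keystore type, SSL_PROTOCOLS left at its default.
SAMPLE = """\
HTTP_SSL = TRUE
SSL_KEYSTORE = C:\\Keystores\\keystore.p12
SSL_KEYSTORE_PASSWORD =
SSL_KEYSTORE_TYPE = BKS
# SSL_PROTOCOLS = TLSv1.3
"""

if __name__ == "__main__":
    print(check_ssl_config(SAMPLE))
```

Run against the example configuration earlier on this page, the check returns no errors and no warnings.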


