Enabling Secure Sockets Layer

You can activate Secure Sockets Layer (SSL) in the Web server component of Ricoh ProcessDirector and link it to an existing digital certificate.

Before you begin this task, you must obtain a digital certificate and store it on the computer that the base product is installed on. Follow the instructions provided by the certificate authority (CA) for installing the certificate. You must also know where the keystore is located on the server and the password for the keystore.

In addition, save copies of these files in a safe location so you can find them easily if you need to restore them in the future:

  • /opt/infoprint/ippd/ws/conf/server.xml
  • /opt/infoprint/ippd/ws/webapps/aiw/WEB-INF/web.xml

If your server is not already using SSL, generate a new key and keystore with the keytool command.

The enabling process requires Perl to run. Before you enable SSL, make sure a Perl interpreter is installed.

  • keytool is a Java command. For details about using keytool, consult your CA or Java documentation.
  • Your private key password and keystore password must be the same. If they are not the same, you receive a java.io.IOException error.

To enable SSL:
  1. Log in to the primary computer as the Ricoh ProcessDirector system user.
  2. Copy the .keystore file to the /home directory for the Ricoh ProcessDirector system user.
  3. Change the owner of the .keystore file to the appropriate owner and group. Type this command, substituting the Ricoh ProcessDirector system user ID for system_user and the Ricoh ProcessDirector system group for system_group:

    chown system_user:system_group .keystore

    The default system user is aiw1 and the default group is aiwgrp1.

  4. If you cannot copy the .keystore file and change the owner, log out and log back in to the primary computer as the root user or use su to become the root user and repeat the previous two steps.
  5. Switch to the Ricoh ProcessDirector system user. Type this command, substituting the Ricoh ProcessDirector system user ID for system_user:

    su - system_user

  6. Open the /opt/infoprint/ippd/ws/conf directory.
  7. Open the server.xml file and make these changes:
    1. Find this code:
      <Connector port="15080"
      	protocol="HTTP/1.1"
      	connectionTimeout="20000"
      	redirectPort="15443"
      	URIEncoding="UTF-8"
      	compression="on"
      	compressionMinSize="2048"
      	compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/json"/>
    2. Insert this code below it:
      <Connector port="15443"
      	protocol="HTTP/1.1"
      	SSLEnabled="true"
      	enableLookups="true"
      	maxThreads="150"
      	scheme="https"
      	secure="true"
      	keystoreFile="path to .keystore"
      	keystorePass="keystore_password"
      	clientAuth="false"
      	sslProtocol="SSLv3"/>
    3. Replace path to .keystore with the path to your .keystore file. Leave the quotation marks.
    4. Replace keystore_password with the password to your keystore. Leave the quotation marks.
    5. Save and close the file.
  8. Stop the base product.
  9. Forward all HTTP requests for Ricoh ProcessDirector through a secure connection. Type:

    /opt/infoprint/ippd/base/security/forwardToHTTPS.pl

  10. Start the base product.
  11. Verify that requests are forwarded to the secure connection by opening a Web browser and typing this address, replacing server_name with the host name or IP address of the primary computer:

    http://server_name:15080/aiw

    When the page loads, the address should change to https://server_name:15443/aiw.

    • It might take several minutes for the configuration changes to take effect. You might need to refresh the browser several times to see the address change.
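Before stopping the base product in step 8, it is worth confirming that the server.xml edit from step 7 was applied as described. The following Python script is an added example, not part of the Ricoh ProcessDirector documentation or product: it parses a server.xml file's text and reports the mistakes the steps warn about (the step 7.2 block missing, the keystoreFile and keystorePass placeholders left in place, or the HTTP connector's redirectPort not pointing at the SSL connector). The port numbers come from this page; the warning about sslProtocol="SSLv3" is an addition based on RFC 7568, which deprecates SSLv3.

```python
# Added example, not from the Ricoh ProcessDirector documentation: check an edited server.xml.
import xml.etree.ElementTree as ET

HTTP_PORT, SSL_PORT = "15080", "15443"          # the ports used on this page
# Placeholder values from step 7.2 that steps 7.3 and 7.4 tell you to replace.
PLACEHOLDERS = {"keystoreFile": "path to .keystore", "keystorePass": "keystore_password"}


def check_server_xml(xml_text: str) -> list:
    """Return a list of problem descriptions; an empty list means the edit looks right."""
    problems = []
    root = ET.fromstring(xml_text)
    connectors = {c.get("port"): c for c in root.iter("Connector")}
    http, ssl = connectors.get(HTTP_PORT), connectors.get(SSL_PORT)
    if http is None:
        problems.append(f"no Connector on port {HTTP_PORT}")
    elif http.get("redirectPort") != SSL_PORT:
        problems.append(f"HTTP connector redirectPort is {http.get('redirectPort')!r}, expected {SSL_PORT}")
    if ssl is None:
        problems.append(f"no Connector on port {SSL_PORT}; the step 7.2 block was not inserted")
        return problems

    # Attributes the inserted connector must carry, per the snippet in step 7.2.
    for attr, want in (("SSLEnabled", "true"), ("scheme", "https"), ("secure", "true")):
        if ssl.get(attr) != want:
            problems.append(f'SSL connector: expected {attr}="{want}", got {ssl.get(attr)!r}')

    for attr, placeholder in PLACEHOLDERS.items():
        value = ssl.get(attr)
        if not value:
            problems.append(f"SSL connector: {attr} is missing or empty")
        elif value == placeholder:
            problems.append(f"SSL connector: {attr} still holds the placeholder {placeholder!r}")

    # Addition beyond the page: SSLv3 is deprecated by RFC 7568; Tomcat's default value is "TLS".
    if ssl.get("sslProtocol", "").upper().startswith("SSL"):
        problems.append('SSL connector: sslProtocol names SSLv3 (deprecated by RFC 7568); use "TLS"')
    return problems


# Constructed sample: server.xml right after step 7.2, before the placeholders were replaced.
SAMPLE_UNEDITED = """<Server><Service name="Catalina">
  <Connector port="15080" protocol="HTTP/1.1" redirectPort="15443"/>
  <Connector port="15443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
     keystoreFile="path to .keystore" keystorePass="keystore_password"
     clientAuth="false" sslProtocol="SSLv3"/>
</Service></Server>"""

if __name__ == "__main__":
    for problem in check_server_xml(SAMPLE_UNEDITED):
        print(problem)
```

Run it against the real file with `check_server_xml(open("/opt/infoprint/ippd/ws/conf/server.xml").read())`; an empty result means the connectors match what step 7 describes.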

When users access the system, they are redirected to the secure protocol without having to take any action themselves. However, if you use a self-signed certificate or if the certificate is not specifically tied to the server, the Web browser issues a warning that the certificate is not trusted.

If you use Ricoh ProcessDirector Web services to exchange print data with other applications in your system, you must make sure that client software that you use to invoke the Web services supports SSL.

If you install service updates or a new version of Ricoh ProcessDirector, you must activate SSL again because the installation process clears the SSL settings in the Web server component.

If you need to update or replace your digital certificate, install the new certificate into the keystore and remove the old certificate. However, you must change the owner of the .keystore file again when you renew the certificate; see step 3 above. You do not have to do this entire task again, because Ricoh ProcessDirector can find the new certificate in the keystore.

Copyright © 2006, 2018