
Enabling SSL for Innoslate 4.12+

Step-by-Step Guide: Enabling SSL for Innoslate Enterprise 4.12+ on Tomcat 11

Enabling SSL/TLS encrypts traffic to your Innoslate instance using HTTPS, improving security and compliance (e.g., for sensitive model data). This guide covers self-signed (testing) and CA-issued (production) certificates.

Prerequisites

  • Innoslate Enterprise 4.12+ installed.

  • Java 21 and Tomcat 11 (Tomcat 11 requires Java 17 or newer); both support TLS 1.2 and TLS 1.3 without extra configuration.

  • Port 8443 (or 443 for production) open in your firewall.

  • Basic knowledge of command-line usage.

  • The hostname users will type in the browser must be listed in the certificate's Subject Alternative Name (SAN); current browsers ignore a Common Name (CN) that is not repeated in the SAN. If you are changing the server's domain name, settle on the final name before generating the certificate or CSR.

  • Administrative access to edit files and restart the Innoslate service.

Step 1: Prepare the Keystore (Self-Signed or CA-Issued)

Do not store your keystore inside the Innoslate folder (e.g., avoid `C:\Innoslate4\...`). Use a separate, persistent location such as `C:\Certificates` so the certificate survives uninstalls, upgrades, or clean reinstalls, and restrict that file's permissions to administrators and the account the Innoslate (Tomcat) service runs as: the keystore contains the server's private key.

Option A: Self-Signed Certificate (Recommended for Testing/Internal Use Only)

Open a command prompt/PowerShell (as admin) or terminal. Run (one line):

"C:\Program Files\Java\jdk-21\bin\keytool.exe" -genkeypair -alias innoslate -keyalg RSA -keysize 2048 -keystore C:\Certificates\innoslate.jks -validity 3650 -storepass changeit -ext SAN=dns:your-server.example.com
  • Replace the path ("C:\Program Files\Java\jdk-21\bin\keytool.exe") if your Java is elsewhere; the JRE bundled with Innoslate (e.g., "C:\Program Files\Innoslate4\jre\bin\keytool.exe") also ships keytool.

  • Replace `your-server.example.com` in the SAN extension with the exact hostname users will type; append `,ip:10.0.0.5` (your address) if anyone connects by IP. Answer the prompts with the same hostname as the Common Name (CN). Browsers validate the SAN, not the CN, so a certificate without this extension is rejected even when the CN is right.

  • This creates `innoslate.jks` valid for ~10 years, which is acceptable for an internal test certificate. Change the password from `changeit` in production.

  • JDK 21 keytool writes a PKCS12 file by default even with a `.jks` extension. Java reads it either way, but passing `-storetype PKCS12` here and setting `certificateKeystoreType="PKCS12"` in Step 2 makes the format explicit.

Option B: CA-Issued Certificate (Production/Recommended)

  1. Generate the keystore and key pair (same as above, but with a strong password; the self-signed certificate this creates is only a placeholder that the CA reply replaces in step 5):

"C:\Program Files\Java\jdk-21\bin\keytool.exe" -genkeypair -alias innoslate -keyalg RSA -keysize 2048 -keystore C:\Certificates\innoslate.jks -validity 3650 -storepass your_strong_password
  • Replace the path ("C:\Program Files\Java\jdk-21\bin\keytool.exe") if your Java is elsewhere (the Innoslate-bundled JRE at "C:\Program Files\Innoslate4\jre\bin\keytool.exe" works too), and use the same keytool for every command below.

  2. Generate the CSR, listing the hostname(s) as SAN so the CA issues a certificate browsers will accept:

"C:\Program Files\Java\jdk-21\bin\keytool.exe" -certreq -alias innoslate -file C:\Certificates\innoslate.csr -keystore C:\Certificates\innoslate.jks -storepass your_strong_password -ext SAN=dns:your-server.example.com

  3. Submit `innoslate.csr` to your Certificate Authority (e.g., DigiCert or your organization's internal CA). Let's Encrypt issues only through the ACME protocol (for example `certbot certonly --csr innoslate.csr`) and its certificates expire after 90 days, so choose it only if you will automate renewal and re-import.

  4. Receive the signed certificate files (usually `.crt` or `.pem` plus root/intermediate CA files).

  5. Import in order (root first, then intermediates, then your signed certificate under the same alias as the key; keytool validates the reply against the CA entries already in the keystore, so the order matters):

"C:\Program Files\Java\jdk-21\bin\keytool.exe" -importcert -trustcacerts -alias root -file root_ca.crt -keystore C:\Certificates\innoslate.jks -storepass your_strong_password
"C:\Program Files\Java\jdk-21\bin\keytool.exe" -importcert -trustcacerts -alias intermediate -file intermediate_ca.crt -keystore C:\Certificates\innoslate.jks -storepass your_strong_password
"C:\Program Files\Java\jdk-21\bin\keytool.exe" -importcert -trustcacerts -alias innoslate -file yourdomain.crt -keystore C:\Certificates\innoslate.jks -storepass your_strong_password

  6. Verify with `keytool -list -v -keystore C:\Certificates\innoslate.jks -alias innoslate`: the entry should read `Entry type: PrivateKeyEntry` with a certificate chain length of 3 (your certificate, the intermediate, the root) and your hostname under `SubjectAlternativeName`.

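The PowerShell script below is an added example, not part of the Innoslate documentation or product. It performs Step 1 non-interactively: it creates the keystore with a SAN that matches the server name, writes the CSR needed for Option B, restricts the file to administrators and the service account, and then checks that keytool actually produced a private-key entry carrying the SAN. The keytool path, the `C:\Certificates` folder, the hostname and the assumption that the Innoslate service runs as LocalSystem are placeholders to adjust.

```powershell
# Added example (not Innoslate's own code): build the Step 1 keystore with a SAN,
# emit the CSR for a CA, lock the file down, and verify the result.
# Assumed placeholders: $KeyTool, $Store, $Csr, $HostName, and the LocalSystem service account.
$KeyTool  = 'C:\Program Files\Java\jdk-21\bin\keytool.exe'
$Store    = 'C:\Certificates\innoslate.jks'
$Csr      = 'C:\Certificates\innoslate.csr'
$Alias    = 'innoslate'
$HostName = 'innoslate.example.internal'   # exactly what users type in the browser
$San      = "dns:$HostName"                 # append ",ip:10.0.0.5" if anyone connects by IP

# keytool only accepts the password on its command line, so read it once and
# release the unmanaged copy as soon as the plain string exists.
$secure = Read-Host -AsSecureString 'Keystore password'
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$Pass   = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
if ($Pass.Length -lt 12) { throw 'Use a keystore password of at least 12 characters' }

New-Item -ItemType Directory -Force -Path (Split-Path $Store) | Out-Null
if (Test-Path -LiteralPath $Store) { throw "$Store already exists; refusing to overwrite a keystore" }

# -dname removes the interactive prompts; -ext SAN is what browsers actually validate.
& $KeyTool -genkeypair -alias $Alias -keyalg RSA -keysize 2048 `
    -dname "CN=$HostName, O=Example Org" `
    -ext "SAN=$San" `
    -validity 3650 -storetype PKCS12 -keystore $Store -storepass $Pass
if ($LASTEXITCODE -ne 0) { throw "keytool -genkeypair failed (exit code $LASTEXITCODE)" }

# CSR for Option B. The SAN must be repeated here or the CA will not include it.
& $KeyTool -certreq -alias $Alias -keystore $Store -storepass $Pass `
    -ext "SAN=$San" -file $Csr
if ($LASTEXITCODE -ne 0) { throw "keytool -certreq failed (exit code $LASTEXITCODE)" }

# Only administrators and the service account may read the private key.
# Assumption: the Innoslate/Tomcat Windows service runs as LocalSystem.
icacls $Store /inheritance:r /grant:r 'BUILTIN\Administrators:F' 'NT AUTHORITY\SYSTEM:R' | Out-Null

# Verify: one private-key entry whose certificate names the host.
$lines   = & $KeyTool -list -v -keystore $Store -storepass $Pass -alias $Alias
$listing = $lines -join "`n"
if ($listing -notmatch 'Entry type: PrivateKeyEntry') { throw "Alias '$Alias' is not a private key entry" }
if ($listing -notmatch "DNSName: $([regex]::Escape($HostName))") { throw "SAN does not contain $HostName" }
$lines | Select-String -Pattern 'Valid from|DNSName|IPAddress|Signature algorithm' |
    ForEach-Object { $_.Line.Trim() }
```

Keep the `-storetype PKCS12` and the `certificateKeystoreType="PKCS12"` attribute in Step 2 in sync. After a CA reply has been imported (Option B, step 5), rerun the `keytool -list -v` part of the script: the SAN check still applies and the chain length should be 3.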
Step 2: Configure server.xml for HTTPS (Tomcat 11 Style)

  1. Backup the file: `C:\Innoslate4\apache-tomcat\conf\server.xml`.

  2. Open `server.xml` in a text editor (as admin).

  3. Locate the existing HTTP `<Connector port="8080" ... />` section.

  4. Add (or replace) the HTTPS Connector with this modern config:

   <Connector port="8443"
              protocol="org.apache.coyote.http11.Http11NioProtocol"
              maxThreads="200"
              scheme="https"
              secure="true"
              SSLEnabled="true"
              defaultSSLHostConfigName="default">
       <SSLHostConfig hostName="default"
                      protocols="TLSv1.2,TLSv1.3"
                      ciphers="TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-AES128-GCM-SHA256">
           <Certificate certificateKeystoreFile="C:/Certificates/innoslate.jks"
                        certificateKeystorePassword="your_strong_password"
                        certificateKeyAlias="innoslate"
                        type="RSA" />
       </SSLHostConfig>
   </Connector>
  • Use forward slashes (`/`) in the path for cross-platform compatibility.

  • For production: change to `port="443"` and use your actual keystore password.

  • `certificateKeyAlias` names the key entry Tomcat serves; it matters once the keystore also holds root/intermediate CA entries (Option B).

  • If keytool created a PKCS12 file (the JDK 21 default, whatever the extension), add `certificateKeystoreType="PKCS12"` to the `<Certificate>` element so Tomcat does not have to rely on the JKS/PKCS12 compatibility mode.

  • Adjust `ciphers` if needed, but this set is secure and modern: the three TLS 1.3 AEAD suites first, then ECDHE key exchange with AES-GCM for TLS 1.2 (no CBC suites, no static RSA key exchange). Tomcat accepts both the IANA and the OpenSSL spellings used here.

  • The keystore password now sits in clear text in `server.xml`: restrict the file's permissions to administrators and the service account, and XML-escape the password if it contains `&`, `<` or `"` (`&amp;`, `&lt;`, `&quot;`).

Step 3: Optional — Redirect HTTP to HTTPS (Recommended)

  • Keep the HTTP Connector and add `redirectPort="8443"` (or `443`) to it. Tomcat uses this attribute only when a plain-HTTP request hits a resource that a security constraint marks as CONFIDENTIAL, so on its own it redirects nothing.

  • To actually enforce HTTPS, add this constraint to `C:\Innoslate4\apache-tomcat\webapps\innoslate4\WEB-INF\web.xml` (backup first); together with `redirectPort` it sends every HTTP request to the HTTPS port:

  <security-constraint>
      <web-resource-collection>
          <web-resource-name>Entire Application</web-resource-name>
          <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
  </security-constraint>

  • This `web.xml` belongs to the deployed application and may be replaced during an Innoslate upgrade; re-check it after every update.

  • Once HTTPS is enforced, consider enabling Tomcat's bundled `HttpHeaderSecurityFilter` (present but commented out in `conf\web.xml`) with `hstsEnabled` so browsers remember to use HTTPS (HSTS).
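The following PowerShell preflight script is an added example, not part of the Innoslate documentation. It reads the `server.xml` and `web.xml` edits from Steps 2 and 3 and reports the mistakes that most often surface only as a failed restart: legacy protocols left enabled, a keystore inside the Innoslate tree, a placeholder password, a password that does not open the keystore, and a `redirectPort` with no CONFIDENTIAL constraint to trigger it. The install path `C:\Innoslate4`, the JDK 21 keytool path and the fallback alias `innoslate` are assumptions.

```powershell
# Added example (not Innoslate's own code): preflight the Step 2/3 configuration before restarting.
# Assumed placeholders: $CatalinaHome, $KeyTool, and the alias 'innoslate' when none is configured.
$CatalinaHome = 'C:\Innoslate4\apache-tomcat'
$KeyTool      = 'C:\Program Files\Java\jdk-21\bin\keytool.exe'
$findings     = [System.Collections.Generic.List[string]]::new()

[xml]$serverXml = Get-Content -Raw -LiteralPath "$CatalinaHome\conf\server.xml"
$connectors = @($serverXml.Server.Service.Connector)
$https = @($connectors | Where-Object { $_.SSLEnabled -eq 'true' })
$http  = @($connectors | Where-Object { $_.SSLEnabled -ne 'true' -and $_.protocol -notlike '*AJP*' })

if ($https.Count -ne 1) {
    $findings.Add("Expected exactly one SSLEnabled connector, found $($https.Count)")
} else {
    $conn = $https[0]
    $cfg  = $conn.SSLHostConfig
    $cert = $cfg.Certificate
    if (-not $cfg -or -not $cert) {
        $findings.Add('HTTPS connector has no <SSLHostConfig>/<Certificate> (Tomcat 11 style required)')
    } else {
        # Protocols: only TLS 1.2 and 1.3 should be listed; a missing attribute means Tomcat's default.
        if (-not $cfg.protocols) {
            $findings.Add('Set protocols="TLSv1.2,TLSv1.3" explicitly on <SSLHostConfig>')
        } else {
            foreach ($p in ($cfg.protocols -split ',')) {
                if ($p.Trim() -in 'SSLv3', 'TLSv1', 'TLSv1.1', 'all') { $findings.Add("Legacy protocol enabled: $($p.Trim())") }
            }
        }
        $ks = $cert.certificateKeystoreFile
        $pw = $cert.certificateKeystorePassword
        if (-not (Test-Path -LiteralPath $ks)) {
            $findings.Add("Keystore not found: $ks")
        } else {
            if (($ks -replace '/', '\') -like 'C:\Innoslate4\*') { $findings.Add("Keystore sits inside the Innoslate tree ($ks); move it (Step 1)") }
            if ($pw -in 'changeit', 'your_strong_password', '') { $findings.Add('Keystore password is a default or placeholder value') }
            $alias = if ($cert.certificateKeyAlias) { $cert.certificateKeyAlias } else { 'innoslate' }   # assumed alias
            # Does the configured password open the keystore, and is the alias a key entry?
            $out = (& $KeyTool -list -keystore $ks -storepass $pw -alias $alias 2>&1 | Out-String)
            if ($LASTEXITCODE -ne 0) {
                $findings.Add("keytool cannot open '$ks' with the configured password/alias '$alias': $($out.Trim())")
            } elseif ($out -notmatch 'PrivateKeyEntry') {
                $findings.Add("Alias '$alias' exists but is not a private key entry")
            }
            # Review who can read the private key: expect only administrators and the service account.
            $readers = (Get-Acl -LiteralPath $ks).Access | ForEach-Object { "$($_.IdentityReference) [$($_.FileSystemRights)]" }
            Write-Host "Keystore readers: $($readers -join '; ')"
        }
    }
    # Step 3: redirectPort on the HTTP connector must point at the HTTPS port.
    if ($http.Count -gt 0 -and $http[0].redirectPort -ne $conn.port) {
        $findings.Add("HTTP connector redirectPort='$($http[0].redirectPort)' does not match HTTPS port '$($conn.port)'")
    }
}

# Step 3: without a CONFIDENTIAL constraint, redirectPort is never used.
$webXmlPath = "$CatalinaHome\webapps\innoslate4\WEB-INF\web.xml"
if (Test-Path -LiteralPath $webXmlPath) {
    [xml]$webXml = Get-Content -Raw -LiteralPath $webXmlPath
    $guarantees = @($webXml.'web-app'.'security-constraint' | ForEach-Object { $_.'user-data-constraint'.'transport-guarantee' })
    if ('CONFIDENTIAL' -notin $guarantees) { $findings.Add('web.xml has no CONFIDENTIAL transport-guarantee: HTTP requests will not be redirected') }
} else {
    $findings.Add("web.xml not found at $webXmlPath")
}

if ($findings.Count -eq 0) { Write-Host 'Preflight passed; restart the Innoslate service.' }
else { $findings | ForEach-Object { Write-Warning $_ }; exit 1 }
```

Run it in an elevated PowerShell after saving both files and before restarting; a non-zero exit code means at least one finding. The keystore check executes keytool with the password taken from `server.xml`, so run it only on the server itself.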

Step 4: Restart and Verify

  1. Restart the Innoslate service (via Services.msc on Windows, or `C:\Innoslate4\apache-tomcat\bin\shutdown.bat` then `startup.bat`).

  2. Access: `https://your-server:8443` (accept self-signed warning if applicable).

  3. Check logs: `C:\Innoslate4\apache-tomcat\logs\catalina.<date>.log` for SSL errors (e.g., wrong password or file not found).

  4. Test the handshake. ssllabs.com/ssltest only reaches servers exposed to the internet; for an internal host use a local tool such as `openssl s_client -connect your-server:8443 -tls1_2` (then `-tls1_3`, and `-tls1_1`, which should fail) or nmap with `--script ssl-enum-ciphers`. Expect TLS 1.2 and TLS 1.3 with the configured GCM/ChaCha20 ciphers, and expect TLS 1.0/1.1 connections to be refused.
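As an added example that is not part of the Innoslate documentation, this PowerShell script performs the verification in item 4 from any Windows host on the network: it attempts a handshake at each TLS version, reports what the server negotiated, and then checks that the served certificate names the host and is not close to expiry. The hostname and port are placeholders; the certificate callback accepts everything on purpose so that a self-signed test certificate does not abort the probe, and the SAN text format assumes Windows.

```powershell
# Added example (not Innoslate's own code): probe the HTTPS listener per protocol version.
# Assumed placeholders: $TargetHost and $Port; the Innoslate service is already running.
$TargetHost = 'innoslate.example.internal'
$Port       = 8443

function Test-TlsHandshake {
    param(
        [string]$HostName,
        [int]$Port,
        [System.Security.Authentication.SslProtocols]$Protocol
    )
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($HostName, $Port)
        # Accept any certificate here; it is inspected explicitly by the caller.
        $trustAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $trustAll)
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $san  = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
                 ForEach-Object { $_.Format($false) }) -join ''
        $result = [pscustomobject]@{
            Requested  = $Protocol
            Succeeded  = $true
            Negotiated = $ssl.SslProtocol
            Cipher     = "$($ssl.CipherAlgorithm)-$($ssl.CipherStrength)"
            Subject    = $cert.Subject
            SAN        = $san
            NotAfter   = $cert.NotAfter
            Error      = $null
        }
        $ssl.Close()
        $result
    } catch {
        [pscustomobject]@{
            Requested  = $Protocol
            Succeeded  = $false
            Negotiated = $null
            Cipher     = $null
            Subject    = $null
            SAN        = $null
            NotAfter   = $null
            Error      = $_.Exception.GetBaseException().Message
        }
    } finally {
        $client.Close()
    }
}

# Tls13 is only present in .NET builds that know it (PowerShell 7, or .NET Framework 4.8+).
$supported = [enum]::GetNames([System.Security.Authentication.SslProtocols])
$results = foreach ($name in 'Tls', 'Tls11', 'Tls12', 'Tls13') {
    if ($name -in $supported) {
        Test-TlsHandshake -HostName $TargetHost -Port $Port -Protocol ([System.Security.Authentication.SslProtocols]$name)
    }
}
$results | Format-Table Requested, Succeeded, Negotiated, Cipher, Error -AutoSize

# Expectations from the Step 2 configuration: TLS 1.2 and 1.3 succeed, TLS 1.0 and 1.1 are refused.
foreach ($r in ($results | Where-Object { $_.Succeeded -and $_.Requested -in 'Tls', 'Tls11' })) {
    Write-Warning "Server accepted legacy protocol $($r.Requested); check the protocols attribute"
}
$ok = $results | Where-Object Succeeded | Select-Object -First 1
if (-not $ok) { throw "No TLS handshake succeeded against ${TargetHost}:$Port; check catalina.<date>.log" }
if ($ok.SAN -notmatch [regex]::Escape($TargetHost)) {
    Write-Warning "Certificate SAN ($($ok.SAN)) does not include $TargetHost; browsers will reject it"
}
if ($ok.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires on $($ok.NotAfter)" }
"Certificate: $($ok.Subject); SAN: $($ok.SAN); valid until $($ok.NotAfter)"
```

A failed `Tls13` row on Windows PowerShell 5.1 or an older Windows build is a limitation of the probing client, not the server; confirm TLS 1.3 from a PowerShell 7 host or with `openssl s_client -tls1_3` instead.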

Troubleshooting Tips:

  • Keystore not found → Double-check absolute path and permissions (Tomcat service user must read it).

  • Password issues → Ensure `certificateKeystorePassword` matches exactly.

  • Port 443 binding fails → On Windows the usual cause is another service already listening on 443 (IIS/HTTP.sys, VPN clients); find the owner with `netstat -ano | findstr :443` and stop or move it. On Linux, ports below 1024 need root or the `CAP_NET_BIND_SERVICE` capability for the Tomcat user; otherwise keep 8443 and forward 443 to it at the firewall.

  • Self-signed warnings → Expected. For internal use, export only the certificate (`keytool -exportcert -alias innoslate -file innoslate.cer -keystore C:\Certificates\innoslate.jks`) and import it into client trust stores (e.g., the Windows Trusted Root Certification Authorities store via Group Policy). Never distribute the keystore itself: it holds the private key.