
12.3.6 Making LISTSERV Maestro Aware of the Server Certificate

Once the signed server certificate is imported into the keystore file, the LISTSERV Maestro server needs to be aware of this certificate. This is the last step to securing the server. On the server to be secured with SSL, edit the file "server.xml" in the LISTSERV Maestro installation folder:

\Program Files\L-Soft\Application Server\conf\server.xml

Near the end of the file there is a section labeled "HTTPS (SSL)". This section contains a connector for HTTPS connections, which is initially commented out (with braces "<!--" and "-->"). Remove the comment-braces around the connector, not around the explanatory comment-text that precedes the connector, to activate it:

<Connector className="org.apache.tomcat.service.PoolTcpConnector">
<Parameter name="handler" value="org.apache.tomcat.service.http.HttpConnectionHandler"/>
<Parameter name="port" value="443"/>
<Parameter name="socketFactory" value="org.apache.tomcat.net.SSLSocketFactory"/>
<Parameter name="clientAuth" value="false"/>
<Parameter name="keystore" value="TODO:Set path to keystore file!"/>
<Parameter name="keypass" value="TODO:Set to password of keystore file!"/>
</Connector>

It is also necessary to edit the values of the parameters "keystore" and "keypass", which currently contain only "TODO" comments:

  • As the value of "keystore", enter the absolute path to the keystore file (including drive letter) in which the signed certificate can be found. A relative path name cannot be used; the full path to the file must be supplied. The keystore file itself can be stored in any place that seems appropriate, but the "Application Server\commands" folder would be a good choice.
  • As the value of "keypass", enter the password that was used for the keystore (as explained earlier, the same password must also have been used).

Security Issue: The password to the keystore and the certificate therein are included as plain text in this file. This can be a security breach if unauthorized persons have access to this file. Therefore, employ the appropriate Windows security measures so that only authorized persons can access this file. This should previously have been done, as this file is integral to the functioning of the server. Tampering with this file, or other files in the "Application Server" folder, may prevent LISTSERV Maestro from working.

The HTTPS connector is pre-configured to use port 443, which is the standard port for HTTPS (in comparison to port 80, which is the standard port for normal HTTP). If this port cannot be used, it is possible to change the port to any other value that is not in use on the server. However, in this case the users will have to enter a URL like "https://server.domain.com:yourPort/lui" instead (just as with standard HTTP, if the standard HTTP port had been changed to something other than 80).

Finally, comment out or simply remove the normal HTTP connector in the "server.xml" file. Either simply delete it or enclose it in comment braces:

<!--
<Connector className="org.apache.tomcat.service.PoolTcpConnector">
<Parameter name="handler" value="org.apache.tomcat.service.http.HttpConnectionHandler"/>
</Connector>
-->

This is necessary so that the server is no longer accessible using normal HTTP. If this is not done, then users could use both HTTPS and HTTP URLs to access the server. As most users are not familiar with the HTTPS availability, most would probably default to the normal HTTP, and all communication would once again be unencrypted - which defeats the purpose of securing the server. Therefore, it is safer to remove/comment out the standard HTTP connector to prevent users from accessing the server with normal HTTP and remind them to use HTTPS instead.

This also explains why it is not possible to secure with SSL a server on which the Maestro Tracker component is running: The Maestro Tracker component always requires use of normal HTTP. It cannot be configured to use HTTPS (because the collection of the tracking events needs to be fast, and HTTPS is too slow for this). As all components installed on one server share the same connectors, it is necessary to enable/disable a connector type for all components simultaneously. Therefore, if it is desirable to secure the Administration Hub and/or Maestro User Interface components with SSL, they must be installed on a separate server from the Maestro Tracker component (however, both of these components may be on the same server, as long as both are to be secured).

LISTSERV Maestro is now prepared for SSL access. Start or re-start LISTSERV Maestro and access it normally, except now it is necessary to use HTTPS: URLs instead of the standard HTTP: URLs.
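
A check to run over the edited "server.xml" before restarting, as an added example that is not part of the L-Soft documentation: it reports a plain HTTP connector that is still active and "keystore"/"keypass" values left as TODO or given as a relative path. The function names, the sample document, the keystore file name and the password are constructed for illustration.

```python
import ntpath
import xml.etree.ElementTree as ET

HTTP_HANDLER = "org.apache.tomcat.service.http.HttpConnectionHandler"
SSL_FACTORY = "org.apache.tomcat.net.SSLSocketFactory"

def audit_server_xml(xml_text):
    """Return findings for the HTTP/HTTPS connectors in a server.xml document."""
    findings, https_seen = [], False
    # ElementTree discards XML comments, so commented-out connectors are skipped.
    for conn in ET.fromstring(xml_text).iter("Connector"):
        p = {e.get("name"): e.get("value", "") for e in conn.findall("Parameter")}
        if p.get("handler") != HTTP_HANDLER:
            continue
        if p.get("socketFactory") != SSL_FACTORY:
            findings.append(f"plain HTTP connector active on port {p.get('port', '?')}")
            continue
        https_seen = True
        keystore, keypass = p.get("keystore", ""), p.get("keypass", "")
        if not keystore or keystore.startswith("TODO"):
            findings.append("keystore path not set")
        elif not (ntpath.isabs(keystore) and ntpath.splitdrive(keystore)[0]):
            findings.append(f"keystore path lacks drive letter or is relative: {keystore}")
        if not keypass or keypass.startswith("TODO"):
            findings.append("keypass not set")
    if not https_seen:
        findings.append("no active HTTPS connector")
    return findings

def sample(http_active, keystore, keypass):
    """Build a constructed server.xml; not taken from a real installation."""
    head = ('<Connector className="org.apache.tomcat.service.PoolTcpConnector">'
            f'<Parameter name="handler" value="{HTTP_HANDLER}"/>')
    http = head + '<Parameter name="port" value="80"/></Connector>'
    https = (head + '<Parameter name="port" value="443"/>'
             f'<Parameter name="socketFactory" value="{SSL_FACTORY}"/>'
             f'<Parameter name="keystore" value="{keystore}"/>'
             f'<Parameter name="keypass" value="{keypass}"/></Connector>')
    if not http_active:
        http = "<!-- " + http + " -->"
    return f"<Server><ContextManager>{http}{https}</ContextManager></Server>"

if __name__ == "__main__":
    todo = sample(True, "TODO:Set path to keystore file!",
                  "TODO:Set to password of keystore file!")
    done = sample(False, r"C:\Program Files\L-Soft\Application Server\commands\example.keystore",
                  "example-password")
    print("before:", audit_server_xml(todo))
    print("after: ", audit_server_xml(done))
```

The check covers only the connector settings; access permissions on "server.xml" and the keystore file still have to be reviewed with the Windows security tools.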
