12.3 Server Certificates Continued
Once the signed server certificate is imported into the keystore file, the LISTSERV Maestro server needs to be aware of this certificate. This is the last step to securing the server. On the server to be secured with SSL, edit the file "server.xml" in the LISTSERV Maestro installation folder:
\Program Files\L-Soft\Application Server\conf\server.xml
Near the end of the file there is a section labeled "HTTPS (SSL)". This section contains a connector for HTTPS connections, which is initially commented out (with braces "<!--" and "-->"). Remove the comment-braces around the connector, not around the explanatory comment-text that precedes the connector, to activate it:
The HTTPS-connector is pre-configured to use port 443, which is the standard port for HTTPS (in comparison to port 80, which is the standard port for normal HTTP). If this port cannot be used, then it is possible to change the port to any other value that is not in use on the server. However, in this case the users will have to enter a URL like "https://server.domain.com:yourPort/lui" instead, (just as with standard HTTP, if the standard HTTP port had been changed to something other than 80).
Finally, comment out or simply remove the normal HTTP connector in the "server.xml" file. Either simply delete it or enclose it in comment braces:
This is necessary so that the server is no longer accessible using normal HTTP. If this is not done, then users could use both HTTPS and HTTP URLs to access the server. As most users are not familiar with the HTTPS availability, most would probably default to the normal HTTP, and all communication would once again be unencrypted - which defeats the purpose of securing the server. Therefore, it is safer to remove/comment out the standard HTTP connector to prevent users from accessing the server with normal HTTP and remind them to use HTTPS instead.
This also explains why it is not possible to secure a server that is running the Maestro Tracker component is running with SSL: The Maestro Tracker component always requires use of normal HTTP. It cannot be configured to use HTTPS (because the collection of the tracking events needs to be fast, and HTTPS is too slow for this). As all components installed on one server share the same connectors, necessary to enable/disable a connector type for all components simultaneously. Therefore, if it is desirable to secure the Administration Hub and/or Maestro User Interface components with SSL, they must be installed on a separate server from the Maestro Tracker component (however, both components may be on the same server, as long as they both plan to be secured).
LISTSERV Maestro is now prepared for SSL access. Start or re-start LISTSERV Maestro and access it normally, except now it is necessary to use HTTPS: URLs instead of the standard HTTP: URLs.