...

All network communication with the Servoy Application Server can optionally be secured: enable HTTPS for the traffic on the HTTP port, and enable SSL encryption for the communication between the Smart Client and the Application Server.

Setting the HTTP Port

The HTTP port, used to expose many of the services of the Servoy Application Server, is configured by editing the server.xml file located in ../application_server/server/conf. This file contains the following entry by default:

...

  • keystoreFile: for example 'conf/mykeystore.ks'
    The value of this attribute must refer to the location and name of the keystore (either absolute or relative to the Tomcat server home directory (../application_server/server)).
  • keystorePass: for example 'mypassword'
    The passphrase of the keystore, as specified when the keystore was created. It is stored in clear text in server.xml, so restrict read access to that file to the account that runs the Application Server.

...

If HTTPS is enabled, the Tomcat server underlying the Servoy Application Server can redirect specific or all incoming HTTP traffic to HTTPS. This is done by editing the web.xml file located in ../application_server/server/webapps/ROOT/WEB-INF.

Enforcing HTTPS for All Traffic

To redirect all HTTP traffic to HTTPS, add the following security-constraint at the bottom of the file, just before '</web-app>'. The url-pattern '/*' matches every request path:

Code Block
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Automatic SSL Forwarding</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

When all HTTP requests are forced to HTTPS, the servoy.jnlpCodebaseOverride setting must be set to the HTTPS URL, including the HTTPS Connector port number.
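As an added example, not taken from the Servoy documentation or the product, the following Python script audits the three settings this section ties together: an SSL-enabled Tomcat Connector in server.xml that carries keystoreFile and keystorePass, a CONFIDENTIAL security-constraint in web.xml that covers all URLs, and a servoy.jnlpCodebaseOverride value that uses https and the Connector's port. The XML fragments are constructed samples, the function names are the example's own, and the check against Tomcat's documented default keystore password 'changeit' is an extra this example adds.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Tomcat's documented default keystore password; a deployment must not keep it.
TOMCAT_DEFAULT_KEYSTORE_PASS = "changeit"

# Constructed sample server.xml (not Servoy's shipped file): a plain HTTP
# Connector plus the SSL-enabled Connector this section describes.
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"
               keystoreFile="conf/mykeystore.ks" keystorePass="mypassword"/>
  </Service>
</Server>"""

# Constructed web.xml carrying the redirect-all constraint (namespaced, as Tomcat's own is).
WEB_XML_ENFORCED = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Automatic SSL Forwarding</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

# Constructed web.xml without any constraint: plain HTTP is still served.
WEB_XML_PLAIN = '<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5"/>'


def _local(tag):
    """Strip a namespace prefix ({uri}name -> name) so matching works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def https_connector(server_xml):
    """Attributes of the first <Connector SSLEnabled="true">, or None if HTTPS is not configured."""
    for el in ET.fromstring(server_xml).iter():
        if _local(el.tag) == "Connector" and el.get("SSLEnabled", "").lower() == "true":
            return dict(el.attrib)
    return None


def confidential_patterns(web_xml):
    """URL patterns of every <security-constraint> whose transport-guarantee is CONFIDENTIAL."""
    patterns = set()
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        guarantees = {(e.text or "").strip() for e in sc.iter() if _local(e.tag) == "transport-guarantee"}
        if "CONFIDENTIAL" in guarantees:
            patterns.update((e.text or "").strip() for e in sc.iter() if _local(e.tag) == "url-pattern")
    return patterns


def audit(server_xml, web_xml, jnlp_codebase_override):
    """Return a list of findings; an empty list means the three settings agree."""
    findings = []
    conn = https_connector(server_xml)
    if conn is None:
        return ['server.xml: no Connector with SSLEnabled="true"; HTTPS is not configured']
    if not conn.get("keystoreFile"):
        findings.append("server.xml: HTTPS Connector has no keystoreFile")
    password = conn.get("keystorePass")
    if not password:
        findings.append("server.xml: HTTPS Connector has no keystorePass")
    elif password == TOMCAT_DEFAULT_KEYSTORE_PASS:
        findings.append("server.xml: keystorePass is Tomcat's default 'changeit'")
    if not ({"/*", "/"} & confidential_patterns(web_xml)):
        findings.append("web.xml: no CONFIDENTIAL security-constraint covering all URLs (/* or /)")
    url = urlparse(jnlp_codebase_override)
    if url.scheme != "https":
        findings.append("servoy.jnlpCodebaseOverride: scheme must be https when HTTP is redirected, got '%s'" % url.scheme)
    port = url.port or (443 if url.scheme == "https" else 80)
    if str(port) != conn.get("port"):
        findings.append("servoy.jnlpCodebaseOverride: port %s does not match HTTPS Connector port %s" % (port, conn.get("port")))
    return findings


if __name__ == "__main__":
    for label, web_xml, codebase in (
        ("enforced", WEB_XML_ENFORCED, "https://app.example.com:8443/"),
        ("plain", WEB_XML_PLAIN, "http://app.example.com:8080/"),
    ):
        problems = audit(SERVER_XML, web_xml, codebase)
        print(label + ":", "OK" if not problems else "\n  " + "\n  ".join(problems))
```

Point the script at the real files by reading ../application_server/server/conf/server.xml and ../application_server/server/webapps/ROOT/WEB-INF/web.xml and passing the servoy.jnlpCodebaseOverride value from the Admin page; a non-empty result lists exactly which of the three places still disagrees.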

Enforcing HTTPS on Selected Traffic

Instead of redirecting all traffic to HTTPS, it is also possible to redirect only specific traffic or to exclude specific traffic. Which traffic is redirected is controlled by the <url-pattern> and/or <url-pattern-exclude> nodes of the <web-resource-collection> node of the security-constraint.

...

Servoy comes with a so-called tunnel that Smart Clients can use to connect to the Application Server. The tunnel is a more robust communication mode, at the cost of more server-side resources: for each Smart Client, more memory, threads and sockets (connections) are used on the Application Server. The tunnel supports two modes, HTTP and Socket, which can be used exclusively or mixed through the use of Profiles. Of the two tunnel modes, the HTTP mode consumes the most server-side resources.

HTTP Tunnel
When using the tunnel in HTTP mode, all communication between the Smart Client and the Application Server is done using the HTTP Protocol, over the HTTP port on which the Application Server runs. The benefit of this mode is that it doesn't require that the client machines can access the Application Server on the RMI port. This can be a huge benefit in cases where it's not possible to open up access to the RMI port. When Smart Clients connect to the Application Server using the HTTP Tunnel, they will utilize threads and connections from the Tomcat application server that underlies the Servoy Application Server.

Socket Tunnel
The tunnel in Socket mode is similar to the tunnel in HTTP mode, except that the communication with the Application Server goes over the RMI port of the Application Server. This means that the RMI port of the Application Server must be accessible from all client machines that will run Smart Clients. Unlike the tunnel in HTTP mode, the tunnel in Socket mode uses server-side resources (threads and sockets/connections) directly in Servoy, not through Tomcat.

Resource Usage per Connection Mode

The overview below indicates the difference in resources used per connection mode. This information is provided in case tuning is required for large-scale deployments. For example, by default the Tomcat HTTP/HTTPS connectors are configured to allow a maximum of 500 concurrent threads. When deploying large numbers of Smart Clients over the HTTP tunnel (possibly in combination with a large number of Web Clients), it may be necessary to raise the maximum number of threads allowed in the Tomcat connectors.

Connection Mode   Used threads                                   Used sockets
Two-Way socket    1 thread per concurrent request                1 per request + 2 per client
HTTP Tunnel       2 Tomcat and 2 non-Tomcat threads per client   2 per client
Socket Tunnel     2 threads per client                           1 per client

Setting the Connection Mode

All connection modes can be configured through the Servoy Admin page, under Network Settings.

...

The RMI port number that is actually in use is shown under Server Information in the Servoy Server Status, on the Servoy Admin page under Servoy Server Home.

Setting the RMI Port

The RMI start port can be set through the Servoy Admin page under Network Settings > servoy.rmiStartPort. The default value is 1099.

...

The meaning of the RMI Server Hostname setting (java.rmi.server.hostname) depends on the Connection Mode used:

...

  • SocketFactory.useSSL: set to true
  • SocketFactory.tunnelUseSSLForHttp: when the tunnel runs in http or http&socket mode, this specifies whether the HTTP traffic should also be encrypted by the socket factory. If clients already connect exclusively through HTTPS, this can be set to false, because the content is then already encrypted by the HTTPS connection handled by Tomcat. Leave it set to true as long as plain HTTP is still accepted, otherwise the tunnel payload travels in clear text.
  • SocketFactory.SSLKeystorePath: set to the location and name of the keystore. The path must be relative to the Servoy Application Server installation directory (../application_server/), for example server/conf/mykeystore.ks
  • SocketFactory.SSLKeystorePassphrase: set to the passphrase used when creating the keystore
  • SocketFactory.SSLSupportedSuites: if you need to be compliant with PCI requirements or similar, or simply do not want to allow weak ciphers between server and client, specify here which cipher suites you do want to support. See http://www.sslshopper.com/article-how-to-disable-weak-ciphers-and-ssl-2-in-tomcat.html for an example of the ciphers that can be chosen from and for how Tomcat can be configured as well (the HTTPS part). This setting only applies to the sockets in the 'http&socket' or 'socket' configurations; the ciphers offered by the HTTPS connector are configured in server.xml.
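As an added example, not taken from the Servoy documentation or the product, the following Python script sorts JSSE cipher suite names into weak, legacy and modern categories and then builds both the value for SocketFactory.SSLSupportedSuites (socket side) and the matching ciphers attribute for the Tomcat HTTPS Connector, so the two paths end up with one policy. The candidate list is a constructed sample of real JSSE suite names; the comma-separated format of the Servoy setting and the function names are assumptions of this example, while ciphers is Tomcat's real Connector attribute.

```python
import re

# Name fragments that mark a JSSE cipher suite as weak: no encryption (NULL),
# no server authentication (anon), export-grade keys, or broken/legacy algorithms.
WEAK_MARKERS = ("_NULL_", "_anon_", "_EXPORT", "_RC4_", "_RC2_", "_IDEA_",
                "_DES_", "_3DES_", "_MD5")

# Suites with forward secrecy (ECDHE/DHE) and an AEAD cipher (AES-GCM).
MODERN_RE = re.compile(r"^TLS_(ECDHE|DHE)_(RSA|ECDSA)_WITH_AES_(128|256)_GCM_SHA(256|384)$")

# Constructed candidate list: real JSSE suite names a Java runtime can offer.
CANDIDATES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_MD5",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_WITH_NULL_SHA256",
]


def classify(suite):
    """'weak': never offer. 'modern': preferred. 'legacy': authenticated AES, but RSA key transport or CBC."""
    if any(marker in suite for marker in WEAK_MARKERS):
        return "weak"
    if MODERN_RE.match(suite):
        return "modern"
    return "legacy"


def select_suites(candidates, modern_only=False):
    """Suites to allow, modern ones first; legacy ones appended unless modern_only is set."""
    modern = [s for s in candidates if classify(s) == "modern"]
    legacy = [] if modern_only else [s for s in candidates if classify(s) == "legacy"]
    return modern + legacy


def servoy_property(selected):
    """Value for SocketFactory.SSLSupportedSuites (socket tunnel side). Comma separation is assumed here."""
    return "SocketFactory.SSLSupportedSuites=" + ",".join(selected)


def tomcat_ciphers_attribute(selected):
    """The same list as the ciphers attribute of the HTTPS <Connector> in server.xml."""
    return 'ciphers="%s"' % ",".join(selected)


if __name__ == "__main__":
    allowed = select_suites(CANDIDATES)
    for suite in CANDIDATES:
        print("%-8s %s" % (classify(suite), suite))
    print(servoy_property(allowed))
    print(tomcat_ciphers_attribute(select_suites(CANDIDATES, modern_only=True)))
```

Start from the suite names the server's JVM actually supports, keep the legacy group only while clients that cannot negotiate AES-GCM are still in use, and apply the same selected list to the Connector in server.xml so the HTTP tunnel and the socket tunnel do not end up with different policies.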

...

The Compression setting can be administered through the Servoy Admin page, under Network Settings > SocketFactory.compress. Compression is turned on by default and should always be on. It should only be disabled when experiencing connection issues due to compression.

Running Smart Clients Behind a Proxy

In many scenarios there will be proxies between the Smart Client and the Application Server. Depending on the connection mode through which the Smart Client connects and the configuration of Java WebStart on the client machine, this will either be no issue at all, require some configuration, or not work.

...

The configuration of the HTTP tunnel can be altered by adding the relevant settings as system properties through the Servoy Admin page, under Servoy Server Home > Admin settings > system.properties. It's also possible to expose different configurations through Profiles.

...

The HTTP tunnel is already configured for the most reliable connectivity, so this does not require a Profile. A relevant Profile would be the performance Profile, which basically means enabling chunked mode by disabling 'closeRequestOnFlush':

Code Block (title: Best performance Profile)
system.property.com.sebster.tunnel.http.client.CLOSE_REQUEST_ON_FLUSH=false

...

If Kerberos authentication support is required, the following setting sets up the required authentication context within Servoy: system.property.servoy.usejaas=true. This setting can be applied through the Servoy Admin page, under Servoy Server Home > Admin settings > system.properties, or through a specific Profile.

...