
Hi everyone,

we have set up an ARIS10 installation at our university, with two tenants - one for the teaching staff and one to use in courses with students.

Recently I added an SSL certificate (from Let's Encrypt) to the ARIS Server. Browsers identify fine via https, starting the ARIS10 client for the default tenant works, but starting the clients (the jar files) for the teaching tenant or the course tenant presents an error message, saying that the SSL certificate is not trustworthy or missing in the JRE.

I specifically checked that the JRE (1.8.114) does accept "Let's Encrypt" certificates (signed by IdenTrust CA) and the default tenant does not show this error.

Unfortunately importing the server certificate itself into the JRE is not an option, since this would have to be rolled out all over campus. I would rather not use an SSL encryption in this case.

Thus, I wanted to ask:

1. Is it possible to fix the cert error for the remaining two tenants?

2. If 1 is not possible, is there some way to remove the SSL encryption for all tenants?

3. Because of EDIT3: Is it possible to change the connection URL in the client configuration for the tenants to use port 1080 instead of 443?

 

Attached is a screenshot of the error message and the protocol mentioned in the message. I did remove the URL for security reasons (the server is reachable from outside) but I will PM you the URL if you're willing to help.

Thank you in advance!

 

EDIT: I just wanted to add that, of course, I do have the server logs from the collectlogfile.sh available to provide them via a PM, for security reasons, again.

EDIT2: Importing the server cert into the JRE does not help for the failing tenants.

EDIT3: I'm further investigating the issue, finding the following: When I start the client with the configuration for the default tenant, which works fine, the URL from the ARISLauncher log (ARISLauncher_23.08.2017_12-46-56.log.txt) changes to port 1080 instead of 443 (resp. 1443). Once the client started, I can change the tenant in the settings and connect to the other tenants perfectly. So it would solve the issue if I could change the connection URL in the client configuration for the remaining tenants. Can this be done?

Thank you!

by Frank Weyand
Posted on Wed, 08/23/2017 - 15:05

Hi,

well, the certificate used is not imported into the client's JRE, that is what the log says.

According to what you wrote in edit3, I just think that for the default connection, you just do not use SSL. It would also fail if you used SSL for the default tenant.

You can define for every connection which port to use, and whether to use SSL or not. Just edit the connection, click on the button next to the server name and maintain connection data.

You do not need to import the whole SSL certificate but only the public key.

Bye,

Frank

0
by Daniel Braunnagel Author
Posted on Wed, 08/23/2017 - 15:58

In reply to by Frank Weyand

Hi Frank,

thank you for your response.

Is it possible to change the connection settings stored in a jar for the tenant? For the scenarios where the jars try to connect to the server on the :443 port, the client terminates before a user can change the connection settings. Opening the jar with a double click, it goes until "ARIS checks if updates are available, please wait" and then terminates. Thus the students would not be able to connect to the ARIS Server at all - unless they download the client from the default tenant and change all the settings by hand.

Or, if that's not possible, is there a way to revert the SSL enhancement completely?

 

Thanks,

Daniel

0
by Frank Weyand
Posted on Wed, 08/23/2017 - 16:54

Hi,

Just set the https port via reconfigure to 0 and the http port to something sensible. Since http is working and if you do not have a problem with that, sure. You can tell your students to connect with https and get a new JAR. If you connect to the download page with http, and the jar is updated.

"Let's Encrypt" certificates only work if the server is available on the Internet. Maybe this is the problem.

Bye,

Frank

0
by Daniel Braunnagel Author
Posted on Wed, 08/23/2017 - 17:39

Hi Frank,

thank you for the help. Setting reconfigure loadbalancer_m HTTPD.ssl.port=0 in ACC worked to turn off SSL.

The server is available in the internet (all computers on our campus have public IPs), and Let's Encrypt lists Java as compatible. So I'm a bit clueless. I will keep searching for a solution to use the cert and will update the post when I find one.

Thanks so far,

Daniel

0
