MAC SSL and FM + Tomcat

[jamesjames]

Hi.

Trying to figure something out and would like your some of your know how...

Im trying to get a Zulu seed code ical plugin to work with ssl, but the problems lays at my server, or in filmmaker. Its a osx lion with latest fm server build.

The problem is that my server is successfully running SSL on https://domain.com. When I use the plugin it uses FileMaker xml hosting to access the Ical server. But when I access FileMaker webpublish remotely the ssl is not being used. ( https://domain.com/zulu/ is the address where I need the ssl to function. )

From what I have gathered, FileMaker uses a tomcat / catalina server that works together with apache. But when I use it I get a error saying that it can't find the certificate. So I need to add the certificate to the FileMaker server, or possible to the tomcat folder that Zulu uses? The osx has already got a certificate for domain.com and I would guess it should cover domain.com/zulu as well, but I might be wrong?

\FileMaker Server\Web Publishing\publishing-engine\cwpe-tomcat\conf\Catalina

Has anyone any knowledge about this kind of stuff. I can't solve it and SeedCode is not helping since they claims the fault is at my side.

many thanks for reading..

[jamesjames]

Who knows. maybe it will help someone so here you go. The solution.

It works for me but took two days to solve since I haven't worked much with ssl and java before.

Error:

I can acces the https://mydomain.com/zulu/ without problems, but when I try to publish a calender with SSL I get this error:

-----------------------------------

Calendar Publishing Errorjava.sql.SQLException: Could not connect to database: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

-----------------------------------

Reason:

The Java 6 engine (used by tomcat that filemaker uses) on the osx lion cant find your ssl certificate. Java engine does not look for a certificate in the usual apache osx server keystore file. It uses its own keystore file called Cacerts. The location may vary depending on osx version. So when you connect, it cant find a certificate in the keystore file (keystore file is like a vaultwhere you can store certificates) because there is none. The solution is to import a proper signed certificate in to the Cacerts file so that it can be found by Filemaker and the Seecode.

Before you start:

1. Change filemaker seecode script (publish calander) to ssl: Yes and a correct server adress that correspond with your server certificate, yourdomain.com probably

2. Edit the zulu.xml according to ssl documents from seedcode. http://www.seedcode....n=Zulu.Security

By terminal its $Sudo nano FileMaker ServerWeb Publishingpublishing-enginecwpe-tomcatconfCatalinalocalhostzulu.xml

Solution:

1. Make sure you have a proper signed ssl certificate intsalled for web in server.app.

2. Export it from your keychain acces.app so that you get a file called something.cer

3. Start terminal.app

4. Run $ Sudo Keytool -import -alias yourdomain.com -file /example/folder/path/yourcertificate.cer -keystore /system/library/Java/Support/CoreDeploy.bundle/Contents/home/lib/security/Cacerts

5. Enter system password for the sudo command

6. Enter Cacerts password, default is: changeit

7. You will get a long text and a will you trust this question. Say yes.

8. It should say Certificate has been added to keystore-file

and your done.

Tips.

Sudo: gives acces as root

Keystore: File where you can store certificates

Nano: Text edit file in terminal

File paths: you can drag a file in to the terminal window to get a 100% correct adress

Alias: All certificates are called by an alias, you can choose whatever, but the same name as the certificate is good.

[Wim Decorte]

The tomcat web server that is built into FMS is not involved whatsoever in the web publishing. That's strictly Apache on OSX and IIS on Windows.

Tomcat only supports the internal admin server (and admin console) functionality of FMS. So you shouldn't touch it at all.