Publishing Web services encrypted by HTTPS


Both iServer and iEdge support publishing third-party Web services encrypted over HTTPS as WMS, WMTS, REST, and WFS service types, and the iServer Web Printing service supports printing Web services encrypted over HTTPS. iServer and iEdge encounter one of two situations when they publish and use HTTPS services as agents:

Scenario 1: The SSL certificate of the HTTPS server is authenticated by an authority

If the SSL certificate used by the HTTPS server is authenticated by an authority, the certificate needed to verify it (what this page calls the client certificate) is already built into Java, so the iServer and iEdge agents can publish and use third-party HTTPS services without any configuration.

Scenario 2: The SSL certificate of the HTTPS server is not authenticated by an authority

If the SSL certificate used by the HTTPS server is not authenticated by an authority, the client certificate that verifies the identity of this HTTPS server is missing from Java. It is therefore necessary to first generate a client certificate on the HTTPS server and then provide it to iServer and iEdge. In iServer (iEdge works the same way), import the client certificate correctly and fill in the HTTPS service address to publish and use third-party Web services encrypted with HTTPS.

Client certificate generation steps

  1. Set the JAVA environment variable on the HTTPS server, that is, add the bin directory of JDK to the system's PATH environment variable.
  2. Open a command line window anywhere on the HTTPS server, and enter the command to generate the server-side certificate, as shown in the following example:

keytool -genkey -alias tomcat -keyalg RSA -dname "cn=supermap.iserver.org,ou=localhost,o=localhost,l=china,st=sichuan,c=cn" -keystore D:\key.keystore

  3. Export the public key certificate by entering the following command in the command line window of the HTTPS server:

keytool -export -alias tomcat -keystore D:\key.keystore -rfc -file D:/supermap.cer

  4. Import the public key certificate to generate the client certificate: enter the following command in the command line window of the HTTPS server to generate the client certificate key.truststore for use by iServer.

keytool -import -alias tomcat -file D:/supermap.cer -keystore D:/key.truststore

Client certificate configuration method

On the iServer server, modify the catalina.bat file under the %SuperMap iServer_HOME%/bin directory to add the client certificate (key.truststore) to iServer so that it can authenticate the HTTPS server. The specific changes are as follows:

Before modification, it is as follows:

set JAVA_OPTS=%JAVA_OPTS% -Xms256m -Xmx1536m -XX:MaxPermSize=192m -Xss512k

After modification, it is as follows:

set JAVA_OPTS=%JAVA_OPTS% -Xms256m -Xmx512m -XX:MaxPermSize=192m -Xss512k -Djavax.net.ssl.trustStore=D:/key.truststore -Djavax.net.ssl.trustStoreType=JKS -Djavax.net.ssl.trustStorePassword=123456

How to fill in HTTPS service address

When filling in the HTTPS service address to be forwarded in iServer and iEdge, the address should use the domain name of the HTTPS server rather than its IP address, for example https://supermap.iserver.org:8443/iserver/services/map-china400/rest. Java checks the host name in the address against the name in the server certificate, which in the example above is cn=supermap.iserver.org.
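
One way to confirm, before restarting iServer, that key.truststore lets a JVM authenticate the HTTPS server at the domain-name address. This is an added example, not SuperMap's own code: the class name TrustStoreCheck is hypothetical, and the default path, password and URL are the sample values used on this page.

```java
import java.io.FileInputStream;
import java.net.URI;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example (hypothetical class): verifies the truststore against the live server.
public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        // Defaults are the sample values from this page; override them as arguments.
        String storePath = args.length > 0 ? args[0] : "D:/key.truststore";
        char[] storePass = (args.length > 1 ? args[1] : "123456").toCharArray();
        String serviceUrl = args.length > 2 ? args[2]
                : "https://supermap.iserver.org:8443/iserver/services/map-china400/rest";

        // Load the JKS truststore produced by the keytool import step.
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(storePath)) {
            trustStore.load(in, storePass);
        }
        System.out.println("Entries in truststore: " + trustStore.size());

        // Trust only the certificates in that file, not the JDK's built-in CA set.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        // The default host name verifier stays enabled, so an address whose host
        // does not match the certificate fails here just as it would in iServer.
        HttpsURLConnection conn =
                (HttpsURLConnection) URI.create(serviceUrl).toURL().openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setConnectTimeout(5000);
        conn.connect(); // throws an SSL exception if the chain or host name check fails

        // Print the server certificate so it can be compared with supermap.cer.
        X509Certificate leaf = (X509Certificate) conn.getServerCertificates()[0];
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(leaf.getEncoded());
        StringBuilder fp = new StringBuilder();
        for (byte b : digest) fp.append(String.format("%02X:", b));
        System.out.println("Subject: " + leaf.getSubjectX500Principal().getName());
        System.out.println("SHA-256: " + fp.substring(0, fp.length() - 1));
        conn.disconnect();
    }
}
```

The printed SHA-256 value can be compared with the fingerprint that `keytool -printcert -file D:/supermap.cer` reports for the exported certificate.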