By default, the Express Server Manager and ExpressZip applications run on HTTPS and HTTP. However, the internal communication between the LizardTech Express Server Tomcat service and the image server uses HTTP. If the web server has been configured to refuse HTTP connections, you can configure the Express Server to use HTTPS exclusively.
Both the Express Server Manager and ExpressZip applications are hosted by the LizardTech Express Server Tomcat service, which is a web server and servlet container for web applications. To prevent users from accessing the applications via HTTP, configure Tomcat to use HTTPS only, then configure the Express Server Manager and ExpressZip to use HTTPS.
Complete the following steps to disable HTTP access for Tomcat:
Open the following file in a text editor with administrator or root permissions:
<Installation Directory>\ImageServer\Tomcat\conf\server.xml
Delete or comment out the following lines:
<Connector port="8080" protocol="org.apache.coyote.http11.Http11NioProtocol"
connectionTimeout="20000"
redirectPort="8443" />
When you perform a task in the Express Server Manager, the Tomcat service communicates internally with the image server. Because the communication is internal and therefore assumed to be secure, Express Server uses HTTP instead of HTTPS. However, if you want to use HTTPS instead, you can modify the ExpressServerAdmin.properties file and configure Express Server to use a copy of the web server's SSL certificate. The SSL certificate must be saved in base64 encoding with the following file name:
ca-bundle.crt
For more information on the SSL certificate, refer to your web server's documentation.
TIP: Most web browsers provide a utility for exporting the certificate used by a web page to base64 encoding. If you cannot export a copy of the certificate from the web server, you may navigate to the web page for your server and attempt to export the certificate with the browser.
To use HTTPS only, complete the following steps:
Open the following file in a text editor with administrator or root permissions:
<Installation Directory>\ImageServer\Tomcat\conf\ExpressServerAdmin.properties
Edit the value of the esapibase line to use HTTPS. For example, you might enter the following line:
esapibase=https://localhost/lizardtech/iserv/ows
Edit the value of the sslstrictness property or add it to the file.
The sslstrictness property accepts the following values:
strict. Tomcat communicates with the image server via HTTPS and only accepts SSL certificates that have been signed by a trusted certificate authority.
noverify. Tomcat communicates with the image server via HTTPS and accepts both self-signed certificates and certificates that have been signed by a trusted certificate authority.
none. Tomcat communicates with the image server via HTTP.
For example, you might enter the following line:
sslstrictness=noverify
Place a copy of the SSL certificate used by the web server for HTTPS in the following location:
<Installation Directory>\ImageServer\etc\
NOTE: For Express Server to read the certificate, the certificate must be named ca-bundle.crt and saved in base64 encoding.
The ExpressZip application is a client that connects to the Express Server. If you have configured the web server to use HTTPS only, you can modify the ExpressZip.properties file and configure Express Server to use a copy of the web server's SSL certificate. The SSL certificate must be saved in base64 encoding. For more information on the SSL certificate, refer to your web server's documentation.
TIP: Most web browsers provide a utility for exporting the certificate used by a web page to base64 encoding. If you cannot export a copy of the certificate from the web server, you may navigate to the web page for your server and attempt to export the certificate with the browser.
To use HTTPS only for ExpressZip, complete the following steps:
Open the following file in a text editor with administrator or root permissions:
<Installation Directory>\ImageServer\Tomcat\conf\ExpressZip.properties
Edit the value of the wmshost line to use HTTPS. For example, you might enter the following line:
wmshost=https://local-express-server/lizardtech/iserv/ows
Edit the value of the sslstrictness property or add it if it does not exist. The sslstrictness property accepts the following values:
strict. ExpressZip connects to the Express Server WMS host via HTTPS and only accepts SSL certificates that have been signed by a trusted certificate authority.
noverify. ExpressZip connects to the Express Server WMS host via HTTPS and accepts both self-signed certificates and certificates that have been signed by a trusted certificate authority.
none. ExpressZip connects to the Express Server via HTTP.
For example, you might enter the following line:
sslstrictness=none
Save the file.
Place a copy of the SSL certificate used by the web server for HTTPS in the following directory:
<Installation Directory>\ImageServer\etc\
NOTE: For Express Server to read the certificate, the certificate must be named ca-bundle.crt and saved in base64 encoding.
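The following check covers the three procedures above (the Tomcat connector, the properties file for each application, and the ca-bundle.crt format) and reports anything that still permits HTTP or unverified certificates. It is an added example, not LizardTech code. Assumptions: the names audit and parse_props are hypothetical, the SSLEnabled="true" connector and the PEM body are constructed sample input, and any non-AJP Connector without SSLEnabled="true" is treated as plain HTTP.

```python
import base64
import re
import xml.etree.ElementTree as ET

def parse_props(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            props[key.strip()] = value.strip()
    return props

def audit(server_xml, props_text, url_key, cert_text):
    """Return findings for one application; an empty list means HTTPS only."""
    findings = []
    # ElementTree drops XML comments, so a commented-out Connector is not seen.
    for conn in ET.fromstring(server_xml).iter("Connector"):
        is_ajp = conn.get("protocol", "").upper().startswith("AJP")
        if not is_ajp and conn.get("SSLEnabled", "false").lower() != "true":
            findings.append("server.xml: HTTP connector on port " + conn.get("port", "?"))
    props = parse_props(props_text)
    if not props.get(url_key, "").lower().startswith("https://"):
        findings.append(url_key + " is not an https:// URL")
    mode = props.get("sslstrictness")
    if mode not in ("strict", "noverify"):
        findings.append("sslstrictness=%s does not select HTTPS" % mode)
    elif mode == "noverify":
        findings.append("sslstrictness=noverify accepts self-signed certificates")
    # ca-bundle.crt must be base64 (PEM) text, not a binary DER export.
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                  cert_text, re.S)
    try:
        der = base64.b64decode("".join(m.group(1).split()), validate=True) if m else b""
    except ValueError:
        der = b""
    if not der.startswith(b"\x30"):  # DER certificates start with a SEQUENCE tag
        findings.append("ca-bundle.crt is not a base64-encoded certificate")
    return findings

# Constructed sample input: HTTP connector commented out, placeholder PEM body.
SERVER_XML = """<Server><Service name="Catalina">
<!-- <Connector port="8080" protocol="org.apache.coyote.http11.Http11NioProtocol" /> -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" />
</Service></Server>"""
PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
PROPS = "esapibase=https://localhost/lizardtech/iserv/ows\nsslstrictness=noverify\n"
print(audit(SERVER_XML, PROPS, "esapibase", PEM))
```

Call audit once with "esapibase" and the contents of ExpressServerAdmin.properties, and once with "wmshost" and the contents of ExpressZip.properties.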