
Running Sage Webserver with SSL (https)

It is technically possible to run the Sage Webserver in secure mode, using SSL encryption. This will mean that all page requests and responses will be encrypted.

The benefits of this are that

  • your workplace will not know what you are doing from looking at the web proxy logs
    -- they will only see the hostname of the webserver, not the content
  • your webserver username and password will be encrypted
    -- normally the username and password are not encrypted, so anyone with the power to sniff the network, or log the page requests, can retrieve your Sage username and password.

Note that running SSL does not magically make your system more secure from hacker attacks.

If you are worried about this sort of thing, please read on...

Create an SSL certificate

Using the keytool included in Java 1.4, you can generate an unsigned (self-signed) certificate using a command like:

keytool -genkey -keyalg RSA -keypass 123456 -storepass 123456 -validity 900

Note: keytool can be found in C:\Program Files\Java\j2re1.4.xx\bin\

Below is a list of keytool arguments and their descriptions:

-genkey       (Tells the keytool to generate a new key.)
-keyalg       (Specifies the encryption algorithm to use for the key.)
-keypass      (This is the password for the key that is being generated.)
-storepass    (This is the password used to control access to the keystore file.)
-validity     (The number of days for which the certificate is valid.)

An unsigned (self-signed) certificate means that your browser will normally warn you that it cannot verify the certificate when it visits the pages. However, the pages will still be encrypted.

More detail can be found in the keytool documentation, for example if you need a certificate that has been signed by an appropriate authority.

Tomcat's how-to for SSL can be useful also.

Enabling SSL in the Sage Webserver

Shut down SageTV or the SageTV Service

Set the property nielm/webserver/use_ssl=true

Set the property nielm/webserver/port=8443

Set the property nielm/webserver/ssl_args= with arguments from the following list

-keystoreFile (default %HOME%/.keystore)
-keystorePass (default 123456)
-keystoreType (default JKS)
-algorithm  (default SunX509)
-clientAuth (default false)
-port (default 8443)
-protocol (default TLS)
-backlog (default 1000)
-ifaddress (default none)

If you used the command line above, you can just accept the defaults. Otherwise, you would normally only need to set -keystoreFile and -keystorePass to allow the Sage Webserver to use the keys in your keystore.

Note: Setting the port number in both "nielm/webserver/port=" and "nielm/webserver/ssl_args=" can cause the webserver to not respond. Try to just set the port using the "nielm/webserver/port=" line when using SSL.

Also, check to see that the .keystore file is actually created in the HOME directory. The HOME directory in a Windows 2k/XP environment is typically located in "C:\documents and settings\USERNAME", where USERNAME is the name of the account you are signed on as. If the file is not there, either move the .keystore file to the home directory or change the -keystoreFile argument.

Restart SageTV or the SageTV service...

Test your newly secured webserver using: https://localhost:8443/sage/Home

Firefox users: Go into Tools-->Options-->Advanced-->Security and make sure that TLS 1.0 and at least one of the SSL protocols is checked (either SSL 2.0 or SSL 3.0 or both).
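
A check to run over the property settings above before restarting, written as an added example (it is not part of the original page or of the webserver's own code): it flags the port being set in both places, a missing keystore file, and the default 123456 keystore password. It assumes ssl_args holds space-separated "-name value" pairs; the function names and finding codes are made up for this example.

```python
import os

# Argument names accepted in nielm/webserver/ssl_args, as listed on this page.
SSL_ARG_NAMES = {"-keystoreFile", "-keystorePass", "-keystoreType", "-algorithm",
                 "-clientAuth", "-port", "-protocol", "-backlog", "-ifaddress"}
DEFAULT_PASS = "123456"  # default -keystorePass given on this page

def parse_properties(text):
    # key=value lines; lines without "=" and "#" comment lines are skipped.
    pairs = (line.strip().partition("=") for line in text.splitlines()
             if "=" in line and not line.strip().startswith("#"))
    return {key.strip(): value.strip() for key, _, value in pairs}

def parse_ssl_args(value):
    # Assumed format: "-name value" pairs separated by spaces. Words after a
    # name are joined back together, so paths containing spaces survive.
    args, current = {}, None
    for word in value.split():
        if word in SSL_ARG_NAMES:
            current = word
            args[current] = ""
        elif current is not None:
            args[current] = (args[current] + " " + word).strip()
    return args

def check_config(text, home, exists=os.path.exists):
    """Return (code, message) findings for the pitfalls this page describes."""
    props = parse_properties(text)
    args = parse_ssl_args(props.get("nielm/webserver/ssl_args", ""))
    findings = []
    if props.get("nielm/webserver/use_ssl", "").lower() != "true":
        findings.append(("NO_SSL", "use_ssl is not true, so SSL is off"))
    if "-port" in args and "nielm/webserver/port" in props:
        findings.append(("PORT_TWICE", "port set in both port= and ssl_args="))
    keystore = args.get("-keystoreFile") or os.path.join(home, ".keystore")
    if not exists(keystore):
        findings.append(("NO_KEYSTORE", "keystore not found: " + keystore))
    if (args.get("-keystorePass") or DEFAULT_PASS) == DEFAULT_PASS:
        findings.append(("DEFAULT_PASS", "keystore password is the default"))
    return findings

# Constructed sample settings (not taken from a real installation).
SAMPLE = ("nielm/webserver/use_ssl=true\n"
          "nielm/webserver/port=8443\n"
          "nielm/webserver/ssl_args=-keystoreFile C:/Documents and Settings/me/.keystore -port 8443\n")

if __name__ == "__main__":
    print(check_config(SAMPLE, home="C:/Documents and Settings/me"))
```

Pass check_config the text of the file in which you set the nielm/webserver properties and the HOME directory of the account that runs SageTV; an empty list means none of these pitfalls were found.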