How to Set Up SSL for codebeamer
How to create keystore for Tomcat
Replace the paths and the key names (the values between '<...>' characters) with your own; they may differ depending on the certificates available.
- openssl pkcs12 -export -in sslcert/star.codebeamer.com/STAR_codebeamer_com.crt -inkey sslcert/star.codebeamer.com/codebeamer.com.key -out cb.pem -name codebeamer
- keytool -importkeystore -deststorepass <password> -destkeypass <password> -destkeystore keystore.p12 -srckeystore cb.pem -srcstoretype PKCS12 -srcstorepass <password> -alias codebeamer -noprompt
- keytool -importkeystore -srckeystore keystore.p12 -destkeystore keystore.p12 -deststoretype pkcs12
- keytool -import -trustcacerts -alias AddTrustExternalCARoot -file sslcert/star.codebeamer.com/AddTrustExternalCARoot.crt -keystore keystore.p12
- keytool -import -trustcacerts -alias USERTrustRSAAddTrustCA -file sslcert/star.codebeamer.com/USERTrustRSAAddTrustCA.crt -keystore keystore.p12
- keytool -import -trustcacerts -alias SectigoRSADomainValidationSecureServerCA -file sslcert/star.codebeamer.com/SectigoRSADomainValidationSecureServerCA.crt -keystore keystore.p12
How to Set Up SSL with Docker
Environment Variables
TOMCAT_CONNECTOR_KEYSTORE_FILE
Absolute path of the keystore file, e.g. /home/appuser/ssl/keystore.p12.
The keystore file stores the server's private key and self-signed certificate, which are needed to establish SSL connections. For more information about Tomcat's SSL protocols, see: Apache Tomcat - Introduction to SSL.
TOMCAT_CONNECTOR_KEYSTORE_PASS
Password of the keystore file.
The keystore.p12 file is password protected. In case it needs to be edited, this variable stores the password required to open the file.
TOMCAT_CONNECTOR_USE_SERVER_CIPHER_SUITES_ORDER
Set to true to enforce the server's cipher order (from the ciphers setting) instead of allowing the client to choose the cipher.
The default value is true.
The use of this feature requires Java 8 or newer.
TOMCAT_CONNECTOR_CIPHERS
Comma-separated list of ciphers.
Default value is:
TLS_AES_256_GCM_SHA384,
TLS_CHACHA20_POLY1305_SHA256,
TLS_AES_128_GCM_SHA256,
TLS_AES_128_CCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
TLS_DHE_RSA_WITH_AES_256_CCM_8,
TLS_DHE_RSA_WITH_AES_256_CCM,
TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384,
TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_128_CCM_8,
TLS_DHE_RSA_WITH_AES_128_CCM,
TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256,
TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256
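A check to run before overriding TOMCAT_CONNECTOR_CIPHERS, added here as an example (it is not codebeamer or Intland code): it flags suites in a candidate value that lack forward secrecy or AEAD encryption, using the default list above as the baseline. It assumes IANA/JSSE-style suite names as in that list; the function names and the sample override value are constructed for illustration.

```python
import re

# Default TOMCAT_CONNECTOR_CIPHERS value, copied from the list on this page.
DEFAULT_CIPHERS = """
TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256,
TLS_AES_128_CCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_DHE_RSA_WITH_AES_256_CCM_8,
TLS_DHE_RSA_WITH_AES_256_CCM, TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384,
TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_CCM_8,
TLS_DHE_RSA_WITH_AES_128_CCM, TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256,
TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256
"""
AEAD_TOKENS = ("_GCM", "_CCM", "POLY1305")
WEAK_TOKENS = ("NULL", "EXPORT", "RC4", "DES", "MD5", "anon")

def audit_suite(name):
    """Return findings for one suite name; an empty list means nothing to flag."""
    if not re.fullmatch(r"TLS_[A-Za-z0-9_]+", name):
        return ["unrecognised name format (not checked)"]
    findings = []
    kx, sep, enc = name[4:].partition("_WITH_")
    if sep:  # TLS 1.2 and earlier: the key exchange is part of the name
        if not kx.startswith(("ECDHE_", "DHE_")):
            findings.append("no forward secrecy (key exchange " + kx + ")")
    else:    # TLS 1.3 suites name only the cipher and hash
        enc = kx
    if not any(t in enc for t in AEAD_TOKENS):
        findings.append("not an AEAD cipher")
    return findings + ["weak primitive " + t for t in WEAK_TOKENS if t in name]

def audit_cipher_list(value):
    """Audit a comma-separated TOMCAT_CONNECTOR_CIPHERS value."""
    names = [n.strip() for n in value.split(",") if n.strip()]
    report = {"findings": {}, "duplicates": [], "uses_dhe": False}
    for i, n in enumerate(names):
        if n in names[:i]:
            report["duplicates"].append(n)
        if audit_suite(n):
            report["findings"][n] = audit_suite(n)
        # DHE suites are the ones affected by -Djdk.tls.ephemeralDHKeySize
        report["uses_dhe"] |= n.startswith("TLS_DHE_")
    return report

if __name__ == "__main__":
    # Constructed override value: one default suite plus two legacy suites.
    sample = "TLS_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA"
    for suite, why in audit_cipher_list(sample)["findings"].items():
        print(suite, "->", "; ".join(why))
```

The `uses_dhe` flag indicates whether the list contains DHE suites, which is when the `-Djdk.tls.ephemeralDHKeySize=2048` setting in `JVM_OPTIONS` comes into play.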
Docker Compose
# Copyright by Intland Software, https://www.intland.com
#
# All rights reserved.
#
# Please note that if you change this docker file, we do not take any responsibility and we are not liable for
# any damage caused through use of this image, be it indirect, special, incidental
# or consequential damages (including but not limited to damages for loss of business, loss of profits, interruption or the like).
version: '2.1'
services:
  codebeamer-db:
    image: intland/mysql:debian-8.0.23-utf8mb4
    environment:
      - MYSQL_USER=user
      - MYSQL_PASSWORD=pass
      - MYSQL_DATABASE=codebeamer
      - MYSQL_ROOT_PASSWORD=password
      - MYSQL_MAX_ALLOWED_PACKET=1024M
      - MYSQL_INNODB_BUFFER_POOL_SIZE=1G
      - MYSQL_INNODB_LOG_FILE_SIZE=256M
      - MYSQL_INNODB_LOG_BUFFER_SIZE=256M
    volumes:
      - codebeamer-db-data:/var/lib/mysql
  codebeamer-app:
    image: intland/codebeamer:21.09-lts
    ports:
      - 9000:8090
    environment:
      - WAIT_HOSTS=container-mysql:3306
      - WAIT_HOSTS_TIMEOUT=120
      - CB_database_JDBC_Username=user
      - CB_database_JDBC_Password=pass
      - CB_database_JDBC_Driver=com.mysql.jdbc.Driver
      - CB_database_JDBC_ConnectionURL=jdbc:mysql://container-mysql:3306/codebeamer?autoReconnect=true&zeroDateTimeBehavior=convertToNull&emulateLocators=true&characterEncoding=UTF-8&useSSL=false
      - CB_database_JDBC_Timeout=120
      - TOMCAT_CONNECTOR_KEYSTORE_FILE=/home/appuser/ssl/keystore.p12
      - TOMCAT_CONNECTOR_KEYSTORE_PASS=<keystore password>
      - JVM_OPTIONS= -Djdk.tls.ephemeralDHKeySize=2048
    volumes:
      - ./ssl/keystore.p12:/home/appuser/ssl/keystore.p12
      - codebeamer-app-logo:/home/appuser/codebeamer/repository/config/logo
      - codebeamer-app-repository-docs:/home/appuser/codebeamer/repository/docs
      - codebeamer-app-repository-search:/home/appuser/codebeamer/repository/search
      - codebeamer-app-logs:/home/appuser/codebeamer/logs
      - codebeamer-app-tmp:/home/appuser/codebeamer/tomcat/tmp
    links:
      - codebeamer-db:container-mysql
volumes:
  codebeamer-db-data:
  codebeamer-app-logo:
  codebeamer-app-repository-docs:
  codebeamer-app-repository-search:
  codebeamer-app-logs:
  codebeamer-app-tmp:
Server.xml for HTTPS
Editing the server.xml file is only relevant when running a non-dockerized codebeamer instance. In case of using Docker Compose, the server.xml file is automatically generated upon running the docker compose command, and no modification is required from the user.