To enable a secure connection to the Diyotta user interface, follow the steps below. Once the setup is complete, the Diyotta URL must use https instead of http. HTTPS verifies the identity of the website or web service before connecting and encrypts all information exchanged between the service and the user interface. The protected information includes cookies, user-agent details, URL paths, form submissions and query-string parameters; HTTPS prevents all of it from being read or changed in transit.

Step I: Generate a valid SSL certificate.

An SSL certificate is the main requirement for enabling HTTPS/SSL on the Controller URL. If the certificate is not issued by a CA that the browser trusts, the Diyotta URL will show an "Invalid SSL Certificate" error. The certificate must be available in Java keystore (JKS) format.

Once the certificate file is available, place it on the Diyotta Controller installation server and make sure the user under which the Controller is installed can read it. Also make sure you have the keystore password that was assigned when the certificate was created.

Step II: Configure the Controller to enable SSL

You can configure the Controller to enable SSL in either of the two ways below. In both cases the change is made in the Tomcat configuration under the Diyotta installation, in the file ${DIYOTTA_HOME}/controller/server/tomcat/conf/server.xml.

Option I: Enable SSL on the startup port used for login.

  • In this method, the existing configuration for the startup port is disabled and a new configuration using https is added in its place.
  • In server.xml, search for the section below.

<Connector port="${port.startup}" protocol="HTTP/1.1" connectionTimeout="20000"
           maxThreads="200"
           minSpareThreads="25"
           enableLookups="false"
           acceptCount="100"
           disableUploadTimeout="true" compression="on" compressionMinSize="1024"
           noCompressionUserAgents="gozilla, traviata" compressableMimeType="application/json"/>

  • Comment out the section above by enclosing it within <!-- and -->.

<!--
<Connector port="${port.startup}" protocol="HTTP/1.1" connectionTimeout="20000"
           maxThreads="200"
           minSpareThreads="25"
           enableLookups="false"
           acceptCount="100"
           disableUploadTimeout="true" compression="on" compressionMinSize="1024"
           noCompressionUserAgents="gozilla, traviata" compressableMimeType="application/json"/>
-->

  • Next, add the following content below the commented section.

<Connector port="${port.startup}"
           maxThreads="200"
           scheme="https"
           secure="true"
           SSLEnabled="true"
           keystoreFile="<JKS File with fully qualified path>"
           keystorePass="<keystore file password>"
           clientAuth="false"
           sslProtocol="TLS"/>

  • Once SSL is enabled with this option, the Diyotta URL will be https://<controller server ip/hostname>:<startup port>

Option II: Enable SSL on a different port

  • Use this option if you want to keep the assigned startup port untouched and enable SSL on a separate port.
  • In server.xml, search for the section below.

<Connector port="${port.startup}" protocol="HTTP/1.1" connectionTimeout="20000"
           maxThreads="200"
           minSpareThreads="25"
           enableLookups="false"
           acceptCount="100"
           disableUploadTimeout="true" compression="on" compressionMinSize="1024"
           noCompressionUserAgents="gozilla, traviata" compressableMimeType="application/json"/>

  • Next, add the following content directly below it.

<Connector port="<four digit port number>"
           maxThreads="200"
           scheme="https"
           secure="true"
           SSLEnabled="true"
           keystoreFile="<JKS File with fully qualified path>"
           keystorePass="<keystore file password>"
           clientAuth="false"
           sslProtocol="TLS"/>

  • Once SSL is enabled with this option, the Diyotta URL will be https://<controller server ip/hostname>:<assigned connector port>
  • You can then disable access to the default startup port so that users cannot reach the default Diyotta URL over http.
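A small check for the result of either option, added here as an example and not part of Diyotta's own tooling: it parses server.xml the way Tomcat does (commented-out connectors are skipped) and reports the mistakes these steps invite, namely a misspelled SSLEnabled attribute, a missing keystore setting, and a plaintext connector left active on the startup port. The server.xml samples are constructed and the paths in them are placeholders.

```python
import xml.etree.ElementTree as ET

# Attributes the guide sets on the HTTPS connector in both Option I and II.
REQUIRED = {"SSLEnabled": "true", "scheme": "https", "secure": "true"}

def check_connectors(server_xml: str) -> dict:
    """Map each active <Connector> port to its list of problems (empty = OK).

    Connectors wrapped in <!-- --> are skipped, as Tomcat skips them.
    """
    root = ET.fromstring(server_xml)
    report = {}
    for conn in root.iter("Connector"):
        attrs, problems = conn.attrib, []
        looks_tls = (attrs.get("scheme") == "https" or "keystoreFile" in attrs
                     or any(k.lower() == "sslenabled" for k in attrs))
        if not looks_tls:
            # Option II leaves this open unless the startup port is disabled.
            problems.append("plaintext HTTP connector still active")
        else:
            for key, want in REQUIRED.items():
                if attrs.get(key) != want:
                    # Tomcat only logs a warning for an unknown attribute, so a
                    # typo such as SLEnabled="true" serves plain HTTP on an https URL.
                    problems.append(f'{key}="{want}" missing or misspelled')
            for key in ("keystoreFile", "keystorePass"):
                if not attrs.get(key):
                    problems.append(f"{key} not set")
        report[attrs.get("port", "?")] = problems
    return report

# Constructed samples: Option I done correctly, and Option II with a typo.
OPTION1_OK = """<Server><Service>
  <!-- <Connector port="${port.startup}" protocol="HTTP/1.1"/> -->
  <Connector port="${port.startup}" maxThreads="200" scheme="https" secure="true"
    SSLEnabled="true" keystoreFile="/opt/diyotta/certs/controller.jks"
    keystorePass="changeit" clientAuth="false" sslProtocol="TLS"/>
</Service></Server>"""

OPTION2_TYPO = """<Server><Service>
  <Connector port="${port.startup}" protocol="HTTP/1.1" connectionTimeout="20000"/>
  <Connector port="8443" scheme="https" secure="true" SLEnabled="true"
    keystoreFile="/opt/diyotta/certs/controller.jks" keystorePass="changeit"/>
</Service></Server>"""

if __name__ == "__main__":
    for name, xml in (("Option I", OPTION1_OK), ("Option II", OPTION2_TYPO)):
        print(name, check_connectors(xml))
```

Run it against the real file with check_connectors(open(path).read()); note that the angle-bracket placeholders in the snippets above are not valid XML attribute values, so they must be replaced before Tomcat (or this check) can parse the file.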

Step III: Update the CLI configuration to reflect the change in connectivity protocol

The CLI configuration file ${DIYOTTA_HOME}/controller/conf/dicmd.config must be modified so that CLI connections use https and the certificate. The following fields need to be updated in the file.

  • dicmd.contoller.protocol: The protocol used to connect. The default is http; change it to https once SSL is enabled.
  • dicmd.controller.host: Hostname or IP address of the server where the Controller is installed.
  • dicmd.controller.port: The startup port assigned during Controller installation.
  • dicmd.trustStore: The JKS file with its fully qualified path.
  • dicmd.trustStorePassword: The password assigned when the keystore file was created.

Step IV: Restart the Controller

After configuring SSL using one of the options above, restart the Controller: stop the Controller application and then start it again.

To stop the Controller, refer to the page Stopping Diyotta Controller

To start the Controller, refer to the page Starting Diyotta Controller