
White Paper

Enabling Secure Socket Layer for ENOVIA and AutoVue (On V6R2013x)

3DS.COM © Dassault Systèmes

Version 1.0 - 2/27/2014

Written by Rushiraj K.
Validated by Sushma C.
Edited by Véronique LECOEUR

Executive Summary
SSL (Secure Socket Layer) is a technology for establishing an encrypted link
between a server and a client, typically a web server (website) and a browser.
Industries can establish secure communication for web-based visualization
products such as AutoVue, which is used to view, digitally annotate and
collaborate on technical and business documents that are stored in and
retrieved from the ENOVIA web-based application.

The target audience of this White Paper is beginners and administrators who
want to understand the concept of the Secure Socket Layer, the need for it and
its implementation. It gives an overview of the SSL concept and of configuring
SSL on a Tomcat server, which secures the data exchange over the web for
ENOVIA and AutoVue.


Contents
1. Introduction to SSL
1.1. How SSL Works
1.2. How does the SSL Certificate Create a Secure Connection
2. Configuring SSL for ENOVIA
2.1. Pre-Requisites
2.2. Configuring SSL With a Tomcat Server on Windows
2.3. Configuring Settings on FCS Server
3. Configuring SSL for VueServlet
3.1. SSL Between AutoVue Client and the VueServlet
3.2. SSL Between the VueServlet and the AutoVue Server
4. Summary
5. Bibliography

1. Introduction to SSL
SSL (Secure Sockets Layer) is a security technology for establishing an encrypted link
between a server and a client, combining data encryption with certificate-based
authentication. The main purpose of the SSL protocol is to guarantee that no one can
tamper with the communication between a client and the server on which the web
application is deployed, e.g. usernames and passwords or credit card information on
e-commerce web sites.

SSL protects sensitive information as it travels across the web. The sensitive
information is sent across the internet encrypted, so that only the intended recipient
can read it. In addition to encryption, SSL provides authentication: the user can be
sure that the information is being sent to the right server. SSL thus maintains
confidentiality, message integrity and authentication.



1.1. How does SSL Work
All browsers can interact with secured web servers using the SSL protocol.
However, the browser and the server need what is called an SSL Certificate to
establish a secure connection.

SSL Certificates have a key pair: a public and a private key. These keys work together to
establish an encrypted connection. The certificate also contains basic information about the
site to which it belongs, such as the domain name, owner name and company name.

Once the server's SSL Certificate is trusted by the browser on the client machine, the
client trusts that organization's identity too. The browser lets the user know that the
website is secure, and the user can feel safe browsing the site and even entering
confidential information.

Figure 1: Secured https URL


1.2. How does an SSL certificate create a secure connection


A. Browser connects to a web server (website) secured with SSL (https). Browser
requests that the server identify itself.
B. Server sends a copy of its SSL Certificate, including the server’s public key.
C. Browser checks the certificate root against a list of trusted CAs and that the
certificate is unexpired, unrevoked, and that its common name is valid for the website
that it is connecting to. If the browser trusts the certificate, it creates, encrypts, and
sends back a symmetric session key using the server’s public key.
D. Server decrypts the symmetric session key using its private key and sends back an
acknowledgement encrypted with the session key to start the encrypted session.
E. Server and Browser now encrypt all transmitted data with the session key.

For more information on keys and certificates, see
http://www.tldp.org/HOWTO/SSL-Certificates-HOWTO/x64.html


Figure 2: Handshaking between Web Browser and Web Server

2. Configuring SSL for ENOVIA


The ENOVIA V6 architecture supports secure socket layer communication between the Live
Collaboration Server and any FCS, as well as between two FCS.
This paper takes as its example an SSL configuration with Tomcat on a Windows Server
machine for ENOVIA V6R2013x and AutoVue 20.2.


2.1. Pre-Requisites
Before starting the configuration, a few check points have to be met. These
pre-requisites help avoid errors at a later stage of the procedure.
a. Java 1.5 or higher must be installed on the server machine.
b. Java has been added to the "PATH" variable.
c. The path JAVA_HOME/jre/lib/security/ has been added to the "CLASSPATH"
variable. If "CLASSPATH" does not exist, it should be created in the environment
variables.
d. A supported level of Apache Tomcat has been installed on the server.
e. The CATALINA_HOME environment variable has been set to the appropriate Catalina
home directory.
Example: CATALINA_HOME = F:\V6Stacks\V6R2013x_SSL\apache-tomcat-6.0.32

2.2. Configuring SSL with a Tomcat Server on Windows


Once the pre-requisites are met, we can proceed with configuring the SSL setup for the
Tomcat server on the Windows machine.



On certain operating systems (OS), because of OS security, the command prompt must be run
as administrator. To do so, go to the OS_Install_Drive:\Windows\system32\ directory, search
for cmd.exe, right-click cmd.exe and select Run as administrator.

a. Open the command prompt as administrator as mentioned above.


b. In this step, a certificate needs to be generated for SSL. To generate it, change the
directory in the cmd window to JAVA_HOME\bin\, where the keytool executable is located,
and run the following command (on one line):
> keytool -genkey -alias <tomcat> -keyalg RSA -validity 360 -dname "CN=<servername>,o=3DPLM,ou=DECQE,l=Pune,s=MH,c=IN" -keystore <CATALINA_Install_Directory>\.keystore

The CN must be the full computer name that clients will use in the https URL (see step f),
because browsers check that the certificate's common name matches the site they are
connecting to (section 1.2, step C).

When prompted, specify a password (e.g. changeit) and note it. Keep the store password
and the key password the same.
c. On successful execution of the keytool command, a file named .keystore is created in
the CATALINA_HOME directory. Verify that the .keystore file has been created there.
d. The next step is to enable the SSL setting in Apache Tomcat. To do so, change to the
CATALINA_HOME\conf\ directory, open the server.xml file in a text editor and search for
the string scheme="https". Uncomment the definition of the SSL connector on the port that
has scheme="https" as an attribute and update the definition as follows:

<Connector protocol="org.apache.coyote.http11.Http11Protocol" port="8443"
           minSpareThreads="5" maxSpareThreads="75" enableLookups="true"
           disableUploadTimeout="true" acceptCount="100" maxThreads="200" scheme="https"
           secure="true" SSLEnabled="true" sslProtocol="TLS"
           keystoreFile="CATALINA_HOME\.keystore" keystorePass="changeit"
           clientAuth="false"/>

Note: The value of keystorePass in the above descriptor must be the password specified in
step b, and CATALINA_HOME in keystoreFile stands for the actual Tomcat home path from the
pre-requisites (e.g. F:\V6Stacks\V6R2013x_SSL\apache-tomcat-6.0.32\.keystore). Since
server.xml now holds the keystore password in clear text, restrict read access to the conf
directory to the account that runs Tomcat.
e. Start the Tomcat server.
f. Access https://SERVERNAME:8443/, where SERVERNAME is the full computer name of the
machine on which the application server is running. If the setup is correct, the Tomcat
home page is displayed.
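As an added example (not part of the white paper), the following Python check parses a server.xml and reports whether the HTTPS connector carries the attributes step d requires. The two embedded server.xml fragments are constructed for the example: one reproduces the connector as printed above, the other has the attribute quoting repaired and the CATALINA_HOME placeholder replaced by the path given in the pre-requisites.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the HTTPS connector as printed in the paper, where
# maxThreads="200 scheme="https" has lost the closing quote after 200.
BROKEN_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector protocol="org.apache.coyote.http11.Http11Protocol" port="8443"
        minSpareThreads="5" maxSpareThreads="75" enableLookups="true"
        disableUploadTimeout="true" acceptCount="100" maxThreads="200 scheme="https"
        secure="true" SSLEnabled="true" sslProtocol="TLS"
        keystoreFile="CATALINA_HOME\\.keystore" keystorePass="changeit"
        clientAuth="false"/>
  </Service>
</Server>"""

# Same connector with the quote repaired and the CATALINA_HOME placeholder
# replaced by the Tomcat home path the paper uses as its example.
FIXED_SERVER_XML = BROKEN_SERVER_XML.replace(
    'maxThreads="200 scheme="https"', 'maxThreads="200" scheme="https"'
).replace(
    'keystoreFile="CATALINA_HOME\\.keystore"',
    'keystoreFile="F:\\V6Stacks\\V6R2013x_SSL\\apache-tomcat-6.0.32\\.keystore"',
)

# Attributes an SSL connector must carry for Tomcat to serve https.
REQUIRED = {"scheme": "https", "secure": "true", "SSLEnabled": "true"}
# Java's well-known default keystore password; it belongs in no production config.
DEFAULT_PASSWORDS = {"changeit"}


def audit_server_xml(text):
    """Return a list of findings for the HTTPS connector(s) in a server.xml.

    An empty list means the connector matches section 2.2. A malformed file
    yields a single 'not well-formed' finding, the same reason Tomcat refuses
    to start when a connector attribute is mis-quoted.
    """
    try:
        root = ET.fromstring(text)
    except ET.ParseError as err:
        return [f"not well-formed XML: {err}"]

    ssl_connectors = [
        c for c in root.iter("Connector")
        if c.get("SSLEnabled", "").lower() == "true" or c.get("scheme") == "https"
    ]
    if not ssl_connectors:
        return ["no HTTPS connector defined (the template one is commented out)"]

    findings = []
    for c in ssl_connectors:
        port = c.get("port", "?")
        for attr, want in REQUIRED.items():
            if c.get(attr, "").lower() != want:
                findings.append(f'port {port}: {attr} must be "{want}"')
        keystore = c.get("keystoreFile", "")
        if not keystore:
            findings.append(f"port {port}: keystoreFile is missing")
        elif "CATALINA_HOME" in keystore:
            findings.append(f"port {port}: keystoreFile still holds the CATALINA_HOME "
                            "placeholder; use the real path or ${catalina.home}")
        password = c.get("keystorePass")
        if password in DEFAULT_PASSWORDS:
            findings.append(f"port {port}: keystorePass is the well-known default '{password}'")
    return findings


if __name__ == "__main__":
    for label, xml in (("paper", BROKEN_SERVER_XML), ("fixed", FIXED_SERVER_XML)):
        print(label, audit_server_xml(xml) or ["OK"])
```

Run it against the real CATALINA_HOME\conf\server.xml by reading the file into audit_server_xml; the repaired sample still yields one finding because it keeps the paper's example password.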



2.3. Configuring settings on the FCS server (in this example, FCS = MCS)

A. If the FCS URL is the same as the MCS URL, the following settings are done on the
MCS server.

B. Start the instance of the application server in which the MCS application is deployed.

C. Note the JAVA_HOME path that the application server hosting the FCS application
refers to.
Copy the entire program below into a text file and save it as InstallCert.java in the
JAVA_HOME\jre\lib\security\ directory:

/*
 * Copyright 2006 Sun Microsystems, Inc. All Rights Reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * - Redistributions of source code must retain the above copyright
 *   notice, this list of conditions and the following disclaimer.
 *
 * - Redistributions in binary form must reproduce the above copyright
 *   notice, this list of conditions and the following disclaimer in the
 *   documentation and/or other materials provided with the distribution.
 *
 * - Neither the name of Sun Microsystems nor the names of its
 *   contributors may be used to endorse or promote products derived
 *   from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
 * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

import java.io.*;
import java.net.URL;
import java.security.*;
import java.security.cert.*;
import javax.net.ssl.*;

public class InstallCert {

    public static void main(String[] args) throws Exception {
        String host;
        int port;
        char[] passphrase;
        // Arguments: host[:port] and an optional keystore passphrase
        // (defaults to the JRE's "changeit").
        if ((args.length == 1) || (args.length == 2)) {
            String[] c = args[0].split(":");
            host = c[0];
            port = (c.length == 1) ? 443 : Integer.parseInt(c[1]);
            String p = (args.length == 1) ? "changeit" : args[1];
            passphrase = p.toCharArray();
        } else {
            System.out.println("Usage: java InstallCert <host>[:port] [passphrase]");
            return;
        }

        // Load the trust store: jssecacerts in the current directory first,
        // then the JRE's own jssecacerts, then its cacerts.
        File file = new File("jssecacerts");
        if (file.isFile() == false) {
            char SEP = File.separatorChar;
            File dir = new File(System.getProperty("java.home") + SEP + "lib" + SEP + "security");
            file = new File(dir, "jssecacerts");
            if (file.isFile() == false) {
                file = new File(dir, "cacerts");
            }
        }
        System.out.println("Loading KeyStore " + file + "...");
        InputStream in = new FileInputStream(file);
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(in, passphrase);
        in.close();

        // Wrap the default trust manager so that the chain the server
        // presents is captured even when validation fails.
        SSLContext context = SSLContext.getInstance("TLS");
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        X509TrustManager defaultTrustManager = (X509TrustManager) tmf.getTrustManagers()[0];
        SavingTrustManager tm = new SavingTrustManager(defaultTrustManager);
        context.init(null, new TrustManager[] { tm }, null);
        SSLSocketFactory factory = context.getSocketFactory();

        System.out.println("Opening connection to " + host + ":" + port + "...");
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        socket.setSoTimeout(10000);
        try {
            System.out.println("Starting SSL handshake...");
            socket.startHandshake();
            socket.close();
            System.out.println();
            System.out.println("No errors, certificate is already trusted");
        } catch (SSLException e) {
            System.out.println();
            e.printStackTrace(System.out);
        }

        X509Certificate[] chain = tm.chain;
        if (chain == null) {
            System.out.println("Could not obtain server certificate chain");
            return;
        }

        BufferedReader reader = new BufferedReader(new InputStreamReader(System.in));

        // Print each certificate of the chain with its fingerprints so that
        // the administrator can compare them before trusting one.
        System.out.println();
        System.out.println("Server sent " + chain.length + " certificate(s):");
        System.out.println();
        MessageDigest sha1 = MessageDigest.getInstance("SHA1");
        MessageDigest md5 = MessageDigest.getInstance("MD5");
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = chain[i];
            System.out.println(" " + (i + 1) + " Subject " + cert.getSubjectDN());
            System.out.println("   Issuer  " + cert.getIssuerDN());
            sha1.update(cert.getEncoded());
            System.out.println("   sha1    " + toHexString(sha1.digest()));
            md5.update(cert.getEncoded());
            System.out.println("   md5     " + toHexString(md5.digest()));
            System.out.println();
        }

        System.out.println("Enter certificate to add to trusted keystore or 'q' to quit: [1]");
        String line = reader.readLine().trim();
        int k;
        try {
            k = (line.length() == 0) ? 0 : Integer.parseInt(line) - 1;
        } catch (NumberFormatException e) {
            System.out.println("KeyStore not changed");
            return;
        }

        // Add the chosen certificate and write the result to jssecacerts
        // in the current directory.
        X509Certificate cert = chain[k];
        String alias = host + "-" + (k + 1);
        ks.setCertificateEntry(alias, cert);

        OutputStream out = new FileOutputStream("jssecacerts");
        ks.store(out, passphrase);
        out.close();

        System.out.println();
        System.out.println(cert);
        System.out.println();
        System.out.println("Added certificate to keystore 'jssecacerts' using alias '" + alias + "'");
    }

    private static final char[] HEXDIGITS = "0123456789abcdef".toCharArray();

    private static String toHexString(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 3);
        for (int b : bytes) {
            b &= 0xff;
            sb.append(HEXDIGITS[b >> 4]);
            sb.append(HEXDIGITS[b & 15]);
            sb.append(' ');
        }
        return sb.toString();
    }

    // Delegates to the real trust manager but remembers the server chain.
    private static class SavingTrustManager implements X509TrustManager {

        private final X509TrustManager tm;
        private X509Certificate[] chain;

        SavingTrustManager(X509TrustManager tm) {
            this.tm = tm;
        }

        public X509Certificate[] getAcceptedIssuers() {
            throw new UnsupportedOperationException();
        }

        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            throw new UnsupportedOperationException();
        }

        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            this.chain = chain;
            tm.checkServerTrusted(chain, authType);
        }
    }
}

D. Open the command prompt as administrator.

E. Change the directory to JAVA_HOME\bin\ and execute the command below, specifying the
complete path of InstallCert.java (i.e. JAVA_HOME\jre\lib\security\InstallCert.java):
JAVA_HOME\bin>javac "JAVA_HOME\jre\lib\security\InstallCert.java"

After successful execution of the above command, two files are created:
InstallCert.class and InstallCert$SavingTrustManager.class. Verify that these files are
present in the security directory.

F. Ensure that the current directory is still JAVA_HOME\bin\ in the cmd window and run the
compiled class, putting the directory that holds InstallCert.class
(i.e. JAVA_HOME\jre\lib\security) on the class path:
JAVA_HOME\bin>java -cp "JAVA_HOME\jre\lib\security" InstallCert SERVERNAME:HTTPS_PORT

Note: java takes the class name, not the path of the .java source file; the -cp option
(or the CLASSPATH variable set in the pre-requisites) tells it where InstallCert.class is.

G. When prompted, add the certificate to the trusted keystore by pressing the Enter key.
The following message should be displayed:
"Added certificate to keystore 'jssecacerts' using alias SERVERNAME-1"

Note: the program writes jssecacerts into the current directory (JAVA_HOME\bin\), whereas
the JRE looks for it in JAVA_HOME\jre\lib\security\. Move the file there so that the
trust takes effect for the application server.

H. Run the command in step F again to cross-verify that the certificate has been added
to the keystore.

3. Configuring SSL for VueServlet

Launch the https URL; at this point the URL still throws an untrusted certificate warning,
as shown in the figure.



Figure 3: Security Warning

3.1. SSL Between the AutoVue Client and the VueServlet


In order to enable SSL between AutoVue client and the VueServlet, you must ensure that
SSL is enabled for the application server and that you have a CA-issued certificate installed
with your application server.

In addition to enabling SSL and setting up the keystore/truststore for the application server,
you must perform the following steps so that the AutoVue server can trust the application
server’s certificate:


To enable SSL between the AutoVue client and the VueServlet, the following steps need to be
done:

Launch the https URL (https://SERVERNAME:HTTPS_PORT/application_name); the URL will show
a security certificate warning as in figure 4 below.

On this page, click "Continue to this website"; this should take the user to the ENOVIA
login page.

Figure 4: https URL showing certificate needs to be trusted

1. In this step, the certificate has to be trusted by importing it into Internet
Explorer. Click on the certificate, view the certificate and then click Install
Certificate.


Figure 5: Adding certificate to the trusted root certification store, step 1


2. Browse and select “Trusted Root Certification Authorities” as shown in the figure 6.
Then install the certificate to import the certificate to IE.



Figure 6: Adding certificate to the trusted root certification store, step 2

3. Once the certificate has been imported successfully, export it from Internet Explorer
in base-64 encoded format and save it to the local disk, for example as C:\certs.cer.

Figure 7: Adding certificate to the trusted root certification store, step 3


4. Import the certificate into the JRE of the AutoVue server using Java's keytool
command:
<Java Install Directory>\bin>keytool -import -alias <servername> -file c:\certs.cer -trustcacerts -v -keystore C:\Oracle\AutoVue\jre\lib\security\cacerts

keytool prints the certificate's subject, issuer and fingerprints and asks "Trust this
certificate?" before importing it; compare the fingerprints with those shown in the
browser's certificate viewer before answering yes.

5. Copy certs.cer to the client machine (c:\certs.cer) and import the certificate into the
JDK of the client machine using Java's keytool command:
<Java Install Directory>\bin>keytool -import -alias <servername> -keystore "C:\Program Files\Java\<jdk_installed>\jre\lib\security\cacerts" -file "c:\certs.cer"

Optional: If the user is using a separate JRE, import the certificate into the JRE of the
client machine using Java's keytool command:
<Java Install Directory>\bin>keytool -import -alias <servername> -keystore "C:\Program Files\Java\<jre_installed>\lib\security\cacerts" -file "c:\certs.cer"

NOTE: If the user wants to check in data to ENOVIA via any integration from a client
machine, the certificate must be imported into the JDK/JRE that is used by that
integration (step 5 and the optional step need to be done).

With these steps, SSL is successfully enabled between the AutoVue client and the
VueServlet. SSL between the VueServlet and the AutoVue server is discussed in the next
section.

3.2. SSL Between the VueServlet and the AutoVue Server


Perform the following steps to enable SSL between the VueServlet and the AutoVue server.

1. In the web.xml descriptor file for the VueServlet, add the following init-param:
<init-param>
<param-name>EnableSSL</param-name>
<param-value>true</param-value>
</init-param>

The web.xml file is located at tomcat\webapps\<application name>\WEB-INF\web.xml.
Add the init-param lines as shown in the screenshot below.


Figure 8: Modifying Web.xml file

2. Make the following modification to the AutoVue server's jvueserver.properties file:
jvueserver.ssl.enable=true
Add jvueserver.ssl.enable=true after the line jvueserver.rmi.enable=true, as shown in the
screenshot below.



Figure 9: Modifying jvueserver.properties file

3. Set the following in the jvueserver.cmdline entry in jvueserver.properties:
-Djavax.net.ssl.keyStore=C:\.keystore -Djavax.net.ssl.keyStorePassword=changeit
Note: everything must be on the same line.
Example:
jvueserver.cmdline=-Xmx128M -Djavax.net.ssl.keyStore=C:\.keystore -Djavax.net.ssl.keyStorePassword=changeit -Djava.security.policy="C:\Oracle\AutoVue\bin\policy" -Dlog4j.configuration="file:/C:\Oracle\AutoVue\bin\log4j.xml" com.cimmetry.jvueserver.JVueServer -p"C:\Oracle\AutoVue\bin\jvueserver.properties"

4. Restart the AutoVue server and the application server (Tomcat).


SSL is now configured between the VueServlet and the AutoVue server.


4. Summary
This document has tried to give a clear and precise idea of SSL and of how SSL can be
enabled for ENOVIA and AutoVue. With this, the user can secure the data exchange for
ENOVIA and AutoVue over the web.

We have seen how SSL secures data and gives users confidentiality, message integrity
and server authentication. This is why SSL is growing in popularity as users grow more
confident not only in shopping and online banking but also in embracing online
applications such as ENOVIA.


5. Bibliography
- http://www.digicert.com/ssl.htm
- https://www.globalsign.com/ssl-information-center/what-is-ssl.html
- http://info.ssl.com/article.aspx?id=10241
- https://www.instantssl.com/ssl.html
- http://www.tldp.org/HOWTO/SSL-Certificates-HOWTO/x64.html
- http://luxsci.com/blog/how-does-secure-socket-layer-ssl-or-tls-work.html
- http://httpd.apache.org/docs/2.2/ssl/ssl_intro.html
- http://tomcat.apache.org/tomcat-4.1-doc/ssl-howto.html
- http://pic.dhe.ibm.com/infocenter/rdirserv/v5r1m0/index.jsp?topic=%2Fcom.ibm.rational.rds.administering.doc%2Ftopics%2Ft_ssl_communication.html
- http://www.mulesoft.com/tomcat-ssl
- http://www.techpaste.com/2013/11/secure-socket-layer-ssl-works-ssl/
- http://jmiller.uaa.alaska.edu/csce465-fall2013/papers/cisco2002.pdf
- http://media.3ds.com/support/documentation/product/V6R2013x/en/English/DSDoc.htm?ticket=ST-819150-c0mvPgt2QX62HoymgcqP-cas
  (Installation and Administration | ENOVIA | Unified Live Collaboration | Live Collaboration - Installation | Deploying Web Applications | Supporting Secure Deployment | Supporting HTTPS/SSL Deployment)
- http://www.oracle.com/technetwork/documentation/autovue-091442.html