Securing the Web Browser to Reflection ZFE Session Server

NOTE: The file paths noted here are for a default installation. If you have installed Reflection ZFE to another location, you must modify the path appropriately.

When an HTTPS connection is made to the session server, it authenticates itself to the client browser using a server certificate. The client checks the server certificate against its trusted certificate store. If the certificate, or the CA certificate at the root of its chain, is in the trusted store, the connection proceeds. If it is not, the browser warns you and asks whether to continue with the connection.

By default, a self-signed certificate is generated and used by the session server to identify itself to the client. When you initiate a secure web browser connection to the session server using the HTTPS URL with the self-signed certificate in use, you are warned by the browser that the certificate is not trusted. At this point you can instruct the browser to trust the certificate and proceed with a secure connection.

You can avoid the need to instruct the browser to trust the default self-signed certificate by configuring the session server to use a trusted certificate. The necessary certificate, which most likely will be one signed by a certificate authority (CA) that is universally trusted, is provided by the administrator in charge of the ZFE installation.

The key and certificate chain must be in a keystore in either JCEKS format, or a PKCS12 format with strong encryption (PBE-SHA1-3DES). The password for the key and for the keystore must be the same.

To configure the Reflection ZFE session server to use the keystore:

  1. Open the sessionserver/conf/container.properties file and add the following three lines. Write the keystore path with forward slashes or doubled backslashes (for example C:/path/to/keystore or C:\\path\\to\\keystore), because a single backslash in a Java properties file is read as an escape character and is dropped when the file is loaded:

    • servletengine.ssl.keystore=<full path to keystore>
    • servletengine.ssl.keystoretype=bcfjks
    • servletengine.ssl.keystorepassword=<password for the keystore file you specified>
  2. Restart the session server.

It is also possible to change the default behavior and prevent the client browser from making an insecure HTTP connection to the ZFE session server at all, so that only HTTPS connections are accepted. To do this:

Open sessionserver/conf/container.properties, set the servletengine.port property to 0, and restart the session server.
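As an added check for both procedures above (example code written for this page, not part of Reflection ZFE), the following Python script reads a container.properties file the way java.util.Properties would, confirms that the three keystore properties from step 1 are present, flags a keystore path written with single backslashes (which the Java properties parser silently mangles), and reports whether servletengine.port=0 has turned off the plain-HTTP listener. The property names and the keystore type value are the ones documented above; the two sample file contents, the paths, the port number and the password are constructed placeholders.

```python
"""Sanity-check TLS keystore settings in a Reflection ZFE container.properties.

Added example, not part of the product. Property names come from the
documentation above; the sample file contents below are constructed.
"""
import re
import sys

# The three properties the documentation says must be added (step 1 above).
REQUIRED = (
    "servletengine.ssl.keystore",
    "servletengine.ssl.keystoretype",
    "servletengine.ssl.keystorepassword",
)
DOCUMENTED_KEYSTORE_TYPE = "bcfjks"

_SIMPLE_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}


def unescape_properties_value(raw):
    """Apply java.util.Properties escape rules: a lone backslash escapes the
    next character (so '\\k' becomes 'k'), '\\\\' becomes one backslash and
    '\\uXXXX' is a Unicode escape. This is why single-backslash Windows paths
    are mangled when the file is loaded."""
    out = []
    i = 0
    while i < len(raw):
        ch = raw[i]
        if ch != "\\":
            out.append(ch)
            i += 1
            continue
        i += 1
        if i >= len(raw):
            break  # a trailing backslash is dropped
        nxt = raw[i]
        hex4 = raw[i + 1:i + 5]
        if nxt == "u" and re.fullmatch(r"[0-9a-fA-F]{4}", hex4):
            out.append(chr(int(hex4, 16)))
            i += 5
            continue
        out.append(_SIMPLE_ESCAPES.get(nxt, nxt))
        i += 1
    return "".join(out)


def parse_properties(text):
    """Minimal java.util.Properties reader ('#'/'!' comments, first unescaped
    '=' or ':' separates key and value). Returns {key: (raw, loaded)} so the
    checker can see what was written and what Java would actually load.
    Assumption: no line continuations, which the documented lines never need."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"((?:\\.|[^=:\\])+)\s*[=:]\s*(.*)$", line)
        if not m:
            continue  # not a key=value line
        key, raw = m.group(1).strip(), m.group(2)
        props[key] = (raw, unescape_properties_value(raw))
    return props


def check_tls_config(props):
    """Return a list of findings; an empty list means the settings look right."""
    findings = []
    for name in REQUIRED:
        if name not in props:
            findings.append("missing property: " + name)
    if "servletengine.ssl.keystore" in props:
        raw, loaded = props["servletengine.ssl.keystore"]
        # An odd-length run of backslashes means at least one lone backslash,
        # which Java consumes as an escape instead of keeping as a separator.
        if any(len(run) % 2 for run in re.findall(r"\\+", raw)):
            findings.append(
                "keystore path uses single backslashes; Java would load it as %r" % loaded)
    if "servletengine.ssl.keystoretype" in props:
        loaded = props["servletengine.ssl.keystoretype"][1]
        if loaded != DOCUMENTED_KEYSTORE_TYPE:
            findings.append("keystoretype is %r, documentation specifies %r"
                            % (loaded, DOCUMENTED_KEYSTORE_TYPE))
    return findings


def http_listener_disabled(props):
    """True only when servletengine.port=0; an absent property is the default (HTTP on)."""
    return props.get("servletengine.port", ("", ""))[1] == "0"


# Constructed sample: single-backslash path, wrong type, no password, HTTP still on.
BROKEN_EXAMPLE = r"""# constructed sample, not a real configuration
servletengine.ssl.keystore=C:\keystores\zfe.p12
servletengine.ssl.keystoretype=pkcs12
servletengine.port=7070
"""

# Constructed sample following the documented steps; the password is a placeholder.
CORRECT_EXAMPLE = r"""# constructed sample, not a real configuration
servletengine.ssl.keystore=C:/keystores/zfe.p12
servletengine.ssl.keystoretype=bcfjks
servletengine.ssl.keystorepassword=placeholder-keystore-password
servletengine.port=0
"""

if __name__ == "__main__":
    # Pass a real container.properties path to check it; otherwise use the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="latin-1") as fh:  # properties files are ISO-8859-1
            samples = [("file", fh.read())]
    else:
        samples = [("broken sample", BROKEN_EXAMPLE), ("correct sample", CORRECT_EXAMPLE)]
    for label, text in samples:
        props = parse_properties(text)
        print(label + ":", check_tls_config(props) or "no findings",
              "| plain HTTP disabled:", http_listener_disabled(props))
```

Run it with no arguments to see the two constructed samples compared, or pass the path to your own container.properties. The raw-versus-loaded distinction is the useful part: a path that looks right in an editor can still be unusable once Java has processed its escapes, and this check catches that before the session server is restarted.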
