Upgrade to release 7.9.14.0 or higher

With this release we simplify the initial setup of Stages for production and follow a secure-by-default approach. The default configuration for new Stages installations is therefore prepared for HTTPS-only access to Stages. For existing installations, a few manual steps are necessary after the upgrade to Stages 7.9.14.0 or higher, as outlined below.

To be able to configure and use the latest TLS version 1.3, it is necessary to update the Java JDK 8 version on the server to at least JDK-8u381 or any higher 1.8.x version (64-bit). The latest JDK 8 patch version is recommended.

The formerly error-prone configuration for report execution and PDF printing is now also unified and delivered by default. The internal Stages communication will always use a separate connector on port 8085 that is not reachable from the outside.

To simplify the management of configurations for test and production servers, the variable replacement mechanism of config.xml was extended to server.xml and database.properties files. This should make it easier to sync the general Stages configuration between test and production environments while maintaining individual configuration values in just two files named config.properties and secret.properties. Please read Configure the Stages server for more details on that topic.

The following manual configuration changes need to be applied for installations that are configured for HTTPS usage, meaning you can reach Stages via https e.g. https://mystages.mycompany.com. For test server installations that are currently NOT prepared for HTTPS please follow these instructions.

Stages server is already configured for HTTPS

config.properties

Add the external hostname / DNS name of your Stages server as general.external.hostname into $STAGES_CONF/config.properties, e.g.:

general.external.hostname = mystages.mycompany.com

server.xml

Ensure the following connector is available in $STAGES_CONF/server.xml. This connector is used only for Stages internal communication to provide the report, PDF print and execution export features. It is only reachable from the Stages server itself and not from other machines.

For an IPv6-only installation, please adapt the address attribute as follows: address="::1"

<!-- used for internal communication between Stages and its reporting app, listens only on the loopback interface -->
<Connector port="8085"
           protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           proxyName="${general.external.hostname}"
           proxyPort="443"
           secure="true"
           scheme="https"
           URIEncoding="UTF-8"
           maxHttpHeaderSize="8192"
           maxThreads="150"
           minSpareThreads="25"
           enableLookups="true"
           acceptCount="100"
           connectionTimeout="60000"
           disableUploadTimeout="true"
           address="127.0.0.1"
/>

config.xml

Ensure the following properties are removed from $STAGES_CONF/config.xml in case they exist there:

<property name="metrics.serverAddress" ...
<property name="pdf.serverAddress" ...
<property name="processor.serverAddress" ...

Apply configuration changes

Execute the configuration update and restart Stages as outlined here

Access Stages

Verify that Stages is available under its usual URL e.g. https://mystages.mycompany.com

Stages server does not yet support HTTPS

Because Stages now enforces the use of HTTPS, additional steps are necessary when you upgrade from an HTTP-only setup. Stages comes by default with a self-signed certificate for the domain stages.localhost, which is just an alias for localhost. The default certificates are therefore only useful for local access to Stages. The following steps will enable HTTPS access for your machine with the default self-signed certificate. To access Stages from another machine without browser warnings, you need to create a certificate that is valid for your server's external hostname afterwards.

Download self-signed certificate

Download the certificate keystore for the self-signed certificate and store it in the $STAGES_CONF directory:
https://download.methodpark.de/stages/stages-self-signed-cert/stages-self-signed-keystore.p12

Download the self-signed certificate to be able to import it into your system's truststore. This is only useful for pure local access to Stages.
https://download.methodpark.de/stages/stages-self-signed-cert/stages-self-signed.crt

config.properties

Add the external hostname / DNS name of your Stages server as general.external.hostname into $STAGES_CONF/config.properties, e.g. mystages.mycompany.com, and configure the path to the certificate keystore file relative to $STAGES_ROOT as general.keystore.path:

general.external.hostname = mystages.mycompany.com
general.keystore.path = conf/stages-self-signed-keystore.p12

secret.properties

Add the following two properties to $STAGES_CONF/secret.properties:

general.keystore.keyAlias = stages
general.keystore.password = SECRET

server.xml

Ensure the following connector is available in $STAGES_CONF/server.xml. This connector is used only for Stages internal communication to provide the report, PDF print and execution export features. It is only reachable from the Stages server itself and not from other machines.

For an IPv6-only installation, please adapt the address attribute as follows: address="::1"

<!-- used for internal communication between Stages and its reporting app, listens only on the loopback interface -->
<Connector port="8085"
           protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           proxyName="${general.external.hostname}"
           proxyPort="443"
           secure="true"
           scheme="https"
           URIEncoding="UTF-8"
           maxHttpHeaderSize="8192"
           maxThreads="150"
           minSpareThreads="25"
           enableLookups="true"
           acceptCount="100"
           connectionTimeout="60000"
           disableUploadTimeout="true"
           address="127.0.0.1"
/>

Additionally it is recommended to replace the existing connector for HTTP port 80 or 8080 by the following two connectors that will ensure that Stages is listening on the HTTP and HTTPS ports and that HTTP requests are redirected to HTTPS. In case you do not want to use the default ports 80 and 443, but e.g. 8080 and 8443, please adapt the configuration of the port and redirectPort attributes accordingly.

    <Connector port="80"
               protocol="org.apache.coyote.http11.Http11Nio2Protocol"
               URIEncoding="UTF-8"
               maxHttpHeaderSize="8192"
               maxThreads="500"
               minSpareThreads="50"
               enableLookups="false"
               acceptCount="1000"
               connectionTimeout="60000"
               disableUploadTimeout="true"
               compression="on"
               compressibleMimeType="text/html,text/xml,text/css,text/javascript,text/plain,application/javascript,application/json,application/xml,image/svg+xml,application/x-font-ttf"
               redirectPort="443"
    />

    <Connector port="443"
               protocol="org.apache.coyote.http11.Http11Nio2Protocol"
               URIEncoding="UTF-8"
               maxHttpHeaderSize="8192"
               maxThreads="500"
               minSpareThreads="50"
               enableLookups="false"
               acceptCount="1000"
               connectionTimeout="60000"
               disableUploadTimeout="true"
               compression="on"
               compressibleMimeType="text/html,text/xml,text/css,text/javascript,text/plain,application/javascript,application/json,application/xml,image/svg+xml,application/x-font-ttf"
               scheme="https"
               secure="true"
               SSLEnabled="true">
      <SSLHostConfig
              disableSessionTickets="true"
              honorCipherOrder="false"
              protocols="TLSv1.3">
          <Certificate
                certificateKeyAlias="${general.keystore.keyAlias}"
                certificateKeystoreFile="${stages.root}/${general.keystore.path}"
                certificateKeystorePassword="${general.keystore.password}"
          />
      </SSLHostConfig>
   </Connector>
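
Before restarting, the connector settings described in this section can be checked mechanically. The following is an added example, not part of the Stages distribution or documentation: the function name audit_server_xml and both sample inputs are constructed for illustration. It checks that the internal connector is bound to loopback, that the TLS connector uses the protocols value shown above with the keystore password supplied as a ${...} variable, and that every plain HTTP connector has a redirectPort pointing at a TLS connector.

```python
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1"}

def audit_server_xml(xml_text, internal_port="8085"):
    """Return findings for a server.xml; an empty list means it matches the guide."""
    connectors = list(ET.fromstring(xml_text).iter("Connector"))
    tls_ports = {c.get("port") for c in connectors if c.get("SSLEnabled") == "true"}
    findings = []
    if not any(c.get("port") == internal_port for c in connectors):
        findings.append(f"port {internal_port}: internal connector missing")
    for c in connectors:
        port = c.get("port")
        if port == internal_port:
            # Without an address attribute Tomcat listens on all interfaces.
            if c.get("address") not in LOOPBACK:
                findings.append(f"port {port}: not bound to loopback")
        elif c.get("SSLEnabled") == "true":
            for host in c.findall("SSLHostConfig"):
                if host.get("protocols") != "TLSv1.3":
                    findings.append(f"port {port}: protocols differs from TLSv1.3")
                for cert in host.findall("Certificate"):
                    # Secrets belong in secret.properties, referenced as ${...}.
                    pw = cert.get("certificateKeystorePassword", "")
                    if not (pw.startswith("${") and pw.endswith("}")):
                        findings.append(f"port {port}: literal keystore password")
        elif c.get("redirectPort") not in tls_ports:
            findings.append(f"port {port}: no redirectPort to a TLS connector")
    return findings

# Constructed sample: trimmed form of the connectors shown in this guide.
GOOD = """<Server><Service>
  <Connector port="8085" address="127.0.0.1" proxyPort="443" scheme="https" secure="true"/>
  <Connector port="80" redirectPort="443"/>
  <Connector port="443" scheme="https" secure="true" SSLEnabled="true">
    <SSLHostConfig protocols="TLSv1.3">
      <Certificate certificateKeystorePassword="${general.keystore.password}"/>
    </SSLHostConfig>
  </Connector>
</Service></Server>"""

# Constructed sample with three deviations from the guide.
BAD = (GOOD.replace(' address="127.0.0.1"', "")
           .replace('protocols="TLSv1.3"', 'protocols="TLSv1.2+TLSv1.3"')
           .replace("${general.keystore.password}", "changeit"))

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_server_xml(text) or "no findings")
```

The audit reads the server.xml template as stored in $STAGES_CONF, before variable replacement, so ${...} references are compared as literal text.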

config.xml

Ensure the following properties are removed from $STAGES_CONF/config.xml in case they exist there:

<property name="metrics.serverAddress" ...
<property name="pdf.serverAddress" ...
<property name="processor.serverAddress" ...

Apply configuration changes

Execute configuration update and restart Stages as outlined here

Access Stages

Verify that Stages is available under https://stages.localhost when you open the browser on the server machine, or under https://mystages.mycompany.com. Please note that the browser will complain that the provided certificate is not valid or trusted. For the initial test, please acknowledge the risk and click through to Stages. After that you should create and configure your own signed certificate, or create your own self-signed certificate and import it into your browser's or system's truststore. For pure local access to Stages you can import the default stages-self-signed.crt certificate, as downloaded above, into your browser's truststore.