Update "Configuring Crowd to Work with SSL" documentation


    • Type: Suggestion
    • Resolution: Unresolved
    • Component/s: Documentation

      Problem

      The Configuring Crowd to Work with SSL page needs a bit of sprucing up.

      Example connector out of date

      The example connector (which most customers use by default) is missing much of the configuration included in the default 8095 connector shipped with Crowd. This can lead to issues that end up as a support ticket.

      There is no section on adding a redirect

      The Confluence documentation includes a section on adding a security constraint to automatically redirect traffic from http to https; this is missing from the Crowd documentation. While it's possible to work out how to add one by reviewing other Atlassian product documentation (or the Tomcat documentation), it's easy to miss some of the places where the security constraint must be added, since Crowd has 4 webapps versus 1 for Confluence.

      There is no step to update the base URL

      Updating the base URL is an important step that is easy to forget; the documentation should include it.

      Recommendation

      Update the example connector to include all settings from the default 8095 connector:

      <!-- TLSv1 and TLSv1.1 are deprecated (RFC 8996); restrict sslEnabledProtocols
           to the versions your security policy still permits -->
      <Connector acceptCount="100"
                 connectionTimeout="20000"
                 disableUploadTimeout="true"
                 enableLookups="false"
                 maxHttpHeaderSize="8192"
                 maxThreads="150"
                 minSpareThreads="25"
                 useBodyEncodingForURI="true"
                 URIEncoding="UTF-8"
                 compression="on"
                 sendReasonPhrase="true"
                 compressableMimeType="text/html,text/xml,application/xml,text/plain,text/css,application/json,application/javascript,application/x-javascript"
                 port="8443"
                 protocol="org.apache.coyote.http11.Http11Protocol"
                 SSLEnabled="true"
                 scheme="https"
                 secure="true"
                 clientAuth="false"
                 sslProtocol="TLS"
                 sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
                 keystoreFile="${user.home}/.keystore"
                 keystorePass="changeit"
                 keyAlias="tomcat"
                 keyPass="changeit" />


      Add a section detailing how to implement https redirect

      Edit these files:

      • ${CROWD_DIR}/apache-tomcat/webapps/ROOT/WEB-INF/web.xml
      • ${CROWD_DIR}/crowd-webapp/WEB-INF/web.xml
      • ${CROWD_DIR}/crowd-openidclient-webapp/WEB-INF/web.xml
      • ${CROWD_DIR}/crowd-openidserver-webapp/WEB-INF/web.xml

      Add the following at the end of the file before the </web-app> tag:

      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Restricted URLs</web-resource-name>
          <url-pattern>/</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
      </security-constraint>
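      Because the constraint has to land in all four web.xml files, a check that reports which ones still lack it is useful. The helper below is an added example, not part of this issue or of Crowd; it assumes crowd_dir is the Crowd installation root and uses the four relative paths listed above.

```python
# Added example (not the issue's or Crowd's code): check each Crowd web.xml for the HTTPS-only
# security-constraint and insert it where missing; crowd_dir is assumed to be the Crowd install root.
from pathlib import Path
import xml.etree.ElementTree as ET

WEBAPP_XML = (
    "apache-tomcat/webapps/ROOT/WEB-INF/web.xml",
    "crowd-webapp/WEB-INF/web.xml",
    "crowd-openidclient-webapp/WEB-INF/web.xml",
    "crowd-openidserver-webapp/WEB-INF/web.xml",
)

CONSTRAINT = """  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restricted URLs</web-resource-name>
      <url-pattern>/</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
"""

def _local(tag):  # strip the namespace so javaee and jakartaee schemas both match
    return tag.rsplit("}", 1)[-1]

def has_https_constraint(path):
    """True if some <security-constraint> already requires CONFIDENTIAL transport."""
    for sc in ET.parse(path).getroot():
        if _local(sc.tag) != "security-constraint":
            continue
        for el in sc.iter():
            if _local(el.tag) == "transport-guarantee" and (el.text or "").strip() == "CONFIDENTIAL":
                return True
    return False

def add_https_constraint(path):
    """Insert the constraint just before </web-app>; returns True if the file was changed."""
    if has_https_constraint(path):
        return False
    p = Path(path)
    text = p.read_text(encoding="utf-8")
    idx = text.rfind("</web-app>")
    if idx < 0:
        raise ValueError(f"{path}: no closing </web-app> tag")
    p.write_text(text[:idx] + CONSTRAINT + text[idx:], encoding="utf-8")
    return True

def missing_constraints(crowd_dir):
    # web.xml files under crowd_dir that still accept plain HTTP
    return [p for p in (Path(crowd_dir, w) for w in WEBAPP_XML) if not has_https_constraint(p)]
```

      Tomcat answers a CONFIDENTIAL constraint by redirecting to the port named in the HTTP connector's redirectPort attribute, so the 8095 connector should carry redirectPort="8443" for the redirect to reach the SSL connector above.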
      

      Add a section that details how to update the base URL:

      1. In your browser, go to > General
      2. Change the Base URL field from http to https
      3. Save

            Assignee: Unassigned
            Reporter: Branno (Inactive)
            Votes: 2
            Watchers: 5