jpabloae.blog

Release Engineering at Openbravo

Openbravo ERP: SSL tips

Since Openbravo ERP is a web-based application, using SSL is currently a must for those who value their privacy. Think about the kind of data that is transferred in an ERP: customer details, transactions with business partners, invoices, balance sheets, etc. Not using SSL basically exposes all this information to anyone nearby with a network sniffer.

This article assumes that you already have a working Openbravo ERP installation, using the following software stack:

If you try to use Openbravo ERP with the default configuration, you will run into some problems. Namely:

  1. All the reports generated by Jasper Reports don’t work, displaying an error such as the following one:

    09:23:59 [ajp-8009-3] WARN  org.openbravo.erpCommon.utility.ErrorTextParserPOSTGRE - did not find constraint name for error message: Error loading byte data : https://localhost:4443/openbravo/web/images/CompanyLogo_big.png

  2. It’s slow. Noticeably slower than running it under plain HTTP, as if every request took an additional time of between 100ms and 1 s, and as if nothing was being cached.

Needless to say, these are showstopper issues: the first one prevents you from e.g. printing invoices, and the second one makes the application very unpleasant to use. Let’s fix these issues.

Reports problem

The first error is caused by the fact that the Java process that generates the reports requires some images located at an SSL-protected URL of your server. It doesn’t trust the certificate the server presents, so it fails. This is actually supposed to be a feature, because it is verifying that the site really is who it claims to be. There are two ways of solving this. The first one requires buying an SSL certificate from an approved provider and is appropriate for production servers. The second one doesn’t require buying anything and is suitable for testing servers.

For production servers:

  1. Register a (sub)domain name for your ERP, e.g. openbravoerp.mydomain.com
  2. Buy an SSL certificate for openbravoerp.mydomain.com. You can find them for ~$70/year.
  3. Register openbravoerp.mydomain.com in the internal DNS server of your LAN, in case the server is hosted in-house. If you don’t have one, it’s time to set it up. There are tiny DNS servers that take no more than 5 minutes to install and set up.

For testing servers:

  1. If it’s going to be exposed to the Internet, register a (sub)domain name for the ERP in a free DNS service, such as DynDNS, e.g. erp-atlantis.dyndns.org
  2. Generate a self-signed certificate using OpenSSL.
  3. Import the SSL certificate into the local JDK. Go to a command line terminal, download the InstallCert utility and run the following commands:

    javac InstallCert.java
    java InstallCert erp-atlantis.dyndns.org
    cp jssecacerts "$JAVA_HOME/jre/lib/security"

  4. Restart Tomcat to apply the changes of the previous step.
  5. For using the ERP in your LAN, register erp-atlantis.dyndns.org in your internal DNS server.
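
Steps 2 and 3 of the testing-server list, as an added example that is not part of the original post: it generates the self-signed certificate with OpenSSL and then builds `jssecacerts` with `keytool` instead of InstallCert, importing only if the server presents exactly the certificate you generated. The function names, file names and the default truststore password `changeit` are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Function names, file names and
# the default JDK truststore password "changeit" are assumptions.

# Step 2: create a self-signed certificate and private key for host $1 in dir $2.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$1" -keyout "$2/$1.key" -out "$2/$1.crt" 2>/dev/null &&
    chmod 600 "$2/$1.key"          # the private key must not be world-readable
}

# Print the SHA-256 fingerprint of the PEM certificate in file $1.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Save the certificate that $1:$2 presents on the wire into file $3.
fetch_presented_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM > "$3" 2>/dev/null
}

# Succeed only when both certificate files carry the same, non-empty fingerprint.
same_cert() {
    a=$(cert_fingerprint "$1") && b=$(cert_fingerprint "$2") &&
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Step 3: add certificate file $3 to a copy of the JDK truststore, but only
# if the server $1:$2 is really presenting that certificate.
pin_and_import() {
    seen=$(mktemp) || return 1
    fetch_presented_cert "$1" "$2" "$seen"
    if same_cert "$3" "$seen"; then
        cp "$JAVA_HOME/jre/lib/security/cacerts" jssecacerts &&
        keytool -importcert -noprompt -alias "$1" -file "$3" \
                -keystore jssecacerts -storepass changeit
        rc=$?
    else
        echo "certificate presented by $1:$2 differs from $3, not importing" >&2
        rc=1
    fi
    rm -f "$seen"
    return "$rc"
}

# Usage: sh pin-cert.sh erp-atlantis.dyndns.org 443 erp-atlantis.dyndns.org.crt
if [ "$#" -eq 3 ]; then pin_and_import "$@"; fi
```

The resulting `jssecacerts` file is then copied into `$JAVA_HOME/jre/lib/security` exactly as in the `cp` command of step 3.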

Performance problem

There are two separate issues regarding slowness. First of all, the web browser starts a new SSL negotiation in every request, adding a 100ms-1s delay to every single request. To fix this, make sure your Apache httpd configuration has the KeepAlive option turned on:

KeepAlive On
MaxKeepAliveRequests 200

In this case we have also doubled the maximum number of requests allowed per persistent connection, because this number is expected to grow now that we allow persistent connections.

The second issue is related to the cache. For the sake of security, content received over SSL is not stored in the disk cache between sessions. This has a performance penalty, so it is a trade-off you need to decide on: once responses are marked as public, whatever the ERP serves may be written to disk on the client. To have the cache kept between sessions, Apache httpd needs to set the Cache-Control header to public. This can be achieved by using the mod_headers module:

Header unset Pragma
Header append Cache-Control "public"

I want to thank katratxo for finding the solution to the cache issue.

Written by jpabloae

03/09/2009 at 15:08

Posted in openbravo
