jpabloae.blog

Release Engineering at Openbravo

Openbravo ERP: SSL tips

Because Openbravo ERP is a web-based application, using SSL is currently a must for anyone who values their privacy. Think about the kind of data that is transferred in an ERP: customer details, transactions with business partners, invoices, balance sheets, etc. Without SSL, all this information is exposed to anyone nearby with a network sniffer.

This article assumes that you already have a working Openbravo ERP installation, using the following software stack:

If you try to use Openbravo ERP with the default configuration, then you will find some problems. Namely:

  1. All the reports generated by Jasper Reports don’t work, displaying an error such as the following one:

    09:23:59 [ajp-8009-3] WARN  org.openbravo.erpCommon.utility.ErrorTextParserPOSTGRE - did not find constraint name for error message: Error loading byte data : https://localhost:4443/openbravo/web/images/CompanyLogo_big.png

  2. It’s slow. Noticeably slower than running it under plain HTTP, as if every request took an additional time of between 100ms and 1 s, and as if nothing was being cached.

Needless to say, these are showstopper issues: the first one prevents you from e.g. printing invoices, and the second one makes the application very unpleasant to use. Let’s fix them.

Reports problem

The first error occurs because the Java process that generates the reports needs some images located at an SSL-protected URL of your server. It doesn’t trust the certificate the server provides, so it fails. This is actually a feature, because it verifies that the site really is who it claims to be. There are two ways of solving this. The first one requires buying an SSL certificate from an approved provider and is appropriate for production servers. The second one doesn’t require buying anything and is suitable for testing servers.

For production servers:

  1. Register a (sub)domain name for your ERP, e.g. openbravoerp.mydomain.com
  2. Buy a SSL certificate for openbravoerp.mydomain.com. You can find them for ~$70/year.
  3. Register openbravoerp.mydomain.com in the internal DNS server of your LAN, in case the server is hosted in-house. If you don’t have one, it’s time to set it up. There are tiny DNS servers that take no more than 5 minutes to install and set up.

For testing servers:

  1. If it’s going to be exposed to the Internet, register a (sub)domain name for the ERP in a free DNS service, such as DynDNS, e.g. erp-atlantis.dyndns.org
  2. Generate a self-signed certificate using OpenSSL.
  3. Import the SSL certificate into the local JDK. Go to a command line terminal, download the InstallCert utility and run the following commands:

    javac InstallCert.java
    java InstallCert erp-atlantis.dyndns.org
    cp jssecacerts $JAVA_HOME/jre/lib/security

  4. Restart Tomcat to apply the changes of the previous step.
  5. To use the ERP in your LAN, register erp-atlantis.dyndns.org in your internal DNS server.
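
Steps 2 and 3 above as an added example (not part of the original post): it generates the self-signed certificate with OpenSSL and imports that exact file with keytool only after a fingerprint check, whereas InstallCert stores whatever certificate the server presents at the moment it is run. The directory /etc/ssl/erp-test, the alias openbravo-test, port 443 and the default trust store password changeit are assumptions.

```shell
#!/bin/sh
# Added example. The host name is the page's; file names, the alias and the
# default store password "changeit" are assumptions.

# Step 2: create a self-signed certificate and private key for HOST in DIR.
make_selfsigned() {
    host=$1; dir=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$host" \
        -keyout "$dir/$host.key" -out "$dir/$host.crt" 2>/dev/null &&
    chmod 600 "$dir/$host.key"
}

# SHA-256 fingerprint of the PEM certificate in FILE, as bare hex.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 |
        sed 's/^.*=//; s/://g'
}

# Fingerprint of the certificate HOST:PORT actually serves (needs network).
served_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//; s/://g'
}

# Step 3: add CRT to the trust store STORE, but only when its fingerprint
# equals EXPECTED (the value noted when the certificate was generated).
# Returns 1 and imports nothing on a mismatch.
import_if_expected() {
    crt=$1; expected=$2; store=$3
    [ "$(cert_fingerprint "$crt")" = "$expected" ] || return 1
    keytool -importcert -noprompt -alias openbravo-test \
        -file "$crt" -keystore "$store" -storepass changeit
}

# Typical run on the test server (not executed here; paths are assumptions):
#   make_selfsigned erp-atlantis.dyndns.org /etc/ssl/erp-test
#   fp=$(cert_fingerprint /etc/ssl/erp-test/erp-atlantis.dyndns.org.crt)
#   [ "$(served_fingerprint erp-atlantis.dyndns.org 443)" = "$fp" ] || exit 1
#   cp "$JAVA_HOME/jre/lib/security/cacerts" jssecacerts   # keep the public CAs
#   import_if_expected /etc/ssl/erp-test/erp-atlantis.dyndns.org.crt "$fp" jssecacerts
#   cp jssecacerts "$JAVA_HOME/jre/lib/security"
```

Starting jssecacerts as a copy of cacerts matters because the JVM uses jssecacerts instead of cacerts when both exist.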

Performance problem

There are two separate issues regarding slowness. First of all, the web browser starts a new SSL negotiation in every request, adding a 100ms-1s delay to every single request. To fix this, make sure your Apache httpd configuration has the KeepAlive option turned on:

KeepAlive On
MaxKeepAliveRequests 200

In this case we have also doubled the number of allowed keep-alive requests, because this number is expected to grow now that we allow persistent connections.

The second issue is related to the cache. For the sake of security, content received over SSL is not stored in the disk cache between sessions, but this carries a performance penalty, so this is a trade-off you need to decide on. To have the cache kept between sessions, Apache httpd needs to send the Cache-Control header set to public. This can be achieved by using the mod_headers module:

Header unset Pragma
Header append Cache-Control "public"
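
A check for the trade-off described above, as an added example that is not part of the original post: it reads response headers and reports which URLs end up marked public, so you can see whether only static files are affected. The sample input is constructed, the two paths outside /openbravo/web/ are hypothetical, and treating /openbravo/web/ as the static-asset path is an assumption based on the image URL in the log line earlier.

```shell
#!/bin/sh
# Constructed sample: `curl -skI <url>` output for three URLs, each block
# preceded by a hand-added "URL:" line. "no-cache, public" is what
# `Header append` yields when the application already sent "no-cache".
sample_headers() {
cat <<'EOF'
URL: https://erp-atlantis.dyndns.org/openbravo/web/images/CompanyLogo_big.png
HTTP/1.1 200 OK
Content-Type: image/png
Cache-Control: public

URL: https://erp-atlantis.dyndns.org/openbravo/example/InvoiceList.html
HTTP/1.1 200 OK
Content-Type: text/html
Cache-Control: no-cache, public

URL: https://erp-atlantis.dyndns.org/openbravo/example/Login.html
HTTP/1.1 200 OK
Content-Type: text/html
Cache-Control: no-store
EOF
}

# Read such blocks on stdin and print one "<verdict> <url>" line per URL:
#   STATIC-PUBLIC   asset under /openbravo/web/ marked public, as intended
#   DYNAMIC-PUBLIC  page outside /openbravo/web/ marked public: review it
#   NOT-PUBLIC      Cache-Control carries no "public" directive
audit_cache_headers() {
    awk '
        function report() {
            if (url == "") return
            if (!pub)                            v = "NOT-PUBLIC"
            else if (url ~ /\/openbravo\/web\//) v = "STATIC-PUBLIC"
            else                                 v = "DYNAMIC-PUBLIC"
            print v, url
        }
        /^URL: /                                { report(); url = $2; pub = 0; next }
        tolower($0) ~ /^cache-control:.*public/ { pub = 1 }
        END                                     { report() }
    '
}

# Usage: sample_headers | audit_cache_headers
```

If dynamic pages show up as DYNAMIC-PUBLIC, placing the two Header directives inside a container such as `<LocationMatch>` limited to the static path keeps ERP data out of the disk cache while still speeding up images, scripts and stylesheets.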

I want to thank katratxo for finding the solution to the cache issue.


Written by jpabloae

03/09/2009 at 15:08

Posted in openbravo


12 Responses


  1. good one !

    Sree

    04/09/2009 at 18:10

  2. Why not just use openvpn and a firewall?

    GH

    07/09/2009 at 20:58

    • That’s a very good option, certainly. But it depends on the situation and the user who’s going to use it.

      Some users are not willing to pay the price of requiring a VPN to access the ERP (e.g. mobility and hardware). Security is always a trade-off and there’s not an ultimate answer, in my opinion.

      Some will prefer one option and others a different one. But for sure no one will choose SSL if it causes all the reports to fail or if it’s dead slow.

      These are just some notes to help those in the process of setting up the ERP with SSL.

      jpabloae

      07/09/2009 at 22:16

  3. I can not find the path

    openbravo/web/images/CompanyLogo_big.png.

    Please help me.

    Sorry for the spelling, I’m French

    LAW

    03/11/2009 at 17:08

    • Hi. You are not providing details of what you want to do. That png image is in the web/images directory of your Openbravo ERP source directory, typically in /opt/OpenbravoERP or /opt/AppsOpenbravo. Or you can also get the image from the Mercurial repository:

      In any case, is this related to the SSL topic?

      jpabloae

      03/11/2009 at 17:14

  4. Sorry, but I was trying to change that image and put in place the logo of my company in the login page.

    LAW

    03/11/2009 at 17:32

  5. Hi. In my Openbravo ERP source directory in /opt/ there is nothing. Do you know why?

    LAW

    04/11/2009 at 09:13

    • Because you probably have it installed somewhere else. Please use the forums and post your questions there, it will be much more effective.

      jpabloae

      04/11/2009 at 09:52

  6. It is not me who installed it, I’m just responsible for working on it. Actually I want to change invoice, order and quote by adding the logo of my company in the header. Is it possible?

    LAW

    04/11/2009 at 10:05

    • Please use the forums and post your questions there, it is the right place for your question.

      jpabloae

      04/11/2009 at 10:12

      • Ok thanks

        LAW

        04/11/2009 at 10:19

  7. Hi,

    I reply because I post comments in several forums but I think I will not reply before a long time.

    So I hope you can help me to change the header of invoices, quotes etc … to add my company logo.

    Thanks

    LAW

    05/11/2009 at 10:04

