You can enable support for HTTPS in LuciadFusion through:
- The use of a reverse proxy in front of LuciadFusion. In this setup, all access to LuciadFusion passes through the reverse proxy, which you can configure to enable HTTPS. For more information about setting up LuciadFusion with a reverse proxy based on Apache HTTP server, see How to set up the LuciadFusion Platform with a reverse proxy.
- The use of Spring Security, which is included with LuciadFusion.
You can only choose the Spring Security option if you’re using an embedded container, such as the Jetty servlet container included with LuciadFusion. If you deployed LuciadFusion on an external servlet container, like Apache Tomcat, check the documentation of that container to find out how to enable HTTPS, or use the reverse proxy option.
To enable HTTPS, you first need an SSL certificate. You can request that from a certificate authority.
For development and testing purposes, you can also generate a self-signed certificate, using the keytool utility that comes with every JRE. For example:
>keytool -genkey -alias <alias> -storetype <type> -keyalg RSA -keysize 2048 -keystore keystore.p12 -validity 3650
When you use the Jetty servlet container included with LuciadFusion 2024 and beyond, the hostname used in HTTPS requests needs to match the name used in the self-signed certificate. This can be achieved by entering the fully qualified hostname when keytool asks for your first and last name. Note that hostnames such as localhost or IP addresses are not allowed.
Move the resulting keystore file to the config folder. Next, enable HTTPS by setting these SSL properties in the LuciadFusion configuration file:
    # SSL (https) can be enabled by setting the following properties:
    server.ssl.key-store: classpath:keystore.p12
    server.ssl.key-store-password: <password>
    server.ssl.keyStoreType: <type>
    server.ssl.keyAlias: <alias>
Depending on the keystore type you chose, the keytool utility may store the provided alias in lower case. In that case, make sure to use the lower-case version of the alias in the server.ssl.keyAlias property. To prevent configuration issues, regardless of the keystore type, it’s recommended to always use lower-case aliases.
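The steps above as one non-interactive script, added here as an example and not part of the LuciadFusion documentation: it checks the certificate name and alias rules before calling keytool, then prints the matching SSL properties. Assumptions: a PKCS12 keystore, the password supplied in a hypothetical KEYSTORE_PASS environment variable, and helper names and the sample hostname invented for illustration.

```shell
#!/bin/sh
# Added example, not LuciadFusion code: self-signed keystore for dev/test
# with the hostname and alias rules checked before keytool runs.

# Lower-case a value, so the alias matches what keytool may store.
lower_alias() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Accept only a fully qualified hostname as the certificate name.
# Assumption: "fully qualified" means at least one dot. localhost and
# IPv4/IPv6 literals are rejected, as the text requires.
valid_cert_host() {
  h=$(lower_alias "$1")
  case "$h" in
    ''|localhost|*:*) return 1 ;;   # empty, localhost, IPv6 literal
    *[!0-9.]*) ;;                   # has a non-digit, non-dot: not IPv4
    *) return 1 ;;                  # digits and dots only: IPv4 literal
  esac
  case "$h" in *.*) return 0 ;; *) return 1 ;; esac
}

# Print the SSL properties for the LuciadFusion configuration file.
ssl_properties() {
  printf 'server.ssl.key-store: classpath:keystore.p12\n'
  printf 'server.ssl.key-store-password: <password>\n'
  printf 'server.ssl.keyStoreType: PKCS12\n'
  printf 'server.ssl.keyAlias: %s\n' "$(lower_alias "$1")"
}

# usage: KEYSTORE_PASS=... make_keystore <fqdn> <alias>
make_keystore() {
  host=$1; ks_alias=$(lower_alias "$2")
  valid_cert_host "$host" || { echo "rejected name: $host" >&2; return 1; }
  [ -n "${KEYSTORE_PASS:-}" ] || { echo "export KEYSTORE_PASS" >&2; return 1; }
  # -genkeypair is the current name of -genkey; -dname answers the
  # "first and last name" prompt; :env keeps the password out of argv.
  keytool -genkeypair -alias "$ks_alias" -storetype PKCS12 -keyalg RSA \
    -keysize 2048 -keystore keystore.p12 -validity 3650 \
    -dname "CN=$host" -storepass:env KEYSTORE_PASS || return 1
  chmod 600 keystore.p12            # private key: owner-only access
  ssl_properties "$ks_alias"
}

# Runs only with arguments, e.g.: ./mkstore.sh fusion.example.com Fusion
if [ "$#" -ge 2 ]; then make_keystore "$1" "$2"; fi
```

Move the generated keystore.p12 to the config folder and replace <password> in the printed properties with the keystore password.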