Streamline FME Server SSL Configuration

See the related question: What are some of the difficulties that you experience with FME Server SSL Configuration?

See the related idea: Drag and Drop SSL Configuration

This was a lot of extra work in my migration to 2018.1, especially for a non-SSL person like myself.. The rest of the migration was plug and play - restore from backup and oops, now I have 2-3 hours of work figuring this out. Esri's installation of ArcGIS Enterprise uses SSL by default - enforcing good security practices. Even then, they take care of the certificate store for you.

Yes please :)

• Anything to make keystore certificate import easier is welcome - this definitely got IT involved and I think Safe via webchat as well
• The WebSocket configuration was a bit of a minefield, unfortunately I didn't get to follow this through fully but there is a heavy reliance on the Knowledge Base for this when it could be part of install documentation or the install process.
• Websocket config was necessary as https threw out topic monitoring

No criticism intended though, this was just from relatively recent experience.

Couldn't have put it better myself. The whole process doesn't seem to be up to Safe's own standards and leaves massive room for improvement.

Completely agree with both comments and would welcome an improvement. Do things change with FME 2019? Have seen nothing about it and no status change on this thread to imply such a thing. What says the FME Server team?

2019 is exactly the same mine field as 2018 - both of which took an extraordinary amount of time. I was down for 4 days trying to understand keystore problems that I had solved in 2018 and had to re-experience in 2019. My complaints around SSL are:

1. Configurable files should not be un-installed: Documentation says to put keystore into the program areas deleted during software un-installation. That means it doesn't get saved to be reused again. Put the configuration in the resources so it's backed up properly.
2. Upgrading in place could retain these settings and make it easy. 1 hour to uninstall and reinstall - and then another 4 days to try to understand SSL, tomcat, and all the things. Really painful.
3. Safe should really consider that SSL is the default configuration - then rewrite the installation process to that standard. IT wants SSL - help us help them.
4. For a single instance of server, no one loves editing 8 different XML files - they just don't. I understand the options allow organizations to create fault tolerance and all the possibilities but smaller organizations are not helped here.
5. Basically, put the basics into the installation wizard and we'll be done.

Hi @mb_fdfa, there have been no changes / improvements made for FME Server 2019.0/2019.1 with regards to SSL configuration. This idea is in the Top 10 that have not been implemented and that makes it a common discussion point amongst the team here.

We are chipping away at removing the need to edit configuration files for FME Server (it's not a great experience, especially for migrations) and I'd like to see this one addressed.

As soon as we have a timeline for this I'll be sure to update the FME Community.

Thank you for your comments, @k1! SSL configuration in FME Server is a pain point for many of our customers. I agree that it's frustrating these settings are not migrated.

You make a really good suggestion that it could be handled within the installation wizard itself.

And I think that default SSL will have to become a reality as web browsers increase security and, perhaps eventually, prohibit http without action by endusers.

I don't have any good news to share today, but I'll reach out to you when we commit to improving this experience all around.

Again, thank you for posting. It's important for us to hear your feedback.

Seems to be that SSL/https is already the only way for most externally-accessed sites I use. Otherwise it's an 'untrusted' type message and it's all over.

It took me hours to chase support and a screen share session to set up topic notifications. I was stuck on the SSL steps. Server was SSL enabled before that.

So 1 upvote to the idea.

I am currently upgrading from 2018.1 to 2019.1.2 and also discovered that the SSL configuration was not carried over after the restore, and now I will need to go back to our web admins to redo their work, which should be totally unnecessary. Nothing in the "upgrade" instructions mentioned any special consideration for SSL that I could find. I guess I'm used to ESRI products (among others) which will actually upgrade in place, surely the FME Server team could create an install package and not require such a manual process, it is 2019 after all. Also, SSL is basically a standard requirement nowadays and should be the default configuration, especially for those in government circles.

Thanks,

Eric

I am currently upgrading from 2018.1 to 2019.1.2 and also discovered that the SSL configuration was not carried over after the restore, and now I will need to go back to our web admins to redo their work, which should be totally unnecessary. Nothing in the "upgrade" instructions mentioned any special consideration for SSL that I could find. I guess I'm used to ESRI products (among others) which will actually upgrade in place, surely the FME Server team could create an install package and not require such a manual process, it's 2019 after all. Also, SSL is basically a standard requirement nowadays and should be the default configuration, especially for those in government circles.

Thanks,

Eric

Please note that the idea "Drag and Drop SSL Configuration" has been marked as duplicate of this idea.

I 'm also encounter many issues with the configuration of SSL of FME-SERVER (2017.1).

A clear (user-friendly) work instruction should also be made available to renew the management PKI certificate.

Any progress on this for FME Server 2021? Have just installed 2020.2.1 (express) and I see it's still a pretty manual process to go through as now I look at https config, https now being default policy for ours and many orgs.

Checking back for any progress on this, I'm about to upgrade FME Server 2020 to 2021 (and later in the year to 2022) and it would seem an easy process save for the SSL config not carrying over. I known that won't change this time, but going forwards it would be very helpful.

https://docs.safe.com/fme/html/FME_Server_Documentation/AdminGuide/Upgrade-in-Place-Same-Machine.htm

Please implement this. https is non-optional, not only from a data security point of view but also because many integrations with other services such as email servers or active directory require it.

The FME install going forward should be https first, and only allow a fall back to http if you do not have the required certificates in place during installation.

Upgrades should not break existing ssl configuration.

Installing and replacing certificates should be available through the GUI.

Please make sure that you cater for all different deployment types - single machine, express, distributed and fault tolerant.

Please improve the process for configuring secure web sockets as this is especially difficult.

As an end-user who used to have API functionality to the server a recent update to the server resulted in lost ability to make the calls. Since API is not a program-specific entity I would like to see further validation testing done for processes that change how SSL certificates and authentication work. Even with consulting with Safe personnel they were unable to provide a viable solution to restore the functionality.

#python #certifi

To add to this, documentation of which certificate stores various readers/writers/transformers etc. use (I’d add proxy settings to that too). 

As of FME Flow 2025.1, setting up HTTPS for Windows environments is much simpler. We’ve added HTTPS configuration directly into the installer wizard, taking care of much of the manual command entry and configuration file editing that was previously a big pain point. Alternatively, outside of the installer, we have new scripts that do the same thing, in case you want to configure HTTPS post-installation.

We hope this streamlines the majority of deployments and makes getting started with HTTPS a lot smoother. If you have ideas for further enhancements, feel free to start a new idea — we’d love to hear what would help most.

Thanks to everyone who supported this idea — your feedback helped shape this improvement!