
3.2 – HTTPS and WSS (WebSocket secure connection)

  • Set ssl=true in the gateway.conf file.
  • Set your port to your desired SSL port, like 443: port=443
  • Import your SSL certificate into a Java keystore. Check with your certificate issuer for how to buy and import a certificate for a Java application server.
  • Set up keyStore and keyStorePassword in gateway.conf:
  • Java 1.8 is recommended; it supports more and better cipher suites.
  • Java 1.8 supports the PKCS12 key store, so it's better to use the PKCS12 format directly.
  • A self-signed certificate may not work in some cases.
  • You can have multiple certificates in the Java key store, but Java will always use the first one by default.
  • Disable SSLv3: set sslProtocols = SSLv2Hello,TLSv1 in gateway.conf and restart. You can also add TLSv1.1 and TLSv1.2 to it for Java 8.
  • You can expand the DH key size to 2048 in Java 8 by adding this Java option: -Djdk.tls.ephemeralDHKeySize=2048
  • You can choose the cipher suites you want to use by setting cipherSuites in gateway.conf. You'll need to install Java Cryptography Extension (JCE) to support all the cipher suites:

    Recommended cipher suites for Java 11:
    cipherSuites =

    Recommended cipher suites for Java 8:
    cipherSuites =

Set up a Let’s Encrypt certificate:

  1. Apply for the certificate from Let’s Encrypt and you’ll get the certificate files: cert.pem, privkey.pem, chain.pem, etc. in /etc/letsencrypt/live/yourDomain/.
  2. openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out cert_and_key.p12 -name spark -CAfile chain.pem -caname anyFriendlyName
  3. Add the following entries in gateway.conf:
    keyStorePassword = yourExportPasswordInStep3
    ssl = true
    port = 443
  4. Restart the gateway.

Renew and update the certificate automatically:

Create a cron job to check and update the certificate every day at 2:30 AM (crontab -e):

30 2 * * * certbot renew --post-hook "sh /etc/letsencrypt/live/"

cd /etc/letsencrypt/live/domain/
openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out cert_and_key.p12 -name spark -CAfile chain.pem -caname startme -passout pass:mypassword
systemctl stop SparkGateway
systemctl start SparkGateway
exit 0
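
A hardened variant of the post-hook script above, as an added example that is not the vendor's own script: it reads the export password from a file instead of the command line, builds the keystore in a temporary file, verifies it, and restarts the gateway only if the rebuild succeeded. The password file path and the convention of passing the live directory as the first argument are assumptions.

```shell
#!/bin/sh
# Added example: certbot post-hook that rebuilds the PKCS12 keystore safely.
# Assumptions (not from the page): PASSFILE path, live directory passed as $1.
PASSFILE="${PASSFILE:-/etc/sparkgateway/keystore.pass}"  # hypothetical, mode 600

# build_keystore LIVE_DIR PASSFILE
# Writes LIVE_DIR/cert_and_key.p12. On any failure the existing keystore is
# left untouched and a non-zero status is returned.
build_keystore() {
    live=$1
    pass=$2
    old_umask=$(umask)
    umask 077                                   # keystore holds the private key
    tmp=$(mktemp "$live/.p12.XXXXXX") || { umask "$old_umask"; return 1; }
    rc=0
    # Same export as the page's script, but the password comes from a file
    # (-passout file:) so it never appears in the process list. The second
    # openssl call confirms the new file opens with that password; only then
    # is it renamed over the keystore the gateway reads.
    openssl pkcs12 -export -in "$live/cert.pem" -inkey "$live/privkey.pem" \
        -out "$tmp" -name spark -CAfile "$live/chain.pem" -caname startme \
        -passout "file:$pass" &&
    openssl pkcs12 -in "$tmp" -noout -passin "file:$pass" &&
    mv -f "$tmp" "$live/cert_and_key.p12" || rc=1
    [ "$rc" -eq 0 ] || rm -f "$tmp"
    umask "$old_umask"
    return "$rc"
}

main() {
    if build_keystore "$1" "$PASSFILE"; then
        systemctl restart SparkGateway
    else
        echo "keystore rebuild failed; SparkGateway left running" >&2
        return 1
    fi
}

# Runs only when a live directory is given, e.g. from the cron post-hook.
if [ "$#" -ge 1 ]; then main "$@"; fi
```

If the export or the verification fails, the gateway keeps serving the previous keystore rather than restarting into a broken one.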