Configuring Developer VM for SSL
SSL configuration example for Developer VM with ATG 10/Weblogic 10/Spindrift Site Builder
1) Open a standard Windows command prompt (cmd.exe).
2) Environment variables
To be able to generate the new certificate we first set two environment variables:
SET WL_HOME=C:\dev\Cosmote_ro\wl\wls103
SET CLASSPATH=%WL_HOME%\server\lib\weblogic.jar
3) Remove expired certificate
Our VMs have a keystore at C:/dev/Cosmote_ro/certs/rtc.keystore that contains a rather old certificate.
So the first step is to check that certificate and remove it if it has already expired.
To list the certificates in the keystore, run:
keytool -list -keystore C:/dev/Cosmote_ro/certs/rtc.keystore -storepass weblogic -v
Remove the certificate if it has expired (if your VM uses a certificate with a different alias, change the alias accordingly):
keytool -delete -alias rtc -keystore C:/dev/Cosmote_ro/certs/rtc.keystore -storepass weblogic
4) Generate a new key pair with a self-signed certificate and put it in the keystore:
keytool -genkey -v -alias rtc -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -dname "CN=wls-sysadm" -keypass weblogic -validity 3650 -keystore C:/dev/Cosmote_ro/certs/rtc.keystore -storepass weblogic
Use SHA256withRSA as the signature algorithm, not MD5withRSA: MD5 signatures are rejected by current browsers and by newer JDKs (MD5 is on the jdk.certpath.disabledAlgorithms list), so an MD5-signed certificate will not even get you to the "accept the risk" dialog. Note also that the subject CN (wls-sysadm) will not match the VM IP or hostname you browse to, which is one more reason for the browser warning in step 7; put the hostname in the CN if you want a clean match.
5) Make the newly generated certificate trusted
Now we add the same newly generated certificate to the keystore a second time, as a trusted entry under a different alias.
For that we first export the certificate from the keystore:
keytool -export -alias rtc -file rtc_cert -keystore C:/dev/Cosmote_ro/certs/rtc.keystore -storepass weblogic
Then we import this certificate as a trusted entry back into the same keystore:
keytool -import -trustcacerts -alias rootcacert -file rtc_cert -keystore C:/dev/Cosmote_ro/certs/rtc.keystore -storepass weblogic
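Steps 3 to 5 leave you reading `keytool -list -v` output by eye to decide which alias is expired and to confirm the new key was not signed with MD5withRSA. The script below, an added example for this page and not code from the original post or from ATG/WebLogic, does that audit: it parses the listing, reports per alias the expiry date and signature algorithm, and flags expired, soon-expiring and weakly signed entries. It assumes keytool is on the PATH and prints its English-locale output ("Alias name:", "Valid from: ... until: ...", "Signature algorithm name:"); the listing embedded at the bottom is constructed for the self-test, not captured from a real VM.

```python
"""Audit the entries of a JKS keystore from `keytool -list -v` output.

Added example for this page (not the post's own code). Assumes keytool is
on PATH and prints English-locale output; SAMPLE_LISTING is constructed.
"""
import re
import subprocess
import sys
from datetime import datetime, timedelta

# Signature algorithms that current browsers and JDK certpath checks reject.
WEAK_SIGALGS = {"MD2withRSA", "MD5withRSA", "SHA1withRSA", "SHA1withDSA"}

_ALIAS = re.compile(r"^Alias name:\s*(.+?)\s*$", re.M)
_UNTIL = re.compile(r"^Valid from:.*?until:\s*(.+?)\s*$", re.M)
_SIGALG = re.compile(r"^\s*Signature algorithm name:\s*(\S+)", re.M)


def parse_keytool_date(text):
    """Parse keytool's 'Sun Jan 02 10:00:00 EET 2022'. The zone token is
    dropped: it is whatever the VM's local zone is, and strptime's %Z only
    understands a handful of names."""
    _dow, mon, day, clock, _zone, year = text.split()
    return datetime.strptime(f"{mon} {day} {clock} {year}", "%b %d %H:%M:%S %Y")


def parse_listing(listing):
    """Split `keytool -list -v` output into one record per alias. For a
    PrivateKeyEntry with a chain, the first Valid/Signature lines belong to
    Certificate[1], the leaf, which is what the server presents."""
    entries = []
    for chunk in re.split(r"(?m)^(?=Alias name:)", listing)[1:]:
        until = _UNTIL.search(chunk)
        sigalg = _SIGALG.search(chunk)
        entries.append({
            "alias": _ALIAS.search(chunk).group(1),
            "not_after": parse_keytool_date(until.group(1)) if until else None,
            "sigalg": sigalg.group(1) if sigalg else None,
        })
    return entries


def audit(entries, now=None, warn_days=30):
    """Map alias -> list of problems ('expired', 'expiring', 'weak-sigalg',
    'no-validity'), or ['ok'] when the entry is fine."""
    now = now or datetime.now()
    findings = {}
    for entry in entries:
        problems = []
        if entry["not_after"] is None:
            problems.append("no-validity")
        elif entry["not_after"] < now:
            problems.append("expired")
        elif entry["not_after"] - now < timedelta(days=warn_days):
            problems.append("expiring")
        if entry["sigalg"] in WEAK_SIGALGS:
            problems.append("weak-sigalg")
        findings[entry["alias"]] = problems or ["ok"]
    return findings


def list_keystore(path, storepass):
    """Run keytool exactly as in step 3 and return its output."""
    cmd = ["keytool", "-list", "-v", "-keystore", path, "-storepass", storepass]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


# Constructed listing: the old MD5-signed 'rtc' key the page says to remove,
# plus a healthy trusted entry, in the layout keytool -list -v prints.
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: rtc
Creation date: Jan 5, 2012
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=wls-sysadm
Issuer: CN=wls-sysadm
Serial number: 4f05a1b2
Valid from: Thu Jan 05 10:00:00 EET 2012 until: Sun Jan 02 10:00:00 EET 2022
Certificate fingerprints:
\t SHA1: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
\t Signature algorithm name: MD5withRSA
\t Version: 3


*******************************************
*******************************************


Alias name: rootcacert
Creation date: Jan 1, 2024
Entry type: trustedCertEntry

Owner: CN=wls-sysadm
Issuer: CN=wls-sysadm
Serial number: 65927a10
Valid from: Mon Jan 01 12:00:00 EET 2024 until: Thu Dec 29 12:00:00 EET 2033
Certificate fingerprints:
\t SHA1: FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:33:22:11:00
\t Signature algorithm name: SHA256withRSA
\t Version: 3
"""


def main(argv):
    if len(argv) == 3:
        listing = list_keystore(argv[1], argv[2])   # <keystore path> <storepass>
    else:
        listing = SAMPLE_LISTING
    for alias, problems in audit(parse_listing(listing)).items():
        print(f"{alias}: {', '.join(problems)}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python audit_keystore.py C:/dev/Cosmote_ro/certs/rtc.keystore weblogic` before step 3 to see which alias to delete, and again after step 5 to confirm both `rtc` and `rootcacert` come back as `ok`. Without arguments it runs over the constructed listing. The keystore password still appears on the command line, exactly as in the page's own keytool commands; that is acceptable on a throwaway dev VM and nowhere else.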
6) Weblogic 10 configuration
In the Weblogic admin console open Environment > Servers > CosmoteStore-weblogic-prod, tab Configuration, subtab Keystores, and set:
Keystores: Custom Identity and Java Standard Trust
Custom Identity Keystore: C:/dev/Cosmote_ro/certs/rtc.keystore
Custom Identity Keystore Type: JKS
Custom Identity Keystore Passphrase: weblogic
Confirm Custom Identity Keystore Passphrase: weblogic
Save the changes with the "Save" button.
Now switch to "SSL" subtab:
Identity and Trust Locations: Keystores
Private Key Alias: rtc
Private Key Passphrase: weblogic
Confirm Private Key Passphrase: weblogic
Save the changes.
Then switch to "General" subtab and set:
SSL Listen Port: 8443
Make sure checkbox "SSL Listen Port Enabled" is checked.
Save your changes.
7) ATG 10 & SiteBuilder configuration
The configuration below applies to an EAR built in development mode.
Since SSLv3 is considered insecure by browsers, we change the protocol in atg\dynamo\security\BasicSSLConfiguration.
BasicSSLConfiguration also refers to an expired ATG certificate in the atg-sample-keystore.jks keystore.
We will not generate another key but reuse the key we generated above.
So we create a properties file that overrides these values:
c:\dev\Cosmote_ro\ATG\ATG10.1.2\home\servers\CosmoteStore-prod\localconfig\atg\dynamo\security\BasicSSLConfiguration.properties
Put inside the file:
secureSocketProtocol=TLS
keyManagerAlgorithm=SunX509
keyStore=C:/dev/Cosmote_ro/certs/rtc.keystore
keyStoreType=JKS
keyStorePassword=weblogic
After these changes the atg/dynamo/server/HttpsServer component will be able to create a secure SSL socket through /atg/dynamo/service/socket/SSLServerSocketFactory.
Now we also disable the default behaviour of SiteBuilderRequestServlet. By default it checks whether each page should be served over the secure or the non-secure protocol and redirects accordingly.
Since all pages are now served over the secure protocol, we simply disable this to avoid a redirect loop.
Create the following properties file:
c:\dev\Cosmote_ro\ATG\ATG10.1.2\home\servers\CosmoteStore-prod\localconfig\spindrift\sitebuilder\SiteBuilderConfiguration.properties
Put inside the file:
enableSslRedirects=false
Restart the CosmoteStore-weblogic-prod server and try to access the storefront through your VM IP (or network hostname) on port 8443:
https://<VM IP>:8443
The first time you will see a browser warning, since the certificate is self-signed.
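The browser warning tells you only that the certificate is untrusted; it does not tell you that the listener serves the key from step 4 rather than the old one, nor which protocol it negotiates. The script below, an added example for this page and not code from the original post or from WebLogic/ATG, checks that from a client: it trusts only the rtc_cert file exported in step 5 (DER, as keytool -export writes it) so the handshake succeeds only if the server presents exactly that self-signed certificate, then reports the negotiated protocol and cipher and whether the certificate's name matches the host you dialled. It assumes host, port and the path to rtc_cert are passed on the command line; SAMPLE_CERT is a constructed dict in the shape ssl.SSLSocket.getpeercert() returns, used only by the self-test.

```python
"""Probe the Weblogic SSL listener with the exported certificate pinned.

Added example for this page (not the post's own code). Assumes host, port and
the path to the exported rtc_cert are given on the command line.
"""
import socket
import ssl
import sys

INSECURE_PROTOCOLS = {"SSLv2", "SSLv3"}        # refused by browsers (POODLE)
DEPRECATED_PROTOCOLS = {"TLSv1", "TLSv1.1"}    # all an old JDK 6 stack offers


def names_in_cert(cert):
    """Names a client will match against: SAN DNS/IP entries, then the subject
    CN (which is all that `keytool -dname CN=wls-sysadm` puts in)."""
    names = [value for kind, value in cert.get("subjectAltName", ())
             if kind in ("DNS", "IP Address")]
    for rdn in cert.get("subject", ()):
        names.extend(value for key, value in rdn if key == "commonName")
    return names


def hostname_matches(cert, host):
    """True when host appears in the certificate; a wildcard covers only the
    left-most label, as browsers apply it."""
    host = host.lower()
    for name in names_in_cert(cert):
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def assess(version, cert, host):
    """Findings for one handshake result; ['ok'] when nothing is wrong."""
    findings = []
    if version in INSECURE_PROTOCOLS:
        findings.append(f"insecure protocol {version}")
    elif version in DEPRECATED_PROTOCOLS:
        findings.append(f"deprecated protocol {version}")
    if not hostname_matches(cert, host):
        findings.append("certificate name does not match host (browser warning)")
    return findings or ["ok"]


def probe(host, port, pinned_der):
    """Handshake with host:port trusting only pinned_der (the exported rtc_cert);
    returns (negotiated version, cipher name, peer certificate dict)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # CN=wls-sysadm will not match the VM IP
    ctx.verify_mode = ssl.CERT_REQUIRED  # but the chain must be the pinned cert
    ctx.load_verify_locations(cadata=pinned_der)
    ctx.minimum_version = ssl.TLSVersion.TLSv1   # let an old server show what it has
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0], tls.getpeercert()


# Constructed: what getpeercert() returns for the step-4 certificate (no SAN).
SAMPLE_CERT = {
    "subject": ((("commonName", "wls-sysadm"),),),
    "issuer": ((("commonName", "wls-sysadm"),),),
    "notAfter": "Jan  2 10:00:00 2022 GMT",
}


def main(argv):
    if len(argv) != 4:
        print(f"usage: {argv[0]} <vm-ip-or-host> <port> <path-to-rtc_cert>")
        print("self-test:", assess("TLSv1.2", SAMPLE_CERT, "192.168.56.10"))
        return
    host, port = argv[1], int(argv[2])
    with open(argv[3], "rb") as f:
        version, cipher, cert = probe(host, port, f.read())
    print(f"negotiated {version} with {cipher}")
    for finding in assess(version, cert, host):
        print(finding)


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python probe_ssl.py <VM IP> 8443 C:\path\to\rtc_cert`. A certificate verify error means the listener is not presenting the key from step 4 (check the Private Key Alias in the SSL subtab); a protocol or cipher error from a modern client means the listener only offers what current OpenSSL security levels and browsers no longer accept, which is itself the finding. Expiry needs no separate check here: with CERT_REQUIRED the handshake fails on an expired certificate.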
8) Optional steps
Once the secure port works, we can disable the insecure port in the Weblogic admin console.
Open Environment > Servers > CosmoteStore-weblogic-prod, tab Configuration, subtab General and uncheck "Listen Port Enabled". Do this only after the SSL port has been verified: if this server also hosts the admin console, the console will from then on be reachable only over the SSL port.
We can also force Weblogic to serve all connections to our ATG application over the secure protocol.
To do so, put the following XML fragment into CosmoteStorefront.war\WEB-INF\web.xml under the web-app tag:
<security-constraint>
<web-resource-collection>
<web-resource-name>SecureResource</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
Rebuild and restart the production server if necessary.
A Windows command file that generates the SSL certificate and also writes the BasicSSLConfiguration.properties and SiteBuilderConfiguration.properties files is attached.