11.3. HTTPS configuration

By default, eXo Platform runs in HTTP mode. For security, you can configure it to run in HTTPS mode instead. This section explains how to configure HTTPS mode.

Generating your key

If you do not have your own X.509 certificate, you can generate a simple self-signed certificate with the keytool command:

keytool -genkey -alias serverkeys -keyalg RSA -keystore server.keystore -storepass 123456 -keypass 123456 -dname "CN=localhost, OU=MYOU, O=MYORG, L=MYCITY, ST=MYSTATE, C=MY"

Now, your key is stored in server.keystore.

You need to import your key into the Sun JDK keystore (this is required for the gadget features to work):

keytool -importkeystore -srckeystore server.keystore -destkeystore $JAVA_HOME/jre/lib/security/cacerts

Note

On Mac OS X, the cacerts file is located at $JAVA_HOME/lib/security/cacerts.

Also, because the Sun JDK keystore uses a different password from the one you gave your key in the first step, you have to change the key password to match the keystore password (the default JDK keystore password may be 'changeit'):

keytool -keypasswd -alias serverkeys -keystore $JAVA_HOME/jre/lib/security/cacerts
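The three keytool steps above, collected into one script. This is an added example, not a script shipped with eXo Platform: it assumes keytool is on PATH, that JAVA_HOME points at the JDK the server runs on, and that the key is imported into that JDK's cacerts as described above. The passwords default to the values used in the steps above and can be overridden through the environment; cacerts_path() resolves the Note above about the differing cacerts location instead of hard-coding one path.

```shell
#!/bin/sh
# Added example, not a script shipped with eXo Platform: the key-generation and
# import steps above as one reproducible script. Assumes keytool is on PATH and
# JAVA_HOME points at the JDK the server runs on.

STORE_PASS=${STORE_PASS:-123456}          # password of server.keystore (as in the step above)
KEY_PASS=${KEY_PASS:-123456}              # password of the private key inside it
CACERTS_PASS=${CACERTS_PASS:-changeit}    # JDK truststore password; 'changeit' is the JDK default

# Locate the JDK truststore: older Linux JDKs keep it under jre/lib/security,
# Mac OS X JDKs (see the Note above) and JDK 9+ keep it under lib/security.
cacerts_path() {
    for candidate in "$1/jre/lib/security/cacerts" "$1/lib/security/cacerts"; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    echo "cacerts not found under $1" >&2
    return 1
}

# Step 1: generate a self-signed RSA key pair into server.keystore.
# -genkeypair is the current name of the -genkey command used above.
generate_server_key() {
    keytool -genkeypair -alias serverkeys -keyalg RSA -keysize 2048 \
        -keystore server.keystore -storepass "$STORE_PASS" -keypass "$KEY_PASS" \
        -dname "CN=localhost, OU=MYOU, O=MYORG, L=MYCITY, ST=MYSTATE, C=MY"
}

# Step 2: import the key into cacerts, align the key password with the
# truststore password (the step above), then confirm the alias is present.
import_into_cacerts() {
    cacerts=$(cacerts_path "$JAVA_HOME") || return 1
    keytool -importkeystore -srckeystore server.keystore -srcstorepass "$STORE_PASS" \
        -srcalias serverkeys -srckeypass "$KEY_PASS" \
        -destkeystore "$cacerts" -deststorepass "$CACERTS_PASS" &&
    keytool -keypasswd -alias serverkeys -keystore "$cacerts" -storepass "$CACERTS_PASS" \
        -keypass "$KEY_PASS" -new "$CACERTS_PASS" &&
    keytool -list -alias serverkeys -keystore "$cacerts" -storepass "$CACERTS_PASS"
}

# Run the whole procedure only when invoked as: sh this_script.sh run
if [ "${1:-}" = run ]; then
    generate_server_key && import_into_cacerts
fi
```

The final `keytool -list` is the check worth keeping: if the alias is missing from the truststore the connector configured in the next sections will fail to start, and this is the point at which the mistake is cheapest to find.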

Setting up JBoss configuration to use your key

  1. Edit the $PLATFORM_JBOSS_HOME/standalone/configuration/standalone-exo.xml file by adding an https connector to the web subsystem configuration (change certificate-key-file and password to the values appropriate for your keystore; the example assumes the keystore password is 'changeit'):

    <subsystem xmlns="urn:jboss:domain:web:1.5" default-virtual-server="default-host" native="false">
        ...
        <connector name="https" protocol="HTTP/1.1" socket-binding="https" scheme="https" secure="true">
            <ssl name="https" key-alias="serverkeys" password="changeit" certificate-key-file="${java.home}/lib/security/cacerts"/>
        </connector>
        ...
    </subsystem>
  2. Access the portal by going to https://localhost:8443/portal.

Setting up Tomcat configuration to use your key

  1. Edit the $PLATFORM_TOMCAT_HOME/conf/server.xml file by commenting out the following lines:

    <Connector address="0.0.0.0" port="8080" protocol="org.apache.coyote.http11.Http11NioProtocol"
               enableLookups="false" redirectPort="8443"
               connectionTimeout="20000" disableUploadTimeout="true"
               URIEncoding="UTF-8"
               compression="off" compressionMinSize="2048"
               noCompressionUserAgents=".*MSIE 6.*" compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript" />
  2. Uncomment the following lines and add the keystoreFile and keystorePass values:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="${java.home}/lib/security/cacerts"
               keystorePass="changeit"/>
  3. Restart the server. If your configuration is correct, you can access the portal at https://<ServerAddress>:8443/portal.
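A sanity check to run before restarting, covering both the JBoss standalone-exo.xml fragment and the Tomcat server.xml fragment above. This is an added example and not part of eXo Platform; it assumes the element layout of those two fragments (a Tomcat <Connector> carrying SSLEnabled and keystoreFile itself, a JBoss <connector> with a nested <ssl/>). It strips XML comments first, so a connector that was left commented out in step 2 is reported rather than silently accepted, and it warns when the keystore password is still the default JDK cacerts password.

```shell
#!/bin/sh
# Added example, not part of eXo Platform: a post-edit sanity check for the
# HTTPS connector in the Tomcat server.xml form and the JBoss web-subsystem
# form shown above. Assumes the element layout of those fragments.

# Split FILE into one XML tag per line, with comments removed first so that a
# connector that is still commented out is not mistaken for a live one.
xml_tags() {
    tr '\n' ' ' < "$1" \
      | awk '{ gsub(/<!--([^-]|-[^-])*-->/, ""); print }' \
      | tr '<' '\n'
}

# Return 0 if FILE has a live connector with scheme="https", secure="true" and
# a keystore reference (keystoreFile for Tomcat, a nested <ssl/> for JBoss);
# warn if the keystore password is still the well-known JDK cacerts default.
check_https_connector() {
    tags=$(xml_tags "$1")
    conn=$(printf '%s\n' "$tags" | grep -i '^connector ' | grep 'scheme="https"' | head -n 1)
    [ -n "$conn" ] || { echo 'no live HTTPS connector found (still commented out?)'; return 1; }
    case "$conn" in
        *'secure="true"'*) ;;
        *) echo 'HTTPS connector lacks secure="true"'; return 1 ;;
    esac
    case "$conn" in
        Connector*)     # Tomcat: TLS settings sit on the connector itself
            for required in 'SSLEnabled="true"' 'keystoreFile='; do
                case "$conn" in
                    *"$required"*) ;;
                    *) echo "Tomcat connector lacks $required"; return 1 ;;
                esac
            done
            pass_attr=keystorePass ;;
        connector*)     # JBoss: TLS settings sit in the nested <ssl/> element
            conn=$(printf '%s\n' "$tags" | grep '^ssl ' | grep 'certificate-key-file=' | head -n 1)
            [ -n "$conn" ] || { echo 'JBoss connector lacks an <ssl certificate-key-file=.../> child'; return 1; }
            pass_attr=password ;;
    esac
    case "$conn" in
        *"$pass_attr=\"changeit\""*) echo "warning: $pass_attr is the default JDK cacerts password" ;;
    esac
    return 0
}

# Constructed sample: the Tomcat server.xml as the steps above leave it.
write_tomcat_sample() {
    cat > "$1" <<'EOF'
<Server><Service name="Catalina">
    <!--
    <Connector address="0.0.0.0" port="8080" protocol="org.apache.coyote.http11.Http11NioProtocol"
    enableLookups="false" redirectPort="8443" connectionTimeout="20000" />
    -->
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS"
    keystoreFile="${java.home}/lib/security/cacerts"
    keystorePass="changeit"/>
</Service></Server>
EOF
}

# Constructed sample: the JBoss web subsystem with the https connector added.
write_jboss_sample() {
    cat > "$1" <<'EOF'
<subsystem xmlns="urn:jboss:domain:web:1.5" default-virtual-server="default-host" native="false">
    <connector name="http" protocol="HTTP/1.1" socket-binding="http"/>
    <connector name="https" protocol="HTTP/1.1" socket-binding="https" scheme="https" secure="true">
        <ssl name="https" key-alias="serverkeys" password="changeit" certificate-key-file="${java.home}/lib/security/cacerts"/>
    </connector>
</subsystem>
EOF
}

# Usage: sh check_https.sh /path/to/server.xml  (or standalone-exo.xml)
if [ -n "${1:-}" ]; then
    check_https_connector "$1"
fi
```

The check is deliberately text-based so it runs with nothing but sh, awk and grep; the comment-stripping regex relies on the XML rule that a comment body never contains "--", which is what lets it stop at the right "-->".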

Copyright ©. All rights reserved. eXo Platform SAS