Applying an SSL Certificate to Percussion CMS
Choose one of the topics below to learn more about applying an SSL Certificate to CM1:
Setting Up a Certificate from a Certificate Authority
Create Your Own Self-Signed Certificate
Setting Up a Certificate from a Certificate Authority
Place your keystore file (public/private key pair) and certificate file in the directory {installation root}/AppServer/server/rx/conf/.
a) Edit the file {installation root}/AppServer/server/rx/deploy/jboss-web.deployer/server.xml.
b) Add an SSL <Connector> as follows:
<Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="100"
    address="${jboss.bind.address}" connectionTimeout="20000"
    disableUploadTimeout="true" emptySessionPath="true" enableLookups="false"
    keystoreFile="${jboss.server.home.dir}/conf/Percussion.keystore"
    keystorePass="mypassword"
    maxHttpHeaderSize="8192" maxSpareThreads="75" maxThreads="250" minSpareThreads="25"
    port="9991" scheme="https" secure="true" sslProtocol="TLS"
    protocols="TLSv1,TLSv1.1,TLSv1.2"
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"/>
The attributes to set for your environment are:
- keystoreFile="${jboss.server.home.dir}/conf/Percussion.keystore" is the path to your keystore file. The variable ${jboss.server.home.dir} is the path to the CM1 installation root directory.
- keystorePass="mypassword" is the keystore password.
- port="9991" is the chosen SSL port.
c) Save the file.
d) Import your certificate into the CM1 JRE Keystore: Open a terminal window, change to the {CM1 installation root}\JRE\bin directory and run the following command:
keytool -import -noprompt -trustcacerts -alias <keystoreentryalias> -storepass changeit -file <public certificatefilename> -keystore <JREkeystore>
Example:
keytool -import -noprompt -trustcacerts -alias Percussion -storepass changeit -file ..\..\AppServer\server\rx\conf\Percussion.cert -keystore ..\lib\security\cacerts
e) Restart CM1 for the changes to take effect.
Ensure that you can log in through the https protocol and your SSL port. You may need to re-configure your Dashboard gadgets (edit settings) the first time that you log in via SSL if you previously logged in via the http protocol.
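The following Python check is an added example, not part of the Percussion documentation or product. It parses a server.xml and reports, for each SSL-enabled <Connector> like the one in step b, protocol versions deprecated by RFC 8996, cipher suites without forward secrecy, and a keystorePass left at one of this page's example values. The function names and the embedded sample are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the Connector from step b, trimmed to the attributes checked here.
SAMPLE = '''<Server><Service name="jboss.web">
<Connector SSLEnabled="true" port="9991" scheme="https" secure="true"
  keystoreFile="${jboss.server.home.dir}/conf/Percussion.keystore"
  keystorePass="mypassword" sslProtocol="TLS"
  protocols="TLSv1,TLSv1.1,TLSv1.2"
  ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"/>
</Service></Server>'''

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # TLS 1.0/1.1: RFC 8996
EXAMPLE_PASSWORDS = {"mypassword", "changeit"}  # values used in this page's examples


def split_list(value):
    """Split a comma-separated attribute value, ignoring blanks."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]


def audit_connector(conn):
    """Return a list of findings for one SSL-enabled <Connector> element."""
    findings = []
    port = conn.get("port", "?")
    protocols = split_list(conn.get("protocols"))
    if not protocols:
        findings.append(f"port {port}: protocols attribute not set")
    for proto in protocols:
        if proto in DEPRECATED_PROTOCOLS:
            findings.append(f"port {port}: deprecated protocol {proto}")
    for suite in split_list(conn.get("ciphers")):
        if suite.startswith("TLS_RSA_"):  # static RSA key exchange
            findings.append(f"port {port}: no forward secrecy: {suite}")
    if conn.get("keystorePass") in EXAMPLE_PASSWORDS:
        findings.append(f"port {port}: keystorePass is a documentation example value")
    return findings


def audit_server_xml(xml_text):
    """Audit every Connector with SSLEnabled="true" in a server.xml document."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "").lower() == "true":
            findings.extend(audit_connector(conn))
    return findings


if __name__ == "__main__":
    for line in audit_server_xml(SAMPLE):
        print(line)
```

To audit a real installation, pass the contents of the server.xml edited in step a to audit_server_xml.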
Create Your Own Self-Signed Certificate
1) Open a terminal window and change directory to {CM1 installation root}/JRE/bin.
2) Create a public/private key pair:
keytool -genkey -alias <keystoreentryalias> -keyalg RSA -dname "CN=<CM1 server hostname>,OU=<organizationalunit>,O=<organization>,L=<location>,S=<state>,C=<country>" -keypass <keypassword> -storepass <storepassword> -keystore <keystorefilename> -validity <number_of_days>
Example:
keytool -genkey -alias Percussion -keyalg RSA -dname "CN=Win2003,OU=My Department,O=MyOrg,L=MyCity,S=MyState,C=US" -keypass mypassword -storepass mypassword -keystore ..\..\AppServer\server\rx\conf\Percussion.keystore -validity 1825
NOTE: Key password must be at least 6 characters.
3) Create self-signed certificate:
keytool -selfcert -alias <keystoreentryalias> -keyalg RSA -dname "CN=<CM1 server hostname>,OU=<organizationalunit>,O=<organization>,L=<location>,S=<state>,C=<country>" -keypass <keypassword> -storepass <storepassword> -keystore <keystorefilename> -validity <number_of_days>
Example:
keytool -selfcert -alias Percussion -keyalg RSA -dname "CN=Win2003,OU=My Department,O=MyCompany,L=MyCity,S=MyState,C=US" -keypass mypassword -storepass mypassword -keystore ..\..\AppServer\server\rx\conf\Percussion.keystore -validity 1825
4) Save the certificate to a public file (distributable):
keytool -export -alias <keystoreentryalias> -keypass <keypassword> -storepass <storepassword> -keystore <keystorefilename> -file <public certificatefilename>
Example:
keytool -export -alias Percussion -keypass mypassword -storepass mypassword -keystore ..\..\AppServer\server\rx\conf\Percussion.keystore -file ..\..\AppServer\server\rx\conf\Percussion.cert