Showing posts with label AEM with SSL.

Apache Felix Jetty Based Http Service configuration file Location in AEM 6.3

Statement :
                 In a cluster environment, the port number in the Apache Felix Jetty Based Http Service has by mistake been changed to a port other than the one on which the instances are running.

Pre-requisite :
                 - AEM servers running on port : 8080
                 - The port of one of the servers in the cluster has been changed to 4502.

Risk Mitigation :
  • Edit the properties of the Apache Felix Jetty Based Http Service file in the below path for each server:
                             \crx-quickstart\launchpad\config\org\apache\felix\http

  • Jetty file location path:

  • Edit the configuration file to revert back to the original port number.

  • Re-start the AEM instances one by one.
  • That's it!
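Added example (not part of the original post): a small POSIX shell helper that reads and resets the HTTP port stored in the Apache Felix Jetty Based Http Service configuration file, and audits every instance of a cluster against the expected port. It is useful here because once the port is wrong the Felix console of that instance is unreachable, so the file has to be corrected on disk. The file name `http.config` under the path given above and the Felix ConfigAdmin line format `org.osgi.service.http.port=I"8080"` (the `I` marks an Integer value) are assumptions of this example; the sed pattern also accepts a plain `"8080"` value.

```shell
# Added example, not the blog's own script. Assumed layout of the persisted
# Apache Felix Jetty Based Http Service configuration inside an AEM instance:
#   <instance>/crx-quickstart/launchpad/config/org/apache/felix/http.config
# with the port line in Felix ConfigAdmin file format:
#   org.osgi.service.http.port=I"8080"
FELIX_HTTP_CFG="crx-quickstart/launchpad/config/org/apache/felix/http.config"

# Print the port currently stored in one config file; fails if no port line exists.
felix_http_port() {
    sed -nE 's/^org\.osgi\.service\.http\.port=[A-Za-z]?"([0-9]+)".*/\1/p' "$1" | grep .
}

# Rewrite the port in a config file in place, keeping a timestamped backup.
set_felix_http_port() {
    cfg="$1"; port="$2"
    case "$port" in ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1;; esac
    felix_http_port "$cfg" >/dev/null || { echo "no port line in $cfg" >&2; return 1; }
    cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)" || return 1
    tmp="$cfg.tmp.$$"
    sed -E "s/^(org\.osgi\.service\.http\.port=[A-Za-z]?\")[0-9]+(\")/\1$port\2/" "$cfg" > "$tmp" \
        && mv "$tmp" "$cfg"
}

# Audit: for every instance directory given, report whether the stored port matches
# the expected one. Returns 1 if any instance deviates or has no readable config.
audit_http_ports() {
    expected="$1"; shift; rc=0
    for inst in "$@"; do
        cfg="$inst/$FELIX_HTTP_CFG"
        actual=$(felix_http_port "$cfg" 2>/dev/null) || { echo "$inst: no config"; rc=1; continue; }
        if [ "$actual" = "$expected" ]; then
            echo "$inst: OK ($actual)"
        else
            echo "$inst: MISMATCH (stored $actual, expected $expected)"; rc=1
        fi
    done
    return $rc
}

# Stand-alone usage: sh felix-port.sh audit 8080 /opt/aem/author1 /opt/aem/author2
#                    sh felix-port.sh set 8080 /opt/aem/author2
case "${1:-}" in
    audit) shift; audit_http_ports "$@" ;;
    set)   set_felix_http_port "$3/$FELIX_HTTP_CFG" "$2" ;;
esac
```

Run the audit first on all nodes, correct only the deviating instance with `set`, then restart the instances one by one as the post says; the `.bak.<timestamp>` copy lets you roll back if the file was edited by hand before.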

An Alternate way to setup SSL through Apache Felix Jetty Based Http Service

Statement: An Alternate way to setup SSL through Apache Felix Jetty Based Http Service

Pre-requisite:


  • JRE 1.8
  • AEM 6.3 up and running

Solution :

How to Generate the Keystore.jks Dev credentials:
  • open the command prompt
  • Enter the below command
  • D:\AEM 6.2\Author\ssl> keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass changeit -validity 360 -keysize 2048

 What is your first and last name?
  [Unknown]:  chandrashekar Naik
What is the name of your organizational unit?
  [Unknown]:  ABC
What is the name of your organization?
  [Unknown]:  ABC
What is the name of your City or Locality?
  [Unknown]:  singapore
What is the name of your State or Province?
  [Unknown]:  singapore
What is the two-letter country code for this unit?
  [Unknown]:  65
Is CN=chandra Naik, OU=ABC, O=ABC, L=singapore, ST=singapore, C=65 correct?
  [no]:  yes

Enter key password for - enter the password
        (RETURN if same as keystore password): enter password
Re-enter new password:
  • That's it: the keystore.jks file is generated under D:\AEM 6.2\Author\ssl
  • Now go to the Felix console - https://localhost:5443/system/console/configMgr
  • Search for Apache Felix Jetty Based Http Service
  • Open the Apache Felix Jetty Based Http Service and set:
    • Enable HTTPS = selected
    • HTTPS port = 5443
    • Path for keystore.jks = D:\AEM 6.2\Author\ssl (the keystore.jks file)
    • Password = the one used while generating the keystore.jks file

Configure Replication Agents to Use Secure URLs

Statement : Configure Replication Agents to Use Secure URLs.

Pre-Requisite :

  • Author is up and running on SSL port
  • Publisher is up and running on SSL port

Solution :

The following procedure configures the publish replication agent on the author instance.
Perform the procedure for all replication agents that you want to communicate over SSL.
  • Click Tools / Replication / Agents on author.
  • In the right-hand frame, right-click Default Agent and click Open.
  • Click Edit (below the Test Connection link) and then click the Transport tab.
  • In the URI box, change the URL so that it uses the HTTPS protocol and the port that you configured for SSL on the publish instance.
  • If you used a self-signed certificate to enable SSL on publish, select Enable Relaxed SSL.
  • Click OK.
  • Click Test Connection.



Forcing to Use SSL port in AEM Author 6.3

Statement : How to force the website to use the SSL port

Pre-requisite :

  • AEM up and running on the http port (Ex: 4502)
  • AEM up and running on the https port (Ex: 5443), SSL setup is done.

Solution :

Option 1: Force the entire website to use https

  • Go to the /etc/map folder (type sling:Folder)
  • Under /etc/map create an http node of type sling:Folder.
  • Create a node under /etc/map/http
    • Node name: localhost.4502
    • Node type: sling:Mapping
  • Add the below property to this localhost.4502 node:
    • Property name: sling:redirect   Type: String   Value: https://localhost:5443
  • Click Save All. That's it: all your website pages will now automatically open on the https domain.

Option 2: Force only a few pages or one specific page of the website to SSL

  • Go to the /etc/map folder (type sling:Folder)
  • Under /etc/map create an http node of type sling:Folder.
  • Create a node under /etc/map/http
    • Node name: localhost.4502
    • Node type: sling:Mapping
  • Add the below properties to this localhost.4502 node:
    • Property name: sling:redirect   Type: String   Value: https://localhost:5443
    • Property name: sling:match   Type: String   Value: aem/start.html

  Or
    • Property name: sling:match   Type: String   Value: content/geometrixx-outdoor/en/men/(.*).html
  • Click Save All. That's it: now only the page paths mentioned in the sling:match will be served through the https domain.

How to change SSL port number post the SSL setup

Statement : How do we change the SSL port number from 8443 to 5443

Pre-requisite :

  • Assuming the initial SSL setup was done on port 8443
  • Now change the SSL port to 5443
  • JRE 1.8

Solution :
  • Go to the Felix console https://localhost:8443/system/console/configMgr
  • Search for Granite SSL Connection Factory and open it.
  • Change the HTTPS port to 5443 instead of 8443.
  • Save the changes.
  • Open the URL with port 5443 - https://localhost:8443/system/console/configMgr --> click on Advanced --> localhost --> it will redirect to the Felix console.

Updating the SSL Configuration Via cURL

Statement : Updating the SSL Configuration Via cURL

Pre-requisite :
  • JRE 1.8
  • AEM 6.3
  • Assuming the privatekey.der and certificate.csr files have been generated using the RSA tool

Solution :
cURL command for the SSL setup:

curl -u user:password -F "keystorePassword=password" -F "keystorePasswordConfirm=password" -F "truststorePassword=password" -F "truststorePasswordConfirm=password" -F "privatekeyFile=@localhostprivate.der" -F "certificateFile=@localhost.crt" -F "httpsPort=8443" http://host:port/libs/granite/security/post/sslSetup.html

Note: run the above cURL command from the folder where the .DER and .CRT files are located; otherwise use the complete path to these files when running it from a different folder.
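Added example (not from the original post): a wrapper around the sslSetup.html call above that checks the .DER and .CRT paths before anything is sent, and hands the credentials and keystore passwords to curl through a mode-600 config file instead of the command line, because command-line arguments are visible to every local user in the process list and are kept in the shell history. Assumptions of this example: AEM listens on localhost:4502 unless AEM_HOST says otherwise, the user is `admin` unless AEM_USER is set, and the password comes from the AEM_PASS environment variable.

```shell
# Added example, not the blog's own command. Builds a curl config file (curl -K)
# carrying the same form fields as the post's command, so no password appears
# in `ps` output or shell history. Prints the path of the config file; the caller
# deletes it after the request.
build_ssl_setup_config() {
    pk="$1"; crt="$2"; https_port="$3"; ks_pw="$4"; ts_pw="$5"
    user="${AEM_USER:-admin}"
    [ -n "${AEM_PASS:-}" ] || { echo "AEM_PASS is not set" >&2; return 1; }
    # Fail early with a clear message instead of letting curl upload nothing.
    [ -r "$pk" ]  || { echo "private key (.DER) not found: $pk" >&2; return 1; }
    [ -r "$crt" ] || { echo "certificate (.CRT) not found: $crt" >&2; return 1; }
    cfg=$(mktemp) || return 1
    chmod 600 "$cfg"
    # curl config syntax: one "long-option = value" per line; form == -F
    cat > "$cfg" <<EOF
user = "$user:$AEM_PASS"
form = "keystorePassword=$ks_pw"
form = "keystorePasswordConfirm=$ks_pw"
form = "truststorePassword=$ts_pw"
form = "truststorePasswordConfirm=$ts_pw"
form = "privatekeyFile=@$pk"
form = "certificateFile=@$crt"
form = "httpsPort=$https_port"
EOF
    echo "$cfg"
}

# Usage: aem_ssl_setup <private.der> <cert.crt> <https_port> <keystore_pw> <truststore_pw>
# Posts the form to sslSetup.html on the http port and prints the HTTP status code.
aem_ssl_setup() {
    cfg=$(build_ssl_setup_config "$@") || return 1
    curl -sS -o /dev/null -w '%{http_code}\n' -K "$cfg" \
        "http://${AEM_HOST:-localhost:4502}/libs/granite/security/post/sslSetup.html"
    rc=$?
    rm -f "$cfg"
    return $rc
}

# Stand-alone usage:
#   AEM_PASS='...' sh ssl-setup-curl.sh run ./ssl/localhostprivate.der ./ssl/localhost.crt 8443 kspw tspw
if [ "${1:-}" = "run" ]; then
    shift; aem_ssl_setup "$@"
fi
```

A 200 status from sslSetup.html is the same result the post's one-liner gives; after the call, verify on https://localhost:8443 that the instance answers with the uploaded certificate, as the following post describes.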

SSL setup in AEM 6.3

Statement : Integration of SSL with AEM 6.3

Pre-requisite:

  • JRE 1.8
  • AEM 6.3 up and running

Solution :
  • Create a folder named ssl in the directory where the quickstart .jar file is located

Step 1 : Create a private key

D:\AEM 6.3\AEM 6.3 software\ssl>openssl genrsa -aes256 -out localhostprivate.key 4096
Generating RSA private key, 4096 bit long modulus
................................................................................
...........++
.++
e is 65537 (0x10001)
Enter pass phrase for localhostprivate.key:  <enter the password for private key>
Verifying - Enter pass phrase for localhostprivate.key: <enter the password for private key>

Step 2 : Generate a Certificate Signing Request (.csr) using the private key

D:\AEM 6.3\AEM 6.3 software\ssl>openssl req -sha256 -new -key localhostprivate.key -out localhost.csr -subj '/CN=localhost'
Enter pass phrase for localhostprivate.key:

Step 3 : Generate the SSL certificate and sign it with the private key. Expiry is set to one year.

D:\AEM 6.3\AEM 6.3 software\ssl>openssl x509 -req -days 365 -in localhost.csr -signkey localhostprivate.key -out localhost.crt
Signature ok
subject=/CN=localhost
Getting Private key
Enter pass phrase for localhostprivate.key:

Step 4 : Convert the private key to DER format - this format is required for the SSL setup in AEM

D:\AEM 6.3\AEM 6.3 software\ssl>openssl pkcs8 -topk8 -inform PEM -outform DER -in localhostprivate.key -out localhostprivate.der -nocrypt
Enter pass phrase for localhostprivate.key:

You must see the below files under the ssl folder:
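Added example (not from the original post): Steps 1 to 4 above as one non-interactive POSIX shell script, followed by the checks worth doing before the files are uploaded to AEM: the certificate's public key must match the PEM private key, the DER copy must decode to the same key, the certificate must carry the expected CN and must not be expired. It assumes the openssl command line tool (1.1 or 3.x) is on the PATH, takes the private-key passphrase from the KEY_PASS environment variable instead of the terminal, and writes the same four file names the post uses.

```shell
# Added example, not the blog's own commands. Requires: openssl on PATH,
# KEY_PASS set in the environment (passphrase for localhostprivate.key).
# Usage: generate_self_signed <out_dir> <cn> [key_bits] [days]
generate_self_signed() {
    out="$1"; cn="$2"; bits="${3:-4096}"; days="${4:-365}"
    [ -n "${KEY_PASS:-}" ] || { echo "KEY_PASS is not set" >&2; return 1; }
    export KEY_PASS
    mkdir -p "$out" || return 1
    # Step 1: AES-256 encrypted RSA private key; passphrase read from the environment
    openssl genrsa -aes256 -passout env:KEY_PASS -out "$out/localhostprivate.key" "$bits" 2>/dev/null || return 1
    # Step 2: CSR for CN=<cn>, SHA-256 signature
    openssl req -sha256 -new -key "$out/localhostprivate.key" -passin env:KEY_PASS \
        -out "$out/localhost.csr" -subj "/CN=$cn" || return 1
    # Step 3: self-signed certificate, valid for <days>
    openssl x509 -req -days "$days" -in "$out/localhost.csr" -signkey "$out/localhostprivate.key" \
        -passin env:KEY_PASS -out "$out/localhost.crt" 2>/dev/null || return 1
    # Step 4: unencrypted PKCS#8 DER copy of the key, which the AEM SSL wizard expects.
    # -nocrypt writes the key in clear, so restrict the file mode and delete the file
    # once the upload has been done.
    openssl pkcs8 -topk8 -inform PEM -outform DER -in "$out/localhostprivate.key" \
        -passin env:KEY_PASS -out "$out/localhostprivate.der" -nocrypt || return 1
    chmod 600 "$out/localhostprivate.der"
}

# Usage: verify_key_and_cert <out_dir> [cn]
# Returns 0 only when PEM key, DER key and certificate carry the same public key,
# the certificate subject has the expected CN and the certificate is not expired.
verify_key_and_cert() {
    out="$1"; cn="${2:-localhost}"
    export KEY_PASS
    pub_key=$(openssl rsa -in "$out/localhostprivate.key" -passin env:KEY_PASS -pubout 2>/dev/null) || return 1
    pub_der=$(openssl pkey -inform DER -in "$out/localhostprivate.der" -pubout 2>/dev/null) || return 1
    pub_crt=$(openssl x509 -in "$out/localhost.crt" -noout -pubkey) || return 1
    [ "$pub_key" = "$pub_crt" ] || { echo "certificate does not match the PEM private key" >&2; return 1; }
    [ "$pub_der" = "$pub_crt" ] || { echo "DER key does not match the certificate" >&2; return 1; }
    # -checkend 0 fails when the certificate has already expired
    openssl x509 -in "$out/localhost.crt" -noout -checkend 0 >/dev/null || return 1
    openssl x509 -in "$out/localhost.crt" -noout -subject | grep -q "CN *= *$cn"
}

# Stand-alone usage: KEY_PASS='...' sh make-ssl-files.sh run ./ssl
if [ "${1:-}" = "run" ]; then
    generate_self_signed "${2:-./ssl}" localhost && verify_key_and_cert "${2:-./ssl}" localhost && ls -l "${2:-./ssl}"
fi
```

The verification step is the one the post's screenshot stands in for: if `verify_key_and_cert` fails, the wizard in Step 5 would be fed a key and certificate that do not belong together, and the HTTPS listener would come up with a mismatched pair or not at all.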




Step 5 : Go to http://localhost:4502/aem/inbox, search for the Configure HTTPS task and click Open
  • Enter the keystore password (the one that was created while generating the private key) and the trust store password (any new password), then click Next
  • Select the private key in .DER format and the .crt file as the certificate file, then click Next
  • Select the port number : 8443, then click Next
  • That's it - it shows that the SSL setup completed successfully
  • Now click on Go to HTTPS URL to browse the pages over SSL

Step 6 : Check the validity of the SSL certificate in the Useradmin console
  • Go to https://localhost:8443/libs/granite/security/content/useradmin.html
  • Search for ssl-service
  • Open ssl-service and look for Manage keystore under account settings (https://localhost:8443/libs/granite/security/content/userEditor.html/home/users/system/security/ssl-service)
  • Open Manage Keystore to verify the validity of the SSL certificate
  • From this Manage Keystore console you can change the keystore password if required in future.
  • From the Trust Store console you can change the trust store password if required in future.

Step 7 : How to verify on which port SSL is configured and by which service
  • Go to the Felix console : http://localhost:4502/system/console/configMgr
  • Search for Granite SSL Connection Factory
  OR use the below URL to validate the SSL setup:
  • https://localhost:8443/libs/granite/security/post/sslSetup.html