Step 1: Generate Key Store
Use keytool to generate the keystore.
You can confirm that keytool is available on your system with the command keytool --help
Once you have keytool installed, you can use the following command to generate the keystore:
From the command line, navigate to /crx-quickstart/server/etc
Use the command "keytool -genkey -keystore mykey -alias myalias -keyalg rsa"
Set up SSL till CQ5.4 (using server.xml)
Use the following entry in server.xml:
<container>
  <listener>
    <!-- You already have one entry here; don't modify it -->
  </listener>
  <!-- Entry for new SSL listener -->
  <listener>
    <bind-port>443</bind-port>
    <ssl>
      <protocol>SSL</protocol>
      <key-store>
        <name>etc/mykey</name>
        <passphrase><Password you have given while creating certificate></passphrase>
      </key-store>
      <key>
        <alias>myalias</alias>
        <password><Password you have given while creating certificate></password>
      </key>
    </ssl>
  </listener>
  <!-- End of new entry for SSL -->
</container>
You can also check /crx-quickstart/server/etc/SSL_HowTo.txt to see how the configuration can be done.
NOTE: Once you have SSL set up, check logs/server.log to make sure that the server has started on the secure port.
If you get an error like
*ERROR* servletengine: Unable to start https listener on address 127.0.0.1, port 443: Permission denied
That means you need to start CQ as the root user.
Set up SSL in CQ5.5
In CQ5.5, CQSE is deployed as a bundle and you can configure SSL through the Felix configuration; see the screenshot below for how to do that. All parameters are self-explanatory.
This is the actual configuration:
Note
1. You can put the certificate file at any location you want; only an absolute path is required.
2. There is currently no way to configure multiple ports to listen on.
Set up SSL on Apache (if your SSL terminates at Apache)
Assuming that you are using the Apache web server,
Click here to see how to generate a certificate and key file
If you already have a certificate and a key, you can use the following command to rewrite the key in the PEM form Apache loads (if the input key is passphrase-protected, the output is written without the passphrase):
openssl rsa -in <Your Key>.key -out <Key with Password>.new.key
Then go to /conf/httpd.conf and add the following entry:
Listen 443
<VirtualHost *:80>
  ServerName wemblog.com
  ServerAlias wemblog*.com
  RewriteEngine on
  # Rewrite all requests to https
  RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [L,R=301]
</VirtualHost>
NameVirtualHost *:443
<VirtualHost *:443>
  ServerName wemblog.com
  ServerAlias wemblog*.com
  SSLEngine on
  SSLCertificateFile <cert path>.cert
  SSLCertificateKeyFile <key path>.key
  RewriteEngine on
  ProxyPreserveHost On
  ProxyPass / http://localhost:4502/
  ProxyPassReverse / http://localhost:4502/
  # Tell CQ the original request came in over SSL. This must be a request header
  # (RequestHeader); the Header directive only changes the response sent to the browser.
  RequestHeader set X-Forwarded-Proto "https"
  <LocationMatch "/(content|apps|etc).*">
    RequestHeader set X-Forwarded-Proto "https"
  </LocationMatch>
</VirtualHost>
To be honest, you will find plenty of information on how to set up SSL on Apache via Google.
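A small lint for the reverse-proxy vhost above, added here as an example and not part of the original post: it flags a duplicated Listen, X-Forwarded-Proto sent with Header (a response header the backend never sees) instead of RequestHeader, and a ProxyPassReverse target that does not mirror ProxyPass. Standard library only; the SAMPLE_BAD vhost is constructed for the demo.

```python
import re
from collections import Counter

def lint_vhost(config: str) -> list[str]:
    """Return findings for the reverse-proxy vhost mistakes discussed above."""
    findings = []
    # Drop comments and blank lines; Apache directive names are case-insensitive.
    lines = [ln.split("#", 1)[0].strip() for ln in config.splitlines()]
    lines = [ln for ln in lines if ln]
    # 1. The same Listen directive given twice.
    listens = Counter(ln.split()[1] for ln in lines
                      if ln.lower().startswith("listen ") and len(ln.split()) > 1)
    for addr, n in listens.items():
        if n > 1:
            findings.append(f"Listen {addr} appears {n} times")
    # 2. X-Forwarded-Proto must be a *request* header or CQ never sees it;
    #    `Header` only changes the response sent back to the browser.
    for ln in lines:
        if re.match(r"header\s+(add|set|append)\s+x-forwarded-proto\b", ln, re.I):
            findings.append("X-Forwarded-Proto set with Header; use RequestHeader set")
    # 3. ProxyPassReverse target should mirror ProxyPass (trailing slash included),
    #    otherwise Location headers coming back from CQ are rewritten inconsistently.
    pp, ppr = {}, {}
    for ln in lines:
        m = re.match(r"(proxypass|proxypassreverse)\s+(\S+)\s+(\S+)", ln, re.I)
        if m:
            (pp if m.group(1).lower() == "proxypass" else ppr)[m.group(2)] = m.group(3)
    for path, target in pp.items():
        rev = ppr.get(path)
        if rev is None:
            findings.append(f"ProxyPass {path} has no matching ProxyPassReverse")
        elif rev.endswith("/") != target.endswith("/"):
            findings.append(f"ProxyPassReverse {path} -> {rev} does not mirror ProxyPass {target}")
    return findings

# Constructed sample reproducing the three slips: duplicate Listen,
# Header instead of RequestHeader, and ProxyPassReverse without the trailing slash.
SAMPLE_BAD = """\
Listen 443
<VirtualHost *:80>
  RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [L,R=301]
</VirtualHost>
Listen 443
<VirtualHost *:443>
  SSLEngine on
  ProxyPass / http://localhost:4502/
  ProxyPassreverse / http://localhost:4502
  Header add X-Forwarded-Proto "https"
</VirtualHost>
"""
```

lint_vhost(SAMPLE_BAD) returns the three findings; a vhost with a single Listen, RequestHeader set, and ProxyPass/ProxyPassReverse targets that both end in "/" returns an empty list.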
Note: If you only want to allow https (force https in CQ) and not let authors use http, there are two options:
1) You can configure a dispatcher rewrite rule to redirect all http requests to https.
2) If you are not using the dispatcher, you can write a mapping entry under /etc/map to redirect all requests to the https port. Here is an example.
Please check https://cwiki.apache.org/SLING/flexible-resource-resolution.html
You have to do something like this:
/etc/map
+-- http
    +-- localhost.4502
        +-- sling:redirect = "https://localhost:<your secure port>"
If you have any doubts or questions, please let us know.