April 1, 2020

How to Set up SSL for local in CQ / WEM / Dispatcher

Use case: local testing
Step 1: Generate a key store
Use keytool to generate the keystore.

You can confirm that keytool is available on your system by running the command keytool --help

Once keytool is installed, use the following command to generate the keystore:

From the command line, navigate to /crx-quickstart/server/etc
Run the command "keytool -genkey -keystore mykey -alias myalias -keyalg rsa"

Set up SSL till CQ5.4 (Using server.xml)

Use the following entry in server.xml:

<container>
    <listener>
        <!-- You already have one entry here; don't modify it -->
    </listener>
    <!-- Entry for the new SSL listener -->
    <listener>
        <bind-port>443</bind-port>
        <ssl>
            <protocol>SSL</protocol>
            <key-store>
                <name>etc/mykey</name>
                <passphrase><Password you have given while creating certificate></passphrase>
            </key-store>
            <key>
                <alias>myalias</alias>
                <password><Password you have given while creating certificate></password>
            </key>
        </ssl>
    </listener>
    <!-- End of new entry for SSL -->
</container>

You can also check /crx-quickstart/server/etc/SSL_HowTo.txt to see how the configuration can be done.

NOTE: Once SSL is set up, check logs/server.log to make sure that the server has started on the secure port.

If you get an error like

*ERROR* servletengine: Unable to start https listener on address 127.0.0.1, port 443: Permission denied

it means you need to start CQ as the root user (ports below 1024 are privileged on Unix-like systems).

Set up SSL in CQ5.5
In CQ5.5, CQSE is deployed as a bundle and SSL is configured through the Felix (OSGi) configuration console; see the screenshot below of how to do that. All parameters are self-explanatory.

[Screenshot: Felix configuration for the CQSE SSL listener]

This is the actual configuration:
Note
1. You can put the certificate file at any location you want; only an absolute path is required.
2. At present there is no way to configure multiple listening ports.

Set up SSL on Apache (if SSL terminates at Apache)

Assuming that you are using the Apache web server:


If you already have a certificate and a passphrase-protected key, you can use the following command to write a copy of the key without the passphrase, so Apache can start without prompting for it:

openssl rsa -in <Your Key>.key -out <Key with Password>.new.key

Then open /conf/httpd.conf and add the following entry:

Listen 443

<VirtualHost *:80>
    ServerName wemblog.com
    ServerAlias wemblog*.com

    RewriteEngine on
    # Redirect all plain-http requests to https
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [L,R=301]
</VirtualHost>

NameVirtualHost *:443
<VirtualHost *:443>
    ServerName wemblog.com
    ServerAlias wemblog*.com
    SSLEngine on
    SSLCertificateFile <cert path>.cert
    SSLCertificateKeyFile <key path>.key

    RewriteEngine on

    # Reverse proxy to the CQ instance; ProxyPass and ProxyPassReverse must use the same target
    ProxyPreserveHost On
    ProxyPass / http://localhost:4502/
    ProxyPassReverse / http://localhost:4502/

    # Tell CQ the original scheme was https. "Header" only touches the response;
    # the RequestHeader below is what the backend actually sees.
    Header add X-Forwarded-Proto "https"
    <LocationMatch "/(content|apps|etc).*">
        RequestHeader set X-Forwarded-Proto "https"
    </LocationMatch>
</VirtualHost>
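As an added example (not part of the original post), the following script checks an httpd SSL-termination vhost of the kind shown above for the mistakes that are easy to make in it: a duplicated Listen 443, a port-80 vhost that does not redirect to https, missing SSLEngine/certificate directives, ProxyPass and ProxyPassReverse targets that differ by a trailing slash, and X-Forwarded-Proto set with Header (response) instead of RequestHeader (request). The sample config is constructed to mirror the snippet above; the certificate and key paths are placeholders.

```python
import re

# Constructed sample reproducing the post's httpd snippet (cert/key paths are placeholders).
SAMPLE_CONF = """Listen 443
<VirtualHost *:80>
RewriteEngine on
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [L,R=301]
</VirtualHost>
Listen 443
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /path/to/site.cert
SSLCertificateKeyFile /path/to/site.key
ProxyPass / http://localhost:4502/
ProxyPassreverse / http://localhost:4502
Header add X-Forwarded-Proto "https"
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+\S+:(\d+)>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(conf):
    """Return (global directives text, {port: vhost body text}) from a flat httpd config."""
    vhosts = {port: body for port, body in VHOST_RE.findall(conf)}
    return VHOST_RE.sub("", conf), vhosts

def has(block, pattern):
    """True if some line of block starts with pattern (httpd directive names are case-insensitive)."""
    return re.search(rf"^\s*{pattern}(?!\w)", block, re.M | re.I) is not None

def check_ssl_termination(conf):
    """Return a list of findings; an empty list means the config passed every check."""
    glob, vh = parse_vhosts(conf)
    plain, tls = vh.get("80", ""), vh.get("443", "")
    findings = []
    if len(re.findall(r"^\s*Listen\s+443(?!\w)", glob, re.M | re.I)) > 1:
        findings.append("Listen 443 is declared more than once")
    if not has(plain, r"RewriteRule\s+\S+\s+https://"):
        findings.append("port 80 vhost does not redirect to https")
    for d in ("SSLEngine on", "SSLCertificateFile", "SSLCertificateKeyFile"):
        if not has(tls, d):
            findings.append(f"port 443 vhost is missing {d}")
    if not has(tls, r"RequestHeader\s+set\s+X-Forwarded-Proto"):
        findings.append("X-Forwarded-Proto is never set on the request (Header only touches the response)")
    pp = re.search(r"^\s*ProxyPass\s+\S+\s+(\S+)", tls, re.M | re.I)
    ppr = re.search(r"^\s*ProxyPassReverse\s+\S+\s+(\S+)", tls, re.M | re.I)
    if pp and ppr and pp.group(1) != ppr.group(1):
        findings.append("ProxyPass and ProxyPassReverse targets differ (check the trailing slash)")
    return findings
```

Calling check_ssl_termination(SAMPLE_CONF) on the sample reports the duplicate Listen, the missing RequestHeader and the ProxyPassReverse target mismatch; fixing those three lines yields an empty list.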

To be honest, you will find plenty of information on how to set up SSL on Apache with a Google search.

Note: If you want to force https in CQ and not let authors use http at all, there are two options:

1) You can configure a dispatcher rewrite rule to redirect all http requests to https.
2) If you are not using the dispatcher, you can write a rewrite rule under /etc/map to redirect all requests to the https port. Here is an example.

Please check https://cwiki.apache.org/SLING/flexible-resource-resolution.html

You have to do something like this:

/etc/map
  +-- http
        +-- localhost.4502
              +-- sling:redirect = "https://localhost:<your secure port>"


By aem4beginner
