New SSL Parameters
Several new parameters have been added for the enhanced SSL feature. You need to configure these parameters to facilitate SSL communication between the Graphical Process Modeler (GPM) and the server. These new parameters must be defined in their respective property files.
All custom properties for your environment should be set in the customer_overrides.properties file so that they are not overwritten during an upgrade or patch installation. Properties defined in the sandbox.cfg file must not be defined in customer_overrides.properties, because they are ignored there. They are the only properties that are not set in customer_overrides.properties.
The following table describes the new SSL parameters and provides the name of the property file where the parameter can be found.
Parameter Name | Definition | Property file |
---|---|---|
WEBAPP_LIST_PORT | Identifies the port the GPM client should use for communication with the server. It defaults to the base port during the installation. If the Dashboard and GPM web applications have been deployed to a secure HTTP Server adapter instance, this parameter should be modified to match the port of the secure HTTP Server adapter instance. If the base SSL port (base HTTP port +1) is being used for secure deployment of GPM and Dashboard, this parameter should be modified to match the base SSL port (SSL_PORT in sandbox.cfg). | sandbox.cfg file |
WEBAPP_PROTOCOL | Identifies the protocol to use for communication with the Dashboard web application (http/https). | sandbox.cfg file |
SKIP_BASEPORT_DEPLOYMENT_WARS | Indicates which web applications should be skipped during war deployment on the base port. The list of wars is comma-delimited, case-sensitive and without the .war suffix. The default is to not skip any wars. After the Dashboard and GPM web applications are successfully deployed on a secure HTTP Server Adapter, this parameter may be set to =admin,dashboard,gbm to remove access to those web applications on the base port. The complete list of web applications includes: The value ALL may be used as a wildcard to indicate that all wars deployed on the base HTTP port should be skipped. This may not be necessary if the base port is blocked to external access. The value ALL must not be used with any other value. | customer_overrides.properties |
HTTPS_REDIRECT_WARS | Indicates the wars that will be automatically redirected from the base HTTP port to either the secure HTTP Server Adapter or base SSL port. The value ALL may be used to redirect all skipped wars on the base HTTP port to the HTTPS_LIST_PORT (the secure HTTP Server Adapter or base SSL port). The value ALL must not be used with any other value. | customer_overrides.properties |
HTTPS_LIST_PORT | Indicates the redirected destination port for requests made against the base HTTP port. Should be set to the value of the secure HTTP Server Adapter or base SSL port. | customer_overrides.properties |
HTTPS_CLIENT_CERTS | A comma-separated list of system certificates whose public keys need to be added to the default trust store. These certificates are used for client-side verification during the SSL handshake when HTTPS calls are initiated from the application server-independent (ASI) server back to itself. This parameter requires server certificate keys that have a SubjectAltName. If you use existing keys without this parameter, this functionality will fail with very obscure messages. Note: The certificate configured for HTTPS on baseport+1 (sslCert) is automatically added to the trust store and does not need to be added to this list. | customer_overrides.properties |
When configuring this feature, if you define only SKIP_BASEPORT_DEPLOYMENT_WARS, but not HTTPS_REDIRECT_WARS and HTTPS_LIST_PORT, the web applications are inaccessible on the base port and the user is not automatically redirected to the HTTPS port. This is a valid scenario if the user prefers not to redirect automatically for security reasons. The web applications will still be available when accessed on the secure HTTP Server adapter or base SSL port.
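The rules above can be checked before a restart. The following script is an added example, not part of the product or its documentation: it lints the two property files against the constraints stated on this page. It assumes both files use plain key=value lines and matches keys by their last dot-separated component, since this page does not show the key prefix; the sample file contents are constructed.

```python
SANDBOX_ONLY = {"WEBAPP_LIST_PORT", "WEBAPP_PROTOCOL"}  # per the table: sandbox.cfg
WAR_LISTS = ("SKIP_BASEPORT_DEPLOYMENT_WARS", "HTTPS_REDIRECT_WARS")

def parse_props(text):
    """Parse key=value lines. Assumption: a key may carry a dotted prefix,
    so only its last dot-separated component is kept."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip().rsplit(".", 1)[-1]] = value.strip()
    return props

def check(sandbox_text, overrides_text):
    """Return findings for the rules stated on this page."""
    sandbox, over = parse_props(sandbox_text), parse_props(overrides_text)
    findings = []
    for name in sorted(SANDBOX_ONLY & over.keys()):
        findings.append(f"ERROR {name}: ignored in customer_overrides.properties; set it in sandbox.cfg")
    proto = sandbox.get("WEBAPP_PROTOCOL")
    if proto is not None and proto not in ("http", "https"):
        findings.append(f"ERROR WEBAPP_PROTOCOL: {proto!r} is not http or https")
    for name in WAR_LISTS:
        wars = [w.strip() for w in over.get(name, "").split(",") if w.strip()]
        if "ALL" in wars and len(wars) > 1:
            findings.append(f"ERROR {name}: ALL must not be used with any other value")
        if any(w.endswith(".war") for w in wars):
            findings.append(f"ERROR {name}: list wars without the .war suffix")
    redirect = "HTTPS_REDIRECT_WARS" in over and "HTTPS_LIST_PORT" in over
    if "SKIP_BASEPORT_DEPLOYMENT_WARS" in over and not redirect:
        findings.append("NOTE skipped wars are not redirected to HTTPS (valid, but check it is intended)")
    return findings

# Constructed sample files, not taken from a real installation.
SANDBOX_CFG = """\
WEBAPP_PROTOCOL=https
WEBAPP_LIST_PORT=8443
"""
OVERRIDES = """\
# constructed example
SKIP_BASEPORT_DEPLOYMENT_WARS=ALL,dashboard
WEBAPP_PROTOCOL=https
HTTPS_LIST_PORT=8443
"""

if __name__ == "__main__":
    for finding in check(SANDBOX_CFG, OVERRIDES):
        print(finding)
```

The NOTE finding is informational: skipping wars without a redirect is the valid scenario described above.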