Content Platform Engine, Version 5.2.1

Enabling SSL for Content Platform Engine

When you enable SSL, a server certificate is installed on the directory server; it identifies the directory server to Content Platform Engine and to the application server. In addition, the certificate of the CA that issued it is added in two different locations on the Content Platform Engine server: the application server keystore, which the application server uses when it authenticates users against the directory, and the JDK keystore, which Content Platform Engine uses for its own directory lookups (authorization). Take care to ensure that the proper certificate is added to each of the three locations.

Procedure

To enable SSL for Content Platform Engine:

  1. Obtain and install a server certificate and a CA certificate on the directory service. These certificates are available from independent certificate authorities, such as VeriSign, or you can generate your own certificates if you have the necessary certificate management software installed.
  2. Enable SSL on the directory service and set the SSL port number. The default SSL port number is 636; however, if you have more than one directory service that is using SSL on the server, you might need to use a non-default port number. See your directory server documentation for instructions.
  3. On the Content Platform Engine server, add the CA certificate to the application server keystore, if it does not already contain it.
  4. On the Content Platform Engine server, add the CA certificate to the JDK (Java™) keystore, if it does not already contain it. You can use the default keystore or create your own keystore in a custom location.
    • To use the JDK default Java keystore, do the following steps:
      1. Determine the Java version your application server uses and the JAVA_HOME location. The application server might start with its own bundled JRE rather than the system default; import the certificate into the cacerts file of the JRE that actually starts the server.
      2. Use the keytool to import the CA certificate to the Java keystore at %JAVA_HOME%\jre\lib\security\cacerts.
      3. To improve security, change the default password of the cacerts keystore (the JDK ships it as changeit).
    • To use your own keystore (rather than the JDK default keystore), do the following steps:
      1. Add the following system properties to the Java command line in your application server startup script, with no space after the equals sign (a space sets the property to an empty string and leaves the path as a stray argument):
        -Djavax.net.ssl.trustStore=path_to_your_keystore_file
        -Djavax.net.ssl.trustStorePassword=password_of_your_keystore
        Because the password is on the command line, anyone who can list processes on the server can read it; restrict access to the server accordingly.
      2. Use the Java keytool to import the CA certificate to your own keystore.
  5. Start Administration Console for Content Platform Engine if you did not already do so:
    1. On any computer, open a browser and navigate to the Administration Console for Content Platform Engine logon page:
      • In a standard availability environment, the logon page is at http://CPE_Server:port/acce. CPE_Server is the name of the system where Content Platform Engine is deployed. port is the HTTP port that is used by the application server where Content Platform Engine is deployed.
      • In a high availability environment, the logon page is at http://virtual_server:port/acce. virtual_server is the name of the load balancer or proxy server in front of the Content Platform Engine cluster. port is the port number of the load balancer or proxy server.
    2. Log on as the gcd_admin user.
  6. Use IBM® Administration Console for Content Platform Engine to set the port number to match the SSL port number on the directory server:
    1. Select the domain node in the navigation pane.
    2. Select Properties in the details pane, open the drop-down list for Directory Configurations, and select your directory server type.
    3. Set the Directory Server Port value to match the SSL port on the directory server.
    4. Click Close.
  7. Obtain another server and CA certificate for the Content Platform Engine.
  8. Create a custom identity keystore on the Content Platform Engine server, and add the server certificate to the custom keystore.
  9. Using the application server administration tool, enable SSL and point to the custom identity keystore. Directions vary by application server type; see your application server documentation for detailed procedures.
    Option                         Description
    WebSphere® Application Server  Configure an SSL repertoire. In the left pane of the WebSphere administrative console, navigate to Security > SSL. In the right pane, select your Java Secure Socket Extension (JSSE) repertoire and specify the key and trust file names and passwords.
    Oracle WebLogic Server         Set up a custom identity keystore. In the left pane of the WebLogic Administration Console, navigate to DomainName > Servers > ServerName. In the right pane, select Keystores and SSL and specify the keystore information.
    JBoss Application Server       See your application server documentation.
    Important: (WebLogic only) The name in your certificate must match the host name specified in your WebLogic application server. If the name in the certificate is fully qualified (for example, Host1.filenet.com), the same fully qualified host name must appear in the Host field (WebLogic > Authentication Provider > Active Directory tab > Host field).
  10. Configure clients to use a particular URL for connecting to Content Platform Engine based on the application server type and the client transport (protocol) type. The following table provides the default ports and sample URLs:
    Table 1. Default ports and sample URLs
    Protocol    SSL  Default port  App server                    Sample URL
    HTTP        no   9080          WebSphere Application Server  http://mycorp.com:9080/wsi/FNCEWS40MTOM/
    HTTPS       yes  9443          WebSphere Application Server  https://mycorp.com:9443/wsi/FNCEWS40MTOM/
    IIOP        no   2809          WebSphere Application Server  iiop://mycorp.com:2809/FileNetEngine
    IIOP        yes  2809          WebSphere Application Server  iiop://mycorp.com:2809/FileNetEngine (default)
    HTTP        no   7001          WebLogic Server               http://mycorp.com:7001/wsi/FNCEWS40MTOM/
    HTTPS       yes  7002          WebLogic Server               https://mycorp.com:7002/wsi/FNCEWS40MTOM/
    T3 (IIOP)   no   7001          WebLogic Server               t3://mycorp.com:7001/FileNet/Engine
    T3S (IIOP)  yes  7002          WebLogic Server               t3s://mycorp.com:7002/FileNet/Engine
    HTTP        no   8080          JBoss Application Server      http://mycorp.com:8080/wsi/FNCEWS40MTOM/
    HTTPS       yes  8443          JBoss Application Server      https://mycorp.com:8443/wsi/FNCEWS40MTOM/
    JNP         no   1099          JBoss Application Server      jnp://mycorp.com:1099/FileNet/Engine

    Although the default port for IIOP with SSL on WebSphere Application Server is 9403, use the bootstrap port 2809 in the URL: the client bootstraps over 2809, and the application server returns the SSL port that the secured connection then uses.

    The port values in the table are default values. If you change the port that your application server listens on, you might need to change the port number used by the Content Platform Engine client.

  11. (Oracle WebLogic Server 10.3.2 or older on AIX®, HPUX, HPUXi, Linux, Linux on System z®, Solaris) Remove all certificates in the keystore (cacerts) that are signed with SHA-256 with RSA (SHA256withRSA). For example, if you are using IBM JRE version 1.6 SR7, remove these three certificates: secomscrootca2, keynectisrootca, and globalsignr3ca.
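
The keystore work in steps 3, 4, 7, 8 and 11, worked through as an added example on a Unix host. This script is not IBM's code and is not part of the original page. It assumes keytool from a JDK 7 or later on the PATH, uses JKS stores throughout, and invents a throwaway CA, the host name cpe1.example.com, the aliases and the passwords to stand in for the certificates your own CA issues; the truststore it builds plays the role of both the application server keystore and the JDK cacerts file.

```shell
#!/bin/sh
# Added example, not IBM's code: exercises steps 3, 4, 7, 8 and 11 of the
# procedure above with keytool on a Unix host. Every host name, path, alias
# and password here is an assumption for the demo; substitute your own.
set -eu

WORK="${WORK:-$(mktemp -d)}"               # scratch dir standing in for the CPE server
TRUSTSTORE="$WORK/trust.jks"               # stands in for the app server truststore and JDK cacerts
IDENTITY="$WORK/cpe-identity.jks"          # custom identity keystore of step 8
STOREPASS="${STOREPASS:-Ch4nge-me-demo}"   # assumed; the JDK default for cacerts is 'changeit'
LDAP_CA_ALIAS=cpe-ldap-ca                  # assumed alias for the directory server's CA
CPE_HOST="${CPE_HOST:-cpe1.example.com}"   # assumed; must match the certificate name (step 9 note)

# Stand-in for step 1: a throwaway CA so the imports have a certificate to work on offline.
make_demo_ca() {
  keytool -genkeypair -alias demo-ca -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -dname "CN=Demo Root CA,O=Example" -ext bc:c -validity 30 \
    -keystore "$WORK/ca.jks" -storetype JKS -storepass "$STOREPASS" -keypass "$STOREPASS"
  keytool -exportcert -rfc -alias demo-ca -keystore "$WORK/ca.jks" -storetype JKS \
    -storepass "$STOREPASS" -file "$WORK/ca.pem"
}

# Steps 3 and 4: add the CA certificate to a truststore only if the alias is not already there.
import_ca_cert() {   # $1 = truststore, $2 = truststore password
  if keytool -list -alias "$LDAP_CA_ALIAS" -keystore "$1" -storetype JKS -storepass "$2" >/dev/null 2>&1; then
    echo "$LDAP_CA_ALIAS already present in $1"
  else
    keytool -importcert -noprompt -alias "$LDAP_CA_ALIAS" -file "$WORK/ca.pem" \
      -keystore "$1" -storetype JKS -storepass "$2"
  fi
}

# Step 4.3: replace the default cacerts password (the demo truststore starts out as 'changeit').
change_store_password() {   # $1 = keystore, $2 = old password, $3 = new password
  keytool -storepasswd -keystore "$1" -storetype JKS -storepass "$2" -new "$3"
}

# Steps 7 and 8: key pair and CSR for the CPE server, signed by the CA, installed in a custom
# identity keystore. CN and SAN carry the CPE host name so host name verification passes.
create_identity_keystore() {
  keytool -genkeypair -alias cpe-server -keyalg RSA -keysize 2048 -dname "CN=$CPE_HOST,O=Example" \
    -validity 30 -keystore "$IDENTITY" -storetype JKS -storepass "$STOREPASS" -keypass "$STOREPASS"
  keytool -certreq -alias cpe-server -keystore "$IDENTITY" -storetype JKS -storepass "$STOREPASS" \
    -file "$WORK/cpe.csr"
  keytool -gencert -alias demo-ca -keystore "$WORK/ca.jks" -storetype JKS -storepass "$STOREPASS" \
    -infile "$WORK/cpe.csr" -outfile "$WORK/cpe.pem" -rfc -validity 30 -ext "san=dns:$CPE_HOST"
  # the issuing CA must be trusted in the keystore before the signed reply can be installed
  keytool -importcert -noprompt -alias demo-ca -file "$WORK/ca.pem" \
    -keystore "$IDENTITY" -storetype JKS -storepass "$STOREPASS"
  keytool -importcert -noprompt -alias cpe-server -file "$WORK/cpe.pem" \
    -keystore "$IDENTITY" -storetype JKS -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Step 11 helper: aliases whose certificate is signed with SHA256withRSA. Remove one with
#   keytool -delete -alias <alias> -keystore <store> -storepass <password>
list_sha256_certs() {   # $1 = keystore, $2 = password
  keytool -list -v -keystore "$1" -storetype JKS -storepass "$2" |
    awk '/^Alias name:/ {a=$3} /^Signature algorithm name:/ && $4 ~ /^SHA256withRSA/ && !seen[a]++ {print a}'
}

# Step 4 (own keystore): the JVM properties, with no space after '='. The password is
# visible to anyone who can list processes, so prefer the app server's own truststore settings.
jvm_trust_args() {
  printf '%s %s\n' "-Djavax.net.ssl.trustStore=$TRUSTSTORE" "-Djavax.net.ssl.trustStorePassword=$STOREPASS"
}

main() {
  command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH (add \$JAVA_HOME/bin)"; return 0; }
  make_demo_ca
  import_ca_cert "$TRUSTSTORE" changeit        # creates the store with the default password
  import_ca_cert "$TRUSTSTORE" changeit        # second call is a no-op
  change_store_password "$TRUSTSTORE" changeit "$STOREPASS"
  create_identity_keystore
  echo "SHA256withRSA entries in $TRUSTSTORE:"; list_sha256_certs "$TRUSTSTORE" "$STOREPASS"
  jvm_trust_args
  # After deployment, confirm the chain as seen from the CPE server (needs the directory server):
  #   keytool -printcert -sslserver ldap.example.com:636
}

main
```

In production the CA certificate in step 3 comes from the CA that issued the directory server's certificate, not from a CA you generate, and the CSR produced in step 7 goes to that CA instead of the demo's gencert call; the import commands, the password change and the SHA256withRSA listing are the same.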


Last updated: March 2016
p8pin261.htm

© Copyright IBM Corporation 2013, 2016.