Configuring SSL

Overview

You can create Secure Sockets Layer (SSL) credentials and configure SSL on the application server to enhance the security of communication with your application server.

As a security product, Rights Management requires the configuration of SSL. When configuring SSL certificates, ensure that you use only RSA keys. SSL Certificates with DSA keys are not supported.

The information provided applies to turnkey, automatic, and manual installations. It offers an example of a method for configuring SSL. You can also use other methods that are more appropriate for your network or organization.

Note: It is recommended that you complete the installation, configuration, and deployment of your AEM forms modules and ensure that the products are running correctly before you configure SSL on the application server.
Note: When creating SSL security certificates and credentials, use the same user account privileges as you used to run the application server. If the application server is run by using other user privileges, the form may not render properly for PDFForm renditions when the ContentRootURI points to https.

If you have an SSL-enabled LDAP server, configure User Management to work with it. (See Configure User Management for an SSL-enabled LDAP server.)

Configuring SSL for JBoss Application Server

To configure SSL on JBoss Application Server, you need an SSL credential for authentication. You can use the Java keytool to create a credential or request and import a credential from a certificate authority (CA). You must then enable SSL on JBoss.

You can run keytool by using a single command that includes all of the information needed to create the keystore.

In this procedure:

  • [appserver root] is the home directory of the application server running AEM forms.

  • [type] is a folder name that varies, depending on the type of install you performed.

Create an SSL credential

Depending on your database, use the lc_mysql.xml, lc_mssql.xml, lc_oracle.xml, or lc_turnkey.xml file as the profile file. In the following steps, wherever [profile_name] is mentioned, replace it with the appropriate profile name:

  1. Navigate to [Adobe_JAVA_HOME]/bin and type the following command to create the keystore:

    keytool -genkey -dname "CN=Host Name, OU=Group Name, O=Company Name, L=City Name, S=State, C=Country Code" -alias "LC Cert" -keyalg RSA -keypass key_password -keystore keystorename.keystore

    Replace [Adobe_JAVA_HOME] with the name of the directory where the JDK is installed, and replace the placeholder values (Host Name, Group Name, Company Name, City Name, State, Country Code, key_password, and keystorename) with values that correspond to your environment. The Host Name is the fully qualified domain name of the application server.

  2. Enter the keystore_password when prompted for a password. The password for the keystore and the key must be identical.

    Note: The keystore_password entered at this step may be the same password (key_password) that you entered in step 1, or may be different.
  3. Copy the keystorename.keystore file to the [JBoss root]\standalone\configuration directory by typing the following command:

    copy keystorename.keystore [JBoss root]\standalone\configuration

  4. Export the certificate file by typing the following command:

    keytool -export -alias "LC Cert" -file LC_cert.cer -keystore [JBoss root]\standalone\configuration\keystorename.keystore

  5. Enter the keystore_password when prompted for a password.

  6. Copy the LC_cert.cer file to the [JBoss root] configuration directory by typing the following command:

    copy LC_cert.cer [JBoss root]\standalone\configuration

  7. View the contents of the certificate by typing the following command:

    keytool -printcert -v -file [JBoss root]\standalone\configuration\LC_cert.cer

  8. If necessary, provide write access to the cacerts file in [Adobe_JAVA_HOME]\jre\lib\security. Right-click the cacerts file, select Properties, and then deselect the Read-only attribute.

  9. Import the certificate by typing the following command:

    keytool -import -alias "LC Cert" -file LC_cert.cer -keystore [Adobe_JAVA_HOME]\jre\lib\security\cacerts

  10. Type changeit as the password. changeit is the default password for a Java installation.

  11. When prompted with Trust this certificate? [no]:, type yes. The confirmation "Certificate was added to keystore" is displayed.

  12. In a text editor, open the file

    [JBoss root]\standalone\configuration\[profile_name].

  13. Uncomment the following lines in the [profile_name] file:

    <!-- SSL/TLS Connector configuration using the admin devl guide keystore
    <Connector port="8443" address="${jboss.bind.address}"
        maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
        emptySessionPath="true"
        scheme="https" secure="true" clientAuth="false"
        keystoreFile="${jboss.server.home.dir}/conf/keystoreFile.keystore"
        keystorePass="keystorePass" sslProtocol="TLS" />
    -->

  14. For the keystoreFile attribute in [profile_name] specify the path of the keystore file you created. Specify keystore_password for the keystorePass attribute in [profile_name] .

  15. Save the [profile_name] file.

  16. Restart the application server:

    • For turnkey installations:

      • From the Windows Control Panel , click Administrative Tools , and then click Services .

      • Select JBoss for Adobe Experience Manager forms.

      • Select Action > Stop.

      • Wait for the status of the service to appear as stopped.

      • Select Action > Start.

    • For Adobe preconfigured or manually configured JBoss installations:

      • From a command prompt, navigate to [appserver root] /bin.

      • Stop the server by entering the following command:

        • (Windows) jboss-cli.bat --connect command=:shutdown

        • (Linux) ./jboss-cli.sh --connect command=:shutdown

      • Wait until the JBoss process has fully shut down (when the JBoss process returns control to the terminal it was started in).

      • Start the server by entering the following command:

        • (Windows) standalone.bat -c [profile_name] -b [server_IP_Address]

        • (Linux) ./standalone.sh -c [profile_name] -b [server_IP_Address]

  17. To access the administration console using SSL, type https://[host name]:[port]/adminui in a web browser.

    The default SSL port for JBoss is 8443. From here on, specify this port when accessing AEM forms.
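A check for the certificate that step 7 above prints, as an added example that is not part of Adobe's documentation or tooling (the sample printcert output, host name and function names are constructed): it parses what keytool -printcert -v writes and confirms that the key is RSA, that the CN is the server's fully qualified host name, and that the certificate is inside its validity period.

```python
"""Check an exported certificate against the rules on this page.

Added example, not part of Adobe's documentation or tooling. It parses the text
that 'keytool -printcert -v -file LC_cert.cer' (step 7 above) prints and checks
that the key is RSA (DSA keys are not supported), that the Owner CN is the fully
qualified host name of the application server, and that the certificate is in
its validity period. The sample output below is constructed.
"""
import re
from datetime import datetime, timezone

# Constructed sample of 'keytool -printcert -v' output (fingerprints are fake).
SAMPLE_PRINTCERT = """\
Owner: CN=forms.example.com, OU=Forms, O=Example Corp, L=Springfield, ST=IL, C=US
Issuer: CN=forms.example.com, OU=Forms, O=Example Corp, L=Springfield, ST=IL, C=US
Valid from: Mon Jan 01 00:00:00 UTC 2024 until: Thu Dec 29 00:00:00 UTC 2033
Certificate fingerprints:
\t SHA1: AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01
\t SHA256: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
"""

# Java prints 'Mon Jan 01 00:00:00 UTC 2024'. The zone token is dropped (strptime's
# %Z only knows UTC, GMT and the local zone) and the value is read as UTC, which
# is accurate to within a day: enough for an expiry check.
_JAVA_DATE = re.compile(r"(\w{3} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \S+ (\d{4})")

def parse_java_date(text):
    m = _JAVA_DATE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised keytool date: {text!r}")
    stamp = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%a %b %d %H:%M:%S %Y")
    return stamp.replace(tzinfo=timezone.utc)

def parse_printcert(text):
    """Extract the needed fields; top-level lines are 'Name: value', indented ones skipped."""
    fields = {}
    for line in text.splitlines():
        if line[:1] not in ("\t", " ") and ":" in line:
            name, _, value = line.partition(":")
            fields[name.strip()] = value.strip()
    owner, issuer = fields["Owner"], fields["Issuer"]
    cn = re.search(r"(?:^|,\s*)CN=([^,]+)", owner)
    not_before, _, not_after = fields["Valid from"].partition(" until: ")
    # Newer keytool versions print the subject key algorithm ('2048-bit RSA key').
    # Older ones do not; for a self-signed certificate the signature is made with
    # the same key, so SHA256withRSA is a safe fallback. For a CA-signed one the
    # signature reflects the CA's key, so the algorithm is reported as unknown.
    bits = re.search(r"\d+-bit (\w+)", fields.get("Subject Public Key Algorithm", ""))
    if bits:
        key_alg = bits.group(1)
    elif owner == issuer:
        key_alg = fields["Signature algorithm name"].split("with")[-1]
    else:
        key_alg = "unknown"
    return {
        "cn": cn.group(1).strip() if cn else "",
        "self_signed": owner == issuer,
        "key_algorithm": key_alg.upper(),
        "not_before": parse_java_date(not_before),
        "not_after": parse_java_date(not_after),
    }

def check_credential(printcert_text, expected_host, now=None):
    """Return the problems found; an empty list means the credential is usable."""
    cert = parse_printcert(printcert_text)
    now = now or datetime.now(timezone.utc)
    problems = []
    if cert["key_algorithm"] != "RSA":
        problems.append(f"key algorithm is {cert['key_algorithm']}; only RSA is supported")
    if cert["cn"].lower() != expected_host.lower():
        problems.append(f"CN {cert['cn']!r} is not the server host name {expected_host!r}")
    if not cert["not_before"] <= now <= cert["not_after"]:
        problems.append("certificate is outside its validity period")
    return problems
```

Run it against the real output of step 7 by passing that text and your server's fully qualified domain name to check_credential; the same check applies to the ads-ca.cer created for WebLogic later on this page.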

Request a credential from a CA

  1. In a command prompt, navigate to [JAVA_HOME]/bin and type the following command to create the keystore and the key:

    keytool -genkey -dname "CN=Host Name, OU=Group Name, O=Company Name, L=City Name, S=State, C=Country Code" -alias "LC Cert" -keyalg RSA -keypass key_password -keystore keystorename.keystore

    Note: Replace [JAVA_HOME] with the directory where the JDK is installed, and replace the placeholder values with values that correspond to your environment.
  2. Type the following command to generate a certificate request to send to the certificate authority:

    keytool -certreq -alias "LC Cert" -keystore keystorename.keystore -file LCcertRequest.csr

  3. When your request for a certificate file is fulfilled, complete the next procedure.

Use a credential obtained from a CA to enable SSL

  1. In a command prompt, navigate to [JAVA_HOME]/bin and type the following command to import the root certificate of the CA that signed the CSR:

    keytool -import -trustcacerts -file rootcert.pem -keystore keystorename.keystore -alias root

    If the root certificate is not in the browser, also import it there.

    Note: Replace [JAVA_HOME] with the directory where the JDK is installed, and replace the placeholder values with values that correspond to your environment.
  2. In a command prompt, navigate to [JAVA_HOME]/bin and type the following command to import the signed certificate into the keystore, under the same alias as the key it was requested for:

    keytool -import -trustcacerts -alias "LC Cert" -file CACertificateName.crt -keystore keystorename.keystore

    Note: Replace [JAVA_HOME] with the directory where the JDK is installed, and replace the placeholder values with values that correspond to your environment.
    Note: The imported CA-signed certificate replaces the self-signed certificate stored under that alias, if one exists. Without -alias, keytool stores the reply as a separate trusted entry named mykey and leaves the self-signed certificate in place.
  3. Complete steps 13 - 18 of Create an SSL credential.

Configuring SSL for WebLogic Server

To configure SSL on WebLogic Server, you need an SSL credential for authentication. You can use Java keytool to perform the following tasks to create a credential:

  • Create a public/private key pair, wrap the public key in an X.509 v1 self-signed certificate that is stored as a single-element certificate chain, and then store the certificate chain and the private key in a new keystore. This keystore is the application server’s Custom Identity keystore.

  • Extract the certificate and insert it into a new keystore. This keystore is the application server’s Custom Trust keystore.

Then, configure WebLogic so that it uses the Custom Identity keystore and Custom Trust keystore that you created. Also, disable the WebLogic Hostname Verification feature because the distinguished name used to create the keystore files did not include the name of the computer that hosts WebLogic.

Creating an SSL credential for use on WebLogic Server

The keytool command is typically located in the Java jre/bin directory and must include several options and option values, which are listed in the following table.

Keytool option: -alias
  Description: The alias of the keystore.
  Option value:
    • Custom Identity keystore: ads-credentials
    • Custom Trust keystore: bedrock

Keytool option: -keyalg
  Description: The algorithm to use to generate the key pair.
  Option value: RSA. You can use a different algorithm, depending on your company's policy.

Keytool option: -keystore
  Description: The location and name of the keystore file. The location can include the absolute path of the file, or it can be relative to the current directory of the command prompt where the keytool command is entered.
  Option value:
    • Custom Identity keystore: [appserverdomain]/adobe/[server name]/ads-ssl.jks
    • Custom Trust keystore: [appserverdomain]/adobe/[server name]/ads-ca.jks

Keytool option: -file
  Description: The location and name of the certificate file.
  Option value: ads-ca.cer

Keytool option: -validity
  Description: The number of days that the certificate is considered valid.
  Option value: 3650. You can use a different value, depending on your company's policy.

Keytool option: -storepass
  Description: The password that protects the contents of the keystore.
  Option value:
    • Custom Identity keystore: The keystore password must correspond with the SSL credential password that was specified for the Trust Store component of the Administration Console.
    • Custom Trust keystore: Use the same password that you used for the Custom Identity keystore.

Keytool option: -keypass
  Description: The password that protects the private key of the key pair.
  Option value: Use the same password that you used for the -storepass option. The key password must be at least six characters.

Keytool option: -dname
  Description: The distinguished name that identifies the person who owns the keystore.
  Option value: "CN=[User name], OU=[Group Name], O=[Company Name], L=[City Name], S=[State or province], C=[Country Code]"
    • [User name] is the identification of the user who owns the keystore.
    • [Group Name] is the identification of the corporate group that the keystore owner belongs to.
    • [Company Name] is your organization's name.
    • [City Name] is the city where your organization is located.
    • [State or province] is the state or province where your organization is located.
    • [Country Code] is the two-letter code for the country where your organization is located.

For more information about using the keytool command, see the keytool.html file that is part of your JDK documentation.

Create the Custom Identity and Trust keystores

  1. From a command prompt, navigate to [appserverdomain] /adobe/ [server name] .

  2. Enter the following command:

    [JAVA_HOME]/bin/keytool -genkey -v -alias ads-credentials -keyalg RSA -keystore "ads-credentials.jks" -validity 3650 -storepass store_password -keypass key_password -dname "CN=Hostname, OU=Group Name, O=Company Name, L=City Name, S=State, C=Country Code"

    Note: Replace [JAVA_HOME] with the directory where the JDK is installed, and replace the text in italic with values that correspond with your environment.

    For example:

    "C:\Program Files\Java\jrockit-jdk1.6.0_24-R28\bin\keytool" -genkey -v -alias ads-credentials -keyalg RSA -keystore "ads-credentials.jks" -validity 3650 -storepass P@ssw0rd -keypass P@ssw0rd -dname "CN=wasnode01, OU=LC, O=Adobe, L=Noida, S=UP, C=91"

    The Custom Identity keystore file named "ads-credentials.jks" is created in the [appserverdomain]/adobe/[server name] directory.

  3. Extract the certificate from the ads-credentials keystore by entering the following command:

    [JAVA_HOME]/bin/keytool -export -v -alias ads-credentials -file "ads-ca.cer" -keystore "ads-credentials.jks" -storepass store_password

    Note: Replace [JAVA_HOME] with the directory where the JDK is installed, and replace store_password with the password for the Custom Identity keystore.

    For example:

    "C:\Program Files\Java\jrockit-jdk1.6.0_24-R28\bin\keytool" -export -v -alias ads-credentials -file "ads-ca.cer" -keystore "ads-credentials.jks" -storepass P@ssw0rd

    The certificate file named “ads-ca.cer” is created in the [ appserverdomain ]/adobe/[ server name ] directory.

  4. Copy the ads-ca.cer file to any host computers that need secure communication with the application server.

  5. Insert the certificate into a new keystore file (the Custom Trust keystore) by entering the following command:

    [JAVA_HOME] /bin/keytool -import -v -noprompt -alias bedrock -file "ads-ca.cer" -keystore "ads-ca.jks" -storepass store_password -keypass key_password

    Note: Replace [JAVA_HOME] with the directory where the JDK is installed, and replace store_password and key_password with your own passwords.

    For example:

    "C:\Program Files\Java\jrockit-jdk1.6.0_24-R28\bin\keytool" -import -v -noprompt -alias bedrock -file "ads-ca.cer" -keystore "ads-ca.jks" -storepass Password1 -keypass Password1

    The Custom Trust keystore file named "ads-ca.jks" is created in the [appserverdomain]/adobe/[server name] directory.
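The three keytool commands of this procedure assembled as argument lists, as an added example that is not Adobe's or Oracle's code (function names and the sample values are assumptions): it enforces the rules from the option table above and escapes the -dname value before the commands run, which avoids the unbalanced quoting that a single long command line invites.

```python
"""Build the keytool commands of this procedure as argv lists.

Added example, not Adobe's or Oracle's code. It applies the rules from the
option table (RSA only, -keypass equal to -storepass, at least six characters),
escapes the -dname value, and returns the genkey, export and import commands as
lists for subprocess.run, which sidesteps the quoting mistakes a single long
shell line invites (an unbalanced quote around -dname truncates the name).
Function names and the sample values are my own.
"""
import os
import shlex
import subprocess


def dname(cn, ou, o, l, s, c):
    """Assemble the -dname string; commas and the other RFC 2253 specials inside
    a value are escaped so that 'Example, Inc.' stays a single O= attribute."""
    def esc(value):
        for ch in ("\\", ",", "+", '"', "<", ">", ";"):
            value = value.replace(ch, "\\" + ch)
        return value
    pairs = zip(("CN", "OU", "O", "L", "S", "C"), (cn, ou, o, l, s, c))
    return ", ".join(f"{k}={esc(v)}" for k, v in pairs)


def check_rules(storepass, keypass, keyalg="RSA"):
    """The constraints from the option table; raise on the first violation."""
    if keyalg.upper() != "RSA":
        raise ValueError("only RSA keys are supported; DSA keys are not")
    if len(keypass) < 6:
        raise ValueError("the key password must be at least six characters")
    if keypass != storepass:
        raise ValueError("-keypass must match -storepass for the Custom Identity keystore")


def keytool_commands(java_home, host, ou, o, l, s, c, password):
    """Return the genkey, export and import argv lists in the order they run.

    The Custom Trust keystore reuses the Custom Identity password, as the table
    prescribes. -keypass is left off the import because a trusted certificate
    entry has no private key to protect.
    """
    check_rules(password, password)
    keytool = os.path.join(java_home, "bin", "keytool")
    genkey = [keytool, "-genkey", "-v", "-alias", "ads-credentials",
              "-keyalg", "RSA", "-keystore", "ads-credentials.jks",
              "-validity", "3650", "-storepass", password, "-keypass", password,
              "-dname", dname(host, ou, o, l, s, c)]
    export = [keytool, "-export", "-v", "-alias", "ads-credentials",
              "-file", "ads-ca.cer", "-keystore", "ads-credentials.jks",
              "-storepass", password]
    import_ = [keytool, "-import", "-v", "-noprompt", "-alias", "bedrock",
               "-file", "ads-ca.cer", "-keystore", "ads-ca.jks",
               "-storepass", password]
    return [genkey, export, import_]


def as_shell(argv):
    """The same command as one correctly quoted POSIX shell line."""
    return shlex.join(argv)


def run_in(workdir, commands):
    """Run the commands from [appserverdomain]/adobe/[server name]."""
    for argv in commands:
        subprocess.run(argv, cwd=workdir, check=True)
```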

Configure WebLogic so that it uses the Custom Identity keystore and Custom Trust keystore that you created. Also, disable the WebLogic Hostname Verification feature because the distinguished name used to create the keystore files did not include the name of the computer that hosts WebLogic Server.

Configure WebLogic to use SSL

  1. Start the WebLogic Server administration console by typing http://[host name]:7001/console in the URL line of a web browser.

  2. Under Environment, in Domain Configurations, select Servers > [server] > Configuration > General.

  3. Under General, in Configuration, ensure that Listen Port Enabled and SSL Listen Port Enabled are selected. If they are not, do the following:

    1. Under the Change Center, click Lock & Edit to modify selections and values.

    2. Select the Listen Port Enabled and SSL Listen Port Enabled check boxes.

  4. If this server is a Managed Server, change Listen Port to an unused port value (such as 8001) and SSL Listen Port to an unused port value (such as 8002). On a stand-alone server, the default SSL port is 7002.

  5. Click Release Configuration .

  6. Under Environment, in Domain Configurations, click Servers > [Managed Server] > Configuration > General.

  7. Under General, in Configuration, select Keystores .

  8. Under the Change Center, click Lock & Edit to modify selections and values.

  9. Click Change to display the keystore list as a drop-down list, and select Custom Identity And Custom Trust.

  10. Under Identity, specify the following values:

    Custom Identity Keystore : [appserverdomain] /adobe/ [server name] /ads-credentials.jks, where [appserverdomain] is the actual path and [server name] is the name of the application server.

    Custom Identity Keystore Type : JKS

    Custom Identity Keystore Passphrase : mypassword (custom identity keystore password)

  11. Under Trust, specify the following values:

    Custom Trust Keystore File Name : [appserverdomain]/adobe/[server name]/ads-ca.jks, where [appserverdomain] is the actual path and [server name] is the name of the application server.

    Custom Trust Keystore Type : JKS

    Custom Trust Keystore Pass Phrase : mypassword (custom trust key password)

  12. Under General, in Configuration, select SSL .

  13. By default, Keystore is selected for Identity and Trust Locations. If not, change it to keystore.

  14. Under Identity, specify the following values:

    Private Key Alias : ads-credentials

    Passphrase : mypassword

  15. Click Release Configuration .

Disable the Hostname Verification feature

  1. On the Configuration tab, click SSL.

  2. Under Advanced, select None from the Hostname Verification list.

    If Hostname Verification is not disabled, the Common Name (CN) must contain the server host name.

  3. Under Change Center, click Lock & Edit to modify selections and values.

  4. Restart the application server.

Configuring SSL for WebSphere Application Server

This section includes the following steps to configure SSL with your IBM WebSphere Application Server.

Creating a local user account on WebSphere

To enable SSL, WebSphere needs access to a user account in the local OS user registry that has permission to administer the system:

  • (Windows) Create a new Windows user who is part of the Administrators group and has the privilege to act as part of the operating system. (See Create a Windows user for WebSphere.)

  • (Linux, UNIX) The user can be a root user or another user who has root privileges. When you enable SSL on WebSphere, use the server identification and password of this user.

Create a Linux or UNIX user for WebSphere

  1. Log in as the root user.

  2. Create a user by entering the following command in a command prompt:

    • (Linux and Sun Solaris) useradd

    • (IBM AIX) mkuser

  3. Set the password of the new user by entering passwd in the command prompt.

  4. (Linux and Solaris) Create a shadow password file by entering pwconv (with no parameters) in the command prompt.

    Note: (Linux and Solaris) For WebSphere Application Server Local OS security registry to work, a shadow password file must exist. The shadow password file is usually named /etc/shadow and is based on the /etc/passwd file. If the shadow password file does not exist, an error occurs after enabling global security and configuring the user registry as Local OS.
  5. Open the group file from the /etc directory in a text editor.

  6. Add the user who you created in step 2 to the root group.

  7. Save and close the file.

  8. (UNIX with SSL enabled) Start and stop WebSphere as the root user.

Create a Windows user for WebSphere

  1. Log in to Windows by using an administrator user account.

  2. Select Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups .

  3. Right-click Users and select New User .

  4. Type a user name and password in the appropriate boxes, and type any other information you require in the remaining boxes.

  5. Deselect User Must Change Password At Next Login , click Create , and then click Close .

  6. Click Users , right-click the user you just created and select Properties .

  7. Click the Member Of tab and then click Add .

  8. In the Enter The Object Names To Select box, type Administrators, and then click Check Names to ensure that the group name is correct.

  9. Click OK and then click OK again.

  10. Select Start > Control Panel > Administrative Tools > Local Security Policy > Local Policies .

  11. Click User Rights Assignment, and then right-click Act as Part of the Operating System and select Properties.

  12. Click Add User or Group .

  13. In the Enter The Object Names To Select box, type the name of the user you created in step 4, click Check Names to ensure that the name is correct, and then click OK .

  14. Click OK to close the Act As Part Of The Operating System Properties dialog box.

Configure WebSphere to use the newly created user as Administrator

  1. Ensure that WebSphere is running.

  2. In WebSphere Administrative Console, select Security > Global Security .

  3. Under Administrative security, select Administrative user roles .

  4. Click Add and do the following:

    1. Type * in the search box and click Search.

    2. Click Administrator under roles.

    3. Add the newly created user to Mapped to role and map it to Administrator.

  5. Click OK and save your changes.

  6. Restart the WebSphere profile.

Enable administrative security

  1. In WebSphere Administrative Console, select Security > Global Security .

  2. Click Security Configuration Wizard .

  3. Ensure that the Enable Application Security check box is selected. Click Next.

  4. Select Federated Repositories and click Next .

  5. Specify the credentials you want to set and click Next .

  6. Click Finish .

  7. Restart the WebSphere profile.

    WebSphere will start using the default keystore and truststore.

Enable SSL (custom key and truststore)

Truststores and keystores can be created using the ikeyman utility or the admin console. For ikeyman to work properly, ensure that the WebSphere installation path does not contain parentheses.

  1. In WebSphere Administrative Console, select Security > SSL certificate and key management .

  2. Click Keystores and certificates under Related items.

  3. In the Key store usages drop-down list, ensure that SSL Keystores is selected. Click New.

  4. Type a logical name and description.

  5. Specify the path where you want your keystore to be created. If you have already created a keystore through ikeyman, specify the path to the keystore file.

  6. Specify and confirm the password.

  7. Choose the keystore type and click Apply .

  8. Save the master configuration.

  9. Click Personal Certificate .

  10. If you have already created a keystore using ikeyman, your certificate appears. Otherwise, add a new self-signed certificate by performing the following steps:

    1. Select Create > Self-signed Certificate .

    2. Specify appropriate values on the certificate form. Ensure that you set both the Alias and the Common Name to the fully qualified domain name of the machine.

    3. Click Apply .

  11. Repeat steps 2 through 10 for creating a truststore.

Apply custom keystore and truststore to the server

  1. In WebSphere Administrative Console, select Security > SSL certificate and key management .

  2. Click Manage endpoint security configuration . The local topology map opens.

  3. Under Inbound, select the direct child of Nodes.

  4. Under Related items, select SSL configurations .

  5. Select NodeDefaultSSLSettings.

  6. From the truststore name and keystore name drop-down lists, select the custom truststore and keystore that you created.

  7. Click Apply .

  8. Save the master configuration.

  9. Restart the WebSphere profile.

    Your profile now runs on custom SSL settings and your certificate.

Enabling support for AEM forms natives

  1. In WebSphere Administrative Console, select Security > Global Security .

  2. In the Authentication section, expand RMI/IIOP security and click CSIv2 inbound communications .

  3. Ensure that SSL-supported is selected in the Transport drop-down list.

  4. Restart the WebSphere profile.

Configuring WebSphere to convert URLs that begin with https

To convert a URL that begins with https, add a Signer certificate for that URL to the WebSphere server.

Create a Signer certificate for an https-enabled site

  1. Ensure that WebSphere is running.

  2. In WebSphere Administrative Console, navigate to Security > SSL Certificate and Key Management > Key Stores and Certificates > NodeDefaultTrustStore > Signer Certificates.

  3. Click Retrieve From Port and perform these tasks:

    • In the Host box, type the host name of the site. For example, type www.paypal.com.

    • In the Port box, type 443 . This port is the default SSL port.

    • In the Alias box, type an alias.

  4. Click Retrieve Signer Information and then verify that the information is retrieved.

  5. Click Apply and then click Save.

HTML-to-PDF conversion from the site whose certificate is added will now work from the Generate PDF service.

Note: For an application to connect to SSL sites from inside WebSphere, a Signer certificate is required. It is used by Java Secure Socket Extensions (JSSE) to validate certificates that the remote side of the connection sent during an SSL handshake.

Configuring dynamic ports

IBM WebSphere does not allow multiple calls to ORB.init() when Global Security is enabled. You can read about the permanent restriction at http://www-01.ibm.com/support/docview.wss?uid=swg1PK58704.

Perform the following steps to set the port to be dynamic and resolve the issue:

  1. In WebSphere Administrative Console, select Servers > Server Types > WebSphere application server .

  2. In the Preferences section, select your server.

  3. In the Configuration tab, under the Communications section, expand Ports, and click Details.

  4. Click the following port names, change the port number to 0, and click OK .

    • ORB_LISTENER_ADDRESS

    • SAS_SSL_SERVERAUTH_LISTENER_ADDRESS

    • CSIV2_SSL_SERVERAUTH_LISTENER_ADDRESS

    • CSIV2_SSL_MUTUALAUTH_LISTENER_ADDRESS

Configure the sling.properties file

  1. Open the [aem-forms_root]\crx-repository\launchpad\sling.properties file for editing.

  2. Locate the sling.bootdelegation.ibm property and add com.ibm.websphere.ssl.* to its value. The updated property looks like the following:

    sling.bootdelegation.ibm=com.ibm.xml.*, com.ibm.websphere.ssl.*

  3. Save the file and restart the server.

Configuring SSL on Windows Vista

To configure SSL on Windows Vista™, you need an SSL certificate with RSA keys for authentication. You can use the Java keytool to create the certificate.

Note: Windows Vista will not work with DSA keys.

You can run keytool by using a single command that includes all the information that is required to create the certificate and keystore.

Create an SSL certificate

  1. In a command prompt, navigate to [JAVA_HOME]/bin and type the following command to create the certificate and keystore:

    keytool -genkey -keyalg RSA -dname "CN=Host Name, OU=Group Name, O=Company Name, L=City Name, S=State, C=Country Code" -alias "LC Cert" -keypass key_password -keystore keystorename.keystore

    Note: Replace [JAVA_HOME] with the directory where the JDK is installed, and replace the placeholder values with values that correspond to your environment.
  2. Type changeit as the password. This password is the default for a Java installation, and the system administrator may have changed it.
