Question
How is it possible to set up and configure SSL in the CQ Servlet Engine (CQSE)?
Answer, Resolution
An SSL listener needs to be configured in the CQ Servlet Engine to enable SSL and thus HTTPS access. The following configuration example describes how to create a keystore from scratch containing a self-signed certificate using the Java keytool [1] command.
First, create a new keystore file that includes a self-signed certificate. To do this, run the following on the command line:
$JAVA_HOME/bin/keytool -genkey -alias localhost -keyalg RSA -keystore /path/to/my/keystore
During the process, some information has to be provided, e.g. name of the certificate holder, company name, keystore and key password. Once the keystore has been created, the CQSE needs to be reconfigured.
Edit the server.xml configuration file and add a <listener> section to the <container> block as follows:
crx-quickstart/server/etc/server.xml
<listener>
  <bind-port>443</bind-port>
  <ssl>
    <protocol>SSL</protocol>
    <key-store>
      <name>/path/to/my/keystore</name>
      <passphrase><keystore_password></passphrase>
    </key-store>
    <key>
      <alias>localhost</alias>
      <password>keypass</password>
    </key>
  </ssl>
</listener>
After a restart, the CQSE will be accessible via HTTPS. Because a self-signed certificate is in use, browsers will display a security warning. To deploy a proper SSL certificate issued by an official certificate provider, import that certificate into the keystore on the server where the CQSE is running.
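A check that can be run after editing server.xml, added here as an example and not part of the original article or the product: it parses each <listener> that has an <ssl> block and reports a keystore path that does not exist, a missing key alias, and group/other access to server.xml or the keystore, since server.xml stores both passwords in clear text. The function names, the sample configuration and its passphrase are constructed for the example, and the permission test assumes a POSIX file system.

```python
import os
import tempfile
import xml.etree.ElementTree as ET


def audit_ssl_listeners(server_xml_path):
    """Return findings for every <listener> that contains an <ssl> block."""
    findings = []
    if os.stat(server_xml_path).st_mode & 0o077:  # file holds clear-text passwords
        findings.append("server.xml is accessible to group/other")
    root = ET.parse(server_xml_path).getroot()
    for listener in root.findall(".//listener[ssl]"):
        ssl = listener.find("ssl")
        port = (listener.findtext("bind-port") or "?").strip()
        store = (ssl.findtext("key-store/name") or "").strip()
        if not store:
            findings.append(f"port {port}: no <key-store><name>")
        elif not os.path.isfile(store):
            findings.append(f"port {port}: keystore not found: {store}")
        elif os.stat(store).st_mode & 0o077:
            findings.append(f"port {port}: keystore accessible to group/other")
        if not (ssl.findtext("key/alias") or "").strip():
            findings.append(f"port {port}: no <key><alias>")
    return findings


def demo():
    """Constructed sample: keystore written to one path, configured as another."""
    d = tempfile.mkdtemp()
    keystore = os.path.join(d, "my", "keystore")
    os.makedirs(os.path.dirname(keystore))
    open(keystore, "wb").close()  # stand-in for the file keytool writes
    os.chmod(keystore, 0o600)
    cfg = os.path.join(d, "server.xml")
    template = ("<container><listener><bind-port>443</bind-port><ssl>"
                "<protocol>SSL</protocol><key-store><name>{}</name>"
                "<passphrase>constructed</passphrase></key-store><key>"
                "<alias>localhost</alias><password>keypass</password></key>"
                "</ssl></listener></container>")
    results = {}
    for label, path in (("typo", os.path.join(d, "mykeystore")), ("ok", keystore)):
        with open(cfg, "w") as fh:
            fh.write(template.format(path))
        os.chmod(cfg, 0o600)
        results[label] = audit_ssl_listeners(cfg)
    return results


if __name__ == "__main__":
    print(demo())
```

Point audit_ssl_listeners at crx-quickstart/server/etc/server.xml before restarting the CQSE; an empty list means the listener references an existing keystore and neither file is exposed to other local users.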
Applies to
CQSE 4.x