Na tej strani
Ogledujete si pomoč za različico :
In an effort to continously improve the security of AEM, Adobe has introduced a feature called SSL By Default. The purpose is to encourage the use of HTTPS to connect to AEM instances.
You can start configuring SSL By Default by clicking the relevant Inbox message from your AEM home screen. To reach the Inbox, press the bell icon in the upper right corner of the screen. Then, click on View All. This will bring up a list of all alerts ordered in a list view.
In the list, select and open the Configure HTTPS alert:
A service user called ssl-service has been created for this feature. Once you open the alert, you will be guided through the follwing configuration wizard:
-
Once you enter the credentials, click Next in the upper right corner of the page. Then, upload the associated private key and certificate for the SSL connection.
Opomba:
For info on how to generate a private key and a certificate to use with the wizard, see this procedure below.
The first method involves posting to the SSLSetup server that is being used by the configuration wizard:
POST /libs/granite/security/post/sslSetup.html
------WebKitFormBoundaryyBO4ArmGlcfdGDbs Content-Disposition: form-data; name="keystorePassword" test ------WebKitFormBoundaryyBO4ArmGlcfdGDbs Content-Disposition: form-data; name="keystorePasswordConfirm" test ------WebKitFormBoundaryyBO4ArmGlcfdGDbs Content-Disposition: form-data; name="truststorePassword" test ------WebKitFormBoundaryyBO4ArmGlcfdGDbs Content-Disposition: form-data; name="truststorePasswordConfirm" test ------WebKitFormBoundaryyBO4ArmGlcfdGDbs Content-Disposition: form-data; name="privatekeyFile"; filename="server.der" Content-Type: application/x-x509-ca-cert ------WebKitFormBoundaryyBO4ArmGlcfdGDbs Content-Disposition: form-data; name="certificateFile"; filename="server.crt" Content-Type: application/x-x509-ca-cert ------WebKitFormBoundaryyBO4ArmGlcfdGDbs Content-Disposition: form-data; name="httpsPort" 8443
The servlet, like any sling POST servlet, will respond with 200 OK or an error HTTP status code. You can find details about status in the response's HTML body.
Below are examples for both a successful response and an error.
SUCCESS EXAMPLE (status = 200):
<!DOCTYPE html> <html lang='en'> <head> <title>OK</title> </head> <body> <h1>OK</h1> <dl> <dt class='foundation-form-response-status-code'>Status</dt> <dd>200</dd> <dt class='foundation-form-response-status-message'>Message</dt> <dd>SSL successfully configured</dd> <dt class='foundation-form-response-title'>Title</dt> <dd>OK</dd> <dt class='foundation-form-response-description'>Description</dt> <dd>HTTPS has been configured on port 8443. The private key and certificate were stored in the key store of the user ssl-service. Please take note of the key store password you provided. You will need it for any subsequent updating of the private key or certificate.</dd> </dl> <h2>Links</h2> <ul class='foundation-form-response-links'> <li><a class='foundation-form-response-redirect' href='/'>Done</a></li> </ul> </body> </html>
<!DOCTYPE html> <html lang='en'> <head> <title>Error</title> </head> <body> <h1>Error</h1> <dl> <dt class='foundation-form-response-status-code'>Status</dt> <dd>500</dd> <dt class='foundation-form-response-status-message'>Message</dt> <dd>The provided file is not a valid key, DER format expected</dd> <dt class='foundation-form-response-title'>Title</dt> <dd>Error</dd> </dl> </body> </html>
Alternatively, you can automate the SSL setup by uploading a package that already contains these required items:
- The ssl-service user's keystore. This is located under /home/users/system/security/ssl-service/keystore in the repository.
- The GraniteSslConnectorFactory configuration
Below you will find an example for creating a self-signed certificate in DER format that the SSL Wizard can use.
Opomba:
The use of a self-signed certificate is for example purposes only and should not be used in production.
Convert the Private Key to DER format. This is because the SSL wizard requires key to be in DER format:
openssl pkcs8 -topk8 -inform PEM -outform DER -in localhostprivate.key -out localhostprivate.der -nocrypt
Finally, upload the localhostprivate.der as the Private Key and localhost.crt as the SSL Certificate in step 2 of the graphical SSL Wizard described at the beginning of this page.
You can also automate the SSL configuration by using the cURL tool. You can do this by posting the configuration parameters to this URL:
http://serveraddress:serverport/libs/granite/security/post/sslSetup.html
Below are the parameters you can use in order to change the various settings in the configuration wizard:
- -F "keystorePassword=password" - the keystore password;
- -F "keystorePasswordConfirm=password" - confirm the keystore password;
- -F "truststorePassword=password" - the truststore password;
- -F "truststorePasswordConfirm=password" - confirm the truststore password;
- -F "privatekeyFile=@localhostprivate.der" - specify the private key;
- -F "certificateFile=@localhost.crt" - specify the certificate;
- -F "httpsPort=8443" - the port the HTTPS listener will work on.
Opomba:
The fastest way of running cURL to automate the SSL configuration is from the folder where the DER and CRT files are. Alternatively, you can specify the full path in the privatekeyFile and certificateFile arguments.
You also need to be authenticated in order to perform the update, so make sure you append the cURL command with the -u user:passeword parameter.
A correct cURL post command should look like this:
curl -u user:password -F "keystorePassword=password" -F "keystorePasswordConfirm=password" -F "truststorePassword=password" -F "truststorePasswordConfirm=password" -F "privatekeyFile=@localhostprivate.der" -F "certificateFile=@localhost.crt" -F "httpsPort=8443" http://host:port/libs/granite/security/post/sslSetup.html
Objav v storitvah Twitter™ in Facebook ne urejajo pogoji pogodbe Creative Commons.