
Use SSL with Dispatcher

Use SSL connections between the Dispatcher and the rendering computer:

NOTE
Operations related to the SSL certificates are bound to third-party products. They are not covered by the Adobe Platinum Maintenance and Support contract.

Use SSL when Dispatcher connects to AEM

Configure the Dispatcher to communicate with the AEM or CQ render instance using SSL connections.

Before you configure Dispatcher, configure AEM or CQ to use SSL. For further information see:

When Dispatcher receives an HTTPS request, Dispatcher includes the following headers in the subsequent request that it sends to AEM or CQ:

  • X-Forwarded-SSL
  • X-Forwarded-SSL-Cipher
  • X-Forwarded-SSL-Keysize
  • X-Forwarded-SSL-Session-ID

A request through Apache-2.4 with mod_ssl includes headers that are similar to the following example:

X-Forwarded-SSL: on
X-Forwarded-SSL-Cipher: DHE-RSA-AES256-SHA
X-Forwarded-SSL-Session-ID: 814825E8CD055B4C166C2EF6D75E1D0FE786FFB29DEB6DE1E239D5C771CB5B4D

Configure Dispatcher to use SSL

To configure Dispatcher to connect with AEM or CQ over SSL, your dispatcher.any file requires the following properties:

  • A virtual host that handles HTTPS requests.
  • The renders section of that virtual host includes an item that identifies the host name and port of the CQ or AEM instance that listens for HTTPS.
  • That renders item includes a property named secure with the value 1.

Note: Create another virtual host for handling HTTP requests, if necessary.

The following example dispatcher.any file shows the property values for connecting using HTTPS to a CQ instance that is running on host localhost and port 8443:

/farms
{
   /secure
   {
      /virtualhosts
      {
         # select this farm for all incoming HTTPS requests
         "https://*"
      }
      /renders
      {
         /0001
         {
            # hostname or IP of the render
            /hostname "localhost"
            # port of the render
            /port "8443"
            # connect via HTTPS
            /secure "1"
         }
      }
      # the rest of the properties are omitted
   }

   /non-secure
   {
      /virtualhosts
      {
         # select this farm for all incoming HTTP requests
         "http://*"
      }
      /renders
      {
         /0001
         {
            # hostname or IP of the render
            /hostname "localhost"
            # port of the render
            /port "4503"
         }
      }
      # the rest of the properties are omitted
   }
}

Configure mutual SSL between Dispatcher and AEM

To use Mutual SSL, configure the connections between Dispatcher and the render computer (typically an AEM or CQ publish instance):

  • Dispatcher connects to the render instance over SSL.
  • The render instance verifies the validity of the Dispatcher’s certificate.
  • Dispatcher verifies that the CA of the render instance’s certificate is trusted.
  • (Optional) Dispatcher verifies that the certificate of the render instance matches the render instance’s server address.

To configure mutual SSL, you require certificates that are signed with a trusted Certificate Authority (CA). Self-signed certificates are not adequate. You can either act as the CA or use the services of a third-party CA to sign your certificates. To configure mutual SSL, you require the following items:

  • Signed certificates for the render instance and Dispatcher
  • The CA certificate (if you are acting as the CA)
  • OpenSSL libraries for generating the CA, certificates, and certificate requests.

To configure mutual SSL, perform the following steps:

  1. Install the latest version of Dispatcher for your platform. Use a Dispatcher binary that supports SSL (SSL is in the file name, such as dispatcher-apache2.4-linux-x86-64-ssl10-4.1.7.tar).
  2. Create or obtain a CA-signed certificate for the Dispatcher and the render instance.
  3. Create a keystore containing the render certificate and configure the render’s HTTP service.
  4. Configure the Dispatcher web server module for mutual SSL.

Create or obtain CA-signed certificates

Create or obtain the CA-signed certificates that authenticate the publishing instance and Dispatcher.

Create your CA

If you are acting as the CA, use the CA.sh script to create the Certificate Authority that signs the server and client certificates. (You must have the OpenSSL libraries installed.) If you are using a third-party CA, skip this procedure.

  1. Open a terminal and change the current directory to the directory that contains the CA.sh file, such as /usr/local/ssl/misc.

  2. To create the CA, enter the following command and then provide values when prompted:

     ./CA.sh -newca

     NOTE
     Several properties in the openssl.cnf file control the behavior of the CA.sh script. Edit this file as required before you create your CA.

Create the certificates

Use OpenSSL to create the certificate requests to send to the third-party CA or to sign with your CA.

When you create a certificate, OpenSSL uses the Common Name property to identify the certificate holder. For the certificate of the render instance, use the host name of the instance computer as the Common Name if you configure Dispatcher to accept the certificate only when its Common Name matches the host name of the publish instance. See the DispatcherCheckPeerCN property.

  1. Open a terminal and change the current directory to the directory that contains the CA.sh file of your OpenSSL libraries.

  2. Enter the following command and provide values when prompted. If necessary, use the host name of the publish instance as the Common Name. The host name is the DNS-resolvable name for the IP address of the render:

     ./CA.sh -newreq


    If you are using a third-party CA, send the newreq.pem file to the CA to sign. If you are acting as the CA, continue to step 3.

  3. To sign the certificate using the certificate of your CA, enter the following command:

     ./CA.sh -sign


    Two files named newcert.pem and newkey.pem are created in the directory that contains your CA management files. These two files are the public certificate and private key for the rendering computer, respectively.

  4. Rename newcert.pem to rendercert.pem, and rename newkey.pem to renderkey.pem.

  5. Repeat steps 2 and 3 to create a certificate and a private key for the Dispatcher module. Ensure that you use a Common Name that is specific to the Dispatcher instance.

  6. Rename newcert.pem to dispcert.pem, and rename newkey.pem to dispkey.pem.

Configure SSL on the render computer

Configure SSL on the render instance using the rendercert.pem and renderkey.pem files.

Convert the render certificate to JKS (Java™ KeyStore) format

Convert the render certificate and private key from PEM to a PKCS#12 file, then import that file into a Java™ KeyStore:

  1. In a terminal window, change the current directory to the location of the render certificate and private key.

  2. To convert the render certificate, which is a PEM file, to a PKCS#12 file, enter the following command. Also include the certificate of the CA that signed the render certificate:

     openssl pkcs12 -export -in rendercert.pem -inkey renderkey.pem -certfile demoCA/cacert.pem -out rendercert.p12

  3. To convert the PKCS#12 file to Java™ KeyStore (JKS) format, enter the following command:

     keytool -importkeystore -srckeystore rendercert.p12 -srcstoretype pkcs12 -destkeystore render.keystore

  4. The Java™ KeyStore is created using a default alias. Change the alias if desired:

     keytool -changealias -alias 1 -destalias jettyhttp -keystore render.keystore

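
As an added example that is not part of the original page, the following POSIX shell script carries the certificate procedure above through end to end (CA, render and Dispatcher certificates, PKCS#12 bundle) with the plain openssl req and openssl x509 subcommands instead of the CA.sh wrapper, and then checks the properties that mutual SSL depends on: both leaf certificates chain to the CA, a self-signed certificate does not, and the render certificate's Common Name matches the host name that DispatcherCheckPeerCN compares. The host name, Dispatcher Common Name, CA name and keystore password are placeholders.

```shell
#!/bin/sh
# Added example (not from the page): CA, render and Dispatcher certificates built with
# plain openssl subcommands instead of CA.sh, plus the checks mutual SSL relies on.
# Names and the password are placeholders.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
RENDER_HOST="publish.example.internal"   # placeholder: DNS-resolvable name of the render
DISP_CN="dispatcher-01"                  # placeholder: Common Name specific to this Dispatcher

# 1. CA key and self-signed CA certificate (what ./CA.sh -newca produces)
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example Internal CA" \
  -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null

# 2. Certificate request (./CA.sh -newreq) signed by the CA (./CA.sh -sign)
issue_cert() {   # $1 = file prefix, $2 = Common Name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1key.pem" -out "$WORK/$1req.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/$1req.pem" -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" \
    -CAcreateserial -days 365 -out "$WORK/$1cert.pem" 2>/dev/null
}
issue_cert render "$RENDER_HOST"   # rendercert.pem / renderkey.pem
issue_cert disp "$DISP_CN"         # dispcert.pem / dispkey.pem
# A self-signed render certificate, to show why the page rules it out
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$RENDER_HOST" \
  -keyout "$WORK/selfkey.pem" -out "$WORK/selfcert.pem" 2>/dev/null

# 3. Render cert + key + CA cert as PKCS#12, ready for keytool -importkeystore
openssl pkcs12 -export -in "$WORK/rendercert.pem" -inkey "$WORK/renderkey.pem" \
  -certfile "$WORK/cacert.pem" -passout pass:changeit -out "$WORK/rendercert.p12"

# Chain check Dispatcher performs against the CA it trusts
verify_chain() { openssl verify -CAfile "$WORK/cacert.pem" "$WORK/$1cert.pem" >/dev/null 2>&1; }
# Common Name of a certificate, the value DispatcherCheckPeerCN compares with the host name
cert_cn() { openssl x509 -in "$WORK/$1cert.pem" -noout -subject | sed 's/.*CN *= *//'; }

check_mutual_ssl_material() {
  verify_chain render && verify_chain disp || return 1   # both leaves chain to the CA
  ! verify_chain self || return 1                        # self-signed cert is rejected
  [ "$(cert_cn render)" = "$RENDER_HOST" ] || return 1   # CN matches the render host
  openssl pkcs12 -in "$WORK/rendercert.p12" -passin pass:changeit -noout >/dev/null 2>&1
}
check_mutual_ssl_material && echo "mutual SSL material OK"
```

The resulting rendercert.p12 is the file the keytool -importkeystore step above consumes; the Dispatcher-side files dispcert.pem and dispkey.pem are what the web server module is pointed at.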

Add the CA cert to the render’s Truststore

If you are acting as the CA, import your CA certificate into a keystore. Then, configure the JVM that runs the render instance to trust the keystore.

  1. Use a text editor to open the cacert.pem file and remove all the text that precedes the following line:

    -----BEGIN CERTIFICATE-----

  2. Use the following command to import