SSL enablement on WCC and WCS

Apart from the certificate generation process, these are the changes that were made to the WCC and WCS setup to enable one-way SSL.

Also, the cert names and passwords will have to be changed as per the certs provided to you.

1) WCC WebLogic console

  • Log in to the WebLogic console
  • Traverse to Environment > Servers > server name > General tab
  • Select “SSL Listen Port Enabled” and provide a value for Listen Port: <7008>
  • Click Save
  • Traverse to Environment > Servers > server name > Keystores
  • Change the “Keystores” value to “Custom Identity and Custom Trust”
  • Provide relevant values for the following:
    • Identity
    • Custom Identity Keystore: <middleware-path>/keystores/keystore.jks
    • Custom Identity Keystore Type: <JKS>
    • Custom Identity Keystore Passphrase: <welcome1>
    • Confirm Custom Identity Keystore Passphrase: <welcome1>
    • Trust
    • Custom Trust Keystore: <middleware-path>/keystores/keystore.jks
    • Custom Trust Keystore Type: <JKS>
    • Custom Trust Keystore Passphrase: <welcome1>
    • Confirm Custom Trust Keystore Passphrase: <welcome1>
  • Click “Save” to save the updated entries
  • Traverse to Environment > Servers > server name > SSL
  • Provide relevant values for the following:
    • Private Key Alias: server_cert
    • Private Key Passphrase: <welcome1>
    • Confirm Private Key Passphrase: <welcome1>
  • Click on Advanced
  • Click on “Use Server Certs”
  • Click on Save
  • Repeat the same for all the servers under this domain.
  • Restart the servers if the console indicates that a restart is required.
  • Change Node Manager settings
  • Traverse to Environment > Machines > <machine_name>
  • Click on the “Node Manager” tab
  • Change Type to “SSL”
  • Listen Port: <ssl listen port>

2) WCS WebLogic console

Repeat step 1 for the WCS WebLogic console/domain.

3) Application Changes – WCC

Change the following property in <domain_home>/content/ucm/cs/config/config.cfg:

UseSSL=true

4) Application Changes – WCS

Change the relevant properties in the files below on every installed node, switching the scheme to https and the port to the SSL listen port.

  • {CAS deployment}/WEB-INF/deployerConfigContext.xml

<property name="loginUrl" value="https://<server-name>.com:<https-port>/cs …"

  • {CS deployment}/WEB-INF/classes/SSOConfig.xml

<property name="casUrl" value="https://<server-name>.com:<https-port>/cas" />

<property name="casInternalURL" value=".com:<https-port>/cas" />

  • {CS deployment}/WEB-INF/classes/AdvPub.xml

<property name="regenServers">
<list>
<value>https://<server-name>.com:<https-port>/cs/ContentServer</value>
</list>
</property>

  • {install dir}/futuretense.ini

cs.eventhost=https\://<server-name>.com\:<https-port>

  • {install dir}/futuretense_xcel.ini

xcelerate.batchhost=<server-name>.com\:<https-port>

  • {install dir}/bin/cas.properties

cas.securityContext.serviceProperties.service=https://<server-name>.com:<https-port>/cas/services/j_acegi_cas_security_check

cas.securityContext.casProcessingFilterEntryPoint.loginUrl=https://<server-name>.com:<https-port>/cas/login

cas.securityContext.ticketValidator.casServerUrlPrefix=https://<server-name>.com:<https-port>/cas

  • {install dir}/bin/customBeans.xml

<bean id="RequestParamValidator" class="com.fatwire.cas.web.RequestParamValidator">
<property name="validUrls">
<list>
<value>https://<server-name>.com:<https-port>/cs/*</value>
</list>
</property>
</bean>

  • {CAS deployment}/WEB-INF/weblogic.xml and {CS deployment}/WEB-INF/weblogic.xml

<session-descriptor>
<cookie-path>/cs</cookie-path>
<cookie-secure>true</cookie-secure>
</session-descriptor>

  • {CAS deployment}/WEB-INF/spring-configuration/ticketGrantingTicketCookieGenerator.xml.

<bean id="ticketGrantingTicketCookieGenerator" class="com.fatwire.cas.web.support.CookieRetrievingCookieGeneratorModified"
p:cookieSecure="true"
p:cookieMaxAge="-1"
p:cookieName="CASTGC"
p:cookiePath="/cas"
p:httpOnly="false" />

Restart the nodes once these changes are done and test the applications using the https URL and port.
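Because the step 4 edits are spread over several files on every node, a missed http:// URL or a cookie-secure flag left at false is easy to overlook. The following script is an added example, not part of the original post or of the WCC/WCS products: it audits constructed copies of the step 4 files for plain-http URLs, for https URLs on a port other than the expected SSL listen port, and for the cookie-secure settings in weblogic.xml and ticketGrantingTicketCookieGenerator.xml. The file paths, the host wcs.example.com and the port 7008 in the sample are placeholders chosen for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample contents modelled on the step 4 files (placeholder host/port).
# Two deliberate defects are included: a plain-http casUrl and cookie-secure=false.
SAMPLE_FILES: Dict[str, str] = {
    "cas/WEB-INF/deployerConfigContext.xml":
        '<property name="loginUrl" value="https://wcs.example.com:7008/cs/login" />',
    "cs/WEB-INF/classes/SSOConfig.xml": (
        '<property name="casUrl" value="http://wcs.example.com:7001/cas" />\n'
        '<property name="casInternalURL" value="https://wcs.example.com:7008/cas" />'
    ),
    "install/futuretense.ini":
        "cs.eventhost=https\\://wcs.example.com\\:7008",
    "install/bin/cas.properties": (
        "cas.securityContext.serviceProperties.service="
        "https://wcs.example.com:7008/cas/services/j_acegi_cas_security_check\n"
        "cas.securityContext.casProcessingFilterEntryPoint.loginUrl="
        "https://wcs.example.com:7008/cas/login\n"
    ),
    "cs/WEB-INF/weblogic.xml":
        "<session-descriptor><cookie-path>/cs</cookie-path>"
        "<cookie-secure>false</cookie-secure></session-descriptor>",
    "cas/WEB-INF/spring-configuration/ticketGrantingTicketCookieGenerator.xml":
        '<bean id="ticketGrantingTicketCookieGenerator" p:cookieSecure="true" '
        'p:cookieName="CASTGC" p:cookiePath="/cas" />',
}

# Matches http(s) URLs, including the backslash-escaped form (https\://host\:port)
# used in the .ini and .properties files.
URL_RE = re.compile(r"(https?)\\?://([^\s\"'<>]+)")


def find_urls(text: str) -> List[Tuple[str, str, int]]:
    """Return (scheme, host, port) for every URL found in text."""
    found = []
    for scheme, rest in URL_RE.findall(text):
        hostport = rest.replace("\\", "").split("/", 1)[0]
        host, _, port = hostport.partition(":")
        default = 443 if scheme == "https" else 80
        found.append((scheme, host, int(port) if port.isdigit() else default))
    return found


def audit_file(path: str, text: str, expected_port: int) -> List[str]:
    """Report URLs that are not https on the expected port and insecure cookie flags."""
    findings = []
    for scheme, host, port in find_urls(text):
        if scheme != "https":
            findings.append(f"{path}: plain-http URL to {host}:{port}; "
                            f"expected https://{host}:{expected_port}")
        elif port != expected_port:
            findings.append(f"{path}: https URL to {host} uses port {port}, "
                            f"expected {expected_port}")
    name = path.rsplit("/", 1)[-1]
    if name == "weblogic.xml" and not re.search(
            r"<cookie-secure>\s*true\s*</cookie-secure>", text):
        findings.append(f"{path}: <cookie-secure> is not true; "
                        "the session cookie may be sent over plain HTTP")
    if name == "ticketGrantingTicketCookieGenerator.xml" and not re.search(
            r'p:cookieSecure="true"', text):
        findings.append(f"{path}: p:cookieSecure is not \"true\"; "
                        "the CASTGC cookie may be sent over plain HTTP")
    return findings


def audit(files: Dict[str, str], expected_port: int) -> List[str]:
    """Audit a mapping of file path -> file content and return all findings."""
    findings: List[str] = []
    for path, text in sorted(files.items()):
        findings.extend(audit_file(path, text, expected_port))
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_FILES, 7008) or ["no findings"]:
        print(line)
```

To run this against a real node, replace SAMPLE_FILES with the contents read from the paths listed in step 4 and pass the SSL listen port configured in step 1; an empty result means every URL uses https on that port and both cookie-secure flags are set. The xcelerate.batchhost entry in futuretense_xcel.ini carries no scheme, so it is not covered by the URL check and still needs a manual look at the port.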

After these changes you would still get the following error:
“Peer not authenticated”
To get rid of it, the previously generated server cert has to be imported into the default cacerts trust store of the JDK used by the server, as below.

  • Copy the server_cert.cert file to the JVM path below
    /<java-home>/jre/lib/security
  • Import the server cert into the cacerts file
    $ keytool -import -alias myalias -keystore cacerts -storepass changeit -file server_cert.cert

Posted by on October 2, 2014 in WCC, WCS