To comply with the customer's security rules, I had to configure SSL on the JBoss application server that hosts the Documentum Foundation Services (DFS). I used the following procedure:
1. Generate a keystore
Change to a temporary directory, e.g. /var/tmp/SSL:
keytool -genkey -dname "cn=dms.test.org, ou=DEV, o=NICE, l=Delemont, s=Switzerland, c=CH" -keyalg "rsa" -validity 730 -alias tomcat -keysize 2048 -keystore dfs.keystore
Enter keystore password: xxxx
Enter key password for <tomcat>
(RETURN if same as keystore password): xxxx
Important:
- always use tomcat for the alias (the connector looks up its key under that alias by default)
- enter a validity value, otherwise the certificate will only be valid for 90 days
Warning: Due to Bugzilla issue 38217, both the keystore and the key password have to be the same!
2. Create a Certificate request
keytool -certreq -alias tomcat -file jbossDfs.csr -keystore dfs.keystore
Enter keystore password: xxxx
Enter key password for <tomcat> xxxx
3. Send the jbossDfs.csr file to the service that will sign the certificate
In our case the customer runs its own CA, which returns the signed certificate together with the trust chain, composed of root.cer and user.cer.
4. Import the certificates
Once all the certificates have been delivered, import them into the keystore. Import the chain certificates before the signed server certificate, otherwise keytool cannot validate the certificate reply.
4.1 Import the root certificate
keytool -import -alias cert1 -file root.cer -keystore dfs.keystore
Enter keystore password: xxxx
Owner: CN=....
Issuer: CN=....
Serial number: .....
Valid from: Mon Feb 04 09:23:02 CET 2013 until: Wed Feb 04 09:33:01 CET 2037
Certificate fingerprints:
MD5: 94:40:.....
SHA1: D0:10:....
Trust this certificate? [no]: yes
Certificate was added to keystore
4.2 Import the user certificate
keytool -import -alias cert2 -file user.cer -keystore dfs.keystore
Enter keystore password: xxxx
Certificate was added to keystore
4.3 Import the signed certificate
keytool -import -trustcacerts -alias tomcat -file jbossDfs.cer -keystore dfs.keystore
Enter keystore password: xxxx
Enter key password for <tomcat> xxxx
Certificate reply was installed in keystore
5. Update server.xml to activate SSL
cd $DOCUMENTUM_SHARED/jboss4.2.0/server/DctmServer_MethodServer/deploy/jboss-web.deployer/
Edit server.xml with vi:
- uncomment the SSL connector definition
- set SSLEnabled from false to true
- change the default password "changeit" to the password you chose for the keystore. The relevant connector attributes then read:
maxThreads="150" scheme="https" secure="true" keystoreFile="${jboss.server.home.dir}/conf/dfs.keystore" keystorePass="xxxx" clientAuth="false" sslProtocol="TLS" />
6. Change the server.xml permission
If group or others can read the file, restrict it so that only the owner can read and write it; server.xml now contains the keystore password in clear text:
chmod 600 server.xml
7. Copy the keystore to the correct location
cp /var/tmp/SSL/dfs.keystore $DOCUMENTUM_SHARED/jboss4.2.0/server/DctmServer_MethodServer/conf/
8. Restart the JBoss server
Check server.log to confirm that everything starts up cleanly.
9. Test it
Perform a test using the URL https://dms.test.org:9082/services/core/ObjectService.
The JBoss server should now be ready to serve HTTPS requests!
Please note that the client part is not covered in this post.
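As an added example (not part of the original post), the following shell script checks the outcome of steps 5 to 9 above: that the active connector in server.xml is really the SSL one with a non-default keystore password, that server.xml is no longer world-readable, that the keystore was copied into the conf directory, and, against the live server, that the tomcat entry carries the full chain and the server presents its certificate. The file paths and host:port are assumptions passed in as arguments.

```shell
#!/bin/sh
# Post-configuration checks for the DFS JBoss SSL setup (added example, not
# part of the original post). Paths and host:port are assumptions passed as
# arguments; only check_live needs the real keystore and a running server.

# Print server.xml with <!-- ... --> comment blocks removed, so a connector
# that is still commented out (step 5) is not mistaken for an active one.
strip_xml_comments() {
    awk '/<!--/ { c = 1 } !c { print } /-->/ { c = 0 }' "$1"
}

# Step 6: server.xml holds keystorePass in clear text, so it must be mode 600.
check_server_xml_perms() {
    [ -f "$1" ] || { echo "missing: $1"; return 1; }
    [ -n "$(find "$1" -perm 600 -print)" ] || { echo "FAIL: $1 is not mode 600"; return 1; }
    echo "ok: $1 is mode 600"
}

# Step 5: the active connector must have SSLEnabled="true", reference a
# keystore file and no longer carry the default password "changeit".
check_connector_config() {
    cfg=$(strip_xml_comments "$1")
    echo "$cfg" | grep -q 'SSLEnabled="true"' || { echo "FAIL: no active SSL connector"; return 1; }
    echo "$cfg" | grep -q 'keystoreFile=' || { echo "FAIL: keystoreFile not set"; return 1; }
    echo "$cfg" | grep -q 'keystorePass="changeit"' && { echo "FAIL: default keystorePass"; return 1; }
    echo "ok: SSL connector active with a non-default keystore password"
}

# Step 7: the keystore must have been copied into the server's conf directory.
check_keystore_present() {
    [ -s "$1/dfs.keystore" ] || { echo "FAIL: $1/dfs.keystore missing or empty"; return 1; }
    echo "ok: keystore present in $1"
}

# Steps 4 and 9 (live): the tomcat entry should show the whole chain
# (root, user, server = length 3), and the server should present a
# certificate whose subject matches its DNS name and is still valid.
check_live() {
    keytool -list -v -keystore "$1" -alias tomcat | grep 'Certificate chain length'
    echo | openssl s_client -connect "$2:$3" -servername "$2" 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
}
```

Run the offline checks as `check_server_xml_perms .../server.xml`, `check_connector_config .../server.xml` and `check_keystore_present .../conf`, then `check_live .../conf/dfs.keystore dms.test.org 9082` once the server is up.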