Around four years ago, I did a few presentations, here, in Switzerland about “Security & Documentum”. In there, I talked about a lot of different subjects related to both security and Documentum (you guessed it…) like: ciphers, SHA, FIPS & JCE, Documentum & DFC connect mode (characteristics, ciphers, protocols, encryptions, limitations), Documentum & DFC encryptions in transit and at rest (AEK\/DBK\/LTK\/FSK\/FEK, TCS, CS Lockbox, D2 Lockbox vs D2 Keystore, Passwords encryption and decryption), and some other topics (HTTPS on WebLogic, JBoss\/WildFly, Tomcat, best practices for security, LDAPS support, FIPS 140-2 support and compliance).<\/p>\n
<\/p>\n
“Why the hell are you talking about presentations you gave 4 years ago?”. Good question, thank you! This presentation was really dense so all I could do was just put an example of the configuration files needed for real SSL Certificate based secure communication but not how exactly to reach this point. I talked about this configuration in several blogs already but never took the time to explain\/show it from A to Z. So, that’s what I’m going to do here because without being able to create the SSL Certificate and trust stores, you will probably have some trouble to really configure Documentum to use the real-secure mode (in opposition to the default-secure, which is using anonymous and therefore not fully secure).<\/p>\n
<\/p>\n
In this blog, I will use self-signed SSL Certificate only. It is possible to use CA signed SSL Certificate, the only thing it would change is that you would need to set the trust chain into the different trust stores instead of the self-signed SSL Certificate. This has pros and cons however… This means it is easier to automate because a CA trust chain is a public SSL Certificate and therefore in case you are in a CI\/CD infrastructure, you can easily create the needed Documentum trust stores from anywhere (any pods, any containers, any VMs, aso…). However, that also means that anybody with access to this trust chain can potentially create the needed files used by a DFC Client to talk to your Docbroker and Repositories. That might or might not be a problem for you so I will let you decide on that. On the other hand, using a self-signed SSL Certificate makes it more difficult to gain access to the certificates (unless you are storing it in a public and open location of course) but at the same time, this complicates a little bit the setup for remote DFC Clients since you will need to share, somehow, the Docbroker and Repositories certificates in order to create a trust store for the DFC Clients.<\/p>\n
<\/p>\n
I split the steps into different sections: one global definition of parameters & passwords and then one section per component. Please note that for the DFC Client section, I used the JMS. The same steps can be applied for any DFC Client, you will just need to have access to the needed input files. Please make sure that all components are shutdown when you start the configuration, to avoid expected errors: it will be easier to spot errors if something you expect to be working isn’t, if you don’t have hundreds of expected errors in the middle because all clients are still trying to use non-secure (or default-secure) modes. Alright, enough blabbering, let’s start with the setup.<\/p>\n
<\/p>\n
All the files needed for the Docbroker and Repositories setup needs to be put into the $DOCUMENTUM\/dba\/secure\/<\/em> folder so all the commands will be executed in there directly. I defined here some environment variables that will be used by all the commands. The read commands will simply ask you to enter the needed password and press enter. Doing that will store the password into the environment variable (lb_pp<\/strong>, b_pwd<\/strong>, s_pwd<\/strong> and d_pwd<\/strong>). If you aren’t using any Lockbox (since deprecated since Documentum 16.7), just ignore the Lockbox part.<\/p>\n <\/p>\n In this section, we will create the certificate for the Docbroker, create the needed keystore (it needs to be PKCS12) and encrypt the keystore password. If you aren’t using any Lockbox, in the “dm_encrypt_password<\/strong>” command, just remove the two parameters related to it (and its associated value\/password) and remove the “crypto_lockbox<\/strong>” from the Docbroker.ini<\/em> file (or whatever the name of your file is).<\/p>\n <\/p>\n At this point, you can start the Docbroker and it should start only on the secure port, without errors. If there are still clients up&running, you will probably face a lot of handshake failure errors… It is possible to define the list of ciphers to use in the Docbroker.ini<\/em> file (cipherlist=xxx:yyy:zzz<\/strong>) but if you do so, please make sure that all the SSL Clients (Repository and DFC Clients alike) that will talk to it does support this cipher as well.<\/p>\n <\/p>\n In this section, we will create the certificate for the Repositories (each repo can have its own if you prefer), create the needed keystore (it needs to be PKCS12), create the needed trust store (it needs to be PKCS7) and encrypt the keystore password. If you aren’t using any Lockbox, in the “dm_encrypt_password<\/strong>” command, just remove the two parameters related to it (and its associated value\/password). In case you have several Lockbox and AEK Key, you might want to retrieve their names from the server.ini<\/em> directly (inside the loop) and then use these to encrypt the password, for each Repository, independently.<\/p>\n <\/p>\n At this point, you can start the different Repositories and it should start and project itself to the Docbroker. However, The AgentExec should still fail to start properly because it should use the global dfc.properties<\/em> of the Documentum Server, which wasn’t updated yet. So you might want to configure the global dfc.properties<\/em> before starting the Repositories. It is possible to define the list of ciphers to use in the server.ini<\/em> file (cipherlist=xxx:yyy:zzz<\/strong>) but if you do so, please make sure that all the SSL Clients (DFC Clients) that will talk to it and SSL Servers (Docbroker) it talks to does support this cipher as well.<\/p>\n <\/p>\n In this section, we will create the needed trust store (it needs to be JKS) and encrypt the trust store password. Regarding the password encryption, this command will work on any DFC Client, you will just need to add the dfc.jar<\/em> in the classpath (for example on xPlore: -cp “$XPLORE_HOME\/dfc\/dfc.jar”<\/strong>) if you aren’t executing it on a Documentum Server.<\/p>\n <\/p>\n This is technically the global dfc.properties<\/em> of a Documentum Server and not really the JMS one but I assume almost everybody in the world is just including this one (using #include<\/strong>) for the dfc.properties<\/em> of the JMS (ServerApps, acs, bpm, …), to avoid duplication of generic parameters\/configurations at multiple locations and just manage them globally.<\/p>\n <\/p>\n At this point, you can start the DFC Client and it should be able to communicate with the Docbroker and with the Repositories. As said before, if you already started the Repository, you might want to make sure that the AgentExec is running and if not, maybe restart the Repositories quickly.<\/p>\n <\/p>\n Some final remarks on the SSL Certificate based secure configuration of Documentum:<\/p>\n <\/p>\n","protected":false},"excerpt":{"rendered":" Around four years ago, I did a few presentations, here, in Switzerland about “Security & Documentum”. In there, I talked about a lot of different subjects related to both security and Documentum (you guessed it…) like: ciphers, SHA, FIPS & JCE, Documentum & DFC connect mode (characteristics, ciphers, protocols, encryptions, limitations), Documentum & DFC encryptions […]<\/p>\n","protected":false},"author":20,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[197,525],"tags":[1149,1602,567,1176,129,903,2321,382],"type_dbi":[],"class_list":["post-16217","post","type-post","status-publish","format-standard","hentry","category-application-integration-middleware","category-enterprise-content-management","tag-certificate","tag-content-server","tag-dfc","tag-docbroker","tag-documentum","tag-jms","tag-secure","tag-ssl"],"acf":[],"yoast_head":"\ncd $DOCUMENTUM\/dba\/secure\/\nlb_name=\"lockbox.lb\"\naek_name=\"CSaek\"\nb_name=\"docbroker\"\ns_name=\"contentserver\"\nd_name=\"dfc\"\n\nread -s -p \" ----> Please enter the ${lb_name} passphrase: \" lb_pp\n\nread -s -p \" ----> Please enter the ${b_name} related password: \" b_pwd\n\nread -s -p \" ----> Please enter the ${s_name} related password: \" s_pwd\n\nread -s -p \" ----> Please enter the ${d_name} related password: \" d_pwd\n\necho \"\nLockbox passphrase entered: ${lb_pp}\nBroker password entered: ${b_pwd}\nServer password entered: ${s_pwd}\nDFC password entered: ${d_pwd}\"<\/pre>\nII. Docbroker setup – SSL Server only<\/h3>\n
openssl req -x509 -days 1096 -newkey rsa:2048 -keyout ${b_name}.key -out ${b_name}.crt -subj \"\/C=CH\/ST=Jura\/L=Delemont\/O=dbi services\/OU=IT\/CN=${b_name}\" -passout pass:\"${b_pwd}\"\n\nopenssl pkcs12 -export -out ${b_name}.p12 -inkey ${b_name}.key -in ${b_name}.crt -name ${b_name} -descert -passin pass:\"${b_pwd}\" -passout pass:\"${b_pwd}\"\n\ndm_encrypt_password -lockbox \"${lb_name}\" -lockboxpassphrase \"${lb_pp}\" -keyname \"${aek_name}\" -encrypt \"${b_pwd}\" -file ${b_name}.pwd\n\ncp $DOCUMENTUM\/dba\/Docbroker.ini $DOCUMENTUM\/dba\/Docbroker.ini.orig\n\necho \"[DOCBROKER_CONFIGURATION]\nsecure_connect_mode=secure\ncrypto_keyname=${aek_name}\ncrypto_lockbox=${lb_name}\nkeystore_file=${b_name}.p12\nkeystore_pwd_file=${b_name}.pwd\" > $DOCUMENTUM\/dba\/Docbroker.ini<\/pre>\nIII. Repository setup – SSL Server and SSL Client<\/h3>\n
openssl req -x509 -days 1096 -newkey rsa:2048 -keyout ${s_name}.key -out ${s_name}.crt -subj \"\/C=CH\/ST=Jura\/L=Jura\/O=dbi services\/OU=IT\/CN=${s_name}\" -passout pass:\"${s_pwd}\"\n\nopenssl pkcs12 -export -out ${s_name}.p12 -inkey ${s_name}.key -in ${s_name}.crt -name ${s_name} -descert -passin pass:\"${s_pwd}\" -passout pass:\"${s_pwd}\"\n\ndm_encrypt_password -lockbox \"${lb_name}\" -lockboxpassphrase \"${lb_pp}\" -keyname \"${aek_name}\" -encrypt \"${s_pwd}\" -file ${s_name}.pwd\n\nopenssl crl2pkcs7 -nocrl -certfile ${b_name}.crt -outform der -out ${s_name}-trust.p7b\n\nfor s_ini in $(ls $DOCUMENTUM\/dba\/config\/*\/server.ini); do\n cp ${s_ini} ${s_ini}.orig\n sed -i --follow-symlinks \"\/keystore_file\/d\" ${s_ini}\n sed -i --follow-symlinks \"\/keystore_pwd_file\/d\" ${s_ini}\n sed -i --follow-symlinks \"\/truststore_file\/d\" ${s_ini}\n sed -i --follow-symlinks \"\/cipherlist\/d\" ${s_ini}\n sed -i --follow-symlinks \"\/^crypto_keyname\/a truststore_file = ${s_name}-trust.p7b\" ${s_ini}\n sed -i --follow-symlinks \"\/^crypto_keyname\/a keystore_pwd_file = ${s_name}.pwd\" ${s_ini}\n sed -i --follow-symlinks \"\/^crypto_keyname\/a keystore_file = ${s_name}.p12\" ${s_ini}\ndone<\/pre>\nIV. DFC Clients setup (JMS, IndexAgent, DA, D2, …) – SSL Client only<\/h3>\n
openssl x509 -outform der -in ${b_name}.crt -out ${b_name}.der\n\nopenssl x509 -outform der -in ${s_name}.crt -out ${s_name}.der\n\n$JAVA_HOME\/bin\/keytool -importcert -keystore ${d_name}-trust.jks -file ${b_name}.der -alias ${b_name} -noprompt -storepass ${d_pwd}\n\n$JAVA_HOME\/bin\/keytool -importcert -keystore ${d_name}-trust.jks -file ${s_name}.der -alias ${s_name} -noprompt -storepass ${d_pwd}\n\nd_pwd_enc=$($JAVA_HOME\/bin\/java com.documentum.fc.tools.RegistryPasswordUtils ${d_pwd})\n\ncp $DOCUMENTUM\/config\/dfc.properties $DOCUMENTUM\/config\/dfc.properties.orig\nsed -i '\/dfc.session.secure_connect_default\/d' $DOCUMENTUM\/config\/dfc.properties\nsed -i '\/dfc.security.ssl.use_existing_truststore\/d' $DOCUMENTUM\/config\/dfc.properties\nsed -i '\/dfc.security.ssl.truststore\/d' $DOCUMENTUM\/config\/dfc.properties\nsed -i '\/dfc.security.ssl.truststore_password\/d' $DOCUMENTUM\/config\/dfc.properties\n\necho \"dfc.session.secure_connect_default=secure\ndfc.security.ssl.use_existing_truststore=false\ndfc.security.ssl.truststore=$DOCUMENTUM\/dba\/secure\/${d_name}-trust.jks\ndfc.security.ssl.truststore_password=${d_pwd_enc}\" >> $DOCUMENTUM\/config\/dfc.properties<\/pre>\n\n
\n