Use case: for testing
Step 1: Generate Key Store
Use keytool (shipped with the JDK) to generate the keystore.
You can confirm that keytool is available on your system with the command keytool --help
Once you have keytool installed, use the following command to generate the keystore:
From the command line, navigate to /crx-quickstart/server/etc
Use command "keytool -genkey -keystore mykey -alias myalias -keyalg rsa"
Set up SSL up to CQ5.4 (using server.xml)
Use the following entry in server.xml:
<container>
    <listener>
        <!-- You already have one entry here; don't modify it -->
    </listener>
    <!-- Entry for the new SSL listener -->
    <listener>
        <bind-port>443</bind-port>
        <ssl>
            <protocol>SSL</protocol>
            <key-store>
                <name>etc/mykey</name>
                <passphrase><Password you have given while creating certificate></passphrase>
            </key-store>
            <key>
                <alias>myalias</alias>
                <password><Password you have given while creating certificate></password>
            </key>
        </ssl>
    </listener>
    <!-- End of new entry for SSL -->
</container>
You can also check /crx-quickstart/server/etc/SSL_HowTo.txt to see how the configuration can be done.
NOTE:
Once you have SSL set up, check logs/server.log to make sure that the server has started on the secure port.
If you get an error like
*ERROR* servletengine: Unable to start https listener on address 127.0.0.1, port 443: Permission denied
it means the port is privileged (below 1024 on Unix) and you need to start CQ as the root user.
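As an added example (not code from the original post), here is a small Python check that reads server.log content and reports whether the https listener came up, or why it did not. The *ERROR* line in the constructed sample is the one quoted above; the *INFO * "Started ... listener" line format is an assumption, since the post does not show a successful start line, so adjust STARTED_RE to match your own server.log.

```python
import re

# Constructed sample of crx-quickstart/logs/server.log. The *ERROR* line is the one
# quoted in the post; the *INFO * "Started ... listener" line format is an assumption.
SAMPLE_LOG = """\
*INFO * servletengine: Started http listener on address 0.0.0.0, port 4502
*ERROR* servletengine: Unable to start https listener on address 127.0.0.1, port 443: Permission denied
"""

STARTED_RE = re.compile(
    r"Started (?P<proto>https?) listener on address (?P<addr>\S+), port (?P<port>\d+)")
FAILED_RE = re.compile(
    r"Unable to start (?P<proto>https?) listener on address (?P<addr>\S+), "
    r"port (?P<port>\d+): (?P<reason>.+)")

PRIVILEGED_PORT_MAX = 1023  # on Unix, binding a port below 1024 needs root (or CAP_NET_BIND_SERVICE)


def _matches(m, proto, port):
    """True when a regex match refers to the listener we are looking for."""
    return m is not None and m["proto"] == proto and int(m["port"]) == port


def check_listener(log_text, proto="https", port=443):
    """Classify one listener from server.log content.

    Returns {'status': 'started' | 'failed' | 'missing', 'reason': ..., 'hint': ...}.
    The first successful start wins; otherwise the last failure for that listener is reported.
    """
    result = {
        "status": "missing",
        "reason": None,
        "hint": "no line mentions this listener; check the <listener> entry in server.xml",
    }
    for line in log_text.splitlines():
        if _matches(STARTED_RE.search(line), proto, port):
            return {"status": "started", "reason": None, "hint": None}
        failed = FAILED_RE.search(line)
        if _matches(failed, proto, port):
            reason = failed["reason"].strip()
            if "Permission denied" in reason and port <= PRIVILEGED_PORT_MAX:
                hint = ("port %d is privileged: start CQ as root as the post says, or bind a port "
                        ">= 1024 and let Apache terminate SSL on 443" % port)
            else:
                hint = "see the stack trace following this line in server.log"
            result = {"status": "failed", "reason": reason, "hint": hint}
    return result


if __name__ == "__main__":
    print(check_listener(SAMPLE_LOG))                # https listener failed: Permission denied
    print(check_listener(SAMPLE_LOG, "http", 4502))  # http listener started
```

Run it against the real file with `check_listener(open("crx-quickstart/logs/server.log").read())`; a "missing" result after startup usually means the new <listener> entry was not picked up at all.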
Set up SSL in CQ5.5
In CQ5.5, CQSE is deployed as a bundle and you can configure SSL through the Felix configuration console. Please see the screenshot of how to do that; all parameters are self-explanatory.
This is the actual configuration
Note
1. You can put the certificate file at any location you want; only an absolute path is required.
2. There is currently no way to configure multiple ports to listen on.
Set up SSL on Apache (if your SSL terminates at Apache)
Assuming that you are using the Apache web server:
Click here to see how to generate the certificate and key file.
If you already have the certificate and a passphrase-protected key, the following command writes a copy of the key without the passphrase so Apache can start without prompting for it (keep that file readable only by root):
openssl rsa -in <Your Key>.key -out <Key with Password>.new.key
Then go to /conf/httpd.conf and add the following entry:
Listen 443
<VirtualHost *:80>
    ServerName wemblog.com
    ServerAlias wemblog*.com
    RewriteEngine on
    # Rewrite all requests to https
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [L,R=301]
</VirtualHost>
NameVirtualHost *:443
<VirtualHost *:443>
    ServerName wemblog.com
    ServerAlias wemblog*.com
    SSLEngine on
    SSLCertificateFile <cert path>.cert
    SSLCertificateKeyFile <key path>.key
    RewriteEngine on
    ProxyPreserveHost On
    ProxyPass / http://localhost:4502/
    ProxyPassReverse / http://localhost:4502/
    # Tell CQ the original scheme on every proxied request. This has to be a
    # request header (RequestHeader), not a response header (Header), or CQ
    # never sees it; "set" also overwrites any value a client sent itself.
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
To be honest, you will find a ton of information on how to set up SSL on Apache via Google.
Note: If you have to use only https (force https in CQ) and not let authors use http, there are two options:
1) You can configure a dispatcher rewrite rule to redirect all http requests to https.
2) If you are not using the dispatcher, you can write a rewrite rule under /etc/map to redirect all requests to the https port. Here is an example.
Please check https://cwiki.apache.org/SLING/flexible-resource-resolution.html
You have to do something like this:
/etc/map
+-- http
    +-- localhost.4502
        +-- sling:redirect = "https://localhost:<your secure port>"
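The following added example (my own code, not from the post or from CQ/Sling) shows the two sides of the Apache-terminated setup above from the application's point of view: how a backend like CQ should derive the client's scheme from the X-Forwarded-Proto header that the Apache config sets, and how the forced-https redirect that the /etc/map entry produces is computed. The trusted-proxy list is an assumption matching the post's localhost:4502 proxy target; the function and variable names are mine.

```python
import ipaddress

# Constructed: the addresses Apache connects from when it proxies to CQ on localhost:4502.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32"), ipaddress.ip_network("::1/128")]


def effective_scheme(peer_ip, headers, trusted_proxies=TRUSTED_PROXIES, default="http"):
    """Scheme the original client used, as CQ behind Apache should derive it.

    X-Forwarded-Proto is only meaningful when the TCP peer is a trusted proxy that
    overwrites it (RequestHeader set in httpd.conf). From anyone else the header is
    client-controlled and is ignored, so a direct request to port 4502 that claims
    "https" still counts as plain http.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted_proxies):
        return default
    lowered = {k.lower(): v for k, v in headers.items()}
    # Take the first value if a chain of proxies appended several.
    proto = lowered.get("x-forwarded-proto", "").split(",")[0].strip().lower()
    return proto if proto in ("http", "https") else default


def force_https_location(scheme, host, path, secure_port=443):
    """Location for a redirect-to-https, like the /etc/map sling:redirect in the post.

    Returns None when the request is already https. The host comes from the incoming
    Host header in name[:port] form; the plain-http port is dropped and the secure
    port is appended unless it is the default 443.
    """
    if scheme == "https":
        return None
    hostname = host.split(":", 1)[0]
    port_suffix = "" if secure_port == 443 else ":%d" % secure_port
    return "https://%s%s%s" % (hostname, port_suffix, path)


if __name__ == "__main__":
    # Request that came through Apache: header is trusted.
    s = effective_scheme("127.0.0.1", {"X-Forwarded-Proto": "https"})
    print(s, force_https_location(s, "wemblog.com", "/content/site/en.html"))
    # Request straight to 4502 from a client that spoofed the header: ignored.
    s = effective_scheme("203.0.113.5", {"X-Forwarded-Proto": "https"})
    print(s, force_https_location(s, "localhost:4502", "/content/site/en.html", 8443))
```

The point of the trusted-proxy check is that the header only means something when the hop that set it is the one you control; if the author instance is reachable directly on 4502, anyone can send X-Forwarded-Proto themselves.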
How to run the AEM author and bind it to port 443 as a non-root user, without using the dispatcher, in AEM 6.1?
Hello Dg,
If you don't want to use Dispatcher, you can just use Apache and proxy it to the author instance.
Yogesh