SSL By Default
Topics: Administering
Created for: Admin
In an effort to continuously improve the security of AEM, Adobe has introduced a feature called SSL By Default. Its purpose is to encourage the use of HTTPS when connecting to AEM instances.
Enabling SSL By Default
You can start configuring SSL By Default by clicking the relevant Inbox message from your AEM home screen. To reach the Inbox, click the bell icon in the upper right corner of the screen, then click View All. This brings up all alerts in a list view.
In the list, select and open the Configure HTTPS alert:
NOTE
If the Configure HTTPS alert is not present in the Inbox, you can open the HTTPS wizard directly at http://serveraddress:serverport/libs/granite/security/content/sslConfig.html?item=configuration%2Fconfiguressl&_charset_=utf-8
A service user called ssl-service is created for this feature. Once you open the alert, you are guided through the following configuration wizard:
- First, set up the Store Credentials. These are the passwords for the ssl-service system user's key store, which will contain the private key, and for its trust store, both used by the HTTPS listener.
- Once you enter the credentials, click Next in the upper right corner of the page. Then, upload the private key and certificate for the SSL connection.
NOTE
For information on how to generate a private key and a certificate to use with the wizard, see Generating a Private Key/Certificate Pair to Use with the Wizard below.
- Lastly, specify the HTTPS hostname and the TCP port for the HTTPS listener.
Automating SSL By Default
There are three ways of automating SSL By Default.
Via HTTP POST
The first method involves posting to the sslSetup servlet that the configuration wizard itself uses:
POST /libs/granite/security/post/sslSetup.html
You can use the following multipart payload in your POST to automate configuration (the binary bodies of the two file parts are not shown):
------WebKitFormBoundaryyBO4ArmGlcfdGDbs
Content-Disposition: form-data; name="keystorePassword"
test
------WebKitFormBoundaryyBO4ArmGlcfdGDbs
Content-Disposition: form-data; name="keystorePasswordConfirm"
test
------WebKitFormBoundaryyBO4ArmGlcfdGDbs
Content-Disposition: form-data; name="truststorePassword"
test
------WebKitFormBoundaryyBO4ArmGlcfdGDbs
Content-Disposition: form-data; name="truststorePasswordConfirm"
test
------WebKitFormBoundaryyBO4ArmGlcfdGDbs
Content-Disposition: form-data; name="privatekeyFile"; filename="server.der"
Content-Type: application/x-x509-ca-cert
------WebKitFormBoundaryyBO4ArmGlcfdGDbs
Content-Disposition: form-data; name="certificateFile"; filename="server.crt"
Content-Type: application/x-x509-ca-cert
------WebKitFormBoundaryyBO4ArmGlcfdGDbs
Content-Disposition: form-data; name="httpsPort"
8443
The servlet, like any Sling POST servlet, responds with 200 OK or an error HTTP status code. Details about the outcome are in the response's HTML body.
Below are examples of a successful response and an error response.
SUCCESS EXAMPLE (status = 200):
<!DOCTYPE html>
<html lang='en'>
<head>
<title>OK</title>
</head>
<body>
<h1>OK</h1>
<dl>
<dt class='foundation-form-response-status-code'>Status</dt>
<dd>200</dd>
<dt class='foundation-form-response-status-message'>Message</dt>
<dd>SSL successfully configured</dd>
<dt class='foundation-form-response-title'>Title</dt>
<dd>OK</dd>
<dt class='foundation-form-response-description'>Description</dt>
<dd>HTTPS has been configured on port 8443. The private key and
certificate were stored in the key store of the user ssl-service.
Please take note of the key store password you provided. You will need
it for any subsequent updating of the private key or certificate.</dd>
</dl>
<h2>Links</h2>
<ul class='foundation-form-response-links'>
<li><a class='foundation-form-response-redirect' href='/'>Done</a></li>
</ul>
</body>
</html>
ERROR EXAMPLE (status = 500):
<!DOCTYPE html>
<html lang='en'>
<head>
<title>Error</title>
</head>
<body>
<h1>Error</h1>
<dl>
<dt class='foundation-form-response-status-code'>Status</dt>
<dd>500</dd>
<dt class='foundation-form-response-status-message'>Message</dt>
<dd>The provided file is not a valid key, DER format expected</dd>
<dt class='foundation-form-response-title'>Title</dt>
<dd>Error</dd>
</dl>
</body>
</html>
Via Package
Alternatively, you can automate the SSL setup by uploading a package that already contains the required items:
- The ssl-service user's keystore, located under /home/users/system/security/ssl-service/keystore in the repository.
- The GraniteSslConnectorFactory configuration.
Generating a Private Key/Certificate Pair to Use with the Wizard
Below you will find an example for creating a self-signed certificate, and a private key in the DER format, that the SSL Wizard can use.
- First, create the private key. The second command removes the passphrase again, so that the key can later be converted to the unencrypted DER form the wizard expects:
openssl genrsa -aes256 -out localhostprivate.key 4096
openssl rsa -in localhostprivate.key -out localhostprivate.key
- Then, generate a Certificate Signing Request (CSR) using the private key:
openssl req -sha256 -new -key localhostprivate.key -out localhost.csr -subj '/CN=localhost'
- Generate the SSL certificate and sign it with the private key. In this example, the certificate will expire one year from now:
openssl x509 -req -days 365 -in localhost.csr -signkey localhostprivate.key -out localhost.crt
- Convert the private key to DER format, because the SSL wizard requires the key to be in unencrypted PKCS#8 DER format:
openssl pkcs8 -topk8 -inform PEM -outform DER -in localhostprivate.key -out localhostprivate.der -nocrypt
Finally, upload localhostprivate.der as the Private Key and localhost.crt as the SSL Certificate in step 2 of the graphical SSL Wizard described at the beginning of this page. Because localhostprivate.key and localhostprivate.der now hold an unencrypted private key, restrict their file permissions to the owner.
Updating the SSL Configuration Via cURL
You can also automate the SSL configuration by using the cURL tool. You can do this by posting the configuration parameters to this URL:
https://<serveraddress>:<serverport>/libs/granite/security/post/sslSetup.html
Below are the parameters you can use in order to change the various settings in the configuration wizard:
- -F "keystorePassword=password" - the keystore password;
- -F "keystorePasswordConfirm=password" - confirm the keystore password;
- -F "truststorePassword=password" - the truststore password;
- -F "truststorePasswordConfirm=password" - confirm the truststore password;
- -F "privatekeyFile=@localhostprivate.der" - specify the private key;
- -F "certificateFile=@localhost.crt" - specify the certificate;
- -F "httpsHostname=host.example.com" - specify the hostname;
- -F "httpsPort=8443" - the port the HTTPS listener will work on.
NOTE
The @ prefix is required in the privatekeyFile and certificateFile arguments: it makes cURL upload the contents of the file rather than the literal path. Authentication is passed with the -u user:password parameter.
A complete example:
curl -u user:password -F "keystorePassword=password" -F "keystorePasswordConfirm=password" -F "truststorePassword=password" -F "truststorePasswordConfirm=password" -F "privatekeyFile=@localhostprivate.der" -F "certificateFile=@localhost.crt" -F "httpsHostname=host.example.com" -F "httpsPort=8443" https://host:port/libs/granite/security/post/sslSetup.html
Multiple certificates using cURL
You can send the servlet a chain of certificates by repeating the certificateFile parameter, for example:
-F "certificateFile=@root.crt" -F "certificateFile=@localhost.crt"
Once you have executed the command, verify that all the certificates made it to the keystore. Check the keystore of the ssl-service user at:
http://localhost:4502/libs/granite/security/content/userEditor.html/home/users/system/security/ssl-service
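The key-generation procedure, the cURL post and the certificate-chain variant above, combined into one script as an added example. This is not code from the AEM documentation or from Adobe: the function names and the AEM_URL, AEM_AUTH and AEM_STORE_PW environment variables are this script's own assumptions, while the sslSetup.html form fields are the ones listed above. Unlike the procedure, the private key is generated without a passphrase from the start, which is what the servlet needs (-nocrypt) and avoids an interactive prompt. The response parser relies on the foundation-form-response-status-code and foundation-form-response-status-message markers shown in the success and error examples, and the script checks that the DER key and the certificate actually belong together before anything is uploaded.

```shell
#!/usr/bin/env bash
# Added example, not part of the AEM documentation. Function names and the
# AEM_URL / AEM_AUTH / AEM_STORE_PW variables are this script's own conventions.
set -euo pipefail

# Steps 1-4 of the key/certificate procedure: private key, CSR, self-signed
# certificate, PKCS#8 DER key. The key is written unencrypted from the start
# (the page encrypts it and then strips the passphrase) because the servlet
# needs the -nocrypt DER form anyway.
# Usage: aem_make_selfsigned <dir> <cn> <days>
aem_make_selfsigned() {
  local dir=$1 cn=$2 days=$3
  openssl genrsa -out "$dir/${cn}private.key" 4096 2>/dev/null
  openssl req -sha256 -new -key "$dir/${cn}private.key" \
    -out "$dir/$cn.csr" -subj "/CN=$cn"
  openssl x509 -req -days "$days" -in "$dir/$cn.csr" \
    -signkey "$dir/${cn}private.key" -out "$dir/$cn.crt" 2>/dev/null
  openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt \
    -in "$dir/${cn}private.key" -out "$dir/${cn}private.der"
  # Both files hold an unencrypted private key: restrict them to the owner.
  chmod 600 "$dir/${cn}private.key" "$dir/${cn}private.der"
}

# Succeeds only when the DER key and the certificate carry the same public
# key, so a mismatched pair is caught before it is uploaded.
# Usage: aem_key_matches_cert <key.der> <cert.crt>
aem_key_matches_cert() {
  local k c
  k=$(openssl pkey -inform DER -in "$1" -pubout -outform PEM | openssl sha256)
  c=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
  [ "$k" = "$c" ]
}

# Prints "<status> <message>" taken from the servlet's HTML response, using
# the foundation-form-response-status-code / -status-message <dt> markers.
# Prints nothing if the markers are absent (e.g. a login page came back).
aem_ssl_status_from_html() {
  printf '%s' "$1" | tr '\n' ' ' | sed -nE \
    's#.*foundation-form-response-status-code[^>]*>Status</dt> *<dd>([0-9]+)</dd>.*foundation-form-response-status-message[^>]*>Message</dt> *<dd>([^<]*)</dd>.*#\1 \2#p'
}

# Posts the pair (plus any chain certificates, root first, as repeated
# certificateFile fields) to the sslSetup servlet and prints the parsed result.
# AEM_URL is e.g. http://localhost:4502; AEM_AUTH is user:password, read from
# the environment rather than typed on the command line.
# Usage: aem_post_ssl_setup <key.der> <cert.crt> <hostname> <port> <storepw> [chain.crt ...]
aem_post_ssl_setup() {
  local key_der=$1 cert=$2 host=$3 port=$4 storepw=$5
  shift 5
  local -a chain=()
  local c html
  for c in "$@"; do chain+=(-F "certificateFile=@$c"); done
  html=$(curl -sS -u "${AEM_AUTH:?set AEM_AUTH to user:password}" \
    -F "keystorePassword=$storepw" -F "keystorePasswordConfirm=$storepw" \
    -F "truststorePassword=$storepw" -F "truststorePasswordConfirm=$storepw" \
    -F "privatekeyFile=@$key_der" ${chain[@]+"${chain[@]}"} -F "certificateFile=@$cert" \
    -F "httpsHostname=$host" -F "httpsPort=$port" \
    "$AEM_URL/libs/granite/security/post/sslSetup.html")
  aem_ssl_status_from_html "$html"
}

# Confirms the listener is up and shows which certificate it serves; the
# subject should match the hostname you configured.
# Usage: aem_verify_listener <hostname> <port>
aem_verify_listener() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -dates
}

# End-to-end run, only when AEM_URL is set; otherwise the functions above are
# just defined so the file can be sourced from another script.
if [ -n "${AEM_URL:-}" ]; then
  work=$(mktemp -d)
  aem_make_selfsigned "$work" localhost 365
  aem_key_matches_cert "$work/localhostprivate.der" "$work/localhost.crt"
  aem_post_ssl_setup "$work/localhostprivate.der" "$work/localhost.crt" \
    localhost 8443 "${AEM_STORE_PW:?set AEM_STORE_PW to the key/trust store password}"
  aem_verify_listener localhost 8443
fi
```

Run it as `AEM_URL=http://localhost:4502 AEM_AUTH=admin:admin AEM_STORE_PW=... ./ssl-setup.sh`; without AEM_URL it only defines the functions. Both the -u value and the -F password fields are visible in the process list while curl runs, so on a shared host pass the credentials with curl's -n (.netrc) option and use -F "keystorePassword=<pwfile" (cURL's < reads a text file into the field, while @ uploads it as a file) rather than the literal password. When sending a chain, list the root certificate first, as in the example above.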