Obtaining or Creating Credentials for MSSL

You require a private key and public certificate for the author and publish instances:

  • Private keys must be contained in pkcs#12 or JKS format.
  • Certificates must be contained in pkcs#12 or JKS format. Additionally certificate contained in “CER” format can also be added to Granite Truststore.
  • Certificates can be self-signed or signed by a recognized CA.

JKS Format

Generate a private key and a certificate in JKS format. The private key is stored in a KeyStore file, and the certificate is stored in a TrustStore file. Use Java keytool to create both.

Perform the following steps using Java keytool to create the private key and the credential:

  1. Generate a private-public key pair in a KeyStore.

  2. Create or obtain the certificate:

    • Self-signed: Export the certificate from the KeyStore.
    • CA-signed: Generate a certificate request and send it to the CA.
  3. Import the certificate into a TrustStore.

Use the following procedure to create a private key and a self-signed certificate for both the author and publish instances. Use different values for command options accordingly.

  1. Open a command-line window or terminal. To create the private-public key pair, enter the following command, using option values from the table below:

    keytool -genkeypair -keyalg RSA -validity 3650 -alias alias -keystore keystorename.keystore  -keypass key_password -storepass  store_password -dname "CN=Host Name, OU=Group Name, O=Company Name,L=City Name, S=State, C=Country_ Code"
    
    OptionAuthorPublish
    -aliasauthorpublish
    -keystoreauthor.keystorepublish.keystore
  2. To export the certificate, enter the following command using option values from the table below:

    keytool -exportcert -alias alias -file cert_file -storetype jks -keystore keystore -storepass store_password
    
    OptionAuthorPublish
    -aliasauthorpublish
    -fileauthor.cerpublish.cer
    -keystoreauthor.keystorepublish.keystore

pkcs#12 Format

Generate a private key and a certificate in pkcs#12 format. Use openSSL to generate them. Use the following procedure to generate a private key and a certificate request. To obtain the certificate, either sign the request with your private key (self-signed certificate) or send the request to a CA. Then, generate the pkcs#12 archive that contains the private key and the certificate.

  1. Open a command-line window or terminal. To create the private key, enter the following command, using option values from the table below:

    openssl genrsa -out keyname.key 2048
    
    OptionAuthorPublish
    -outauthor.keypublish.key
  2. To generate a certificate request, enter the following command, using option values from the table below:

    openssl req -new -key keyname.key -out key_request.csr
    
    OptionAuthorPublish
    -keyauthor.keypublish.key
    -outauthor_request.csrpublish_request.csr

    Either sign the certificate request or send the request to a CA.

  3. To sign the certificate request, enter the following command, using option values from the table below:

    openssl x509 -req -days 3650 -in key_request.csr -signkey keyname.key -out certificate.cer
    
    OptionAuthorPublish
    -signkeyauthor.keypublish.key
    -inauthor_request.csrpublish_request.csr
    -outauthor.cerpublish.cer
  4. To add your private key and the signed certificate to a pkcs#12 file, enter the following command, using option values from the table below:

    openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in certificate.cer -inkey keyname.key -out pkcs12_archive.pfx -name "alias"
    
    OptionAuthorPublish
    -inkeyauthor.keypublish.key
    -outauthor.pfxpublish.pfx
    -inauthor.cerpublish.cer
    -nameauthorpublish

Install the Private Key and TrustStore on Author

Install the following items on the author instance:

  • The private key of the author instance.
  • The certificate of the publish instance.

To perform the following procedure, you must be logged in as an adminstrator of the author instance.

Install the Author Private Key

  1. Open the User Management page for the author instance. (http://localhost:4502/libs/granite/security/content/useradmin.html)

  2. To open the properties of your user account, click your user name.

  3. If the Create KeyStore link appears in the Account Settings area, click the link. Configure a password and click OK.

  4. In the Account Settings area, click Manage Keystore.

    chlimage_1-65

  5. Click Add Private Key From Key Store File.

    chlimage_1-66

  6. Click Select Key Store file, then browse for and select the author.keystore file or the author.pfx file if using pkcs#12, then click Open.

  7. Enter an alias and the password for the key store. Enter the alias and password for the private key, then click Submit.

  8. Close the KeyStore Management dialog box.

    chlimage_1-67

Install the Publish Certificate

  1. Open the User Management page for the author instance. (http://localhost:4502/libs/granite/security/content/useradmin.html)

  2. To open the properties of your user account, click your user name.

  3. If the Create TrustStore link appears in the Account Settings area, click the link, create a password for the TrustStore and click OK.

  4. In the Account Settings area, click Manage TrustStore.

  5. Click Add Certificate From CER File.

    chlimage_1-68

  6. Clear the Map Certificate to User option. Click Select Certificate File, select publish.cer, and click Open.

  7. Close the TrustStore Management dialog box.

    chlimage_1-69

Install Private Key and TrustStore on Publish

Install the following items on the publish instance:

  • The private key of the publish instance.
  • The certificate of the author instance. Associate the certificate with the user that is used to execute replication requests.

To perform the following procedure, you must be logged in as an adminstrator of the publish instance.

Install the Publish Private Key

  1. Open the User Management page for the publish instance. (http://localhost:4503/libs/granite/security/content/useradmin.html)
  2. To open the properties of your user account, click your user name.
  3. If the Create KeyStore link appears in the Account Settings area, click the link. Configure a password and click OK.
  4. In the Account Settings area, click Manage Keystore.
  5. Click Add Private Key From Key Store File.
  6. Click Select Key Store file, then browse for and select the publish.keystore file or the publish.pfx file if using pkcs#12, then click Open.
  7. Enter an alias and the password for the key store. Enter the alias and password for the private key, then click Submit.
  8. Close the KeyStore Management dialog box.

Install the Author Certificate

  1. Open the User Management page for the publish instance. (http://localhost:4503/libs/granite/security/content/useradmin.html)
  2. If the Create TrustStore link appears in the Global Trust Store area, click the link, create a password for the TrustStore and click OK.
  3. In the Account Settings area, click Manage TrustStore.
  4. Click Add Certificate From CER File.
  5. Make sure the Map Certificate to User option is selected. Click Select Certificate File, select author.cer, and click Open.
  6. Click Submit, then close the TrustStore Management dialog box.

Configure the HTTP Service on Publish

Configure the properties of the Apache Felix Jetty Based HTTP Service on the publish instance so that it uses HTTPS while accessing Granite Keystore. The PID of the service is org.apache.felix.http.

The following table lists the OSGi properties that you need to configure whether you are using the Web Console.

Property Name on Web ConsoleOSGi Property NameValue
Enable HTTPSorg.apache.felix.https.enabletrue
Enable HTTPS To Use Granite KeyStoreorg.apache.felix.https.use.granite.keystoretrue
HTTPS Portorg.osgi.service.http.port.secure8443 (or other desired port)
Client Certificateorg.apache.felix.https.clientcertificate“Client Certificate Wanted”

Configure the Replication Agent on Author

Configure the replication agent on the author instance to use the HTTPS protocol when connecting to the publish instance. For complete information about configuring replication agents see Configuring Your Replication Agents.

To enable MSSL, configure the properties on the Transport tab according to the following table:

PropertyValue
URI

https://server_name:SSL_port/bin/receive?sling:authRequestLogin=1

For example:

http://localhost:8443/bin/receive?sling:authRequestLogin=1

UserNo value
PasswordNo value
SSLClient Auth

chlimage_1-70

After you configure the replication agent, test the connection to determine whether MSSL is configured correctly.

29.08.2014 14:02:46 - Create new HttpClient for Default Agent
29.08.2014 14:02:46 - * HTTP Version: 1.1
29.08.2014 14:02:46 - * Using Client Auth SSL configuration *
29.08.2014 14:02:46 - adding header: Action:Test
29.08.2014 14:02:46 - adding header: Path:/content
29.08.2014 14:02:46 - adding header: Handle:/content
29.08.2014 14:02:46 - deserialize content for delivery
29.08.2014 14:02:46 - No message body: Content ReplicationContent.VOID is empty
29.08.2014 14:02:46 - Sending POST request to http://localhost:8443/bin/receive?sling:authRequestLogin=1
29.08.2014 14:02:46 - sent. Response: 200 OK
29.08.2014 14:02:46 - ------------------------------------------------
29.08.2014 14:02:46 - Sending message to localhost:8443
29.08.2014 14:02:46 - >> POST /bin/receive HTTP/1.0
29.08.2014 14:02:46 - >> Action: Test
29.08.2014 14:02:46 - >> Path: /content
29.08.2014 14:02:46 - >> Handle: /content
29.08.2014 14:02:46 - >> Referer: about:blank
29.08.2014 14:02:46 - >> Content-Length: 0
29.08.2014 14:02:46 - >> Content-Type: application/octet-stream
29.08.2014 14:02:46 - --
29.08.2014 14:02:46 - << HTTP/1.1 200 OK
29.08.2014 14:02:46 - << Connection: Keep-Alive
29.08.2014 14:02:46 - << Server: Day-Servlet-Engine/4.1.64
29.08.2014 14:02:46 - << Content-Type: text/plain;charset=utf-8
29.08.2014 14:02:46 - << Content-Length: 26
29.08.2014 14:02:46 - << Date: Fri, 29 Aug 2014 18:02:46 GMT
29.08.2014 14:02:46 - << Set-Cookie: login-token=3529326c-1500-4888-a4a3-93d299726f28%3ac8be86c6-04bb-4d18-80d6-91278e08d720_98797d969258a669%3acrx.default; Path=/; HttpOnly; Secure
29.08.2014 14:02:46 - << Set-Cookie: cq-authoring-mode=CLASSIC; Path=/; Secure
29.08.2014 14:02:46 - <<
29.08.2014 14:02:46 - << R
29.08.2014 14:02:46 - << eplicationAction TEST ok.
29.08.2014 14:02:46 - Message sent.
29.08.2014 14:02:46 - ------------------------------------------------
29.08.2014 14:02:46 - Replication (TEST) of /content successful.
Replication test succeeded

Experience Manager


Elevate and Empower Teams with Agentic AI for Exceptional Experiences

Online | Strategy Keynote | General Audience

Elevate and empower your CX teams with AI that transforms creativity, personalization, and productivity. Discover how Adobe is...

Tue, Mar 18, 1:00 PM PDT (8:00 PM UTC)

Register

3 Pillars of Purpose-driven Experiences: Trust, Data, and GenAI

In-person | Session | General Audience

Learn how leading B2B and B2C brands like AT&T and IBM are intersecting data, GenAI and trust to build “purpose-driven” experiences that...

Wed, Mar 19, 1:00 PM PDT (8:00 PM UTC)

Register

Connect with Experience League at Summit!

Get front-row access to top sessions, hands-on activities, and networking—wherever you are!

Learn more