Enable SSL for AEM

AEM Forms 6.5

One of the prerequisites to integrating AEM Forms with Acrobat Sign is to have your AEM instance configured to use SSL. Adobe Experience Manager’s SSL setup wizard to make it easier to set up an AEM instance to run over HTTPS.
The following video explains the steps needed to configure SSL using the wizard

Hey, what’s up? In this video, we’re going to be configuring AEM to run over HTTPS using the new SSL wizard in AEM 6.3.
So we’ll just go ahead and log in to our new AEM instance and you’ll notice when setting up AEM for the first time, is the’re several administrative tasks that are created. And these are really to encourage some best practices especially when setting up a production environment. And so one of these is to configure HTTPS. And to make this easier, an SSL wizard has been created. So we’ll go ahead and open up the wizard. So the first thing we’re gonna do is create a new password for the KeyStore. And this is the KeyStore for the SSL service user. And that’s where the private key and certificate chain will be stored to enable the HTTPS listener. We also need to initialize our system wide Trust Store with a new password and this is required when working with any sort of certificates.
So the next thing we’re going to do is upload a private key as well as a certificate. Now the private key is the key used to create your SSL certificate and in this case we are just going to create a self signed certificate. In a true production environment, you would want to obtain your certificate from a certificate authority.
So I’m just going to create our private key and certificate from the command line and we’re just going to use the Open SSL tool. So the first thing that I’m gonna do is generate a new private key and we’ll use AES256 encryption. And for the name, it’ll just be called local host private key and then we’ll specify 4096, 4096 for the number of bits. So I’ll need to enter a passphrase for our private key.
Okay. So now we’ve got our private key and then the next thing we need to do is generate a certificate signing request. So again we’ll use Open SSL and we’ll specify SHA256 for our # and we’re going to be creating a new certificate signing request. So we’ll specify a name for our CSR, localhost.CSR and then this is only going to be used on a local host. So for the canonical name we can just specify a local host. So then we’ll enter the passphrase for our private key, so we can sign it. OK, so now we’ve got our certificate signing request as well as our private key. And then next thing we need to do is create our SSL certificate. So again, we’ll use the Open SSL tool and we’ll set the certificate to expire a year from now and we’ll use our certificate signing request as well as our private key to sign it.
So then we’ll just specify a file name for our SSL certificate so that’ll just be localhost.CRT. And then we need to enter the passphrase for our private key. OK, so now we’ve got our SSL certificate.
Now the last thing we’re going to do is encode our private key using distinguished encoding rules or DER format. Now this doesn’t change the contents of the private key but it’s a more portable format and it’s also the format that the SSL wizard expects. So use the Open SSL command line tool to complete this conversion. So pkcs8 is a standard syntax restoring private key information, so we’ll specify that here. And then for the inform our private key is currently in PEM format and for the outform we want it to be converted into DER format. And so for the in file we’ll specify our private key and then we’ll also specify the file name for our DER formatted private key. And we’ll just choose no crypt since this is just for development purposes. So enter our passphrase. OK so now we’ve got our private key that’s encoded in DER format.
So we’ve got two files that we’re going to upload to our SSL wizard.
So we’ll return to the wizard and we’ll select our private key. We just choose the DER formatted one and then we’ll also select our SSL certificate.
OK, so the next step of the wizard is where we can specify the port for HTTPS to run under. We’ll hit done and you can see that SSL has been successfully configured. So we’ll navigate to the HTTPS URL and you’ll notice immediately the browser gives us warnings that this is not secure. And that’s because we’re using a self signed cert. So in a true production environment, again you want to work with your IT teams to obtain a valid cert. So for this demo, we’re just going to proceed as is. We’ll click Advance and we’ll just proceed to our local post. And so now you can see that AEM is running over HTTPS. The SSL wizard is very convenient. But let’s take a look at where the cert and those configurations are actually saved. From the Start menu will go to Tools and we’ll go to Security and we’ll click into our Users and what we’re gonna pull up is the SSL service user. So that’s where the private key and the certificate chain are stored. We’ll scroll down and find our service user, our SSL service and we’ll click in there.
And if we scroll down we can see there’s a link to Manage the KeyStore for this user. And so in the link you can see that we have one certificate and that’s the local host cert that we created. And you can see that it expires a year from now.
And so if you wanted to update or add a new certificate for the SSL services user, you could do that from this UI. The other area that the SSL wizard updates is in OSGi configuration. So let’s navigate there now. So we’ll click the AEM logo and we’ll go to Tools, Operations and then we’ll click the Web Console cart. And so this will bring up the OSGi console in the configuration manager. And I’m just going to search for granite SSL. Uou can see we have this granite SSL connector factory. So this is the config that gets updated as part of the wizard. So you can see the port as well as the KeyStore user and KeyStore password. So if you need to make any updates, if you want to change the port, you would update this config.
So that concludes the setup of the SSL wizard for development environment in AEM 6.3. The SSL wizard can also be used to accelerate the setup of a production environment but you definitely want to involve your IT security team. Thanks.

Next steps

Create Acrobat Sign API application