CAF & IS in https

Hi,
I migrated our IS to https and now I would like to close the http port for security reasons.
But something is missing: CAF.
For every portlet we created, we set the URL in: Settings execution in CAF application. (I’m not sure about the translation, I use MWS in French.)
When I change my portlet to https, I get the following exception in Portlet Run time:
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated (in server logs).
In http, I don’t have the problem. So I suppose something is missing in the settings between IS & MWS.

Hi Vital,

you need to make sure that IS and MWS are using the same Truststore file (typically a JKS).

This is located under MWS/server/default/config/security.

Both, IS & MWS, come with a default certificate, but I am not sure if they are identical.

When you have your certificates validated by an external CA which is not part of cacerts in the JVM jre/lib/security directory, you will have to build your own truststore and configure it in IS and MWS.
After configuring the keystore (required for the HTTPS port of MWS) and the truststore, you need to restart the MWS before the certificates will be recognized.

See the IS Administrators Guide and the MWS Administrators Guide for further information about configuring certificates etc.

In MWS under AppDashboard-> "CAF Application Runtime Configuration" you can then change the URL for the Portlet to HTTPS.

Regards,
Holger
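
A way to check the truststore point above before changing the portlet URL, as an added example that is not part of the original posts and is not webMethods code: a small Java client that loads a given JKS truststore and attempts a TLS handshake against the IS HTTPS port. The class name `TrustCheck` and all three arguments (truststore path, IS host, port) are assumptions to be replaced with your own values.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

// Added example (hypothetical helper): does this truststore let a Java
// client authenticate the certificate chain served on an HTTPS port?
// Usage: java TrustCheck <truststore.jks> <is-host> <https-port>
public class TrustCheck {
    public static void main(String[] args) throws Exception {
        Console con = System.console();
        if (args.length != 3 || con == null) {
            System.err.println("usage (interactive): TrustCheck <truststore.jks> <host> <port>");
            System.exit(2);
        }
        // Prompt for the password so it does not end up in shell history.
        char[] pw = con.readPassword("Truststore password: ");

        // Build an SSLContext that trusts ONLY the entries of this file,
        // which is what a JVM configured with that truststore would do.
        KeyStore trust = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            trust.load(in, pw);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        // Note: a raw SSLSocket checks the trust chain, not the host name.
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory()
                .createSocket(args[1], Integer.parseInt(args[2]))) {
            s.startHandshake(); // throws if no trusted entry matches the chain
            System.out.println("Handshake OK: chain is trusted by " + args[0]);
            for (Certificate c : s.getSession().getPeerCertificates()) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("  subject: " + x.getSubjectX500Principal());
                System.out.println("  issuer:  " + x.getIssuerX500Principal());
            }
        } catch (SSLHandshakeException e) {
            // Untrusted chain: the condition that leaves the peer unauthenticated.
            System.out.println("Handshake FAILED with this truststore: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

A failed handshake with the truststore MWS uses, combined with a successful one against the truststore configured in IS, indicates that the issuing CA certificate is missing on the MWS side; only the public CA certificate is needed in a truststore, never the private key.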

OK,
I will explain this afternoon what we have done with IS to configure https. But I am not comfortable with the subject because I don’t manage the certificates subject at all.
Besides, I don’t know if I need the private key. Do we need it (because I cannot do it all by myself)? It is one of my colleagues who is the private key guardian.

OK,
I will explain what I have done (we have done) on IS.
I have a certificate (we call it here orbe.cert, which is our company certificate). I cannot handle it because it contains the private key (we call it here the infinite key). A colleague of mine (who is the guardian of certificates in our company, we call him here Peter Quill) created a jks file (we call it here powerstone.jks) and he used a password to create this jks file (we call it here the violet password).

In IS, in Security → Keystore, Peter Quill created a Keystore alias (we call it here the xandar) and to create this, he needed the infinite key.
Peter Quill created a Truststore alias and for this, he needed the violet password.

Then in Setting Ports, I opened the 5557 port in https and we used the xandar keystore alias.

So, according to what Peter Quill and I have done, what do we have to do in MWS? Can I work alone? Do I need Peter Quill? Do I need to copy/paste the powerstone.jks file or the orbe.cert file somewhere? Do I need the violet password or the infinite key?

Hi Vital,

as this is a bit more complex to explain, I will do so on Monday as I am running out of time for today.

Just send a short reply to this thread to mark it as new for me. I will then pick it up when checking posts in the community.

Regards,
Holger