close

Filter

loading table of contents...

Operations Basics / Version 2304

Table Of Contents

4.4.4 Encrypting CORBA Communication Using SSL

In a standard CoreMedia installation, session handles and content are transmitted in clear text across the network between client and server. This is usually not a problem when the editorial workplaces and the servers reside in the same trusted network. However, for secure remote access, encrypted communication is sometimes required.

If SSH tunneling is not an option, alternatively a Secure Socket Layer (SSL) connection can be used for the CORBA communication between CoreMedia applications.

The setup is slightly more complex than in the SSH case, because the certificate handling has to be administered explicitly for Java's SSL implementation, and because the port mapping has to be specified in CoreMedia configuration files.

In the following example it is assumed that communication has to be encrypted between a Site Manager on one side, and the Content Server and Workflow Server on the other side.

Note

Note

In this example, the port numbers from table Table 4.3, “Example SSL Ports” are used. You may want to use different port numbers for your deployment.

Server Clear-Text Port SSL Port
Content Server 14300 14443
Workflow Server 14305 14445

Table 4.3. Example SSL Ports


The servers open an SSL Port in addition to the clear-text port. This allows the same server to be accessed using clear text communication from within a trusted network, and using SSL from outside. When a client is configured to use SSL, not a single byte will be sent to the clear text port, which may be blocked from outside access by a firewall.

Note that the server's HTTP port will have to be accessible to clients, for example to retrieve the IOR.

Enable SSL Encryption

Enabling SSL encryption for CORBA communication requires the following steps:

  1. Create key stores for Content Server, Workflow Server and clients.

  2. Prepare the Content Server for SSL communication

  3. Prepare the Workflow Server for SSL communication

  4. Prepare the client for SSL communication.

  5. Restart all three applications

  6. Verify SSL communication

Create key stores

Create key stores which will later be distributed to the servers and clients. Consult your JDK documentation for further details about the keytool command.

  1. Create self-signed server keys for Content Server and Workflow Server

keytool -genkey -alias contentserver -v -keyalg RSA \
   -keystore contentserver.keystore
keytool -genkey -alias workflowserver -v -keyalg RSA \
   -keystore workflowserver.keystore
  1. Export the server's public keys from their key stores:

keytool -export -rfc -keystore contentserver.keystore \
   -alias contentserver -file contentserver.public-key
keytool -export -rfc  -keystore workflowserver.keystore \
   -alias workflowserver -file workflowserver.public-key  

Prepare the Content Server for SSL communication
  1. Add the following properties to the content server's configuration:

Property Name Property Value
com.coremedia.corba.server.port 14300
com.coremedia.corba.server.ssl.ssl-port 14443
com.coremedia.corba.server.ssl.keystore <path to contentserver.keystore>
com.coremedia.corba.server.ssl.passphrase <mypassword>

Table 4.4. Properties for Content Server SSL configuration


  1. Place the contentserver.keystore in the location defined by the com.coremedia.corba.server.ssl.keystore property.

Prepare the Workflow Server for SSL communication
  1. Add the following properties to the workflow server's configuration:

Property Name Property Value
com.coremedia.corba.server.port 14305
com.coremedia.corba.server.ssl.ssl-port 14445
com.coremedia.corba.server.ssl.keystore <path to workflowserver.keystore>
com.coremedia.corba.server.ssl.passphrase <mypassword>

Table 4.5. Properties for Workflow Server SSL configuration


  1. Place the workflowserver.keystore in the location defined by the com.coremedia.corba.server.ssl.keystore property of the workflow server.

The following two steps are optional and are limited to rare cases, in which SSL encrypted communication may also be required between workflow server and content server.

  1. In this case, you should add the content server's key to the workflow server's key store, and configure the workflow server as an SSL client. Run the following command:

keytool -import -alias contentserver -keystore \
  workflowserver.keystore -file contentserver.public-key 
  1. In addition to the above, set the following client system properties during invocation of the Workflow Server:

Property Name Property Value
com.coremedia.corba.client.ssl.clear-text-ports 14300
com.coremedia.corba.client.ssl.ssl-ports 14443
com.coremedia.corba.client.ssl.keystore <path to workflowserver.keystore>
com.coremedia.corba.client.ssl.passphrase <mypassword>

Table 4.6. Properties for Workflow to Content Server SSL configuration


Preparing a client ORB for SSL communication

All CoreMedia clients use CORBA to communicate with the servers.

  1. Import the servers' public keys to the clients's key store:

    keytool -import -alias contentserver \
      -keystore editor.keystore -file contentserver.public-key
    keytool -import -alias workflowserver \
      -keystore editor.keystore \
      -file workflowserver.public-key
    
  2. Configure the ORB for SSL by setting the properties from Table 4.7, “Properties for Client ORB SSL configuration”.

Property Name Property Value
com.coremedia.corba.client.ssl.clear-text-ports 14300,14305
com.coremedia.corba.client.ssl.ssl-ports 14443,14445
com.coremedia.corba.client.ssl.keystore <path to editor.keystore>
com.coremedia.corba.client.ssl.passphrase <mypassword>

Table 4.7. Properties for Client ORB SSL configuration


The comma separated values of the clear-text-ports and the ssl-ports properties must match. They must have the same length, and the n-th value of each property refers to the same component. In this example the first values, 14300 and 14443, denote the content server, and the second values, 14305 and 14445 belong to the workflow server.

Prepare the Site Manager for SSL Communication
  1. Create a keystore for the Site Manager.

  2. Import the servers' public keys to the Site Manager's key store:

keytool -import -alias contentserver \
  -keystore editor.keystore -file contentserver.public-key
keytool -import -alias workflowserver \
  -keystore editor.keystore \
  -file workflowserver.public-key
  1. Add the following lines to bin/editor.jpif.

    JAVA_VM_ARGS="$JAVA_VM_ARGS -Dcom.coremedia.corba.client.ssl.clear-text-ports=14300,14305"
    JAVA_VM_ARGS="$JAVA_VM_ARGS -Dcom.coremedia.corba.client.ssl.ssl-ports=14443,14445"
    JAVA_VM_ARGS="$JAVA_VM_ARGS -Dcom.coremedia.corba.client.ssl.keystore=properties/corem/editor.keystore"
    JAVA_VM_ARGS="$JAVA_VM_ARGS -Dcom.coremedia.corba.client.ssl.passphrase=mypassword"
    

  1. Place the editor.keystore in properties/corem/ of your installation.

Caution

Caution

Though stated in the examples, it is not recommended to place the editor.keystore at any publicly accessible place. This is only intended for testing and development. For productive use, an official key should be deployed with every Unified API installation on the client machines. Another possible way would be to download the key store via HTTPS using a certificate that is already present on the workplace computers.

Restart Workflow Server, Content Server, and clients.

Restart all servers by restarting the servlet container where they are deployed.

Verify SSL communication

Verify SSL communication by searching the applications' logs for error messages, and by using netstat or lsof. Under Solaris, using the port numbers in this example, you could use the command:

netstat -e -a -p|grep ":14[34]"

It should show that before starting the Site Manager, the server is listening on port 14443/14445 (which are the SSL ports) and 14300/14305 (the clear text ports). After the Site Manager is started and a user has logged in, a connection should be established on port 14443/14445 (and not 14300/14305) towards the client's machine. Note that other applications might continue to connect to the clear text ports.

Search Results

Table Of Contents
warning

Your Internet Explorer is no longer supported.

Please use Mozilla Firefox, Google Chrome, or Microsoft Edge.