4.2.3. Encrypting CORBA Communication Using SSL

In a standard CoreMedia installation, session handles and content are transmitted in clear text across the network between client and server. This is usually not a problem when the editorial workplaces and the servers reside in the same trusted network. However, for secure remote access, encrypted communication is sometimes required.

If SSH tunneling is not an option, alternatively a Secure Socket Layer (SSL) connection can be used for the CORBA communication between CoreMedia applications.

The setup is slightly more complex than in the SSH case, because the certificate handling has to be administered explicitly for Java's SSL implementation, and because the port mapping has to be specified in CoreMedia configuration files.

In the following example it is assumed that communication has to be encrypted between a Site Manager on one side, and the Content Server and Workflow Server on the other side.

In the example, the following port numbers are used. You may want to use different port numbers for your deployment.

Server            Clear-Text Port   SSL Port
Content Server    14300             14443
Workflow Server   14305             14445

Table 4.3. Example SSL Ports


The servers open an SSL Port in addition to the clear-text port. This allows the same server to be accessed using clear text communication from within a trusted network, and using SSL from outside. When a client is configured to use SSL, not a single byte will be sent to the clear text port, which may be blocked from outside access by a firewall.

Note that the server's HTTP port will have to be accessible to clients, for example to retrieve the IOR.

Enable SSL Encryption

Enabling SSL encryption for CORBA communication requires the following steps:

  1. Create key stores for Content Server and Workflow Server.

  2. Prepare the Content Server for SSL communication.

  3. Prepare the Workflow Server for SSL communication.

  4. Prepare the Site Manager for SSL communication.

  5. Restart all three applications.

  6. Verify SSL communication.

Create key stores

Create key stores which will later be distributed to the servers and clients. Consult your JDK documentation for further details about the keytool command.

  1. Create self-signed server keys for Content Server and Workflow Server:

keytool -genkey -alias contentserver -v -keyalg RSA \
   -keystore contentserver.keystore
keytool -genkey -alias workflowserver -v -keyalg RSA \
   -keystore workflowserver.keystore

  2. Export the servers' public keys from their key stores:

keytool -export -rfc -keystore contentserver.keystore \
   -alias contentserver -file contentserver.public-key
keytool -export -rfc -keystore workflowserver.keystore \
   -alias workflowserver -file workflowserver.public-key

Prepare the Content Server for SSL communication
  1. Add the following system properties to the Content Server's setenv.sh/setenv.bat files:

Property Type   Property Name                                            Property Value
ORB             com.sun.CORBA.ORBServerPort                              14300
ORB             com.sun.CORBA.legacy.connection.ORBSocketFactoryClass   com.coremedia.corba.SSLClientServerSocketFactory50
ORB             com.sun.CORBA.transport.ORBListenSocket                  SSL:14443
System          com.coremedia.corba.SSLServerSocketFactory.keystore      <path to contentserver.keystore>
System          com.coremedia.corba.SSLServerSocketFactory.passphrase    <mypassword>

Table 4.4. Properties for Content Server SSL configuration


  2. Place the contentserver.keystore in the folder etc/keys/ of the installation home directory of the Content Server. For another location, adjust the key store setting by defining the corresponding system property accordingly.

Prepare the Workflow Server for SSL communication
  1. Add the following system properties during the invocation of the server:

Property Type   Property Name                                            Property Value
ORB             com.sun.CORBA.ORBServerPort                              14305
ORB             com.sun.CORBA.legacy.connection.ORBSocketFactoryClass   com.coremedia.corba.SSLClientServerSocketFactory50
ORB             com.sun.CORBA.transport.ORBListenSocket                  SSL:14445
System          com.coremedia.corba.SSLServerSocketFactory.keystore      <path to workflowserver.keystore>
System          com.coremedia.corba.SSLServerSocketFactory.passphrase    <mypassword>

Table 4.5. Properties for Workflow Server SSL configuration


  2. Place the workflowserver.keystore in the folder etc/keys/ of the installation home directory of the Workflow Server. For another location, adjust the key store setting by defining the corresponding system property accordingly.

The following two steps are optional and only needed in the rare case that SSL-encrypted communication is also required between Workflow Server and Content Server.

  1. Add the Content Server's key to the Workflow Server's key store, and configure the Workflow Server as an SSL client, just like the Site Manager. Run the following command:

keytool -import -alias contentserver -keystore \
  workflowserver.keystore -file contentserver.public-key

  2. In addition to the above, set the following system properties during the invocation of the Workflow Server:

Property Type   Property Name                                            Property Value
System          com.coremedia.corba.SSLClientSocketFactory.clearTextPort 14300
System          com.coremedia.corba.SSLClientSocketFactory.sslPort       14443
System          com.coremedia.corba.SSLClientSocketFactory.keystore      <path to workflowserver.keystore>
System          com.coremedia.corba.SSLClientSocketFactory.passphrase    <mypassword>

Table 4.6. Properties for Workflow to Content Server SSL configuration


Prepare the Site Manager for SSL communication
  1. Import the servers' public keys into the Site Manager's key store:

keytool -import -alias contentserver \
  -keystore editor.keystore -file contentserver.public-key
keytool -import -alias workflowserver \
  -keystore editor.keystore -file workflowserver.public-key

  2. Add the following lines to tomcat/webapps/editor-webstart/webstart/editor.jnlp, after the property tag with name="java.security.policy" inside the resources tag:

<property name="com.sun.CORBA.legacy.connection.ORBSocketFactoryClass"
          value="com.coremedia.corba.SSLClientSocketFactory50"/>
<property name="com.coremedia.corba.SSLClientSocketFactory.clearTextPort"
          value="14300,14305"/>
<property name="com.coremedia.corba.SSLClientSocketFactory.sslPort"
          value="14443,14445"/>
<property name="com.coremedia.corba.SSLClientSocketFactory.keystore"
          value="$$codebaseproperties/corem/editor.keystore"/>
<property name="com.coremedia.corba.SSLClientSocketFactory.passphrase"
          value="mypassword"/>

  3. Place the editor.keystore in tomcat/webapps/editor-webstart/properties/corem/ of your installation.

Caution

Though stated in the examples, it is not recommended to place the editor.keystore at any publicly accessible place. This is only intended for testing and development. For productive use, an official key should be deployed with every Unified API installation on the client machines. For the CoreMedia Site Manager this key must be added to Web Start's key store. Another possible way would be to download the key store via HTTPS using a certificate that is already present on the workplace computers.

Preparing a client ORB for SSL communication
  1. CoreMedia clients running as web applications, such as the Content Application Engine, are usually configured to use the servlet container's ORB. CoreMedia provides an integration of the Oracle ORB into Tomcat. You can configure this ORB for SSL by setting the following system properties:

Property Type   Property Name                                            Property Value
ORB             com.sun.CORBA.legacy.connection.ORBSocketFactoryClass   com.coremedia.corba.SSLClientSocketFactory50
System          com.coremedia.corba.SSLClientSocketFactory.clearTextPort 14300,14305
System          com.coremedia.corba.SSLClientSocketFactory.sslPort       14443,14445
System          com.coremedia.corba.SSLClientSocketFactory.keystore      <path to workflowserver.keystore>
System          com.coremedia.corba.SSLClientSocketFactory.passphrase    <mypassword>

Table 4.7. Properties for Client ORB SSL configuration


Prepare Unified API clients for SSL communication
  1. To instruct stand-alone Unified API clients such as the command line tools to use SSL, the ORB properties must be set in the connection parameters of the Unified API instead of as system properties.

  2. If you are setting up the Unified API connection programmatically, consider using the connect(Map) method of the class Cap:

import java.util.HashMap;
import java.util.Map;
import com.coremedia.cap.Cap;

Map<String, Object> parameters = new HashMap<>();
...
// Select the SSL client socket factory through the ORB property.
parameters.put("com.sun.CORBA.legacy.connection.ORBSocketFactoryClass",
               "com.coremedia.corba.SSLClientSocketFactory50");
connection = Cap.connect(parameters);

  3. In any case, you may inject the parameter through the IOR URL passed to the Unified API. For command line tools, you can pass the URL on the command line:

cm systeminfo \
  -url "http://<SSHCLIENT>:<CorbaPort>/coremedia/ior?com.sun.CORBA.legacy.connection.ORBSocketFactoryClass=com.coremedia.corba.SSLClientSocketFactory50" \
  -u admin -p admin

  • You can also set the extended URL in the file capclient.properties:

cap.client.server.ior.url=\
  http://<SSHCLIENT>:<CorbaPort>/coremedia/ior?\
  com.sun.CORBA.legacy.connection.ORBSocketFactoryClass=\
  com.coremedia.corba.SSLClientSocketFactory50

  • It is also possible to pass an extended URL when opening a connection programmatically.

Restart Workflow Server, Content Server, and clients.

Restart all servers by restarting the servlet container where they are deployed.

Verify SSL communication

Verify SSL communication by searching the applications' logs for error messages, and by using netstat or lsof. Under Solaris, using the port numbers in this example, you could use the command:

netstat -e -a -p | grep ":14[34]"

Before the Site Manager is started, it should show the servers listening on ports 14443/14445 (the SSL ports) as well as on 14300/14305 (the clear-text ports). After the Site Manager has been started and a user has logged in, a connection should be established on port 14443/14445 (and not on 14300/14305) towards the client's machine. Note that other applications might continue to connect to the clear-text ports.
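The check described above can be automated. The following script is an added example and not part of the CoreMedia documentation or product: it pairs the clearTextPort/sslPort lists from the client configuration (as in Tables 4.6 and 4.7) into a port mapping, parses netstat output, and reports whether the SSL ports are listening and whether a given client machine reaches the servers only on SSL ports. The netstat lines, the server address 10.0.0.5 and the client addresses are constructed sample data.

```python
import re

# Constructed sample of netstat -a -n output on the server host 10.0.0.5 (not a
# real capture): the Site Manager at 192.168.1.20 connects via SSL, a client in
# the trusted network at 10.0.0.9 still uses the clear-text Content Server port.
NETSTAT_SAMPLE = """\
tcp  0  0 0.0.0.0:14300   0.0.0.0:*            LISTEN
tcp  0  0 0.0.0.0:14443   0.0.0.0:*            LISTEN
tcp  0  0 0.0.0.0:14305   0.0.0.0:*            LISTEN
tcp  0  0 0.0.0.0:14445   0.0.0.0:*            LISTEN
tcp  0  0 10.0.0.5:14443  192.168.1.20:51234   ESTABLISHED
tcp  0  0 10.0.0.5:14445  192.168.1.20:51236   ESTABLISHED
tcp  0  0 10.0.0.5:14300  10.0.0.9:40001       ESTABLISHED
"""

# proto recv-q send-q local:port remote:port state
LINE_RE = re.compile(r"^tcp\S*\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(\S+)")

def port_mapping(clear_text_ports, ssl_ports):
    """Pair the clearTextPort and sslPort property values position by position,
    e.g. "14300,14305" and "14443,14445" -> {14300: 14443, 14305: 14445}."""
    clear = [int(p) for p in clear_text_ports.split(",")]
    ssl = [int(p) for p in ssl_ports.split(",")]
    if len(clear) != len(ssl):
        raise ValueError("clearTextPort and sslPort must list the same number of ports")
    return dict(zip(clear, ssl))

def parse_netstat(text):
    """Yield (local_port, remote_host, state) for every TCP line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(2)), m.group(3), m.group(5)

def check_ssl_usage(netstat_text, mapping, client_host):
    """Report whether all SSL ports are listening and whether client_host
    reaches the servers on SSL ports only (never on the clear-text ports)."""
    rows = list(parse_netstat(netstat_text))
    listening = {port for port, _, state in rows if state == "LISTEN"}
    from_client = {port for port, host, state in rows
                   if state == "ESTABLISHED" and host == client_host}
    ssl_ports, clear_ports = set(mapping.values()), set(mapping)
    report = {
        "missing_listeners": sorted(ssl_ports - listening),
        "ssl_connections": sorted(from_client & ssl_ports),
        "clear_text_connections": sorted(from_client & clear_ports),
    }
    report["ok"] = (not report["missing_listeners"]
                    and report["ssl_connections"] == sorted(ssl_ports)
                    and not report["clear_text_connections"])
    return report
```

On a real server, feed the output of netstat -a -n into check_ssl_usage in place of the constructed sample; a non-empty clear_text_connections entry for the remote client is exactly the condition the verification step above says must not occur.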