In a standard CoreMedia installation, session handles and content are transmitted in clear text across the network between client and server. This is usually not a problem when the editorial workplaces and the servers reside in the same trusted network. However, for secure remote access, encrypted communication is sometimes required.
If SSH tunneling is not an option, alternatively a Secure Socket Layer (SSL) connection can be used for the CORBA communication between CoreMedia applications.
The setup is slightly more complex than in the SSH case, because the certificate handling has to be administered explicitly for Java's SSL implementation, and because the port mapping has to be specified in CoreMedia configuration files.
In the following example it is assumed that communication has to be encrypted between a Site Manager on one side, and the Content Server and Workflow Server on the other side.
In the example, the following port numbers are used. You may want to use different port numbers for your deployment.
Server | Clear-Text Port | SSL Port |
---|---|---|
Content Server | 14300 | 14443 |
Workflow Server | 14305 | 14445 |
Table 4.3. Example SSL Ports
The servers open an SSL Port in addition to the clear-text port. This allows the same server to be accessed using clear text communication from within a trusted network, and using SSL from outside. When a client is configured to use SSL, not a single byte will be sent to the clear text port, which may be blocked from outside access by a firewall.
Note that the server's HTTP port will have to be accessible to clients, for example to retrieve the IOR.
Enable SSL Encryption
Enabling SSL encryption for CORBA communication requires the following steps:
1. Create key stores for Content Server and Workflow Server.
2. Prepare the Content Server for SSL communication.
3. Prepare the Workflow Server for SSL communication.
4. Prepare the Site Manager for SSL communication.
5. Restart all three applications.
6. Verify SSL communication.
Create key stores
Create key stores which will later be distributed to the servers and clients. Consult your JDK documentation for further details about the keytool command.
Create self-signed server keys for Content Server and Workflow Server:
keytool -genkey -alias contentserver -v -keyalg RSA \
    -keystore contentserver.keystore
keytool -genkey -alias workflowserver -v -keyalg RSA \
    -keystore workflowserver.keystore
Export the server's public keys from their key stores:
keytool -export -rfc -keystore contentserver.keystore \
    -alias contentserver -file contentserver.public-key
keytool -export -rfc -keystore workflowserver.keystore \
    -alias workflowserver -file workflowserver.public-key
Prepare the Content Server for SSL communication
Add the following system properties to the Content Server's setenv.sh/setenv.bat files:
Property Type | Property Name | Property Value |
---|---|---|
ORB | com.sun.CORBA.ORBServerPort | 14300 |
ORB | com.sun.CORBA.legacy.connection.ORBSocketFactoryClass | com.coremedia.corba.SSLClientServerSocketFactory50 |
ORB | com.sun.CORBA.transport.ORBListenSocket | SSL:14443 |
System | com.coremedia.corba.SSLServerSocketFactory.keystore | <path to contentserver.keystore> |
System | com.coremedia.corba.SSLServerSocketFactory.passphrase | <mypassword> |
Table 4.4. Properties for Content Server SSL configuration
Place the contentserver.keystore in the folder etc/keys/ of the installation home directory of the Content Server. For another location, adjust the key store setting by defining the corresponding system property accordingly.
Prepare the Workflow Server for SSL communication
Add the following two system properties during the invocation of the server:
Property Type | Property Name | Property Value |
---|---|---|
ORB | com.sun.CORBA.ORBServerPort | 14305 |
ORB | com.sun.CORBA.legacy.connection.ORBSocketFactoryClass | com.coremedia.corba.SSLClientServerSocketFactory50 |
ORB | com.sun.CORBA.transport.ORBListenSocket | SSL:14445 |
System | com.coremedia.corba.SSLServerSocketFactory.keystore | <path to workflowserver.keystore> |
System | com.coremedia.corba.SSLServerSocketFactory.passphrase | <mypassword> |
Table 4.5. Properties for Workflow Server SSL configuration
Place the workflowserver.keystore in the folder etc/keys/ of the installation home directory of the Workflow Server. For another location, adjust the key store setting by defining the corresponding system property accordingly.
The following two steps are optional and are needed only in the rare cases where SSL-encrypted communication is also required between the Workflow Server and the Content Server.
In this case, add the Content Server's key to the Workflow Server's key store and configure the Workflow Server as an SSL client, just like the Site Manager. Run the following command:
keytool -import -alias contentserver -keystore workflowserver.keystore \
    -file contentserver.public-key
In addition to the above, set the following system properties during invocation of the Workflow Server:
Property Type | Property Name | Property Value |
---|---|---|
System | com.coremedia.corba.SSLClientSocketFactory.clearTextPort | 14300 |
System | com.coremedia.corba.SSLClientSocketFactory.sslPort | 14443 |
System | com.coremedia.corba.SSLClientSocketFactory.keystore | <path to workflowserver.keystore> |
System | com.coremedia.corba.SSLClientSocketFactory.passphrase | <mypassword> |
Table 4.6. Properties for Workflow to Content Server SSL configuration
Prepare the Site Manager for SSL communication
Import the servers' public keys into the Site Manager's key store:
keytool -import -alias contentserver -keystore editor.keystore \
    -file contentserver.public-key
keytool -import -alias workflowserver -keystore editor.keystore \
    -file workflowserver.public-key
Add the following lines to tomcat/webapps/editor-webstart/webstart/editor.jnlp, after the property tag with name="java.security.policy" inside the resources tag:
<property name="com.sun.CORBA.legacy.connection.ORBSocketFactoryClass"
          value="com.coremedia.corba.SSLClientSocketFactory50"/>
<property name="com.coremedia.corba.SSLClientSocketFactory.clearTextPort"
          value="14300,14305"/>
<property name="com.coremedia.corba.SSLClientSocketFactory.sslPort"
          value="14443,14445"/>
<property name="com.coremedia.corba.SSLClientSocketFactory.keystore"
          value="$$codebaseproperties/corem/editor.keystore"/>
<property name="com.coremedia.corba.SSLClientSocketFactory.passphrase"
          value="mypassword"/>
Place the editor.keystore in tomcat/webapps/editor-webstart/properties/corem/ of your installation.
Caution
Though stated in the examples, it is not recommended to place the
Preparing a client ORB for SSL communication
CoreMedia clients running as web applications, such as the Content Application Engine, are usually configured to use the servlet container's ORB. CoreMedia provides an integration of the Oracle ORB into Tomcat. You can configure this ORB for SSL by setting the following system properties:
Property Type | Property Name | Property Value |
---|---|---|
ORB | com.sun.CORBA.legacy.connection.ORBSocketFactoryClass | com.coremedia.corba.SSLClientSocketFactory50 |
System | com.coremedia.corba.SSLClientSocketFactory.clearTextPort | 14300,14305 |
System | com.coremedia.corba.SSLClientSocketFactory.sslPort | 14443,14445 |
System | com.coremedia.corba.SSLClientSocketFactory.keystore | <path to workflowserver.keystore> |
System | com.coremedia.corba.SSLClientSocketFactory.passphrase | <mypassword> |
Table 4.7. Properties for Client ORB SSL configuration
Prepare Unified API clients for SSL communication
In order to instruct stand-alone Unified API clients like the command line tools to use SSL, the ORB properties must be set in the connection parameters for the Unified API instead of as system properties.
If you are setting up the Unified API connection programmatically, consider using the connect(Map) method of the class Cap:
Map parameters = new HashMap();
...
parameters.put("com.sun.CORBA.legacy.connection.ORBSocketFactoryClass",
               "com.coremedia.corba.SSLClientSocketFactory50");
connection = Cap.connect(parameters);
In any case, you may inject the parameter through the IOR URL passed to the Unified API. For command line tools, pass the URL on the command line (quoted, so the shell does not interpret the query string):
cm systeminfo -url "http://<SSHCLIENT>:<CorbaPort>/coremedia/ior?\
com.sun.CORBA.legacy.connection.ORBSocketFactoryClass=\
com.coremedia.corba.SSLClientSocketFactory50" -u admin -p admin
You can also set the extended URL in the file capclient.properties:
cap.client.server.ior.url=\
http://<SSHCLIENT>:<CorbaPort>/coremedia/ior?\
com.sun.CORBA.legacy.connection.ORBSocketFactoryClass=\
com.coremedia.corba.SSLClientSocketFactory50
It is also possible to pass an extended URL when opening a connection programmatically.
Restart Workflow Server, Content Server, and clients.
Restart all servers by restarting the servlet container where they are deployed.
Verify SSL communication
Verify SSL communication by searching the applications' logs for error messages, and by using netstat or lsof. Under Solaris, using the port numbers of this example, you could use the command:
netstat -e -a -p | grep ":14[34]"
It should show that, before the Site Manager is started, the servers are listening on ports 14443/14445 (the SSL ports) and 14300/14305 (the clear-text ports). After the Site Manager is started and a user has logged in, a connection should be established on port 14443/14445 (and not on 14300/14305) towards the client's machine. Note that other applications might continue to connect to the clear-text ports.
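The manual netstat check above can be scripted so that it is repeatable after every restart. The following Python script is an added example and not part of the CoreMedia documentation or product: it parses the clearTextPort/sslPort property values into a port mapping (the positional pairing of the two lists, 14300 to 14443 and 14305 to 14445, is an assumption), reads netstat-style output, confirms that every configured port is listening, and reports established connections that arrived on a clear-text port from a host outside a trusted set. The netstat lines and addresses embedded in it are constructed for the example.

```python
"""Check CORBA SSL port usage from netstat-style output.

Added example, not CoreMedia code. Assumes the clearTextPort and sslPort
property values pair up positionally; the sample output below is constructed.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in the Linux `netstat -an` column layout (made-up addresses).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:14300           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:14443           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:14305           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:14445           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:14443          192.0.2.10:51844        ESTABLISHED
tcp        0      0 10.0.0.5:14445          192.0.2.10:51845        ESTABLISHED
tcp        0      0 10.0.0.5:14300          10.0.0.7:40022          ESTABLISHED
"""


def port_map(clear_text: str, ssl: str) -> Dict[int, int]:
    """Turn the comma-separated property values into a clear-text -> SSL port map.

    Positional pairing (first clear-text port to first SSL port) is an assumption
    of this example; a mismatch in list length is almost certainly a config error.
    """
    clear_ports = [int(p) for p in clear_text.split(",")]
    ssl_ports = [int(p) for p in ssl.split(",")]
    if len(clear_ports) != len(ssl_ports):
        raise ValueError("clearTextPort and sslPort must list the same number of ports")
    return dict(zip(clear_ports, ssl_ports))


# local host:port, foreign host:port, state; IPv6 hosts contain ':' themselves,
# so the greedy \S+ with backtracking keeps everything up to the last colon as host.
LINE_RE = re.compile(r"^tcp\S*\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(\S+)")


def parse_netstat(text: str) -> List[Tuple[int, str, str]]:
    """Return (local_port, foreign_host, state) for every TCP line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((int(m.group(2)), m.group(3), m.group(5)))
    return rows


def check_ssl_usage(netstat_text: str, mapping: Dict[int, int], trusted_hosts=()) -> dict:
    """Summarise listening sockets and peers on SSL versus clear-text ports.

    Clear-text connections from hosts outside trusted_hosts are the ones a
    firewall or client configuration should have prevented.
    """
    rows = parse_netstat(netstat_text)
    listening = {port for port, _, state in rows if state == "LISTEN"}
    expected = set(mapping) | set(mapping.values())
    missing = sorted(expected - listening)
    ssl_peers = sorted(
        (host, port) for port, host, state in rows
        if state == "ESTABLISHED" and port in mapping.values())
    clear_text_peers = sorted(
        (host, port) for port, host, state in rows
        if state == "ESTABLISHED" and port in mapping and host not in trusted_hosts)
    return {
        "missing_listeners": missing,
        "ssl_connections": ssl_peers,
        "clear_text_connections": clear_text_peers,
    }


if __name__ == "__main__":
    # Replace SAMPLE_NETSTAT with the real output of `netstat -an` (or the Solaris
    # variant from the documentation) piped into this script.
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    report = check_ssl_usage(text, port_map("14300,14305", "14443,14445"),
                             trusted_hosts={"10.0.0.7"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it with the servers' netstat output on standard input; an empty clear_text_connections list together with an empty missing_listeners list is the expected state once the Site Manager has logged in over SSL. Hosts on the trusted network that are allowed to keep using the clear-text ports go into trusted_hosts so that they do not show up as findings.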