
By default both the frontend and backend fulcrums use plain HTTP without Secure Sockets Layer (SSL). This guide documents how to enable SSL.

You will need to edit the file /etc/HTTPServerConfig.xml.

First disable the existing connector by commenting out its addConnector fragment in the XML, then uncomment the SSL connector shown below:


<!-- Uncomment for SSL Connector. See Jetty wiki for details: http://docs.codehaus.org/display/JETTY/How+to+configure+SSL -->
<Call name="addConnector">
  <Arg>
    <New class="org.mortbay.jetty.security.SslSelectChannelConnector">
      <Set name="port">1060</Set>
      <Set name="maxIdleTime">30000</Set>
      <Set name="Acceptors">2</Set>
      <Set name="confidentialPort">1060</Set>
      <Set name="lowResourcesConnections">100</Set>
      <Set name="lowResourceMaxIdleTime">5000</Set>
      <Set name="statsOn">true</Set>
      <Set name="keystore">/home/pjr/workspace/install/keystore</Set>
      <Set name="password">test123</Set>
      <Set name="truststore">/home/pjr/workspace/install/keystore</Set>
      <Set name="trustPassword">test123</Set>
      <Set name="keyPassword">test123</Set>
    </New>
  </Arg>
</Call>

As the comment suggests, full details of the Jetty configuration and of setting up the necessary keystore are at the Jetty wiki link given in the comment. The keystore path and the test123 passwords in the fragment are only sample values; point them at your own keystore and its passwords.

NetKernel must be restarted for changes in the HTTP configuration to take effect.

SSL Certificate Generation

Managing SSL certificates is one of those chores that comes around regularly - but with a very low frequency - which means it's almost impossible to remember from one year to the next what you need to do. Here for the record is a step-by-step procedure which, on a Linux box with openssl, works very smoothly. Each step uses the hostname "www.hostname.com" for illustration, so just replace this with your own domain...

0. Create a new private key and CSR

openssl req -new -newkey rsa:4096 -nodes -keyout www.hostname.com.key -out www.hostname.com.csr

When asked, make sure the fully qualified name (the Common Name) is the hostname you want the certificate for. Upload the CSR (or cut and paste its text) to your SSL certificate authority and request the certificate.

1. Download the certificate.

You may get the opportunity to choose the type of server - usually "Apache" will give you the most standard result.

For example, with the GoDaddy "Apache" option you get a zip with two certs: www.hostname.com.crt and gd_bundle.crt

If this is what you get, then you need to do some work to associate the CA certificate chain with the host certificate...

2. Make sure the cert and the CA certs are in PEM format

Check like this...

openssl x509 -text -inform PEM -in www.hostname.com.crt

openssl x509 -text -inform PEM -in gd_bundle.crt

Even though they end with .crt, mine were really in PEM format!! (Thanks GoDaddy)

If they're not PEM then use openssl to convert them to PEM.

3. Create concatenated keychain

Note, the left to right order of the cert and CA cert is critical...

cat www.hostname.com.crt gd_bundle.crt > jetty-chain.pem

Verify this worked using...

openssl x509 -text -inform PEM -in jetty-chain.pem

4. Create pkcs12 store with the private key and the certificate keychain...

openssl pkcs12 -export -inkey www.hostname.com.key -in jetty-chain.pem -out jetty-chain.pkcs12

5. Import pkcs12 into Java keystore...

keytool -importkeystore -srckeystore jetty-chain.pkcs12 -srcstoretype PKCS12 -destkeystore keystore

6. Check that the certificate has a certificate chain length...

keytool -list -keystore keystore -v

You should see...

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: 1
Creation date: 23-Jan-2013
Entry type: PrivateKeyEntry
Certificate chain length: 3
...

You want to see this "Certificate chain length: 3" - a chain length greater than one shows that you've got the cert and the associated CA certificates chained together.

7. Clone the key to give it the "jetty" alias (and a new password if needed)

keytool -keyclone -keystore keystore -alias 1 -dest jetty -new xxxxnewpassswordxxxxxxx

8. Delete older key (Jetty doesn't like having 2 keys in the keystore)

keytool -delete -alias 1 -keystore keystore

Verify that keystore looks good...

keytool -list -keystore keystore

To see...

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

jetty, 23-Jan-2013, PrivateKeyEntry, 
Certificate fingerprint (SHA1): D2:38:DC:08:87:10:5D:EC:0B:44:87:25:09:A9:55:3A:FE:5D:54:7A

You're all set - take the keystore and deploy it to your server. Make sure the SSLConnection settings in the HTTPTransportConfig.xml in your Fulcrum point to the keystore and have the correct passwords etc.
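The procedure above, as an added example that is not part of the NetKernel documentation: a POSIX shell script that runs steps 0, 3 and 4 against a throwaway CA generated locally (so it works offline, with no real certificate authority involved), checks the server-cert-first ordering that step 3 calls critical instead of relying on openssl x509 (which only prints the first certificate in a file), and, if keytool is on the PATH, performs the import of step 5. The CA name demo-ca, the PLACEHOLDER passwords and the scratch directory are assumptions; the -name jetty option on the PKCS#12 export is an alternative to the clone-and-delete of steps 7 and 8, not what the page does.

```shell
#!/bin/sh
# Added example, not NetKernel's own code: steps 0, 3 and 4 of the page run
# against a constructed local CA, plus a check of the chain order.
# Assumptions: the CA name demo-ca, the PLACEHOLDER passwords, the WORK dir.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Pull the n-th PEM certificate (1-based) out of a file.
nth_cert() {
    awk -v want="$2" '/BEGIN CERTIFICATE/ {n++}
                       n == want {print}
                       /END CERTIFICATE/ {if (n == want) exit}' "$1"
}

# openssl x509 only parses the first certificate in a file, so count them.
cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Return 0 when each certificate is issued by the one that follows it,
# i.e. server cert first, then its CA bundle; return 1 otherwise.
check_chain_order() {
    n=$(cert_count "$1")
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(nth_cert "$1" "$i" | openssl x509 -noout -issuer)
        subject=$(nth_cert "$1" $((i + 1)) | openssl x509 -noout -subject)
        # Both lines carry a "label=" prefix; compare the DN text after it.
        [ "${issuer#issuer=}" = "${subject#subject=}" ] || return 1
        i=$((i + 1))
    done
    return 0
}

# Step 0 of the page, plus a constructed CA that signs the CSR in place of
# a real certificate authority. -subj replaces the interactive prompts.
make_demo_chain() {
    cd "$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
        -keyout ca.key -out ca.crt 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.hostname.com" \
        -keyout www.hostname.com.key -out www.hostname.com.csr 2>/dev/null
    openssl x509 -req -in www.hostname.com.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -days 1 -out www.hostname.com.crt 2>/dev/null
    # Step 3: server certificate first, CA bundle after it.
    cat www.hostname.com.crt ca.crt > jetty-chain.pem
    # The same two files reversed, to show the order check rejecting it.
    cat ca.crt www.hostname.com.crt > wrong-order.pem
    # The CA must validate the server certificate before going any further.
    openssl verify -CAfile ca.crt www.hostname.com.crt >/dev/null
}

# Step 4: private key plus chain into PKCS#12. Prints how many certificates
# the bundle carries (2 here: server cert and CA). -name sets the alias
# keytool will see, so the entry is already called "jetty" on import.
export_pkcs12() {
    cd "$WORK"
    openssl pkcs12 -export -name jetty -inkey www.hostname.com.key \
        -in jetty-chain.pem -out jetty-chain.pkcs12 \
        -passout pass:PLACEHOLDER-change-me
    openssl pkcs12 -in jetty-chain.pkcs12 -nokeys \
        -passin pass:PLACEHOLDER-change-me 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Step 5 (and the check of step 6) when keytool is on the PATH.
import_into_jks() {
    cd "$WORK"
    keytool -importkeystore -srckeystore jetty-chain.pkcs12 \
        -srcstoretype PKCS12 -srcstorepass PLACEHOLDER-change-me \
        -destkeystore keystore -deststorepass PLACEHOLDER-change-me \
        -noprompt >/dev/null 2>&1
    keytool -list -v -keystore keystore -storepass PLACEHOLDER-change-me \
        | grep 'Certificate chain length'
}

make_demo_chain
echo "chain order ok: $(check_chain_order "$WORK/jetty-chain.pem" && echo yes || echo no)"
echo "chain order ok (reversed file): $(check_chain_order "$WORK/wrong-order.pem" && echo yes || echo no)"
echo "certificates in pkcs12: $(export_pkcs12)"
command -v keytool >/dev/null 2>&1 && import_into_jks || true
```

Run it with sh; set WORK to choose the scratch directory, otherwise a temporary one is created. With a real certificate, drop the throwaway CA lines from make_demo_chain and run check_chain_order on the jetty-chain.pem you built from the CA's bundle: a return of 1 means the host certificate and the bundle are in the wrong order, which is exactly the case the page's openssl x509 check does not catch.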