By default both the frontend and backend fulcrums use plain HTTP without secure sockets layer (SSL). This guide documents how to enable SSL.
You will need to edit the file /etc/HTTPServerConfig.xml.
First disable the existing connector by commenting out the addConnector fragment from the XML and then uncomment this SSL connector as shown below:
As suggested in the comment full details of the Jetty configuration and how to set up the necessary keystore are contained here.
NetKernel must be restarted for changes in the HTTP configuration to take effect.
Managing SSL certificates is one of those chores that comes around regularly - but with a very low frequency - which means it's almost impossible to remember from one year to the next what you need to do. Here, for the record, is a step-by-step procedure which, on a Linux box with openssl, works very smoothly. Each step uses the hostname "www.hostname.com" for illustration, so just replace this with your own domain...
openssl req -new -newkey rsa:4096 -nodes -keyout www.hostname.com.key -out www.hostname.com.csr
When asked, make sure the qualified name is the hostname you want the certificate for. Upload the CSR (or cut and paste its text) to your SSL certificate authority and ask for the certificate.
You may get the opportunity to choose the type of server - usually "Apache" will give you the most standard result.
For example, with the GoDaddy "Apache" option you get a zip with two certs: www.hostname.com.crt and gd_bundle.crt
If this is what you get, then you need to do some work to associate the CA key chain with the host certificate...
Check like this...
openssl x509 -text -inform PEM -in www.hostname.com.crt
openssl x509 -text -inform PEM -in gd_bundle.crt
Even though they end with .crt, mine were really PEM format!! (Thanks GoDaddy)
If they're not PEM then use openssl to convert to PEM.
Note, the left to right order of the cert and CA cert is critical...
cat www.hostname.com.crt gd_bundle.crt > jetty-chain.pem
Verify this worked using...
openssl x509 -text -inform PEM -in jetty-chain.pem
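As an added example (not from the NetKernel documentation), this POSIX shell script builds jetty-chain.pem in the host-cert-first order the guide requires and checks the result more thoroughly than the single openssl x509 call above, which decodes only the first certificate in a file. It assumes the file names used in the guide; the function names and the use of -partial_chain on openssl verify are my choices, not part of the guide.

```shell
#!/bin/sh
# Added example, not part of the NetKernel guide: build jetty-chain.pem in the
# host-certificate-first order the guide requires and check the result.
# File names follow the guide; "www.hostname.com" is the illustrative host.
set -eu

# Count PEM certificate blocks. Plain grep, so it works without openssl;
# the guide's host cert plus a two-cert CA bundle should give 3.
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# Concatenate host cert then CA bundle (left-to-right order is critical),
# refuse the result if BEGIN/END markers do not pair up, print the count.
build_chain() {
    host_crt=$1; bundle=$2; out=$3
    cat "$host_crt" "$bundle" > "$out"
    begins=$(pem_cert_count "$out")
    ends=$(grep -c '^-----END CERTIFICATE-----' "$out")
    if [ "$begins" -ne "$ends" ]; then
        echo "mismatched PEM markers in $out" >&2
        return 1
    fi
    echo "$begins"
}

# 'openssl x509 -in jetty-chain.pem' only decodes the FIRST certificate in the
# file, so it cannot prove the bundle was appended. This prints the subject
# and issuer of every certificate, in file order, so the chain can be eyeballed.
show_chain() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Cryptographic check that the host cert really is issued by the bundle:
# -partial_chain lets the bundle's certs act as trust anchors even when the
# CA root itself is not included, which is common for vendor bundles.
verify_chain() {
    openssl verify -partial_chain -CAfile "$2" "$1"
}

# usage: sh jetty-chain.sh www.hostname.com.crt gd_bundle.crt jetty-chain.pem
if [ "$#" -eq 3 ]; then
    build_chain "$1" "$2" "$3"
    show_chain "$3"
    verify_chain "$1" "$2"
fi
```

If the issuer line printed for the host certificate does not match the subject line of the certificate that follows it, the files were concatenated in the wrong order.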
openssl pkcs12 -export -inkey www.hostname.com.key -in jetty-chain.pem -out jetty-chain.pkcs12
keytool -importkeystore -srckeystore jetty-chain.pkcs12 -srcstoretype PKCS12 -destkeystore keystore
keytool -list -keystore keystore -v
You should see...
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: 1
Creation date: 23-Jan-2013
Entry type: PrivateKeyEntry
Certificate chain length: 3
...
You want to see "Certificate chain length: 3": a chain length greater than one shows that you've got the cert and the associated CA certificates chained together.
keytool -keyclone -keystore keystore -alias 1 -dest jetty -new xxxxnewpassswordxxxxxxx
keytool -delete -alias 1 -keystore keystore
Verify that keystore looks good...
keytool -list -keystore keystore
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
jetty, 23-Jan-2013, PrivateKeyEntry,
Certificate fingerprint (SHA1): D2:38:DC:08:87:10:5D:EC:0B:44:87:25:09:A9:55:3A:FE:5D:54:7A
You're all set - take the keystore and deploy it to your server. Make sure the SSLConnection settings in the HTTPTransportConfig.xml in your Fulcrum point to the keystore and have the correct passwords, etc.