Configuring LiveContent Central Services for HTTPS
If you use the HTTPS protocol, perform this task to configure LiveContent Central Services to use an SSL connection.
Before you begin
Before beginning, gather the following information.
- Pathname, type, and password of the SSL connector keystore
- Alias of the certificate you want to use
- Fully qualified domain name (FQDN) for the host where the service is installed.
To configure the LiveContent Central Services for use with HTTPS, update each of the application.yml files as described below.
Important: Entries in the application.yml file must use exactly two spaces per level of indentation. Do not use tabs. Incorrect indentation causes the system to ignore your configuration. Entries in the application.yml file must match the examples exactly. Copying and pasting from the examples may introduce incorrect leading spaces, which must be fixed manually to match the examples.
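A pre-flight check for the indentation rule above, as an added example that is not part of the product or its documentation. It is a line-based check rather than a YAML parser, the function name `check_indentation` is hypothetical, and the sample input is constructed.

```python
# Constructed sample: an application.yml fragment with two indentation mistakes.
SAMPLE = (
    "server:\n"
    "  ssl:\n"
    "    enabled: true\n"
    "\tkey-store-type: pkcs12\n"   # tab instead of spaces
    "lcs:\n"
    "   service:\n"                 # three spaces instead of two
    "    base-url: example\n"
)

def check_indentation(text, step=2):
    """Return (line_no, message) for each line that breaks the two-space rule."""
    findings = []
    prev_depth = 0
    for line_no, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments do not affect nesting
        lead = raw[:len(raw) - len(raw.lstrip())]
        if lead.strip(" "):
            # Anything other than U+0020 here: tabs, non-breaking spaces from copy/paste
            findings.append((line_no, "tab or other non-space whitespace in indentation"))
            continue
        if len(lead) % step:
            findings.append((line_no, f"{len(lead)} spaces is not a multiple of {step}"))
        depth = len(lead) // step
        if depth > prev_depth + 1:
            findings.append((line_no, f"indented {depth - prev_depth} levels deeper than the previous key"))
        prev_depth = depth
    return findings

if __name__ == "__main__":
    for line_no, message in check_indentation(SAMPLE):
        print(f"line {line_no}: {message}")
```

Run it against each service's application.yml before restarting; an empty result means every key sits on a two-space boundary with no tabs.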
Procedure
- Configure the Discovery Service.
- Open the application.yml file located at [LCC_home]/discovery-service/config/application.yml for editing.
- Add the following.
server:
  ssl:
    enabled: true
    key-store: the path name of the new SSL connector keystore
    key-store-password: ENC(your key-store password)
    key-store-type: pkcs12
    key-alias: alias name used when the certificate is imported into keystore
    #key-password: your key password
lcs:
  service:
    base-url: [FQDN]:${server.port}${server.servlet.context-path}
- Save and close the application.yml file.
- Configure the Content Service.
- Open the application.yml file located at [LCC_home]/content-service/config/application.yml for editing.
- Add the following.
server:
  ssl:
    enabled: true
    key-store: the path name of the new SSL connector keystore
    key-store-password: ENC(your key-store password)
    key-store-type: pkcs12
    key-alias: alias name used when the certificate is imported into keystore
    #key-password: your key password
lcs:
  discovery:
    base-url: https://[FQDN]:2045
  webServerRedirectUri: https://[FQDN]:${server.port}/login
- Save and close the application.yml file.
- Configure the Publish Service.
- Open the application.yml file located at [LCC_home]/publish-service/config/application.yml for editing.
- Add the following.
server:
  ssl:
    enabled: true
    key-store: the path name of the new SSL connector keystore
    key-store-password: your key-store password
    key-store-type: pkcs12
    key-alias: alias name used when the certificate is imported into keystore
    #key-password: ENC(your key password)
lcs:
  discovery:
    base-url: https://[FQDN]:2045
  distribution:
    base-url: https://[FQDN]:2445
  deployer:
    base-url: https://[FQDN]:2345
  service:
    base-url: [FQDN]:${server.port}${server.servlet.context-path}
- Save and close the application.yml file.
- Configure the Deployer Service.
- Open the application.yml file located at [LCC_home]/deployer-service/config/application.yml for editing.
- Add the following.
server:
  ssl:
    enabled: true
    key-store: the path name of the new SSL connector keystore
    key-store-password: your key-store password
    key-store-type: pkcs12
    key-alias: alias name used when the certificate is imported into keystore
    #key-password: ENC(your key password)
lcs:
  discovery:
    base-url: https://[FQDN]:2045
  distribution:
    base-url: https://[FQDN]:2445
  service:
    base-url: [FQDN]:2345
- Save and close the application.yml file.
- Configure the Distribution Service.
- Open the application.yml file located at [LCC_home]/distribution-service/config/application.yml for editing.
- Add the following.
server:
  ssl:
    enabled: true
    key-store: the path name of the new SSL connector keystore
    key-store-password: your key-store password
    key-store-type: pkcs12
    key-alias: alias name used when the certificate is imported into keystore
    #key-password: ENC(your key password)
lcs:
  discovery:
    base-url: https://[FQDN]:2045
  service:
    base-url: [FQDN]:${server.port}${server.servlet.context-path}
- Save and close the application.yml file.
- Configuring JDBC connectors with SSL
- To secure your JDBC connection, specify the path to the root certificate in the application.yml file for each of the services.
spring:
  datasource:
    sslrootcert: the path to your certificate store, typically root.crt
- Make sure the following configurations in the postgresql.conf file are not commented out and that they have appropriate values.
Refer to the PostgreSQL official documentation for more information on securing your database connectors.
ssl = on
ssl_cert_file = 'server.crt'
ssl_key_file = 'server.key'
ssl_ca_file = ''
ssl_crl_file = ''
ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
ssl_prefer_server_ciphers = on
- Make sure the pg_hba.conf file includes the following configurations.
Refer to the PostgreSQL official documentation for more information on securing your database connectors.
host all all 0.0.0.0/0 md5
hostssl all all 0.0.0.0/0 md5
- After you have configured the services, use the following scripts to clean up the database.
--Clear oauth tables
TRUNCATE discovery.oauth_access_token CASCADE;
TRUNCATE discovery.oauth_client_details CASCADE;
TRUNCATE discovery.oauth_refresh_token CASCADE;
- Restart all services.
- To configure the Publish tool for use with HTTPS, review the configurations listed in the config.xml file. This file is located at [LCC_home]/publish-service/PublishUI.
- Make sure that you have the accurate host and port information for the Discovery service. If you have successfully set up the application.yml files to use HTTPS, then the value for DiscoveryServiceHost may resemble https://<hostname>:2045.
- Set enableHTTPS to true.
Refer to Configuring the Publish service and Publish tool file locations for a list of configurations used with the LiveContent Central Publish tool.
- To configure the LiveContent Central IETP packaging tool for use with HTTPS, review the configurations listed in the lcccollectionpub.properties file. This file is located at [LCC_home]/distribution-service/config.
- Make sure that you have the accurate host and port information for the Discovery service. If you have successfully set up the application.yml files to use HTTPS, then the value for discoveryServiceHost may resemble https://<hostname>:2045.
- Set httpProtocol to https.
- If you configured the Content service and Discovery service archives located at [LCC_home]/distribution-service to use HTTPS, then make sure to update the following configurations in lcccollectionpub.properties.
- zippedServiceHost: [FQDN]
- zippedHttpProtocol: https
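In pg_hba.conf a `host` record matches both TLS and non-TLS TCP connections, and the first matching record decides, so the `host` line in the JDBC step still admits unencrypted clients. The audit below is an added example, not part of the product or its documentation; the function names are hypothetical, the sample files are constructed, and only CIDR-style addresses are handled.

```python
import ipaddress

# Constructed sample: the two records shown in the pg_hba.conf step above.
PAGE_PG_HBA = """\
# TYPE   DATABASE  USER  ADDRESS    METHOD
host     all       all   0.0.0.0/0  md5
hostssl  all       all   0.0.0.0/0  md5
"""

# Constructed sample: plaintext TCP is rejected before any other record matches.
TLS_ONLY_PG_HBA = """\
hostnossl  all  all  0.0.0.0/0  reject
hostssl    all  all  0.0.0.0/0  md5
"""

def parse_records(text):
    """Yield (line_no, type, database, user, network, method) for CIDR TCP records."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0] not in ("host", "hostssl", "hostnossl"):
            continue  # blank line, comment, or a record type not checked here
        if "/" not in fields[3]:
            continue  # hostname or separate-netmask form: not handled in this sketch
        yield (line_no, fields[0], fields[1], fields[2],
               ipaddress.ip_network(fields[3], strict=False), fields[4])

def covers(earlier, later):
    """True if the earlier record matches every connection the later one matches."""
    _, _, db, user, net, _ = earlier
    _, _, later_db, later_user, later_net, _ = later
    return (db in ("all", later_db) and user in ("all", later_user)
            and net.version == later_net.version and later_net.subnet_of(net))

def plaintext_records(text):
    """Return line numbers of records that can admit a non-TLS TCP connection."""
    findings, rejects = [], []
    for rec in parse_records(text):
        line_no, rec_type, method = rec[0], rec[1], rec[5]
        if rec_type == "hostssl":
            continue  # matches TLS connections only
        if method == "reject":
            rejects.append(rec)  # refuses plaintext for everything it covers
        elif not any(covers(r, rec) for r in rejects):
            findings.append(line_no)
    return findings
```

For the records from this page the audit reports line 2, the `host` entry; the second sample, which rejects `hostnossl` first, reports nothing.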