Configuring LiveContent Central Services for HTTPS

If you use the HTTPS protocol, perform this task to configure LiveContent Central Services to use an SSL connection.

Before you begin

Before beginning, gather the following information.
  • Pathname, type, and password of the SSL connector keystore
  • Alias of the certificate you want to use
  • Fully qualified domain name (FQDN) for the host where the service is installed
In addition, make sure all necessary certificates are part of both the keystore used to configure LiveContent Central Services and the Java keystore (CACERT). To access LiveContent Central Services remotely, the firewall must be set up to allow inbound and outbound traffic for all the ports involved.
To configure LiveContent Central Services for use with HTTPS, update each of the application.yml files as follows.

Procedure

  1. Configure the Discovery Service.
    1. Open the application.yml file located at [LCC_home]/discovery-service/config/application.yml for editing.
    2. Add the following.
      server:
        ssl:
          enabled: true
          key-store: the path name of the new SSL connector keystore
          key-store-password: ENC(your key-store password)
          key-store-type: pkcs12
          key-alias: alias name used when the certificate is imported into keystore
          #key-password: your key password
      
      lcs:
        service:
          base-url: [FQDN]:${server.port}${server.servlet.context-path}
      
    3. Save and close the application.yml file.
  2. Configure the Content Service.
    1. Open the application.yml file located at [LCC_home]/content-service/config/application.yml for editing.
    2. Add the following.
      server:
        ssl:
          enabled: true
          key-store: the path name of the new SSL connector keystore
          key-store-password: ENC(your key-store password)
          key-store-type: pkcs12
          key-alias: alias name used when the certificate is imported into keystore
          #key-password: your key password
      
      lcs:
        discovery:
          base-url: https://[FQDN]:2045
          webServerRedirectUri: https://[FQDN]:${server.port}/login
      
    3. Save and close the application.yml file.
  3. Configure the Publish Service.
    1. Open the application.yml file located at [LCC_home]/publish-service/config/application.yml for editing.
    2. Add the following.
      server:
        ssl:
          enabled: true
          key-store: the path name of the new SSL connector keystore
          key-store-password: your key-store password
          key-store-type: pkcs12
          key-alias: alias name used when the certificate is imported into keystore
          #key-password: ENC(your key password)
      
      lcs:
        discovery:
          base-url: https://[FQDN]:2045
      
        distribution:
          base-url: https://[FQDN]:2445
        deployer:
          base-url: https://[FQDN]:2345
        service:
          base-url: [FQDN]:${server.port}${server.servlet.context-path}
          
      
    3. Save and close the application.yml file.
  4. Configure the Deployer Service.
    1. Open the application.yml file located at [LCC_home]/deployer-service/config/application.yml for editing.
    2. Add the following.
      server:
        ssl:
          enabled: true
          key-store: the path name of the new SSL connector keystore
          key-store-password: your key-store password
          key-store-type: pkcs12
          key-alias: alias name used when the certificate is imported into keystore
          #key-password: ENC(your key password)
      
      lcs:
        discovery:
          base-url: https://[FQDN]:2045
        distribution:
          base-url: https://[FQDN]:2445
        service:
          base-url: [FQDN]:2345    
      
    3. Save and close the application.yml file.
  5. Configure the Distribution Service.
    1. Open the application.yml file located at [LCC_home]/distribution-service/config/application.yml for editing.
    2. Add the following.
      server:
        ssl:
          enabled: true
          key-store: the path name of the new SSL connector keystore
          key-store-password: your key-store password
          key-store-type: pkcs12
          key-alias: alias name used when the certificate is imported into keystore
          #key-password: ENC(your key password)
      
      lcs:
        discovery:
          base-url: https://[FQDN]:2045
      
        service:
          base-url: [FQDN]:${server.port}${server.servlet.context-path}
    3. Save and close the application.yml file.
  6. Configure JDBC connectors with SSL.
    1. To secure your JDBC connection, specify the path to the root certificate in the application.yml file for each of the services.
      spring:
        datasource:
          sslrootcert: the path to your certificate store, typically root.crt 
      
    2. Make sure the following configurations in the postgresql.conf file are not commented and that they have appropriate values.
      ssl = on
      ssl_cert_file = 'server.crt'
      ssl_key_file = 'server.key'
      ssl_ca_file = ''
      ssl_crl_file = ''
      ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
      ssl_prefer_server_ciphers = on
      Refer to the PostgreSQL official documentation for more information on securing your database connectors.
    3. Make sure the pg_hba.conf file includes the following configurations.
      host    all             all             0.0.0.0/0            md5
      hostssl all             all             0.0.0.0/0            md5
      Refer to the PostgreSQL official documentation for more information on securing your database connectors.
  7. After you have configured the services, use the following scripts to clean up the database.
    --Clear oauth tables
    TRUNCATE discovery.oauth_access_token CASCADE;
    TRUNCATE discovery.oauth_client_details CASCADE;
    TRUNCATE discovery.oauth_refresh_token CASCADE;
  8. Restart all services.
  9. To configure the Publish tool for use with HTTPS, review the configurations listed in the config.xml file. This file is located at [LCC_home]/publish-service/PublishUI.
    1. Make sure that you have the accurate host and port information for Discovery service. If you have successfully set up the application.yml files to use HTTPS, then the value for DiscoveryServiceHost may resemble https://<hostname>:2045.
    2. Set enableHTTPS to true.
    Refer to Configuring the Publish service and Publish tool file locations for a list of configurations used with the LiveContent Central Publish tool.
  10. To configure the LiveContent Central IETP packaging tool for use with HTTPS, review the configurations listed in the lcccollectionpub.properties file. This file is located at [LCC_home]/distribution-service/config.
    1. Make sure that you have the accurate host and port information for Discovery service. If you have successfully set up the application.yml files to use HTTPS, then the value for discoveryServiceHost may resemble https://<hostname>:2045.
    2. Set httpProtocol to https.
    3. If you configured the Content service and Discovery service archives located at [LCC_home]/distribution-service to use HTTPS, then make sure to update the following configurations in lcccollectionpub.properties.
      • zippedServiceHost: [FQDN]
      • zippedHttpProtocol: https
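
A check for the two PostgreSQL files edited in step 6, added here as an example and not part of the original documentation. It flags a misspelled SSL parameter, legacy cipher groups, and pg_hba.conf records that accept non-TLS connections, any client address, or weak password authentication. The sample input is constructed (one key is deliberately misspelled), and the function names and finding codes are this example's own.

```python
import difflib
import re

# Constructed sample shaped like the step 6 settings; one key is misspelled on purpose.
POSTGRESQL_CONF = """\
ssl = on
ssl_cert_file = 'server.crt'
sl_ca_file = ''
ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
"""
PG_HBA_CONF = """\
host    all             all             0.0.0.0/0            md5
hostssl all             all             0.0.0.0/0            md5
"""
SSL_KEYS = ["ssl", "ssl_ca_file", "ssl_cert_file", "ssl_ciphers",
            "ssl_crl_file", "ssl_key_file", "ssl_prefer_server_ciphers"]

def audit_postgresql_conf(text):
    """Return (key, finding) pairs for the SSL settings in postgresql.conf."""
    conf, findings = {}, []
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s*=\s*'?([^'#]*)'?", line)  # skips commented lines
        if m:
            conf[m.group(1)] = m.group(2).strip()
    if conf.get("ssl") != "on":
        findings.append(("ssl", "TLS_DISABLED"))
    for key, value in conf.items():
        near = difflib.get_close_matches(key, SSL_KEYS, n=1, cutoff=0.85)
        if key not in SSL_KEYS and near:  # near miss of a real SSL parameter name
            findings.append((key, "MISSPELLED:" + near[0]))
        if key == "ssl_ciphers" and re.search(r"3DES|MEDIUM", value):
            findings.append((key, "LEGACY_CIPHER_GROUPS"))
    return findings

def audit_pg_hba(text):
    """Return (line_no, finding) pairs; expects the CIDR address form used above."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        f = line.split("#", 1)[0].split()  # TYPE DATABASE USER ADDRESS METHOD
        if len(f) < 5 or f[0] not in ("host", "hostssl", "hostnossl"):
            continue
        if f[0] != "hostssl":  # 'host' matches TLS and non-TLS attempts alike
            findings.append((n, "ACCEPTS_NON_TLS"))
        if f[3] in ("0.0.0.0/0", "::/0", "all"):
            findings.append((n, "ANY_CLIENT_ADDRESS"))
        if f[4] in ("md5", "password", "trust"):
            findings.append((n, "WEAK_AUTH:" + f[4]))
    return findings

if __name__ == "__main__":
    print(audit_postgresql_conf(POSTGRESQL_CONF), audit_pg_hba(PG_HBA_CONF))
```

Because a `host` record also matches unencrypted connection attempts, TLS is only required for clients whose first matching record is `hostssl`.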
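
A review aid for the application.yml files edited in steps 1 through 5, added here as an example and not part of the original documentation. It checks that SSL is enabled, that keystore secrets use the ENC(...) wrapper, and that peer-service URLs use https. It assumes ENC(...) marks an encrypted value, as in the Discovery and Content examples; the sample host, path and password are constructed, and the function names and finding codes are this example's own.

```python
import re

# Constructed sample (hypothetical host, path and password), shaped like step 3.
PUBLISH_YML = """\
server:
  ssl:
    enabled: true
    key-store: /opt/lcc/keystore.p12
    key-store-password: changeit
    key-store-type: pkcs12
    #key-password: ENC(abc123)
lcs:
  discovery:
    base-url: http://lcc.example.com:2045
  distribution:
    base-url: https://lcc.example.com:2445
  service:
    base-url: lcc.example.com:${server.port}${server.servlet.context-path}
"""

def flatten_yaml(text):
    """Flatten simple nested 'key: value' YAML (no lists or anchors) to dotted keys."""
    stack, flat = [], {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank or commented-out line
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave deeper or sibling sections
        stack.append((indent, key.strip()))
        if value.strip():
            flat[".".join(k for _, k in stack)] = value.strip()
    return flat

def audit_service_config(text):
    """Return (dotted_key, finding) pairs for one service's application.yml."""
    cfg, findings = flatten_yaml(text), []
    if cfg.get("server.ssl.enabled") != "true":
        findings.append(("server.ssl.enabled", "TLS_NOT_ENABLED"))
    for key in ("server.ssl.key-store-password", "server.ssl.key-password"):
        # Assumption: ENC(...) marks an encrypted value, as in steps 1 and 2.
        if key in cfg and not re.fullmatch(r"ENC\(.+\)", cfg[key]):
            findings.append((key, "SECRET_NOT_ENC_WRAPPED"))
    for key, value in cfg.items():
        # Peer-service URLs on this page use https://; lcs.service carries no scheme.
        if re.fullmatch(r"lcs\.(discovery|distribution|deployer)\.base-url", key):
            if not value.startswith("https://"):
                findings.append((key, "PEER_URL_NOT_HTTPS"))
    return findings
```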