This article covers a Bloomreach Experience Manager version 12. There's an updated version available that covers our most recent release.

Configure Cargo for SSL/TLS

Introduction

Goal

Configure your local Cargo-based development environment to use SSL/TLS.

Background

A standard implementation project created using the Bloomreach Experience Manager Maven archetype is configured to run in a local Cargo-based development environment. By default, the Tomcat container in this environment is configured to use an unencrypted HTTP connection, which is sufficient for most local development use cases. This page explains how you can configure Cargo to use an encrypted HTTPS connection instead, in case you need to develop or test an SSL/TLS setup locally.

The configuration described on this page should only be used for local development and testing purposes.

Instructions

Prepare Keystore, Certificate, and Truststore

From within your project's root directory, change to the conf directory:

cd conf

Use the Java keytool command to create a keystore inside the conf directory:

keytool -keystore tomcatkeystore -genkey -alias 127.0.0.1 -keyalg RSA

When answering the questions asked by keytool, make sure to use the name (CN) "127.0.0.1":

Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  127.0.0.1
What is the name of your organizational unit?
  [Unknown]:  Infra
What is the name of your organization?
  [Unknown]:  Hippo
What is the name of your City or Locality?
  [Unknown]:  Boston
What is the name of your State or Province?
  [Unknown]:  MA
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=127.0.0.1, OU=Infra, O=Hippo, L=Boston, ST=MA, C=US correct?
  [no]:  yes

Enter key password for <127.0.0.1>
        (RETURN if same as keystore password):
Re-enter new password:

There should now be a file called tomcatkeystore in your project's conf directory.

Next, use keytool to export a certificate from the keystore:

keytool -keystore tomcatkeystore -exportcert -alias 127.0.0.1 -file tomcat.cert

Finally, use keytool to create a truststore and import the certificate into it: 

keytool -import -file tomcat.cert -alias 127.0.0.1 -keystore tomcattruststore

When asked to trust the certificate, answer 'yes':

Trust this certificate? [no]:  yes

There should now be a file called tomcattruststore in your project's conf directory.

Configure Cargo Plugin

In your project's root pom.xml, find the cargo.run profile.

Inside the cargo.run profile, find the cargo-maven2-plugin plugin configuration properties.

Add the following plugin configuration properties to plugin/configuration/configuration/properties:

<cargo.servlet.port>8443</cargo.servlet.port>
<cargo.protocol>https</cargo.protocol>
<cargo.tomcat.connector.clientAuth>false</cargo.tomcat.connector.clientAuth>
<cargo.tomcat.connector.sslProtocol>TLS</cargo.tomcat.connector.sslProtocol>
<cargo.tomcat.connector.keystoreFile>${project.basedir}/conf/tomcatkeystore</cargo.tomcat.connector.keystoreFile>
<cargo.tomcat.connector.keystorePass>changeit</cargo.tomcat.connector.keystorePass>
<cargo.tomcat.connector.keyAlias>127.0.0.1</cargo.tomcat.connector.keyAlias>
<cargo.tomcat.httpSecure>true</cargo.tomcat.httpSecure>

Still inside the cargo.run profile, add the following system properties to plugin/configuration/container/systemProperties:

<javax.net.ssl.trustStore>${project.basedir}/conf/tomcattruststore</javax.net.ssl.trustStore>
<javax.net.ssl.trustStorePassword>changeit</javax.net.ssl.trustStorePassword>

Build your project.

Configure Hippo's Delivery Tier

Run your project.

Point your web browser to the console at:

https://localhost:8443/cms/console/

Login as admin and browse to the node /hst:hst/hst:hosts.

Set the property hst:scheme to https:

/hst:hst/hst:hosts
  - hst:scheme = https

Browse to the node /hst:hst/hst:hosts/dev-localhost.

Update the hst:cmslocation and hst:defaultport properties to use the HTTPS protocol and port 8443.

/hst:hst/hst:hosts/dev-localhost
  - hst:cmslocation = https://localhost:8443/cms
  - hst:defaultport = 8443

Browse to the node /hippo:configuration/hippo:frontend/cms/cms-services/hstRestProxyService.

Update the rest.uri property to use the HTTPS protocol and port 8443:

/hippo:configuration/hippo:frontend/cms/cms-services/hstRestProxyService
  - rest.uri = https://127.0.0.1:8443/site/_cmsrest

Write your changes to the repository.

Point your browser to the CMS at:

https://localhost:8443/cms/

Verify that the channel manager is working. If not double-check the hstRestProxyService configuration.

Did you find this page helpful?
How could this documentation serve you better?
On this page
    Did you find this page helpful?
    How could this documentation serve you better?