Comment: Migrated to Confluence 5.3
Enabling SSL for Services

Warning

Do not use the Web Administration Console to SSL enable the DDF services. While the Web Administration Console's Pax Web Runtime offers this configuration option, it has proven to be unreliable and may crash the system.

 

Edit the provided configuration file <DDF_INSTALL_DIR>/etc/org.ops4j.pax.web.cfg with the settings for the desired configuration.

Pax Web Configuration Settings

| Property | Sample Value | Description |
|---|---|---|
| org.osgi.service.http.enabled | false | Set this to false to disable HTTP without SSL |
| org.osgi.service.http.secure.enabled | true | Set this to true to SSL enable the DDF services |
| org.osgi.service.http.port.secure | 8993 | Set this to the HTTPS port number. (Verify this port does not conflict with any other secure ports being used in the network. For example, JBoss and other application servers use port 8443 by default) |
| org.ops4j.pax.web.ssl.keystore.type | jks | Set this to the type of keystore (most likely jks) |
| org.ops4j.pax.web.ssl.keystore | /opt/ddf/keystore.jks | Set this to the fully-qualified path to the SSL keystore file |
| org.ops4j.pax.web.ssl.keypassword | password1 | Set this to the password for the user's private key |
| org.ops4j.pax.web.ssl.password | password2 | Set this to the password for overall keystore integrity checking |

Here is an example .cfg file:

Code Block
######################
# HTTP settings
######################

# Disable HTTP
org.osgi.service.http.enabled=false

# HTTP port number
org.osgi.service.http.port=8181


######################
# HTTPS settings
######################

# Enable HTTPS
org.osgi.service.http.secure.enabled=true

# HTTPS port number
# (Verify this port does not conflict with any other secure ports being used in the
# network. For example, JBoss and other application servers use port 8443 by default)

org.osgi.service.http.port.secure=8993

# Fully-qualified path to the SSL keystore
org.ops4j.pax.web.ssl.keystore=/opt/ddf/keystore.jks

# SSL Keystore Type
org.ops4j.pax.web.ssl.keystore.type=jks

# Keystore Integrity Password
org.ops4j.pax.web.ssl.password=abc123

# Private Key Password
org.ops4j.pax.web.ssl.keypassword=abc123

 

 

Note

All .cfg files follow a strict formatting structure in that every entry is a key=value pair. There should be no whitespace before the key, around the equals sign (=), or after the value. Otherwise, the key or value may be misinterpreted.

Also take care if .cfg files originated on an operating system other than the operating system DDF is currently running on. Hidden characters, e.g., ^M, can be added during the file transfer between the operating systems. This occurs often when a DDF zip install file from a Unix operating system is transferred to a Windows operating system and installed.
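
The formatting rules in the note above can be checked mechanically before the file is deployed. The linter below is an added example, not part of the DDF documentation or distribution; the function name `lint_cfg`, the `REQUIRED_KEYS` list (taken from the settings table on this page) and the sample bytes are constructed for illustration.

```python
# Keys this page's table lists for an HTTPS-enabled Pax Web configuration.
REQUIRED_KEYS = (
    "org.osgi.service.http.secure.enabled",
    "org.osgi.service.http.port.secure",
    "org.ops4j.pax.web.ssl.keystore.type",
    "org.ops4j.pax.web.ssl.keystore",
    "org.ops4j.pax.web.ssl.keypassword",
    "org.ops4j.pax.web.ssl.password",
)

def lint_cfg(data: bytes):
    """Return (settings, problems); problems are (line_no, message), line 0 = whole file."""
    settings, problems = {}, []
    # Read raw bytes so a trailing carriage return (^M) is not hidden by text mode.
    for no, raw in enumerate(data.split(b"\n"), start=1):
        if raw.endswith(b"\r"):
            problems.append((no, "carriage return (^M) at end of line"))
            raw = raw[:-1]
        line = raw.decode("utf-8", errors="replace")
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        if "=" not in line:
            problems.append((no, "not a key=value pair"))
            continue
        key, value = line.split("=", 1)
        if key != key.lstrip():
            problems.append((no, "whitespace before key"))
        if key != key.rstrip() or value != value.lstrip():
            problems.append((no, "whitespace around '='"))
        if value != value.rstrip():
            problems.append((no, "whitespace after value"))
        settings[key.strip()] = value.strip()
    for key in REQUIRED_KEYS:
        if key not in settings:
            problems.append((0, f"missing {key}"))
    if settings.get("org.osgi.service.http.secure.enabled") != "true":
        problems.append((0, "HTTPS is not enabled"))
    return settings, problems

# Constructed sample: CRLF line endings plus each whitespace mistake the note describes.
SAMPLE = (
    b"# Enable HTTPS\r\n"
    b"org.osgi.service.http.secure.enabled = true\r\n"
    b"org.osgi.service.http.port.secure=8993 \n"
    b" org.ops4j.pax.web.ssl.keystore=/opt/ddf/keystore.jks\n"
)

if __name__ == "__main__":
    for line_no, message in lint_cfg(SAMPLE)[1]:
        print(f"line {line_no}: {message}")
```

To check a real file, pass `open(path, "rb").read()` so that line endings reach the linter unmodified.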

Note

Optional: Disable HTTP for the DDF services and only use HTTPS by setting the org.osgi.service.http.enabled property to false. After this, all DDF clients need to pass the appropriate certificates.

Reference

Configuring a Java Keystore for Secure Communications

Additional Pax-Web SSL configuration info: http://team.ops4j.org/wiki/display/paxweb/SSL+Configuration