SSL Enable Services
Enabling SSL for Services
Do not use the Web Administration Console to SSL-enable the DDF services. While the Web Administration Console's Pax Web Runtime offers this configuration option, it has proven to be unreliable and may crash the system.
Instead, edit the provided configuration file <DDF_INSTALL_DIR>/etc/org.ops4j.pax.web.cfg with the settings for the desired configuration.
Pax Web Configuration Settings
Property | Sample Value | Description |
---|---|---|
org.osgi.service.http.enabled | false | Set this to false to disable HTTP without SSL |
org.osgi.service.http.secure.enabled | true | Set this to true to SSL-enable the DDF services |
org.osgi.service.http.port.secure | 8993 | Set this to the HTTPS port number. |
org.ops4j.pax.web.ssl.keystore.type | jks | Set this to the type of keystore (most likely jks) |
org.ops4j.pax.web.ssl.keystore | /opt/ddf/keystore.jks | Set this to the fully-qualified path to the SSL keystore file |
org.ops4j.pax.web.ssl.keypassword | abc123 | Set this to the password for the user's private key |
org.ops4j.pax.web.ssl.password | abc123 | Set this to the password for overall keystore integrity checking |
Here is an example .cfg file (the sample values, including the abc123 passwords, are placeholders to be replaced with your own):

```properties
######################
# HTTP settings
######################

# Disable HTTP
org.osgi.service.http.enabled=false

# HTTP port number
org.osgi.service.http.port=8181

######################
# HTTPS settings
######################

# Enable HTTPS
org.osgi.service.http.secure.enabled=true

# HTTPS port number
# (Verify this port does not conflict with any other secure ports being used in the
# network. For example, JBoss and other application servers use port 8443 by default)
org.osgi.service.http.port.secure=8993

# Fully-qualified path to the SSL keystore
org.ops4j.pax.web.ssl.keystore=/opt/ddf/keystore.jks

# SSL keystore type
org.ops4j.pax.web.ssl.keystore.type=jks

# Keystore integrity password
org.ops4j.pax.web.ssl.password=abc123

# Private key password
org.ops4j.pax.web.ssl.keypassword=abc123
```
All .cfg files follow a strict formatting structure in that every entry is a key=value pair. There should be no whitespace before the key, around the equals sign (=), or after the value. Otherwise, the key or value may be misinterpreted.
Also take care if .cfg files originated on an operating system other than the operating system DDF is currently running on. Hidden characters, e.g., ^M, can be added during the file transfer between the operating systems. This occurs often when a DDF zip install file from a Unix operating system is transferred to a Windows operating system and installed.
Optional: Disable HTTP for the DDF services and only use HTTPS by setting the org.osgi.service.http.enabled property to false. After this, all DDF clients need to pass the appropriate certificates.
Reference
Configuring a Java Keystore for Secure Communications
Additional Pax-Web SSL configuration info: http://team.ops4j.org/wiki/display/paxweb/SSL+Configuration