SOLVED

Website Http to HTTPS movement


Level 3

Hi,

Could you please provide your inputs on the below.


1> What is the advantage of configuring mutual SSL between Dispatcher and AEM as per http://docs.adobe.com/docs/en/dispatcher/disp-ssl.html#par_title_2?

I am trying to understand the reason: when the user's browser hits the dispatcher, say https://www.abb.com, it is already HTTPS by then,
so what is the need to make the request from the dispatcher to AEM over SSL again??

2> Should I get separate CA certificates for the dispatcher and the CQ instance, or will just one certificate for both do??
https://docs.adobe.com/docs/en/dispatcher/disp-ssl.html#CREATING OR OBTAINING CA-SIGNED CERTIFICATES

If I have purchased an SSL certificate from a CA, then in the folder

/usr/local/ssl/misc

should I run the command ./CH.sh -newreq? If not, what are the exact commands if I have a third-party CA certificate with me?


3> Where is dispkey.pem present on the Apache server?

docs.adobe.com/docs/en/dispatcher/disp-ssl.html#Configuring SSL for the Dispatcher Module


4> http://docs.adobe.com/docs/en/dispatcher/disp-ssl.html#Adding the CA Cert to the Render's Truststore

What is the need of adding the CA certificate to the JVM???

5> I need to do a 301 redirect at the dispatcher; I am looking at having the dispatcher redirect to https when client browsers hit it.
So what is the exact entry I need for this in dispatcher.any or any Apache config files? Could you provide the snippet??

Things I have done:-
I have set up a redirect rule as per https://docs.adobe.com/docs/en/cq/5-6-1/deploying/config-ssl.html#Forcing the Use of the SSL Port

Click the /etc/map/http folder and click Create > Create Node:


Name: localhost.4502
Type: sling:mapping
Create the following property for this node:

Name: sling:redirect
Type: String
Value: https://localhost:5433

Name: sling:status
Type: Long


So I see that when I hit the URL http://localhost:4502 it redirects to https://localhost:5433.

But I see that this is happening at the AEM instance; instead I want it at the dispatcher level. How do I do it??

6>
I have the CA certificate for SSL, as per https://docs.adobe.com/docs/en/cq/5-6-1/deploying/config-ssl.html#OBTAIN A CREDENTIAL FOR USE IN PRODUCTION

Now in what order should I execute the commands under the folder [quickstart_dir]/ssl?

Can I just run the below commands?

command1
keytool -importcert -trustcacerts -file rootcert.pem -keystore keystorename.keystore -alias root

command2
keytool -importcert -trustcacerts -file CACertificateName.crt -keystore keystorename.keystore

Or do I have to run the below commands (command3 and command4) first and then run command1 and command2? Please suggest.

command3
keytool -genkeypair -keyalg RSA -validity 3650 -alias cqse -keystore [quickstart_dir]/ssl/keystorename.keystore -keypass key_password -storepass storepassword -dname "CN=Host Name, OU=Group Name, O=Company Name, L=City Name, S=State, C=Country_Code"

command4
keytool -certreq -alias "LC Cert" -keystore keystorename.keystore -file LCcertRequest.csr

7. I need to move all the JS, CSS and DAM images present in the instance http://localhost to https://localhost. How do I achieve it?

1 Accepted Solution


Correct answer by
Level 10
  1. It depends on your requirement.
    • Generally browser to webserver or LB is secure; afterwards it is non-secure, since the request falls in your network. The majority of customers fall here.
    • If you still want to secure till the end, there are two ways:
      • AEM configured for https & dispatcher using the SSL package, and in the render section set a flag secure to 1. Very few customers use this. (I hope for you this might be a fit.)
      • Another option is mutual SSL, that is two-way, & less than 1% of customers I have seen use this.
  2. If you are still planning for mutual SSL then you need 2 certificates and you can't use the same one.
  3. If you are still planning for mutual SSL you can place the pem anywhere, but specify it accordingly in the dispatcher config.
  4. When a secure request comes in, AEM depends on the JVM to check the certificate. For the JVM to validate it you need to add it into the trust store. Most customers have their own CA & it is good to add it into the JVM trust store.
  5. In the render section of dispatcher.any for the secure port, add an additional entry /secure set to 1.
  6. The output of 3 & 4 you pass to the CA to certify & then execute 1 & 2. Ideally you will use all the commands unless you get them from different departments. It really depends on your security process.
  7. Generally both secure and non-secure use the same cache directory & there is no need to move anything. The validation happens on the security layer.


5 Replies


Level 3

Thanks Sham. Your above answers gave me a good overview. I have a few more questions, if you could help me on the same.

1> I would take the approach which people generally follow.
So, like you mentioned, if I take the approach "Generally browser to webserver or LB is secure; afterwards it is non-secure, since the request falls in your network."

 1.1> Then all the security or rules must be added or tied only to the webserver??
 1.2> This means that I need not do any of the settings described at http://docs.adobe.com/docs/en/dispatcher/disp-ssl.html,
     i.e. neither "One-way SSL" nor "Mutual SSL" is required.

 1.3> Please let me know if my understanding is correct, if I use the above-mentioned approach:
   Request from browser to AEM
   [ user Browser] ->HTTPS ....->[webserver or proxy setting configured with CA certificate Https] -> HTTP ...-> [Dispatcher]-> HTTP..-> [AEM ]

   Request from AEM to browser
   [ AEM] ->HTTP.. ->[Dispatcher] -> HTTP...->[webserver or proxy setting configured with CA certificate Https] -> HTTPS....-> [ user Browser]

 1.4> What about reverse replication data that goes from Publish to Author? So should we configure reverse replication as HTTPS???
    [AEM Publish] -> [HTTP...] -> [AEM Author]

4> Should I still add the CA certificate to the JVM???
5.1> Then I would have to write the 301 redirect at the webserver level and not at the dispatcher??
 So referring to the URLs http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html or https://www.sslshopper.com/apache-redirect-http-to-https.html, this should be enough??
5.2> Then creating /etc/map/http and the redirect rule as per https://docs.adobe.com/docs/en/cq/5-6-1/deploying/config-ssl.html#Forcing the Use of the SSL Port
   mentioned in my previous thread will not be required.

6> Then I need not do any of the steps mentioned in my previous thread.
7> The validation happens on the security layer, like you mentioned. With respect to my above approach mentioned in point 1, I need to have redirect rules at the webserver and this will be taken care of??
8> In case I use one-way or mutual SSL, I believe the round-about time is also higher compared to just HTTP. Let me know your views.


Level 10

1.1> Then all the security or rules must be added or tied only to the webserver??

  • Yes, that is right, the webserver takes care of it.

 1.2> This means that I need not do any of the settings described at http://docs.adobe.com/docs/en/dispatcher/disp-ssl.html,
     i.e. neither "One-way SSL" nor "Mutual SSL" is required.

  • That is correct.

 1.3> Please let me know if my understanding is correct, if I use the above-mentioned approach:
   Request from browser to AEM
   [ user Browser] ->HTTPS ....->[webserver or proxy setting configured with CA certificate Https] -> HTTP ...-> [Dispatcher]-> HTTP..-> [AEM ]

   Request from AEM to browser
   [ AEM] ->HTTP.. ->[Dispatcher] -> HTTP...->[webserver or proxy setting configured with CA certificate Https] -> HTTPS....-> [ user Browser]

  • That is correct.

 1.4> What about reverse replication data that goes from Publish to Author? So should we configure reverse replication as HTTPS???
    [AEM Publish] -> [HTTP...] -> [AEM Author]

  • No need.

4> Should I still add the CA certificate to the JVM???

  • Not required to add to the JVM because the certificate is truncated at the webserver.

5.1> Then I would have to write the 301 redirect at the webserver level and not at the dispatcher??
 So referring to the URLs http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html or https://www.sslshopper.com/apache-redirect-http-to-https.html, this should be enough??

  • Yes, it is at the webserver level.

5.2> Then creating /etc/map/http and the redirect rule as per https://docs.adobe.com/docs/en/cq/5-6-1/deploying/config-ssl.html#Forcing the Use of the SSL Port
   mentioned in my previous thread will not be required.

  • That is correct.

6> Then I need not do any of the steps mentioned in my previous thread.

  • That is correct.

7> The validation happens on the security layer, like you mentioned. With respect to my above approach mentioned in point 1, I need to have redirect rules at the webserver and this will be taken care of??

  • Yes.

8> In case I use one-way or mutual SSL, I believe the round-about time is also higher compared to just HTTP. Let me know your views.

  • Yes, it takes more, but it is very negligible.

Note:-

  • With the above config, based on the AEM version, you might hit an issue where sometimes https is converted into http. There were some known issues but they are fixed; reach out to Daycare if you encounter such an issue.
  • Make sure to validate with your customers or your security department that the policies are taken care of and you are not violating any rules.


Level 3

Thanks Sham for answering point to point.

Could you please provide your views on my below queries.

1> For the configuration

[ user Browser] ->HTTPS ....->[Apache reverse proxy server (CA certificate added here)] ->HTTP...-> [Apache web server ] -> HTTP..[Dispatcher]

 1.1> Since I thought of adding the CA certificate to the Apache proxy server, is adding the redirect rule (http to https) in the proxy server the best way?? Or is moving it to the Apache web server a better way??

1.2> In case we go with the proxy server 301 redirect, now as per http://wiki.apache.org/httpd/RedirectSSL they have suggested that using virtual hosts (using Redirect) instead of mod_rewrite is better.

Do you think the rules mentioned at http://nefaria.com/2014/01/redirect-http-to-https-for-multiple-virtualhosts-in-apache/ should be enough?

2> If the site has the 3 domains mentioned mapped in the proxy server rule where the user hits the URL:

I have an SSL certificate that I am planning to add to http://www.ccc.com. Should I need to buy separate SSL certificates for http://aa.bb.com and http://hh.kk.com to make them SSL??


3> I was going through the article about SPDY mentioned below. Does it have anything to do with the HTTP to HTTPS movement?? Or is it a better protocol??

http://blog.teamtreehouse.com/making-the-web-faster-with-spdy

Also I see that it is going to get replaced, per http://blog.chromium.org/2015/02/hello-http2-goodbye-spdy-http-is_9.html
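The webserver-level HTTP to HTTPS redirect discussed in points 5.1 and 1.2 above, as an added example that is not part of the thread: a VirtualHost Redirect on port 80 (the approach the Apache RedirectSSL wiki page recommends over mod_rewrite) and a TLS-terminating VirtualHost on 443 that passes plain HTTP to the dispatcher tier, matching the "secure to the webserver, non-secure inside the network" approach chosen above. The hostname www.example.com, the certificate paths and the backend address dispatcher.internal are placeholders.

```apache
# Added example, not from the thread. Requires mod_ssl, mod_proxy,
# mod_proxy_http and mod_headers to be loaded.

# Port 80: answer every request with a permanent (301) redirect to the same
# path on HTTPS. No content is served over plain HTTP, so there is nothing
# for the dispatcher to cache or redirect on this port.
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>

# Port 443: TLS terminates here (CA-signed certificate and chain installed
# on this host only); traffic continues over HTTP to the dispatcher.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/www.example.com.crt      # placeholder path
    SSLCertificateKeyFile   /etc/ssl/private/www.example.com.key    # placeholder path
    SSLCertificateChainFile /etc/ssl/certs/ca-chain.crt             # placeholder path

    # Tell the backend which scheme the client used, so that links and
    # redirects generated behind the proxy can stay on https://.
    RequestHeader set X-Forwarded-Proto "https"

    # Keep the original Host header so Sling mappings match the public name.
    ProxyPreserveHost On
    ProxyPass        / http://dispatcher.internal:80/
    ProxyPassReverse / http://dispatcher.internal:80/
</VirtualHost>
```

For several hostnames on the same proxy (the multiple-VirtualHost case linked in point 1.2), repeat the port-80 block once per ServerName with its own Redirect target rather than sharing one rewrite rule.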


Level 3

Any inputs on my below query??