Expand my Community achievements bar.

SOLVED

Website Http to HTTPS movement

Avatar

Level 3

Hi,

 

Could you please provide your inputs on the below

 

1> what is adavantage of Configuring Mutual SSL Between Dispatcher and AEM as per http://docs.adobe.com/docs/en/dispatcher/disp-ssl.html#par_title_2.

trying to understand the reason, when user browser hits dispacther say https://www.abb.com it https by then ,
now what is the need to make request from dispacther from dispacther to AEM again ssl??

2> should i get spearate CA certificates for dispacther and cq instance, or just one certifacte for both will do??
https://docs.adobe.com/docs/en/dispatcher/disp-ssl.html#CREATING OR OBTAINING CA-SIGNED CERTIFICATES

If I have purchased ssl certificate from CA, THEN IN the folder

/usr/local/ssl/misc.

should i run the command ./CH.sh -newreq if not what are the exacat commands if I have thrid party CA certificate with me


3> Where does dispkey.pem present in Apache server

docs.adobe.com/docs/en/dispatcher/disp-ssl.html#Configuring SSL for the Dispatcher Module


4>http://docs.adobe.com/docs/en/dispatcher/disp-ssl.html#Adding the CA Cert to the Render's Truststore

What is the need of adding CA certificate to JVM???

 


5>I need to re-direct 301 at dispacther,i looking at when client browsers hit the dspacther it can redirect to https. 
so what is the exact entry i will do for this activity in dispacther.any or any apache config files.could you provide the sinnpet.??

Things i have done:-
I have setup an redirect rule as per https://docs.adobe.com/docs/en/cq/5-6-1/deploying/config-ssl.html#Forcing the Use of the SSL Port

Click the /etc/map/http folder and click Create > Create Node:


Name: localhost.4502
Type: sling:mapping
Create the following property for this node:

Name: sling:redirect
Type: String
Value: https://localhost:5433

Name: sling:status
Type: Long


So i see that when the hit the url http://localhost:4502 it redirects to https://localhost:5433.

But I see that this is happening at AEM instance ,but instead want it at dispatcher level.how to do it??

6>
I have the CA certificate for SSL. as per https://docs.adobe.com/docs/en/cq/5-6-1/deploying/config-ssl.html#OBTAIN A CREDENTIAL FOR USE IN PRODUCTION

Now what is the order i should execute the commands the commands under the folder [quickstart_dir]/ssl 

can i just run the below commands

command1
keytool -importcert -trustcacerts -file rootcert.pem -keystorekeystorename.keystore -alias root

command2
keytool -importcert -trustcacerts -file CACertificateName.crt -keystore keystorename.keystore

Or do I have run the below commands (command3 and command4) and then run the (command1 and command2) ,please suggest

command3
keytool -genkeypair -keyalg RSA -validity 3650 -alias cqse -keystore [quickstart_dir]/ssl/keystorename.keystore -keypass key_password -storepass storepassword -dname "CN=Host Name, OU=Group Name, O=Company Name,L=City Name, S=State, C=Country_ Code"

command4
keytool -certreq -alias "LC Cert" -keystorekeystorename.keystore -file LCcertRequest.csr

7.I need to move all the js , css and DAM images present in instance http://localhost to https://localhost ,how do i acheive it?

1 Accepted Solution

Avatar

Correct answer by
Level 10
  1. It deponds on your requirement
    • Generally browser to webserver or LB is secure afterwards it is non secure. since the request falls in your network. Majority of customer falls here.
    • If you still want to secure till the end. There are two ways
      • AEM configure https & dispatcher usl ssl package and in render section set a flag secure to 1.  Very few customer use this.  (I hope for you this might be a fir)
      • Another option is Mutual SSL that is two way & less than 1% customer I have see using this.
  2. If you are still planning for mutual SSL then you need 2 certificate and you can't use the same.
  3. If you are still planning for mutual SSL you can place pem anywhere but in dispatcher config specify accordingly
  4. When secure request comes in aem deponds on jvm to check the certificate.  For the jvm to validate you need to add into trust store. Most customer have own ca & good to add into jvm trust store.
  5. In the render section of dispatcher.any for secure port add additional entry /secure to 1
  6. The output of 3 & 4 you pass to ca to certify & then execute 1 & 2. Ideally you will use all commands unless you get from different departments.   It really deponds on your security process.
  7. Genrally both secure and non secure use same cache directory & no need to move anything. The validation happens on security layer.

View solution in original post

5 Replies

Avatar

Correct answer by
Level 10
  1. It deponds on your requirement
    • Generally browser to webserver or LB is secure afterwards it is non secure. since the request falls in your network. Majority of customer falls here.
    • If you still want to secure till the end. There are two ways
      • AEM configure https & dispatcher usl ssl package and in render section set a flag secure to 1.  Very few customer use this.  (I hope for you this might be a fir)
      • Another option is Mutual SSL that is two way & less than 1% customer I have see using this.
  2. If you are still planning for mutual SSL then you need 2 certificate and you can't use the same.
  3. If you are still planning for mutual SSL you can place pem anywhere but in dispatcher config specify accordingly
  4. When secure request comes in aem deponds on jvm to check the certificate.  For the jvm to validate you need to add into trust store. Most customer have own ca & good to add into jvm trust store.
  5. In the render section of dispatcher.any for secure port add additional entry /secure to 1
  6. The output of 3 & 4 you pass to ca to certify & then execute 1 & 2. Ideally you will use all commands unless you get from different departments.   It really deponds on your security process.
  7. Genrally both secure and non secure use same cache directory & no need to move anything. The validation happens on security layer.

Avatar

Level 3

Thanks Sham . Your above answers gave me a good overview.I have few more questions ,if you could help me on the same.

1>I would take this approach which in general people follow .
So like you mentioned if i take the approach  "Generally browser to webserver or LB is secure afterwards it is non secure. since the request falls in your network."

 1.1>Then all the security or rules must be added or tied only to webserver??
 1.2>This means that i need not do any settings that is described as per http://docs.adobe.com/docs/en/dispatcher/disp-ssl.html,
     i.e both "One-way SSL or Mutual SSL" is not required.

 1.3> Please let me know if my understanding is correct , if i use above  mentioned approach
   request from browser to AEM
   [ user Browser] ->HTTPS ....->[webserver or proxy setting configured  with CA certificate Https] -> HTTP ...-> [Dispatcher]-> HTTP..-> [AEM ]

   REQUEST FROM AEM to Browser
   [ AEM] ->HTTP.. ->[Dispatcher] -> HTTP...->[webserver or proxy setting configured  with CA certificate Https] -> HTTPS....-> [ user Browser]  
 
 1.4> What about rever replication data that go from Publish to  author. so should we confgiure rever replication  as HTTPS???
    [AEM Publish] -> [HTTP...] -> [AEM Author]
 
 
4>Should i still  add CA certificate to JVM???
5.1>Then I would have write re-direct 301 at webserver  level and not at dispacther??
 So refering to url  http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html   or  https://www.sslshopper.com/apache-redirect-http-to-https.html  this should be enough??
5.2>Then creating  /etc/map/http and  redirect rule as per https://docs.adobe.com/docs/en/cq/5-6-1/deploying/config-ssl.html#Forcing the Use of the SSL Port
   mentioned in my previous thread will not required.
   
 
6> Then I need not do any  of this steps mentioned in my previous thread.
7>The validation happens on security layer like you mentioned. With respect to my above approach mentioned in point 1 ,I need to have redirect rules at webserver and this will be taken care??
8> Incase I use one way or Mutual SSL i believe the round about time also takes more time compared to just HTTP.let me know your views.
  

Avatar

Level 10

1.1>Then all the security or rules must be added or tied only to webserver??

  • Yes that is right webserver takes care of it.

 1.2>This means that i need not do any settings that is described as per http://docs.adobe.com/docs/en/dispatcher/disp-ssl.html,
     i.e both "One-way SSL or Mutual SSL" is not required.

  • That is correct.  

 1.3> Please let me know if my understanding is correct , if i use above  mentioned approach
   request from browser to AEM
   [ user Browser] ->HTTPS ....->[webserver or proxy setting configured  with CA certificate Https] -> HTTP ...-> [Dispatcher]-> HTTP..-> [AEM ]

   REQUEST FROM AEM to Browser
   [ AEM] ->HTTP.. ->[Dispatcher] -> HTTP...->[webserver or proxy setting configured  with CA certificate Https] -> HTTPS....-> [ user Browser]  

  •  That is correct

 1.4> What about rever replication data that go from Publish to  author. so should we confgiure rever replication  as HTTPS???
    [AEM Publish] -> [HTTP...] -> [AEM Author]

  •  No need

4>Should i still  add CA certificate to JVM???

  • Not required to add jvm because certificate is truncated at webserver.

5.1>Then I would have write re-direct 301 at webserver  level and not at dispacther??
 So refering to url  http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html   or  https://www.sslshopper.com/apache-redirect-http-to-https.html  this should be enough??

  • Yes it is at webserver level.

5.2>Then creating  /etc/map/http and  redirect rule as per https://docs.adobe.com/docs/en/cq/5-6-1/deploying/config-ssl.html#Forcing the Use of the SSL Port
   mentioned in my previous thread will not required.

  •    That is correct

6> Then I need not do any  of this steps mentioned in my previous thread.

  • That is correct

7>The validation happens on security layer like you mentioned. With respect to my above approach mentioned in point 1 ,I need to have redirect rules at webserver and this will be taken care??

  • Yes

8> Incase I use one way or Mutual SSL i believe the round about time also takes more time compared to just HTTP.let me know your views.

  • Yes it take more but it is very negligible.

Note:- 

  • With above config based on aem version you might hit an issue some times https is converted into http. There were some known issue but is fixed & reach out to daycare if you encounter such issue. 
  • Make sure to validate with your customers or your security department. The policy are taken care and not violating any rules.

Avatar

Level 3

Thanks Sham for answering point to point.

Could you please provide your views on my below quries

1> For  the configuration

[ user Browser] ->HTTPS ....->[Apache reverse  proxy server (CA certificate added here)] ->HTTP...-> [Apache web server  ] -> HTTP..[Dispatcher]

 1.1>Since I thought of adding CA certificate to Apache proxy server so adding the redirect rule ( http to https ) in Proxy server is it the best way ?? or moving to Apache  web-server is  better way ??

1.2>  In case we go with Proxy server  301 redirect ,now as per http://wiki.apache.org/httpd/RedirectSSL  where they have suggested  Using virtual hosts (using redirect) instead of mod_rewrite is better

Do you see if the rules  mentioned at    http://nefaria.com/2014/01/redirect-http-to-https-for-multiple-virtualhosts-in-apache/ should be enough

2> If the site had 3 domain mentioned   mapped on proxy server rule where  user hits the url 
 
 

I have SSL certitificate that I am planning to add it to http://www.ccc.com  ,should  I need to buy separate SSL certificate for  http://aa.bb.com  and http://hh.kk.com to make  it SSL??

 

3> I was going through the article  about SPDY  mentioned below. Has it do anything with HTTP to HTTPS movement ?? or is it a better protocol??

http://blog.teamtreehouse.com/making-the-web-faster-with-spdy

Also  i see that it is going to get   replaced with http://blog.chromium.org/2015/02/hello-http2-goodbye-spdy-http-is_9.html  -

 

Avatar

Level 3

Any inputs on my below query??