Hi,
Could you please provide your inputs on the below
1> what is adavantage of Configuring Mutual SSL Between Dispatcher and AEM as per http://docs.adobe.com/docs/en/dispatcher/disp-ssl.html#par_title_2.
trying to understand the reason, when user browser hits dispacther say https://www.abb.com it https by then ,
now what is the need to make request from dispacther from dispacther to AEM again ssl??
2> should i get spearate CA certificates for dispacther and cq instance, or just one certifacte for both will do??
https://docs.adobe.com/docs/en/dispatcher/disp-ssl.html#CREATING OR OBTAINING CA-SIGNED CERTIFICATES
If I have purchased ssl certificate from CA, THEN IN the folder
/usr/local/ssl/misc.
should i run the command ./CH.sh -newreq if not what are the exacat commands if I have thrid party CA certificate with me
3> Where does dispkey.pem present in Apache server
docs.adobe.com/docs/en/dispatcher/disp-ssl.html#Configuring SSL for the Dispatcher Module
4>http://docs.adobe.com/docs/en/dispatcher/disp-ssl.html#Adding the CA Cert to the Render's Truststore
What is the need of adding CA certificate to JVM???
5>I need to re-direct 301 at dispacther,i looking at when client browsers hit the dspacther it can redirect to https.
so what is the exact entry i will do for this activity in dispacther.any or any apache config files.could you provide the sinnpet.??
Things i have done:-
I have setup an redirect rule as per https://docs.adobe.com/docs/en/cq/5-6-1/deploying/config-ssl.html#Forcing the Use of the SSL Port
Click the /etc/map/http folder and click Create > Create Node:
Name: localhost.4502
Type: sling:mapping
Create the following property for this node:
Name: sling:redirect
Type: String
Value: https://localhost:5433
Name: sling:status
Type: Long
So i see that when the hit the url http://localhost:4502 it redirects to https://localhost:5433.
But I see that this is happening at AEM instance ,but instead want it at dispatcher level.how to do it??
6>
I have the CA certificate for SSL. as per https://docs.adobe.com/docs/en/cq/5-6-1/deploying/config-ssl.html#OBTAIN A CREDENTIAL FOR USE IN PRODUCTION
Now what is the order i should execute the commands the commands under the folder [quickstart_dir]/ssl
can i just run the below commands
command1
keytool -importcert -trustcacerts -file rootcert.pem -keystorekeystorename.keystore -alias root
command2
keytool -importcert -trustcacerts -file CACertificateName.crt -keystore keystorename.keystore
Or do I have run the below commands (command3 and command4) and then run the (command1 and command2) ,please suggest
command3
keytool -genkeypair -keyalg RSA -validity 3650 -alias cqse -keystore [quickstart_dir]/ssl/keystorename.keystore -keypass key_password -storepass storepassword -dname "CN=Host Name, OU=Group Name, O=Company Name,L=City Name, S=State, C=Country_ Code"
command4
keytool -certreq -alias "LC Cert" -keystorekeystorename.keystore -file LCcertRequest.csr
7.I need to move all the js , css and DAM images present in instance http://localhost to https://localhost ,how do i acheive it?
Solved! Go to Solution.
Views
Replies
Total Likes
Views
Replies
Total Likes
Views
Replies
Total Likes
Thanks Sham . Your above answers gave me a good overview.I have few more questions ,if you could help me on the same.
1>I would take this approach which in general people follow .
So like you mentioned if i take the approach "Generally browser to webserver or LB is secure afterwards it is non secure. since the request falls in your network."
1.1>Then all the security or rules must be added or tied only to webserver??
1.2>This means that i need not do any settings that is described as per http://docs.adobe.com/docs/en/dispatcher/disp-ssl.html,
i.e both "One-way SSL or Mutual SSL" is not required.
1.3> Please let me know if my understanding is correct , if i use above mentioned approach
request from browser to AEM
[ user Browser] ->HTTPS ....->[webserver or proxy setting configured with CA certificate Https] -> HTTP ...-> [Dispatcher]-> HTTP..-> [AEM ]
REQUEST FROM AEM to Browser
[ AEM] ->HTTP.. ->[Dispatcher] -> HTTP...->[webserver or proxy setting configured with CA certificate Https] -> HTTPS....-> [ user Browser]
1.4> What about rever replication data that go from Publish to author. so should we confgiure rever replication as HTTPS???
[AEM Publish] -> [HTTP...] -> [AEM Author]
4>Should i still add CA certificate to JVM???
5.1>Then I would have write re-direct 301 at webserver level and not at dispacther??
So refering to url http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html or https://www.sslshopper.com/apache-redirect-http-to-https.html this should be enough??
5.2>Then creating /etc/map/http and redirect rule as per https://docs.adobe.com/docs/en/cq/5-6-1/deploying/config-ssl.html#Forcing the Use of the SSL Port
mentioned in my previous thread will not required.
6> Then I need not do any of this steps mentioned in my previous thread.
7>The validation happens on security layer like you mentioned. With respect to my above approach mentioned in point 1 ,I need to have redirect rules at webserver and this will be taken care??
8> Incase I use one way or Mutual SSL i believe the round about time also takes more time compared to just HTTP.let me know your views.
Views
Replies
Total Likes
1.1>Then all the security or rules must be added or tied only to webserver??
1.2>This means that i need not do any settings that is described as per http://docs.adobe.com/docs/en/dispatcher/disp-ssl.html,
i.e both "One-way SSL or Mutual SSL" is not required.
1.3> Please let me know if my understanding is correct , if i use above mentioned approach
request from browser to AEM
[ user Browser] ->HTTPS ....->[webserver or proxy setting configured with CA certificate Https] -> HTTP ...-> [Dispatcher]-> HTTP..-> [AEM ]
REQUEST FROM AEM to Browser
[ AEM] ->HTTP.. ->[Dispatcher] -> HTTP...->[webserver or proxy setting configured with CA certificate Https] -> HTTPS....-> [ user Browser]
1.4> What about rever replication data that go from Publish to author. so should we confgiure rever replication as HTTPS???
[AEM Publish] -> [HTTP...] -> [AEM Author]
4>Should i still add CA certificate to JVM???
5.1>Then I would have write re-direct 301 at webserver level and not at dispacther??
So refering to url http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html or https://www.sslshopper.com/apache-redirect-http-to-https.html this should be enough??
5.2>Then creating /etc/map/http and redirect rule as per https://docs.adobe.com/docs/en/cq/5-6-1/deploying/config-ssl.html#Forcing the Use of the SSL Port
mentioned in my previous thread will not required.
6> Then I need not do any of this steps mentioned in my previous thread.
7>The validation happens on security layer like you mentioned. With respect to my above approach mentioned in point 1 ,I need to have redirect rules at webserver and this will be taken care??
8> Incase I use one way or Mutual SSL i believe the round about time also takes more time compared to just HTTP.let me know your views.
Note:-
Views
Replies
Total Likes
Thanks Sham for answering point to point.
Could you please provide your views on my below quries
1> For the configuration
[ user Browser] ->HTTPS ....->[Apache reverse proxy server (CA certificate added here)] ->HTTP...-> [Apache web server ] -> HTTP..[Dispatcher]
1.1>Since I thought of adding CA certificate to Apache proxy server so adding the redirect rule ( http to https ) in Proxy server is it the best way ?? or moving to Apache web-server is better way ??
1.2> In case we go with Proxy server 301 redirect ,now as per http://wiki.apache.org/httpd/RedirectSSL where they have suggested Using virtual hosts (using redirect) instead of mod_rewrite is better
Do you see if the rules mentioned at http://nefaria.com/2014/01/redirect-http-to-https-for-multiple-virtualhosts-in-apache/ should be enough
I have SSL certitificate that I am planning to add it to http://www.ccc.com ,should I need to buy separate SSL certificate for http://aa.bb.com and http://hh.kk.com to make it SSL??
3> I was going through the article about SPDY mentioned below. Has it do anything with HTTP to HTTPS movement ?? or is it a better protocol??
http://blog.teamtreehouse.com/making-the-web-faster-with-spdy
Also i see that it is going to get replaced with http://blog.chromium.org/2015/02/hello-http2-goodbye-spdy-http-is_9.html -
Views
Replies
Total Likes
Any inputs on my below query??
Views
Replies
Total Likes
Views
Likes
Replies
Views
Like
Replies