Native support for SSL communication
Rosetta 6.0 supports native SSL communication for non-load-balancer topologies. To install and configure SSL support, follow these steps on each server.
1. Prepare the Certificate Keystore
In order to implement SSL, Rosetta needs a JKS format keystore. To create a new JKS from scratch, containing a single self-signed certificate, execute the following command:
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore <path/to/keystoreFile.jks>
You will be prompted for general information about this certificate, such as company, contact name, and so on. In the “first and last name” field, enter the server name. This command creates a keystoreFile.jks file which stores the server’s private key and a self-signed certificate. This is only suitable for testing scenarios. To obtain a certificate and import it into the keystore, follow the instructions here. If you already have a certificate, you will need to import it into a JKS. For example:
- Export your private key, certificate and ca-certificate into a PKCS12 file by executing the following command:
openssl pkcs12 -export -in <certFile.crt> -inkey <keyFile.key> -chain -CAfile <caCertFile.crt> -out <keystoreFile.p12> -name tomcat -caname root
When you execute the command, you’ll be asked for a password for the PKCS12 keystore. changeit is the default password that Tomcat expects. Once the command has completed, verify that keystoreFile.p12 exists.
- Import the PKCS12 file into a new JKS by executing the following command:
keytool -importkeystore -deststorepass <keystorePassword> -destkeystore <path/to/keystoreFile.jks> -srckeystore <keystoreFile.p12> -srcstoretype PKCS12 -alias tomcat
Now your JKS (keystoreFile.jks) is ready.
2. Update the global.properties
Under /exlibris/dps/d4_1/system.dir/conf, edit the following properties in the global.properties file:
# Native SSL properties
native.ssl=true
native.ssl.keystore.path=<path/to/keystoreFile.jks>
native.ssl.keystore.password=<keystorePassword>
# HTTPS Protocol
protocol.del=https
protocol.dep=https
protocol.per=https
protocol.rep=https
# Port 8443
ssl.port=8443
load.balancer.del=load.balancer.del.host\:8443
load.balancer.del.port=8443
load.balancer.dep=load.balancer.dep.host\:8443
load.balancer.dep.port=8443
load.balancer.idx=load.balancer.idx.host\:8443
load.balancer.idx.port=8443
load.balancer.per=load.balancer.per.host\:8443
load.balancer.per.port=8443
load.balancer.rep=load.balancer.rep.host\:8443
load.balancer.rep.port=8443
# For PDS Use
ssl.flag=Y
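As an added consistency check that is not part of the Rosetta documentation, the following Python script reads a global.properties fragment and reports any setting that contradicts the native SSL configuration above (a protocol left on http, a load balancer entry whose port differs from ssl.port, a missing keystore path or password). The sample fragment, hostname and keystore path are constructed for the example; the key names are those from the properties listed above.

```python
import re
# Constructed global.properties fragment (not a real Rosetta file); the two rep entries are deliberately wrong.
SAMPLE = """\
native.ssl=true
native.ssl.keystore.path=/exlibris/dps/d4_1/system.dir/conf/keystoreFile.jks
native.ssl.keystore.password=changeit
protocol.del=https
protocol.dep=https
protocol.per=https
protocol.rep=http
ssl.port=8443
load.balancer.del=rosetta-example\\:8443
load.balancer.del.port=8443
load.balancer.rep=rosetta-example\\:8080
load.balancer.rep.port=8443
ssl.flag=Y
"""

def parse_properties(text):
    """Read the key=value subset of java.util.Properties, undoing \\: style escapes."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":  # skip blank lines and comments
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = re.sub(r"\\(.)", r"\1", value.strip())
    return props

def check_native_ssl(props):
    """Return findings that contradict the native SSL settings; [] means consistent."""
    findings = []
    if props.get("native.ssl") != "true":
        findings.append("native.ssl is not true")
    for key in ("native.ssl.keystore.path", "native.ssl.keystore.password"):
        if not props.get(key):
            findings.append(f"{key} is empty")
    port = props.get("ssl.port", "")
    for svc in ("del", "dep", "per", "rep"):
        if props.get(f"protocol.{svc}") != "https":
            findings.append(f"protocol.{svc} is not https")
    for svc in ("del", "dep", "idx", "per", "rep"):
        lb, lb_port = props.get(f"load.balancer.{svc}"), props.get(f"load.balancer.{svc}.port")
        if lb is not None and not lb.endswith(":" + port):
            findings.append(f"load.balancer.{svc} does not end with :{port}")
        if lb_port is not None and lb_port != port:
            findings.append(f"load.balancer.{svc}.port differs from ssl.port")
    if props.get("ssl.flag") != "Y":
        findings.append("ssl.flag is not Y")
    return findings
```

Run it against the real file with `check_native_ssl(parse_properties(open(path).read()))` after editing; an empty list means the SSL keys agree with each other.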
3. Run Rosettings
>> dps_bin
>> rosettings.csh
What would you like to do?
[1] Update gateway details <----
[2] Update server name
[3] Update pds server details
[4] Update database passwords
[5] Exit.
Choose option [1].
Once all servers are configured, you may start each server and should be able to access Rosetta via SSL. For example: https://rosetta-example:8443/mng.
Good Luck!