Native support for SSL communication

Rosetta 6.0 supports native SSL communication for non-load-balancer topologies. To install and configure SSL support, follow these steps on each server.

1. Prepare the Certificate Keystore

In order to implement SSL, Rosetta needs a JKS format keystore. To create a new JKS from scratch, containing a single self-signed certificate, execute the following command:

$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore <path/to/keystoreFile.jks>

You will be prompted for general information about this certificate, such as company, contact name, and so on. In the “first and last name” field, enter the server name. This command creates a keystoreFile.jks file that stores the server’s private key and a self-signed certificate. A self-signed certificate is suitable only for testing. To obtain a CA-issued certificate and import it into the keystore, follow the instructions here. If you already have a certificate, you will need to import it into a JKS. For example:

  • Export your private key, certificate and CA certificate into a PKCS12 file by executing the following command:
    openssl pkcs12 -export -in <certFile.crt> -inkey <keyFile.key> -chain -CAfile <caCertFile.crt> -out <keystoreFile.p12> -name tomcat -caname root

    When you execute the command, you’ll be asked for a password for the PKCS12 keystore. changeit is the default password that Tomcat expects. Once the command has completed, verify that keystoreFile.p12 exists.

  • Import the PKCS12 file into a new JKS by executing the following command:
    keytool -importkeystore -deststorepass <keystorePassword> -destkeystore <path/to/keystoreFile.jks> -srckeystore <keystoreFile.p12> -srcstoretype PKCS12 -alias tomcat

Now your JKS (keystoreFile.jks) is ready.

2. Update the global.properties

Under /exlibris/dps/d4_1/system.dir/conf, edit the following properties in the global.properties file:

# Native SSL properties

native.ssl=true
native.ssl.keystore.path=<path/to/keystoreFile.jks>
native.ssl.keystore.password=<keystorePassword>

# HTTPS Protocol 

protocol.del=https
protocol.dep=https
protocol.per=https
protocol.rep=https

# Port 8443

ssl.port=8443
load.balancer.del= load.balancer.del.host\:8443
load.balancer.del.port=8443
load.balancer.dep= load.balancer.dep.host\:8443
load.balancer.dep.port=8443
load.balancer.idx= load.balancer.idx.host\:8443
load.balancer.idx.port=8443
load.balancer.per= load.balancer.per.host\:8443
load.balancer.per.port=8443
load.balancer.rep= load.balancer.rep.host\:8443
load.balancer.rep.port=8443

# For PDS Use

ssl.flag=Y

3. Run Rosettings
>> dps_bin
>> rosettings.csh 
What would you like to do? 
[1] Update gateway details  <----
[2] Update server name
[3] Update pds server details
[4] Update database passwords
[5] Exit.

Choose option [1].
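Before running rosettings it is worth sanity-checking the global.properties edits from step 2. The following is an added example, not Ex Libris code: it reads the file's Java .properties syntax (including the \: escape in the load.balancer.* values) and flags keys that would leave a component on plain HTTP or on a port other than ssl.port. SAMPLE is a constructed copy of the step 2 settings with protocol.rep deliberately left on http, and the keystore-existence check is injectable so the sample runs without a real keystore.

```python
import os
import re

PROTO_KEYS = ["protocol.del", "protocol.dep", "protocol.per", "protocol.rep"]
LB_ROLES = ["del", "dep", "idx", "per", "rep"]

# Constructed sample laid out like the post, with protocol.rep left on http.
SAMPLE = ("native.ssl=true\nnative.ssl.keystore.path=/tmp/keystoreFile.jks\n"
          "native.ssl.keystore.password=changeit\nssl.port=8443\nssl.flag=Y\n"
          "protocol.del=https\nprotocol.dep=https\nprotocol.per=https\n"
          "protocol.rep=http\n" + "".join(
              f"load.balancer.{r}= load.balancer.{r}.host\\:8443\n"
              f"load.balancer.{r}.port=8443\n" for r in LB_ROLES))

def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, 'key=value' or
    'key:value', and backslash escapes such as '\\:' inside values."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2)).strip()
    return props

def check_ssl_config(props, keystore_exists=os.path.isfile):
    """Return the list of problems found; empty means the SSL keys are consistent."""
    problems = []
    if props.get("native.ssl") != "true":
        problems.append("native.ssl is not 'true'")
    ks = props.get("native.ssl.keystore.path", "")
    if not ks or not keystore_exists(ks):
        problems.append(f"keystore file not found: {ks!r}")
    if not props.get("native.ssl.keystore.password"):
        problems.append("native.ssl.keystore.password is empty")
    if props.get("ssl.flag") != "Y":
        problems.append("ssl.flag must be Y for PDS")
    port = props.get("ssl.port", "")
    for k in PROTO_KEYS:
        if props.get(k) != "https":
            problems.append(f"{k} is {props.get(k)!r}, expected 'https'")
    for r in LB_ROLES:
        if not props.get(f"load.balancer.{r}", "").endswith(":" + port):
            problems.append(f"load.balancer.{r} does not end in :{port}")
        if props.get(f"load.balancer.{r}.port") != port:
            problems.append(f"load.balancer.{r}.port differs from ssl.port")
    return problems

if __name__ == "__main__":
    print(check_ssl_config(parse_properties(SAMPLE), keystore_exists=lambda _: True))
```

To check a real server, pass the contents of /exlibris/dps/d4_1/system.dir/conf/global.properties to parse_properties and leave keystore_exists at its default so the keystore path is verified on disk.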

Once all servers are configured, you may start each server and you should be able to access Rosetta via SSL. For example: https://rosetta-example:8443/mng.

Good Luck!
