SSL Installation on an Application Server Instance
You can install Portal Server in SSL mode which ensures a secure communication. You need to create a SSL-enabled instance of Application Server. You can install Portal Server using the Java ES installer, and point to the instance of the Application Server as the web container.
To Create an Application Server Instance on SSL Mode
-
Install Application Server and Directory Server using the Java ES installer.
-
Add valid certificates to the Application Server.
The certificate database is available in the /var/SUNWappserver/domains/domain1/config directory. The database files are key3.db and cert8.db.
-
Change to the config directory.
cd /var/SUNWappserver/domains/domain1/config
-
Create a password file, password, and specify the password.
-
Create a certificate signing request.
certutil -R -s "CN=node1.domain-name,OU=People,O=Portal, L=location,ST=state,C=country" -o certreq.pem -g 512 -d /var/SUNWappserver/domains/domain1/config -f password -a
This command creates a certificate request in the certreq.pem file. The certutil utility is located in the /usr/sfw/bin directory.
-
Send this certificate request to a Certificate Management Server (CMS) for approval.
-
After the certificate is approved, paste the contents of the approved certificate in a flat file on the Application Server machine. For example, the servercert.pem file.
-
Add this certificate to the database.
-
Change to the config directory of the Application Server.
cd /var/ApplicationServer_base/SUNWappserver/domains/domain1/config
Note –The servercert.pem file is also in the config directory.
-
Run the command:
certutil -A -n servercert -t "u,u,u" -d ApplicationServer_base/SUNWappserver/domains/domain1/config -a -i servercert.pem -f password
-
Add root ca to the database.
certutil -A -n rootca -t "TCu,TCu,TCuw" -d ApplicationServer_base/SUNWappserver/domains/domain1/config -a -i path_to_root_ca -f password
-
-
Log in to administrator console of the Application Server.
https://host.domain-name:4849
-
Select Configuration -> server-config -> HTTP Service -> HTTP Listeners -> http-listener-2.
Perform the following tasks:
-
Verify whether the security is enabled.
-
Verify whether the certificate nickname is servercert.
-
Enable SSL3.
-
Enable Transport Layer Security (TLS).
-
Select the All Cipher suites checkbox.
-
-
Restart the Application Server.
Because the Application Server is SSL enabled, you start the Java ES installer, Portal Server will not communicate with Application Server. You need to install root ca in the Java Development Kit (JDK) keystore of the hostname.
-
Install root ca in the JDK keystore of the hostname.
cd /usr/jdk/entsys-j2se/jre/lib/security /usr/jdk/entsys-j2se/jre/bin/keytool -keystore cacerts -keyalg RSA -import -trustcacerts -alias hostname -storepass store-password -file root-ca-CA
-
Invoke the Java ES installer and select Access Manager and Portal Server.
-
Specify valid protocol and port values wherever prompted.
To Install Portal Server on a Non-Default Application
Server 8.2 Instance
If you install Portal Server on Application Server using the Java ES installer, Portal Server is installed on a default instance of the Application Server on port 8080. This procedure describes to create a non-default Application Server instance and install Portal Server on it.
-
Run the Java ES installer to install Directory Server and Application Server.
-
Start Directory Server and Application Server.
-
Create a node agent, nodeagent.
ApplicationServer_base/SUNWappserver/bin/asadmin start-node-agent --user admin --password password --savemasterpassword=true nodeagent
-
Start the node agent.
ApplicationServer_base/SUNWappserver/bin/asadmin start-node-agent --user admin --password password nodeagent
-
Create the server instance server-instance on port 38080.
ApplicationServer_base/SUNWappserver/bin/asadmin create-instance --user admin --password password --node agent=nodeagent --port=38080 server-instance
-
Start the server instance.
ApplicationServer_base/SUNWappserver/bin/asadmin start-instance --user admin --password password server-instance
-
Start the Java ES installer and install Access Manager and Portal Server in the Configure Later mode.
-
Modify the amsamplesilent file and configure Access Manager.
On Solaris platform, the amsamplesilent file is located at the AccessManager_base/SUNWam/bin directory. In Linux, the file is located at the AccessManager_base/SUN/identity/bin directory.
-
Run the amconfig command.
See Appendix for more details on the amconfig file.
-
Restart the server instance.
-
Access the administrator console of the Access Manager.
http://host.domain-name:38080/amconsole
-
Modify the example14.xml file.
See Appendix for more details on the example14.xml file.
-
Configure the common agent container.
PortalServer_base/SUNWportal/bin/psconfig --config example14.xml
-
Restart Directory Server, Access Manager, Application Server, and Portal Server.
To Convert Portal Server to the Secure Mode on Application
Server 8.2
If you have already installed Directory Server, Access Manager, Web Server, and Portal Server on Application Server 8.2, use this procedure to convert Portal Server installation to the secure mode. In the Secure mode, the communication between the user and Portal Server is through the https protocol.
-
Install Directory Server, Access Manager, Web Server, Portal Server, and Application Server 8.2.
-
Create a password file password and specify the password that has been provided for Application Server.
-
Create a certificate signing request.
certutil -R -s "CN=HOSTNAME.domain-name,OU=People,O=Portal,L=Location,ST=State,C=Country" -o certreq.pem -g 512 -d /var/opt/SUNWappserver/domains/domain1/config -f password -a
This command creates a certificate request in the certreq.pem file. The certutil file is present in the /usr/sfw/bin directory.
-
Send the certificate signing request to the CMS.
-
Paste the contents of the approved certificate in an empty file on the Application Server machine.
For example, the file name is servercert.pem.
-
Add this certificate in the database.
-
Add the CMS root ca to the database.
certutil -A -n rootca -t "TCu,TCu,TCuw" -d /var/opt/SUNWappserver/domains/domain1/config -a -i path-to-cert -f password
-
Log in to the administrator console of Application Server.
https://hostname.domain-name:4849
-
Click Configurations -> server-config -> HTTP Service -> HTTP Listeners -> http-listener-2.
Perform the following tasks:
-
Verify whether the security is enabled.
-
Verify whether the certificate nickname is servercert.
-
Enable SSL3.
-
Enable TLS.
-
Select Cipher Suites option.
-
-
Restart the Application Server.
-
Log in to the Access Manager administrator console.
http://host.domain-name:8080/amconsole
-
Open the AMConfig.properties file.
The AMConfig.properties file is located in the AccessManager_base/SUNWam/lib directory.
-
Change com.iplanet.am.server.protocol to https. Add com.sun.identity.liberty.authnsvc.url= https://host.domain-name:8181/amserver/Liberty/authnsvc.
com.iplanet.am.server.protocol=https com.iplanet.am.server.host=host.domain-name com.iplanet.am.server.port=8181 com.iplanet.am.console.protocol=https com.iplanet.am.console.host=host.domain-name com.iplanet.am.console.port=8181 com.iplanet.am.profile.host=host.domain-name com.iplanet.am.profile.port=8181 com.iplanet.am.naming.url=https://host.domain-name:8181 /amserver/namingservice com.iplanet.am.notification.url=https://host.domain-name:8181 /amserver/notificationservice com.sun.identity.liberty.interaction.wspRedirectHandler= https://host.domain-name:8181/amserver/WSPRedirectHandler com.sun.identity.loginurl=https://host.domain-name:8181 /amserver/UI/Login com.sun.identity.liberty.authnsvc.url= https://host.domain-name:8181/amserver/Liberty/authnsvc
-
Restart Directory Server, Access Manager, Application Server, and Portal Server.
- © 2010, Oracle Corporation and/or its affiliates