You can secure RMI communications by transmitting them over SSL. The ATG platform includes a class,, for creating secure sockets for RMI, and a Nucleus component that is an instance of this class, /atg/dynamo/service/socket/SSLRMISocketFactory. To enable RMI over SSL, set the RMISocketFactory property of the /atg/dynamo/server/RmiInitialization component to point to the SSLRMISocketFactory component:


Configuring Keys and Certificates

To use RMI over SSL, you configure public and private keys and wrap the public key in a self-signed certificate. In a development environment, you can use the default self-signed ATG certificate in your truststore. In a production environment, however, you must create a keystore, truststore, and certificate, as described in Generating a New Certificate.

To use the default ATG certificate, use the JDK keytool utility to import the certificate into the truststore in your development environment:

  1. Go to your <ATG9dir>\home directory.

  2. Use the keytool utility to export the ATG certificate:

    keytool -export -alias atgkey –keystore ..\DAS\keystore\atg-ssl.jks
    -rfc –file ..\DAS\keystore\atg-ssl.cer

  3. Enter atgkey when prompted for the keystore password:

    Enter password name: atgkey
    Certificate stored in file <..\das\keystore\atg-ssl.cer>

  4. Now import the ATG certificate:

    keytool -import -alias atgcert -file ..\DAS\keystore\atg-ssl.cer -keystore

    The keytool utility displays information about the certificate:

    Owner: CN=Snorthog, OU=Dynamo, O=Art Techonology Group, L=Cambridge,
    ST=MA, C=US
    Issuer: CN=Snorthog, OU=Dynamo, O=Art Techonology Group, L=Cambridge,
    ST=MA, C=US
    Serial number: 3eef2fc2
    Valid from: Tue Jun 17 11:12:02 EDT 2003 until: Thu May 04 14:50:08
    EDT 2006
    Certificate fingerprints:
             MD5:  95:0E:9A:3A:D7:C9:A6:CA:73:B5:CA:C0:44:DB:E0:1E
             SHA1: 32:38:3C:AD:57:BB:59:B7:9C:91:A3:79:03:56:9E:96:44:37:20:4C

  5. Answer yes when prompted whether to trust the certificate:

Trust this certificate? [no]: yes
Certificate was added to keystore

These settings match the default configuration settings of the component /atg/dynamo/security/BasicSSLConfiguration, so you do not need to modify the configuration of that component.

Generating a New Certificate

In a production environment, you should not use the default ATG certificate. Instead, you should use the keytool utility to generate a new private key and public key, and wrap the public key into a new self-signed certificate.

For more information about SSL keys and certificates, and for documentation about the Java Secure Socket Extension (JSSE) APIs, see the Oracle Web site.

loading table of contents...