You can secure RMI communications by transmitting them over SSL. The Oracle ATG Web Commerce platform includes a class, atg.net.ssl.SSLRMISocketFactory, for creating secure sockets for RMI, and a Nucleus component that is an instance of this class, /atg/dynamo/service/socket/SSLRMISocketFactory. To enable RMI over SSL, set the RMISocketFactory property of the /atg/dynamo/server/RmiInitialization component to point to the SSLRMISocketFactory component:

RMISocketFactory=/atg/dynamo/service/socket/SSLRMISocketFactory

Configuring Keys and Certificates

To use RMI over SSL, you configure public and private keys and wrap the public key in a self-signed certificate. In a development environment, you can use the default self-signed Oracle ATG Web Commerce certificate in your trust store. In a production environment, however, you must create a key store, trust store, and certificate, as described in Generating a New Certificate.

To use the default Oracle ATG Web Commerce certificate, use the JDK keytool utility to import the certificate into the trust store in your development environment:

  1. Go to your <ATG10dir>\home directory.

  2. Use the keytool utility to export the Oracle ATG Web Commerce certificate:

    keytool -export -alias atgkey -keystore ..\DAS\keystore\atg-ssl.jks
    -rfc -file ..\DAS\keystore\atg-ssl.cer

  3. Enter atgkey when prompted for the key store password:

    Enter password name: atgkey
    Certificate stored in file <..\das\keystore\atg-ssl.cer>

  4. Now import the Oracle ATG Web Commerce certificate:

    keytool -import -alias atgcert -file ..\DAS\keystore\atg-ssl.cer -keystore
    ..\DAS\keystore\cacerts.jks

  5. The keytool utility displays information about the certificate:

    Owner: CN=Snorthog, OU=Dynamo, O=Art Techonology Group, L=Cambridge,
    ST=MA, C=US
    Issuer: CN=Snorthog, OU=Dynamo, O=Art Techonology Group, L=Cambridge,
    ST=MA, C=US
    Serial number: 3eef2fc2
    Valid from: Tue Jun 17 11:12:02 EDT 2003 until: Thu May 04 14:50:08
    EDT 2006
    Certificate fingerprints:
             MD5:  95:0E:9A:3A:D7:C9:A6:CA:73:B5:CA:C0:44:DB:E0:1E
             SHA1: 32:38:3C:AD:57:BB:59:B7:9C:91:A3:79:03:56:9E:96:44:37:20:4C

  6. Answer yes when prompted whether to trust the certificate:

    Trust this certificate? [no]: yes
    Certificate was added to keystore

These settings match the default configuration settings of the component /atg/dynamo/security/BasicSSLConfiguration, so you do not need to modify the configuration of that component.

Generating a New Certificate

In a production environment, you should not use the default Oracle ATG Web Commerce certificate. Instead, you should use the keytool utility to generate a new private key and public key, and wrap the public key into a new self-signed certificate.
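
The following batch script is an added example, not part of the Oracle documentation. It shows one way to generate a new key pair and self-signed certificate with keytool and place the certificate in a separate trust store. The store file names, the aliases prodkey and prodcert, and the -dname value are placeholders chosen for illustration.

```bat
@echo off
rem Added example (not Oracle's script). Run from the <ATG10dir>\home directory.
rem File names, aliases and the distinguished name below are placeholders.
setlocal
set "KEYSTORE=..\DAS\keystore\prod-ssl.jks"
set "TRUSTSTORE=..\DAS\keystore\prod-trust.jks"
set "CERTFILE=..\DAS\keystore\prod-ssl.cer"

rem 1. Generate a private/public key pair and wrap the public key in a
rem    self-signed certificate. No -storepass or -keypass is given, so keytool
rem    prompts for the passwords instead of exposing them on the command line.
keytool -genkeypair -alias prodkey -keyalg RSA -keysize 2048 ^
    -sigalg SHA256withRSA -validity 365 ^
    -dname "CN=rmi.example.com, OU=Commerce, O=Example Corp, C=US" ^
    -keystore "%KEYSTORE%"
if errorlevel 1 exit /b 1

rem 2. Export only the certificate (public key) in printable RFC 1421 form.
rem    The private key never leaves the key store.
keytool -exportcert -alias prodkey -rfc -file "%CERTFILE%" ^
    -keystore "%KEYSTORE%"
if errorlevel 1 exit /b 1

rem 3. Import the certificate into a new trust store. keytool prints the
rem    owner, validity dates and fingerprints and asks for confirmation;
rem    compare the fingerprints with those of the certificate you generated.
keytool -importcert -alias prodcert -file "%CERTFILE%" ^
    -keystore "%TRUSTSTORE%"
if errorlevel 1 exit /b 1

rem 4. List the trusted entry to confirm the owner and validity period.
keytool -list -v -alias prodcert -keystore "%TRUSTSTORE%"
endlocal
```

Stores created this way no longer match the default settings of /atg/dynamo/security/BasicSSLConfiguration, so that component must be configured for the new stores; that configuration is not shown here.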

For more information about SSL keys and certificates, and for documentation about the Java Secure Socket Extension (JSSE) APIs, see the Oracle Web site.