To enable SSL communication for the LogServer, Dgraph, and Forge, you must edit the appropriate configuration files to reference the following items:

Root authentication certificates and host certificates generated by the generateSSLCertificates utility. For information about this utility, see Creating SSL Certificates.

An encryption algorithm such as AES128-SHA that has been approved for use by Oracle, Inc. A complete list of the encryption algorithms approved by Oracle can be obtained from Oracle customer support.

To enable SSL communication for LogServer, Dgraph, and Forge, follow these steps:
Configure the sslConfig Java bean with global SSL configuration parameters. The sslConfig Java bean should be created for each host separately if any of the components (Dgraph, Forge, or Log Server) are hosted on another machine.

Pass SSL configuration parameters to the Log Server, Dgraph, and Forge by editing their respective configuration files to reference the sslConfig Java bean, or to specify the global SSL configuration parameters individually.

The following sections explain these steps in detail.
Configure the sslConfig Java Bean with Global SSL Configuration Parameters
To enable LogServer, Dgraph, and Forge for SSL communication, you must supply appropriate values for the properties of the <ssl-config> element in the AppConfig.xml file. Supplying property values for <ssl-config> configures the Java bean sslConfig, which is the source of SSL configuration data for the LogServer, Dgraph, and Forge.

In the <ssl-config> element, specify the global SSL configuration parameters by supplying values for the following element properties:

The following example illustrates how to specify global SSL configuration parameters in the <ssl-config> element of the AppConfig.xml file:

<!--
######################################################################
# Configure the Java bean sslConfig with values that you can then pass
# to Forge, Dgraph, LogServer, and custom components.
#
-->
<ssl-config id="globalSslConfig">
  <property name="certFile" value="/localdisk/endeca/ToolsAndFrameworks/11.1.0/deployment_template/ssl_certs_utility/bin/ssl/slcw5dd.us.example.com.pem"/>
  <property name="caFile" value="/localdisk/endeca/ToolsAndFrameworks/11.1.0/deployment_template/ssl_certs_utility/bin/ssl/ca-cert.pem"/>
  <property name="cipher" value="AES128-SHA"/>
</ssl-config>

Passing SSL Configuration Parameters to the Log Server
To enable SSL communication for the Log Server, you must edit the <logserver> element of the ReportGeneration.xml file to reference the Java bean (sslConfig) that contains the global SSL configuration parameters. In the <logserver> element, you must specify appropriate values for the properties of the <ssl-config> subelement, as follows:

The following example illustrates how to reference the Java bean that contains the global SSL communication parameters:
<logserver id="LogServer" host-id="ReportGenerationHost" port="15010">
  . . . .
  <gzip>false</gzip>
  <ssl-config bean="sslConfig" ref="globalSslConfig"/>
</logserver>

Passing SSL Configuration Parameters to Dgraph
To enable SSL communication for the Dgraph, you can modify the <Dgraph> element of the AuthoringDgraph.xml configuration file in either of two ways:

The following example illustrates how to edit the <ssl-config> element to reference the sslConfig Java bean. Note that the ref property of <ssl-config> must be set to the value of the id property in the <ssl-config> element of the AppConfig.xml file:

<dgraph id="AuthoringDgraph" host-id="AuthoringMDEXHost" port="15002" post-startup-script="AuthoringDgraphPostStartup">
  . . . .
  <input-dir>./data/dgraphs/AuthoringDgraph/dgraph_input</input-dir>
  <update-dir>./data/dgraphs/AuthoringDgraph/dgraph_input/updates</update-dir>
  <ssl-config bean="sslConfig" ref="globalSslConfig"/>
</dgraph>

The following example illustrates how to edit the <dgraph> element to specify the sslConfig parameters individually, without referencing sslConfig itself:

<dgraph id="AuthoringDgraph" host-id="AuthoringMDEXHost" port="15002" post-startup-script="AuthoringDgraphPostStartup">
  . . .
  <input-dir>./data/dgraphs/AuthoringDgraph/dgraph_input</input-dir>
  <update-dir>./data/dgraphs/AuthoringDgraph/dgraph_input/updates</update-dir>
  <cert-file>/localdisk/endeca/ToolsAndFrameworks/11.1.0/deployment_template/ssl_certs_utility/bin/ssl/slcw5dd.us.example.com.pem</cert-file>
  <ca-file>/localdisk/endeca/ToolsAndFrameworks/11.1.0/deployment_template/ssl_certs_utility/bin/ssl/ca-cert.pem</ca-file>
  <cipher>AES128-SHA</cipher>
</dgraph>

Passing SSL Configuration to Forge
In the same way, you can pass SSL configuration parameters to Forge by editing the <forge> element of the DataIngest.xml configuration file either to reference the Java bean sslConfig or to specify the sslConfig parameters individually, without referencing sslConfig itself.

The following example illustrates how to edit the <ssl-config> subelement of the <forge> element to reference the sslConfig Java bean. Note that the ref property of the <ssl-config> element must be set to the value of the id property in the <ssl-config> element of the AppConfig.xml file:

<forge id="Forge" host-id="ITLHost">
  . . .
  <pipeline-file>./data/processing/pipeline.epx</pipeline-file>
  <ssl-config bean="sslConfig" ref="globalSslConfig"/>
</forge>

The following example illustrates how to edit the <forge> element to specify the sslConfig parameters individually, without referencing sslConfig itself:

<forge id="Forge" host-id="ITLHost">
  . . . .
  <pipeline-file>./data/processing/pipeline.epx</pipeline-file>
  <cert-file>/localdisk/endeca/ToolsAndFrameworks/11.1.0/deployment_template/ssl_certs_utility/bin/ssl/slcw5dd.us.example.com.pem</cert-file>
  <ca-file>/localdisk/endeca/ToolsAndFrameworks/11.1.0/deployment_template/ssl_certs_utility/bin/ssl/ca-cert.pem</ca-file>
  <cipher>AES128-SHA</cipher>
</forge>

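
The two rules stated for Dgraph and Forge above (the ref property must equal the id of the <ssl-config> element in AppConfig.xml, or all parameters must be given individually) can be checked before deployment. The following Python script is an added example, not Oracle code; the <root> wrapper, the shortened paths, the deliberately broken sample entries and the function name check_ssl_config are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed stand-ins for AppConfig.xml and the component files. The <root>
# wrapper and the two deliberately broken entries are assumptions, not real data.
APP_CONFIG = """<root>
  <ssl-config id="globalSslConfig">
    <property name="certFile" value="/path/to/host.pem"/>
    <property name="caFile" value="/path/to/ca-cert.pem"/>
    <property name="cipher" value="AES128-SHA"/>
  </ssl-config>
</root>"""

COMPONENTS = """<root>
  <logserver id="LogServer" host-id="ReportGenerationHost" port="15010">
    <ssl-config bean="sslConfig" ref="globalSslConfig"/>
  </logserver>
  <dgraph id="AuthoringDgraph" host-id="AuthoringMDEXHost" port="15002">
    <ssl-config bean="sslConfig" ref="globalSSLConfig"/>
  </dgraph>
  <forge id="Forge" host-id="ITLHost">
    <cert-file>/path/to/host.pem</cert-file>
    <cipher>AES128-SHA</cipher>
  </forge>
</root>"""

BEAN_PROPS = {"certFile", "caFile", "cipher"}
INLINE_TAGS = {"cert-file", "ca-file", "cipher"}

def check_ssl_config(app_config_xml, components_xml):
    """Return a list of (element id, problem) findings; empty means consistent."""
    findings, bean_ids = [], set()
    for bean in ET.fromstring(app_config_xml).iter("ssl-config"):
        props = {p.get("name") for p in bean.findall("property") if p.get("value")}
        bean_ids.add(bean.get("id"))
        findings += [(bean.get("id"), f"bean missing property {m}")
                     for m in sorted(BEAN_PROPS - props)]
    for comp in ET.fromstring(components_xml):
        if comp.tag not in ("logserver", "dgraph", "forge"):
            continue
        cid, ref = comp.get("id"), comp.find("ssl-config")
        inline = {c.tag for c in comp if c.tag in INLINE_TAGS and (c.text or "").strip()}
        if ref is not None:
            if ref.get("ref") not in bean_ids:  # exact string comparison
                findings.append((cid, f"ref {ref.get('ref')!r} matches no ssl-config id"))
        elif not inline:
            findings.append((cid, "no SSL configuration present"))
        else:
            findings += [(cid, f"inline config missing <{m}>")
                         for m in sorted(INLINE_TAGS - inline)]
    return findings
```

On the constructed input the check reports the mistyped ref on the Dgraph and the missing <ca-file> on Forge, and nothing for the Log Server.
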
Running Parallel Forge Processes in SSL and non-SSL Modes
To increase the efficiency with which your application processes source data, you can create groups of separate Forge processes that run in parallel with each other. Parallel Forge processing can increase processing efficiency when there is a large amount of source data to process or when the source data comes from multiple sources.
You can enable SSL communication for parallel Forge processes by specifying values for the following flags in the Forge commands that start the Forge server and each of the Forge clients:
sslcertfile: The root authentication certificate generated by generateSSLCertificates. (Specify full pathname; for example: /localdisk/endeca/ToolsAndFrameworks/11.1.0/deployment_template/ssl_certs_utility/bin/ssl/slcw5dd.us.example.com.pem.)

sslcafile: The authentication certificate generated for this host by generateSSLCertificates. (Specify full pathname; for example: /localdisk/endeca/ToolsAndFrameworks/11.1.0/deployment_template/ssl_certs_utility/bin/ssl/ca-cert.pem.)

Only certificates generated by the generateSSLCertificates utility can be used for sslcertfile and sslcafile. For information about how to use the generateSSLCertificates utility, see Creating SSL Certificates.

The following examples illustrate Forge commands that start a Forge server and two Forge clients in SSL mode. For information about Forge command flags, refer to the Oracle Commerce Forge Guide.
Command to run Forge server
forge -vi -o out.log_server --dtdInHeader false -c "client_val=server" --usingManager \
  --javaArgument -Xmx256m --logLevel DEBUG --server <server-port> --numClients 2 \
  --sslcertfile <server host cert> \
  --sslcafile <root ca cert> \
  --outputDir <output directory location> \
  --stateDir <state directory location> pipeline.epx

Command to run first Forge client
forge -vi -o out.log_0 --dtdInHeader false --usingManager \
  --javaArgument -Xmx256m --logLevel DEBUG -c "client_val=instance0" --client \
  10.152.105.73:1234 --clientNum 0 \
  --sslcertfile <client host cert> \
  --sslcafile <root ca cert> \
  --outputDir <output directory location> \
  --stateDir <state directory location> pipeline.epx

Command to run second Forge client
forge -vi -o out.log_1 --dtdInHeader false --usingManager \
  --javaArgument -Xmx256m --logLevel DEBUG -c "client_val=instance1" --client \
  10.152.105.73:1234 --clientNum 1 \
  --sslcertfile <client host cert> \
  --sslcafile <root ca cert> \
  --outputDir <output directory location> \
  --stateDir <state directory location> pipeline.epx