Configuring the Repository to Use SSL

The HTTPS service of the Repository will not run unless a server certificate has been installed. Use the following procedure to set up a server certificate that can be used by the Repository to enable SSL.

Note - If you configure the Repository to use SSL, then NetBeans IDE users cannot connect to the Repository.

To enable the Repository to use SSL, perform the tasks in the following sections:

Generating a Key Pair and a Self-Signed Certificate
Obtaining a Signed Certificate
Importing the Certificate
Configuring the server.xml File
Testing the New SSL Connection

Note - The instructions in this topic use port number 8443 as the SSL port. The instructions in Configuring Enterprise Manager to Use SSL also use port number 8443 as the SSL port. If you are configuring the Repository and Enterprise Manager on the same computer, then ensure that the port numbers are different.

Generating a Key Pair and a Self-Signed Certificate

The genkey command of the keytool program enables you to generate a key pair.

To Generate a Key Pair and a Self-Signed Certificate

Navigate to the JAVA_HOME/bin directory, where JAVA_HOME is the installation directory of the Java SDK.

Enter the following command:

keytool -genkey -keyalg RSA -alias CAPS -keystore keystore_filename

When prompted, enter your keystore password.
When prompted, enter the Distinguished Name information.
1. What is your first and last name?
  
  Caution - When prompted for your first and last name, make sure you enter the machine hostname.
2. What is the name of your organizational unit?
3. What is the name of your organization?
4. What is the name of your City or Locality?
5. What is the name of your State or Province?
6. What is the two-letter country code for this unit?
7. Is CN=first_and_last_name, OU=organizational_unit, O=organization_name, L=city_or_locality, ST=state_or_province, C=two_letter_country_code correct?
When prompted, enter a password for the keystore entry. If the password is same as the keystore password, press Return.
Note - If you want to use a keystore, it is recommended to use the sbyn.keystore file in the JavaCAPS-install-dir/repository/repository/server directory.

Obtaining a Signed Certificate

You must obtain either a digitally signed certificate from a certificate authority or a self-signed certificate from a local keystore.

To Obtain a Digitally Signed Certificate from a Certificate Authority

Enter the following command to generate a Certificate Signing Request (CSR):
keytool -certreq -alias CAPS -keyalg RSA -file csr_filename -keystore keystore_filename
Send the CSR for signing.
Store the signed certificate in a file.
Note - If you want to use a keystore, it is recommended to use the sbyn.keystore file in the JavaCAPS-install-dir/repository/repository/server directory.

To Obtain a Self-Signed Certificate from a Local Keystore

Enter the following command to generate a self-signed certificate:
keytool -export -alias CAPS -keystore keystore_filename -rfc -file self_signed_cert_filename

Importing the Certificate

If you are using a self-signed certificate or a certificate signed by a CA that your browser does not recognize, a dialog box will appear the first time you try to access the server. You can then choose to trust the certificate for this session only or permanently.

To Import the Certificate

Enter the following command to install the certificate:
```
keytool -import -trustcacerts -alias CAPS -file ca-certificate-filename 
-keystore keystore_filename
```
Note - You must have the required permissions to modify the JAVA_HOME/jre/lib/security/cacerts file. You must import your certificate into the cacerts file also.
If you want to use a keystore, it is recommended to use the sbyn.keystore file in the JavaCAPS-install-dir/repository/repository/server directory.

Configuring the server.xml File

You now edit the server.xml file in the Repository to enable SSL support.

To Configure the server.xml File

If the Repository is running, then shut down the Repository.
Using a text editor, open the server.xml file in the JavaCAPS-install-dir/repository/repository/server/conf directory.
Within the <Service> element, comment out the first <Connector> element, which uses the non-SSL port (12000 by default).

Uncomment the second <Connector> element, which defines an SSL connector.

<!--  Define an SSL Coyote HTTP/1.1 Connector on port 8443  -->
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
    port="8443" minProcessors="5" maxProcessors="75"
    enableLookups="true"
    acceptCount="100" debug="0" scheme="https" secure="true"
    useURIValidationHack="false" disableUploadTimeout="true">
<Factory
    className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
    clientAuth="false" protocol="TLS"
    keystoreFile="sbyn.keystore" keystorePass="changeit" />
</Connector>

Save the server.xml file.
Start the Repository.

Testing the New SSL Connection

This procedure verifies that SSL support has been correctly installed.

To Test the New SSL Connection

Load the default Repository server introduction page with the following URL:
```
https://localhost:8443/
```
The https portion indicates that the browser should use the SSL protocol.
The port 8443 is where the SSL Connector was created in Configuring the server.xml File.
The first time that you load this application, the New Site Certificate dialog box appears. Select Next to move through the series of New Site Certificate dialog boxes. Select Finish when you reach the last dialog box.
Note - You should still have the option to use HTTP to connect to the NetBeans IDE. System administrators should not block the HTTP port.

Skip Navigation Links
Exit Print View
	Configuring Oracle Java CAPS for SSL Support Java CAPS Documentation