You can secure RMI communications by transmitting them over SSL. The ATG platform includes a class, atg.net.ssl.SSLRMISocketFactory, for creating secure sockets for RMI, and a Nucleus component, /atg/dynamo/service/socket/SSLRMISocketFactory, that is an instance of this class. To enable RMI over SSL, set the RMISocketFactory property of the /atg/dynamo/server/RmiInitialization component to point to the SSLRMISocketFactory component:

RMISocketFactory=/atg/dynamo/service/socket/SSLRMISocketFactory

Configuring Keys and Certificates

To use RMI over SSL, you configure public and private keys and wrap the public key in a self-signed certificate. In a development environment, you can use the default self-signed ATG certificate in your truststore. In a production environment, however, you must create a new keystore, truststore, and certificate, as described in Generating a New Certificate.

To use the default ATG certificate, use the JDK keytool utility to import the certificate into the truststore in your development environment:

  1. Go to your <ATG2007.3dir>\home directory.

  2. Use the keytool utility to export the ATG certificate:

    keytool -export -alias atgkey -keystore ..\DAS\keystore\atg-ssl.jks
    -rfc -file ..\DAS\keystore\atg-ssl.cer

  3. Enter atgkey when prompted for the keystore password:

    Enter password name: atgkey
    Certificate stored in file <..\das\keystore\atg-ssl.cer>

  4. Now import the ATG certificate:

    keytool -import -alias atgcert -file ..\DAS\keystore\atg-ssl.cer -keystore
    ..\DAS\keystore\cacerts.jks

    The keytool utility displays information about the certificate:

    Owner: CN=Snorthog, OU=Dynamo, O=Art Techonology Group, L=Cambridge,
    ST=MA, C=US
    Issuer: CN=Snorthog, OU=Dynamo, O=Art Techonology Group, L=Cambridge,
    ST=MA, C=US
    Serial number: 3eef2fc2
    Valid from: Tue Jun 17 11:12:02 EDT 2003 until: Thu May 04 14:50:08
    EDT 2006
    Certificate fingerprints:
             MD5:  95:0E:9A:3A:D7:C9:A6:CA:73:B5:CA:C0:44:DB:E0:1E
             SHA1: 32:38:3C:AD:57:BB:59:B7:9C:91:A3:79:03:56:9E:96:44:37:20:4C

  5. Answer yes when prompted whether to trust the certificate:

    Trust this certificate? [no]: yes
    Certificate was added to keystore

Note that these settings match the default configuration settings of the /atg/dynamo/security/BasicSSLConfiguration component, so you do not need to modify the configuration of that component.
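Before answering yes in step 5, an operator should confirm that the summary keytool prints in step 4 matches what is expected. The following Python script is an added example, not part of the ATG documentation: it parses that summary (the sample text is constructed from the output quoted above) and answers yes only if the certificate is self-signed, its SHA1 fingerprint matches a pinned value, and the given date falls inside its validity period. The pinned fingerprint is assumed to have been obtained out of band rather than copied from the prompt itself.

```python
import re
from datetime import datetime

# Constructed sample: the summary keytool printed in step 4 above, one line per field.
KEYTOOL_OUTPUT = """\
Owner: CN=Snorthog, OU=Dynamo, O=Art Techonology Group, L=Cambridge, ST=MA, C=US
Issuer: CN=Snorthog, OU=Dynamo, O=Art Techonology Group, L=Cambridge, ST=MA, C=US
Serial number: 3eef2fc2
Valid from: Tue Jun 17 11:12:02 EDT 2003 until: Thu May 04 14:50:08 EDT 2006
Certificate fingerprints:
         MD5:  95:0E:9A:3A:D7:C9:A6:CA:73:B5:CA:C0:44:DB:E0:1E
         SHA1: 32:38:3C:AD:57:BB:59:B7:9C:91:A3:79:03:56:9E:96:44:37:20:4C
"""
# Assumption: the expected SHA1 was obtained out of band, not read off the import prompt.
PINNED_SHA1 = "32:38:3C:AD:57:BB:59:B7:9C:91:A3:79:03:56:9E:96:44:37:20:4C"

def _parse_keytool_date(s):
    # keytool prints the JVM's zone abbreviation (EDT here), which strptime cannot
    # resolve; drop it and treat the stamp as wall-clock time, enough for a day check.
    parts = s.split()
    return datetime.strptime(" ".join(parts[:4] + parts[5:]), "%a %b %d %H:%M:%S %Y")

def parse_keytool_output(text):
    """Extract the fields keytool shows before asking 'Trust this certificate?'."""
    fields = {}
    for key in ("Owner", "Issuer", "Serial number"):
        m = re.search(rf"^{key}: (.+)$", text, re.M)
        fields[key] = m.group(1).strip() if m else None
    m = re.search(r"^Valid from: (.+?) until: (.+)$", text, re.M)
    fields["not_before"] = _parse_keytool_date(m.group(1))
    fields["not_after"] = _parse_keytool_date(m.group(2))
    fields["fingerprints"] = dict(re.findall(r"^[ \t]*(MD5|SHA1):[ \t]+([0-9A-Fa-f:]+)$", text, re.M))
    return fields

def trust_decision(fields, pinned_sha1, today):
    """Return ('yes', []) if all checks pass, else ('no', reasons); today is 'YYYY-MM-DD'."""
    now = datetime.strptime(today, "%Y-%m-%d")
    reasons = []
    if fields["Owner"] != fields["Issuer"]:
        reasons.append("Owner differs from Issuer: not the expected self-signed certificate")
    if fields["fingerprints"].get("SHA1", "").upper() != pinned_sha1.upper():
        reasons.append("SHA1 fingerprint does not match the pinned value")
    if not fields["not_before"] <= now <= fields["not_after"]:
        reasons.append(f"certificate is not valid on {today}")
    return ("yes" if not reasons else "no"), reasons

if __name__ == "__main__":
    answer, why = trust_decision(parse_keytool_output(KEYTOOL_OUTPUT), PINNED_SHA1, "2004-01-01")
    print("Trust this certificate?", answer, why)
```

Note that the default certificate quoted above expired in May 2006, so the date check alone would reject it today; in production the certificate generated as described in the next section replaces it.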

Generating a New Certificate

In a production environment, you should not use the default ATG certificate. Instead, you should use the keytool utility to generate a new private key and public key, and wrap the public key into a new self-signed certificate.

For more information about SSL keys and certificates, and for documentation about the Java Secure Socket Extension (JSSE) APIs, see the java.sun.com web site.
