RMI Over SSL

You can secure RMI communications by transmitting them over SSL. The Oracle ATG Web Commerce platform includes a class, atg.net.ssl.SSLRMISocketFactory, for creating secure sockets for RMI, and a Nucleus component that is an instance of this class, /atg/dynamo/service/socket/SSLRMISocketFactory. To enable RMI over SSL, set the RMISocketFactory property of the /atg/dynamo/server/RmiInitialization component to point to the SSLRMISocketFactory component:

RMISocketFactory=/atg/dynamo/service/socket/SSLRMISocketFactory

Configuring Keys and Certificates

To use RMI over SSL, you configure public and private keys and wrap the public key in a self-signed certificate. In a development environment, you can use the default self-signed Oracle ATG Web Commerce certificate in your trust store. In a production environment, however, you must create a key store, trust store, and certificate, as described in Generating a New Certificate.

To use the default Oracle ATG Web Commerce certificate, use the JDK keytool utility to import the certificate into the trust store in your development environment:

  1. Go to your <ATG10dir>\home directory.

  2. Use the keytool utility to export the Oracle ATG Web Commerce certificate:

    keytool -export -alias atgkey –keystore ..\DAS\keystore\atg-ssl.jks
    -rfc –file ..\DAS\keystore\atg-ssl.cer

  3. Enter atgkey when prompted for the key store password:

    Enter password name: atgkey
    Certificate stored in file <..\das\keystore\atg-ssl.cer>

  4. Now import the Oracle ATG Web Commerce certificate:

    keytool -import -alias atgcert -file ..\DAS\keystore\atg-ssl.cer -keystore
    ..\DAS\keystore\cacerts.jks

    The key tool utility displays information about the certificate:

  5. Owner: CN=Snorthog, OU=Dynamo, O=Art Techonology Group, L=Cambridge,
    ST=MA, C=US
    Issuer: CN=Snorthog, OU=Dynamo, O=Art Techonology Group, L=Cambridge,
    ST=MA, C=US
    Serial number: 3eef2fc2
    Valid from: Tue Jun 17 11:12:02 EDT 2003 until: Thu May 04 14:50:08
    EDT 2006
    Certificate fingerprints:
             MD5:  95:0E:9A:3A:D7:C9:A6:CA:73:B5:CA:C0:44:DB:E0:1E
             SHA1: 32:38:3C:AD:57:BB:59:B7:9C:91:A3:79:03:56:9E:96:44:37:20:4C

  6. Answer yes when prompted whether to trust the certificate:

    Trust this certificate? [no]: yes
    Certificate was added to keystore

These settings match the default configuration settings of the component /atg/dynamo/security/BasicSSLConfiguration, so you do not need to modify the configuration of that component.

Generating a New Certificate

In a production environment, you should not use the default Oracle ATG Web Commerce certificate. Instead, you should use the keytool utility to generate a new private key and public key, and wrap the public key into a new self-signed certificate.

  1. Create a key store and trust store for each server.

  2. Use the JDK keytool utility with the –genkey flag to generate a new self-signed certificate that wraps the public key.

  3. Import the certificate into the trust store of each server.

  4. Configure the /atg/dynamo/security/BasicSSLConfiguration component on each server. You must set the keyStore and trustStore properties to point to your new key store and trust store file locations. You must also set the keyStorePassword and trustStorePassword properties to the values that you used when creating the key store and trust store.

For more information about SSL keys and certificates, and for documentation about the Java Secure Socket Extension (JSSE) APIs, see the Oracle Web site.

Copyright © 1997, 2012 Oracle and/or its affiliates. All rights reserved.

Legal Notices