You can secure RMI communications by transmitting them over SSL. The Oracle Commerce Platform includes a class, atg.net.ssl.SSLRMISocketFactory, for creating secure sockets for RMI, and a Nucleus component that is an instance of this class, /atg/dynamo/service/socket/. To enable RMI over SSL, set the
SSLRMISocketFactoryRMISocketFactory property of the /atg/dynamo/server/RmiInitialization component to point to the SSLRMISocketFactory component:
RMISocketFactory=/atg/dynamo/service/socket/SSLRMISocketFactoryTo use RMI over SSL, configure public and private keys and wrap the public key in a self-signed certificate. Use the keytool utility to generate a new private key and public key, and wrap the public key into a new self-signed certificate.
Create a key store and trust store for each server.
Use the JDK
keytoolutility with the–genkeyflag to generate a new self-signed certificate that wraps the public key.Import the certificate into the trust store of each server.
Configure the
/atg/dynamo/security/BasicSSLConfigurationcomponent on each server. You must set thekeyStoreandtrustStoreproperties to point to your new key store and trust store file locations. You must also set thekeyStorePasswordandtrustStorePasswordproperties to the values that you used when creating the key store and trust store.
For more information about SSL keys and certificates, and for documentation about the Java Secure Socket Extension (JSSE) APIs, see the Oracle Web site.
Enabling Client Authentication
Whenever an SSL session begins, a handshake occurs, which enables server authentication to the client. By default, the client does not authenticate, however, you can configure mandatory client authentication by setting the needClientAuth property to true in the /atg/dynamo/security/.
BasicSSLConfiguration
Using the ACC with RMI over SSL
If you have configured RMI to work over SSL, the ACC requires additional information to connect using SSL. First, configure the BasicSSLConfiguration file to connect using SSL:
Add the following parameters in the
/atg/dynamo/security/file:
BasicSSLConfigurationtrustStore- The location of the SSL trust store that holds the public key for the server’s key storetrustStorePassword– The password of the SSL trust storetrustStoreType– The type of trust store, for example JKSkeyStore– The location of the key storekeyStorePassword– The password of the key storekeyStoreType– The type of key store, for example JKSneedClientAuth– Set mandatory client authentication by setting this property totrue
For example:
keyStore={appModuleResource?moduleID=DAS&resourceURI=keystore/
my-keystore.jks}
keyStoreType=jceks
keyStorePassword=mykeystorepassword
trustStore={java.home}/mylib/security/mycerts
trustStoreType=JKS
trustStorePassword=mytruststorepassword
needClientAuth=trueSet the
RMISocketFactoryparameter of the/atg/dynamo/server/file to call the
RmiInitialiationSSLRMISocketFactory. For example:# A reference to a component that is an instance of an
# RMISocketFactory to utilize (e.g. for SSL)
RMISocketFactory=/atg/dynamo/service/socket/SSLRMISocketFactoryRestart the server.
Once you have configured the BasicSSLConfiguration file, modify the startClient script for your server as described below:
Server-Side Authentication
To enable the ACC to perform one-way authentication, provide the name of the trustStore and the trustStorePassowrd arguments in the startClient script:
- Djavax.net.ssl.trustStore=trustStore_location
- Djavax.net.ssl.trustStorePassword=trustStore_password
- Drmi.socket.factory.class=atg.applauncher.AppSSLRMISocketFactory
Client-Server Authentication
To enable the ACC to perform two-way authentication, provide the name of the trustStore, trustStorePassowrd, keyStore and the keyStorePassowrd arguments in the startClient script:
- Djavax.net.ssl.trustStore=trustStore_location
- Djavax.net.ssl.trustStorePassword=trustStore_password
- Drmi.socket.factory.class=atg.applauncher.AppSSLRMISocketFactory
- Djavax.net.ssl.keyStore=keyStore_location
- Djavax.net.ssl.keyStorePassword=keyStore_password
