Follow these steps to enable secure SSL communication between the Deployment Template and the EAC Central Server, the ECR, the Assembler, the Dgraph (the MDEX engine) and the Content Acquisition System (CAS) version 3.0.x and later:
1. Create a Java keystore and truststore to contain your certificates. For information about how to do this, see Storing generateSSLCertificates Credentials.

2. Upload a copy of these certificates to the server on which your Deployment Template scripts will run.

3. Update runcommand[.bat|.sh] to load your SSL keystore and truststore.

   On Windows, edit runcommand.bat to contain the following lines:

       ...
       set JAVA_ARGS=%JAVA_ARGS% "-Djava.util.logging.config.file=%~dp0..\config\script\logging.properties"
       if exist [\path\to\truststore] (
         set TRUSTSTORE=[\path\to\truststore]
       ) else (
         echo WARNING: Cannot find truststore at [\path\to\truststore]. Secure EAC communication may fail.
       )
       if exist [\path\to\keystore] (
         set KEYSTORE=[\path\to\keystore]
       ) else (
         echo WARNING: Cannot find keystore at [\path\to\keystore]. Secure EAC communication may fail.
       )
       set JAVA_ARGS=%JAVA_ARGS% "-Djavax.net.ssl.trustStore=%TRUSTSTORE%" "-Djavax.net.ssl.trustStoreType=JKS"
       set JAVA_ARGS=%JAVA_ARGS% "-Djavax.net.ssl.keyStore=%KEYSTORE%" "-Djavax.net.ssl.keyStoreType=JKS"
       set JAVA_ARGS=%JAVA_ARGS% "-Djavax.net.ssl.trustStorePassword=TS-password"
       set JAVA_ARGS=%JAVA_ARGS% "-Djavax.net.ssl.keyStorePassword=KS-password"
       set OCS_ARGS="-Dcom.endeca.ssl.jpsConfigPath=[\path\to\jps-config.xml]" "-Dcom.endeca.ssl.storeMapName=[Map Name]" "-Dcom.endeca.ssl.trustStoreKeyName=[TS-Passphrase]" "-Dcom.endeca.ssl.keyStoreKeyName=[KS-Passphrase]"
       set JAVA_ARGS=%JAVA_ARGS% %OCS_ARGS%
       set CONTROLLER_ARGS=--app-config AppConfig.xml
       ...

   Note: In runcommand[.bat|.sh], set commands must not contain line breaks. In the preceding example, the set commands are wrapped only to fit the page size of this document.

   On UNIX, edit runcommand.sh to contain the following lines:

       ...
       JAVA_ARGS="${JAVA_ARGS} -Djava.util.logging.config.file=${WORKING_DIR}/../config/script/logging.properties"
       if [ -f "[/path/to/truststore]" ] ; then
         if [ -f "[/path/to/keystore]" ] ; then
           TRUSTSTORE=[/path/to/truststore]
           KEYSTORE=[/path/to/keystore]
           JAVA_ARGS="${JAVA_ARGS} -Djavax.net.ssl.trustStore=${TRUSTSTORE}"
           JAVA_ARGS="${JAVA_ARGS} -Djavax.net.ssl.trustStoreType=JKS"
           JAVA_ARGS="${JAVA_ARGS} -Djavax.net.ssl.keyStore=${KEYSTORE}"
           JAVA_ARGS="${JAVA_ARGS} -Djavax.net.ssl.keyStoreType=JKS"
           JAVA_ARGS="${JAVA_ARGS} -Djavax.net.ssl.trustStorePassword=TS-password"
           JAVA_ARGS="${JAVA_ARGS} -Djavax.net.ssl.keyStorePassword=KS-password"
           # All four OCS options go in one quoted string: a second quoted word after a
           # shell assignment would be executed as a command rather than stored.
           OCS_ARGS="-Dcom.endeca.ssl.jpsConfigPath=[/path/to/jps-config.xml] -Dcom.endeca.ssl.storeMapName=[Map Name] -Dcom.endeca.ssl.trustStoreKeyName=[TS-Passphrase] -Dcom.endeca.ssl.keyStoreKeyName=[KS-Passphrase]"
           JAVA_ARGS="${JAVA_ARGS} ${OCS_ARGS}"
         else
           echo "WARNING: Cannot find keystore at [/path/to/keystore]. Secure EAC communication may fail."
         fi
       else
         echo "WARNING: Cannot find truststore at [/path/to/truststore]. Secure EAC communication may fail."
       fi
       CONTROLLER_ARGS="--app-config AppConfig.xml"
       ...
4. In the app element of the AppConfig.xml document, set the sslEnabled attribute to true. The sslEnabled attribute is an application-wide setting that applies to the EAC and to CAS (if CAS is used in your application).

5. Specify the SSL-enabled port for the EAC. The Endeca HTTP Service uses a separate port to communicate securely. For example, the default non-SSL connector is on port 8888 and the default SSL connector listens on port 8443. Specify the SSL port in the eacPort attribute of the app element in the AppConfig.xml document.

6. If you are using Discover-data-cas, specify the SSL-enabled port for CAS in DataIngest.xml and initialize_services[.bat|.sh]. The CAS Service uses a separate port to communicate securely. For example, the default non-SSL port is 8500 and the default SSL port is 8505. Specify the SSL port in the value attribute of the casPort property.

   The following example shows a sample configuration for an SSL-enabled application.

       <!--
       ########################################################################
       # EAC Application Definition
       #
       -->
       <app appName="test" eacHost="slcw5dd.us.oracle.com" eacPort="8443"
            dataPrefix="test" sslEnabled="true" lockManager="LockManager">
         <working-dir>${ENDECA_PROJECT_DIR}</working-dir>
         <log-dir>./logs</log-dir>
       </app>

       <!--
       ########################################################################
       # Lock Manager - Used to set/remove/test flags and obtain/release locks
       #
       -->
       <lock-manager id="LockManager" releaseLocksOnFailure="true" />

       <!--
       ########################################################################
       # Content Acquisition System Server
       #
       <custom-component id="CAS" host-id="CASHost"
           class="com.endeca.eac.toolkit.component.cas.ContentAcquisitionServerComponent">
         <properties>
           <property name="casHost" value="slcw5dd.us.oracle.com" />
           <property name="casPort" value="8505" />
         </properties>
       </custom-component>
       -->
7. In AuthoringDgraphCluster.xml, set the useSsl property of the <host> element to "false" or "true" to disable or enable SSL communication:

   Disable SSL:

       <host id="AuthoringMDEXHost" hostName="FullyQualifiedHostName" port="8888" useSsl="false"/>

   Enable SSL:

       <host id="AuthoringMDEXHost" hostName="FullyQualifiedHostName" port="8443" useSsl="true"/>
8. In LiveAppServerCluster.xml, set the useSsl property of the <web-app> element under the <app-server> element to "false" or "true" to disable or enable SSL communication:

   Disable SSL:

       <app-server id="LiveDiscover" hostName="FullyQualifiedHostName" port="8006">
         <web-app id="DiscoverWebApp1" contextPath="/discover" sslEnabled="false"/>
         ...
       </app-server>

   Enable SSL:

       <app-server id="LiveDiscover" hostName="FullyQualifiedHostName" port="8446">
         <web-app id="DiscoverWebApp1" contextPath="/discover" sslEnabled="true"/>
         ...
       </app-server>
9. In LiveDgraphCluster.xml, set the useSsl property of the host element to "true":

       <host id="LiveMDEXHostA" hostName="FullyQualifiedHostName" port="8888" useSsl="true"/>
10. In DataIngest.xml, set the useSsl property of the host element to "true":

       <host id="ITLHost" hostName="FullyQualifiedHostName" port="8888" useSsl="true"/>
11. In ReportGeneration.xml, set the useSsl property of the <host> elements shown below to "false" or "true" to disable or enable SSL communication:

   Disable SSL:

       <host id="ReportGenerationHost" hostName="FullyQualifiedHostName" port="8888" useSsl="false"/>
       <host id="WorkbenchHost" hostName="FullyQualifiedHostName" port="8888" useSsl="false">
         . . .
       </host>

   Enable SSL:

       <host id="ReportGenerationHost" hostName="FullyQualifiedHostName" port="8443" useSsl="true"/>
       <host id="WorkbenchHost" hostName="FullyQualifiedHostName" port="8443" useSsl="true">
         . . .
       </host>
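Because the SSL switch is spread over several files (sslEnabled on the app element, useSsl on each <host>, sslEnabled on each <web-app>), a single host left at "false" silently downgrades that connection. The following audit script is an added example, not part of the Oracle Endeca documentation or Deployment Template: it parses constructed sample files and reports any element where SSL is still off, plus a heuristic warning (an assumption of this example) when an SSL-enabled host still uses the default non-SSL EAC port 8888 named in the steps above.

```python
import xml.etree.ElementTree as ET

# EAC default non-SSL port from the procedure; pairing it with useSsl="true"
# is reported as a warning only (heuristic, assumption of this example).
NON_SSL_PORTS = {"8888"}

# Constructed sample files keyed by file name (not a real deployment).
SAMPLE_FILES = {
    "AppConfig.xml": '<app appName="test" eacPort="8443" sslEnabled="true"/>',
    "LiveDgraphCluster.xml":
        '<cluster>'
        '<host id="LiveMDEXHostA" hostName="h" port="8888" useSsl="true"/>'
        '<host id="LiveMDEXHostB" hostName="h" port="8443" useSsl="false"/>'
        '</cluster>',
    "LiveAppServerCluster.xml":
        '<app-server id="LiveDiscover" hostName="h" port="8446">'
        '<web-app id="DiscoverWebApp1" contextPath="/discover" sslEnabled="true"/>'
        '</app-server>',
}

def audit_ssl(files):
    """Return (errors, warnings), each a list of 'file: message' strings."""
    errors, warnings = [], []
    for name, text in files.items():
        root = ET.fromstring(text)
        # AppConfig.xml: the application-wide switch must be on.
        if root.tag == "app" and root.get("sslEnabled") != "true":
            errors.append(f"{name}: app sslEnabled is not true")
        for el in root.iter():
            # <host> elements carry useSsl; <web-app> elements carry sslEnabled.
            if el.tag == "host":
                flag = el.get("useSsl")
            elif el.tag == "web-app":
                flag = el.get("sslEnabled")
            else:
                continue
            ident = el.get("id", "?")
            if flag != "true":
                errors.append(f"{name}: {el.tag} {ident} has SSL disabled")
            elif el.get("port") in NON_SSL_PORTS:
                warnings.append(f"{name}: {el.tag} {ident} is SSL-enabled "
                                f"on default non-SSL port {el.get('port')}")
    return errors, warnings

if __name__ == "__main__":
    errs, warns = audit_ssl(SAMPLE_FILES)
    for line in errs:
        print("ERROR  ", line)
    for line in warns:
        print("WARNING", line)
```

Run it against the real AppConfig.xml and cluster files by reading them into the dictionary instead of the constructed samples; a clean run returns no errors.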