Configuring SSL

Preparing the Certificate Keystore

Note: this documentation is based on Apache Tomcat SSL Documentation.

Using SSL with Silverpeas is quite transparent since most of the work is on JBoss configuration. First, you have to create a keystore to hold your certificates. JBoss supports the following formats : JKS and PKCS12.
To import an existing certificate signed by your own CA into a PKCS12 keystore using OpenSSL you would execute a command like:

Importing an existing certificate
openssl pkcs12 -export -in mycert.crt -inkey mykey.key \
                        -out mycert.p12 -name tomcat -CAfile myCA.crt \
                        -caname root -chain
        

For more advanced cases, consult the OpenSSL documentation. To create a new keystore from scratch, containing a single self-signed Certificate, execute the following from a terminal command line:

Windows
%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA -keystore \path\to\my\keystore
Unix
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore /path/to/my/keystore

After executing this command, you will first be prompted for the keystore password. The default password used by JBoss is "changeit" (all lower case), although you can specify a custom password if you like. You will also need to specify the custom password in the server.xml configuration file, as described later.
Next, you will be prompted for general information about this Certificate, such as company, contact name, and so on. This information will be displayed to users who attempt to access a secure page in your application, so make sure that the information provided here matches what they will expect.br/> Finally, you will be prompted for the key password, which is the password specifically for this Certificate (as opposed to any other Certificates stored in the same keystore file). You MUST use the same password here as was used for the keystore password itself. (Currently, the keytool prompt will tell you that pressing the ENTER key does this for you automatically.)
If everything was successful, you now have a keystore file with a Certificate that can be used by your server.

Configuring JBoss

The final step is to configure the Connector in the $JBOSS_HOME/server/default/deploy/jbossweb.sar/server.xml file. An example <Connector> element for an SSL connector is included in the default server.xml file installed with Silverpeas. It should look something like this:

SSL Connector
<Connector URIEncoding="UTF-8" acceptCount="100" address="${jboss.bind.address}" clientAuth="false" 
        disableUploadTimeout="true" enableLookups="false" keyAlias="tomcat" 
        keystoreFile="/home/ehugonnet/programs/silverpeas/bin/truststore.jks" keystorePass="changeit" 
        port="8443" scheme="https" secure="true" sslProtocol="TLS"/>

Secure Authentication with clear site

With Silverpeas you can have an HTTPS login, thus authentication is secured, with an HTTP intranet (for performance). This feature is activated by configuration. First, you have to enable SSL (following the preceding instructions) then you have to configure Silverpeas using the following XML block into your CustomerSettings.xml

CustomerSettings.xml
<silverpeas-settings>
  ...
  <fileset root="${SILVERPEAS_HOME}/properties/com/stratelia/webactiv/">
    <configfile name="general.properties">
      <parameter key="server.ssl">false</parameter><!-- we don't want to stay in SSL mode -->
       <parameter key="server.http.port">8000</parameter>
  </configfile>
  </fileset>
  <fileset root="${SILVERPEAS_HOME}/jar/silverpeas.ear/war-ic.war/WEB-INF/">
    <xmlfile name="web.xml">
      <parameter key="//security-constraint/user-data-constraint/transport-guarantee" mode="update">
	<value>CONFIDENTIAL</value>
      </parameter>
    </xmlfile>
  </fileset>
  ...
</silverpeas-settings>