Enable HTTPS, configure HTTP and HTTPS ports and redirect HTTP requests to HTTPS

Enabling SSL

Updated for Patch level 732_20171007b.

Enabling SSL on Jetty requires enabling the Jetty ssl and https modules. Before enabling these modules, stop the Jetty service if it is running.

Linux:
service rxjetty stop

Windows:
net stop rxjetty

Enabling the SSL and HTTPS modules:

Windows:
cd {RHYTHMYX_HOME}\jetty\
StartJetty.bat --add-to-start=ssl,https

Linux:
cd {RHYTHMYX_HOME}/jetty/
./StartJetty.sh --add-to-start=ssl,https
These commands should return output similar to that below:

[root@rhythmyx jetty]# ./StartJetty.sh --add-to-start=ssl,https
Found Jetty service rxjetty in /etc/default/rxjetty pointing to jetty base /opt/Rhythmyx/jetty/base
This instance is currently installed as service rxjetty
/var/run/rxjetty/rxjetty
INFO  : https           initialized in ${jetty.base}/start.d/https.ini
INFO  : ssl             initialized in ${jetty.base}/start.d/ssl.ini
COPY  : ${jetty.home}/modules/ssl/keystore to ${jetty.base}/etc/keystore
INFO  : Base directory was modified

Existing Java Keystore Under JBoss

If you have an existing Java keystore with an SSL certificate installed under JBoss, the keystore file must be copied to the <InstallDir>/jetty/base/etc folder. You can identify the existing JBoss keystore file location by scanning the AppServer\server\rx\deploy\jboss-web.deployer\server.xml file for the keystoreFile attribute; the keystore file is located at whatever value "keystoreFile" is set to.

For example, if keystoreFile="AppServer/server/rx/conf/identity.jks", move:

  • AppServer/server/rx/conf/identity.jks
to
  • jetty/base/etc/

Example Java Keystore

When the ssl and https Jetty modules are installed, an example keystore is created at jetty/base/etc/keystore if one does not already exist. The example keystore contains a self-signed certificate, so browsers will show security errors when accessing the site, but it is a good way to check that SSL is enabled.
Creating a New Keystore With an Existing Valid Certificate

Example 1: OpenSSL (PEM) Public & Private Key

cd <InstallDir>/jetty/base/etc

openssl pkcs12 -export -chain -in /path/to/cert/my.crt -inkey /path/to/key/my.key.pem -out keystore.p12 -name training.percussion.com -CAfile /path/to/bundle/bundle.crt

This command generates a PKCS12 standards-based keystore, which can then be imported into a Java (JKS) keystore. If you run keytool from the JRE/bin directory, give the full path to keystore.p12 and to the destination keystore.jks:

cd <InstallDir>/JRE/bin
keytool -importkeystore -srckeystore keystore.p12 -srcstoretype PKCS12 -destkeystore keystore.jks

You may receive the following warning; it can be ignored.

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.jks -deststoretype pkcs12".

Example 2: PFX (X.509) File

keytool -importkeystore -srckeystore mycert.pfx -srcstoretype PKCS12 -destkeystore keystore.jks

Once the keystore has been generated and your certificate imported, update the following properties in the jetty/base/etc/installation.properties file. The keyStorePath value must point to the keystore file you actually created (relative to jetty/base), and the password properties must match the password you set when creating the keystore (replace percussion with that password):

jetty.sslContext.keyStorePath=etc/keystore
jetty.sslContext.trustStorePath=etc/keystore
jetty.sslContext.keyStorePassword=percussion
jetty.sslContext.trustStorePassword=percussion
jetty.sslContext.keyManagerPassword=percussion
SSL Configuration

The SSL configuration properties are located in the jetty/base/etc/installation.properties file. This file is a Java properties file and follows Java property file syntax rules.

Windows Server users can use the RhythmyxServerPropertiesEditor.exe located in the installation directory on the server to configure SSL properties. This tool will configure both Jetty and JBoss with the same configuration unless/until the JBoss directories are manually removed.

[Screenshot: server properties editor]

For Linux server users, the /jetty/base/etc/installation.properties file may be edited directly. A reference configuration is provided below.

installation.properties

jetty.sslContext.keyStorePassword=percussion
jetty.ssl.port=9543
jetty.sslContext.trustStorePassword=percussion
jetty.sslContext.keyManagerPassword=percussion
perc.ssl.protocols=TLSv1.2
jetty.http.port=9892
perc.ssl.includeCiphers=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,\
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
jetty.sslContext.keyStorePath=etc/keystore
jetty.sslContext.trustStorePath=etc/keystore

In the reference configuration above, a default set of secure ciphers is defined, and Jetty will only enable the TLSv1.2 protocol. These ciphers work with all modern browsers, but they may not work for connections from some older browsers. If you need to support specific ciphers or SSL protocols for older browsers or client tools, enable them by changing the perc.ssl.protocols and perc.ssl.includeCiphers properties in installation.properties.

Once installation.properties is configured, restart the Jetty service; Rhythmyx should then be accessible via HTTPS on the configured jetty.ssl.port.
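Because installation.properties follows Java property syntax, a stray space inside a value or a cipher list broken across lines without a continuation backslash silently changes what Jetty loads. The following added example (not part of the Percussion documentation) reads a constructed fragment with the Java rules and flags the settings that most often break a Rhythmyx HTTPS setup: unknown or legacy protocol names, non-ECDHE ciphers, and the documented default keystore password left in place.

```python
import re

# Constructed sample, not a real installation.properties: it carries a stray
# space in the protocol name and a cipher list continued onto a second line.
SAMPLE = """\
jetty.sslContext.keyStorePassword=percussion
jetty.ssl.port= 9543
perc.ssl.protocols=TLSv1. 2
jetty.http.port= 9892
perc.ssl.includeCiphers=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,\\
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
jetty.sslContext.keyStorePath=etc/keystore
"""
MODERN_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
LEGACY_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}

def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, '=' or ':' with
    surrounding whitespace ignored, trailing backslash joins the next line
    (leading whitespace of the continuation dropped). No unicode escapes."""
    props, logical = {}, None
    for raw in text.splitlines():
        line = raw.lstrip()
        logical = line if logical is None else logical + line
        if logical.endswith("\\"):          # continuation: keep accumulating
            logical = logical[:-1]
            continue
        if logical and not logical.startswith(("#", "!")):
            m = re.match(r"([^=:\s]*)\s*[=:]?\s*(.*)", logical)
            props[m.group(1)] = m.group(2).strip()
        logical = None
    return props

def lint_ssl_config(props):
    """Return findings as strings; an empty list means the SSL settings are sane."""
    findings = []
    def split(key):
        return [v.strip() for v in props.get(key, "").split(",") if v.strip()]
    for proto in split("perc.ssl.protocols"):
        if proto in LEGACY_PROTOCOLS:
            findings.append(f"legacy protocol enabled: {proto}")
        elif proto not in MODERN_PROTOCOLS:
            findings.append(f"unrecognised protocol name: {proto!r}")
    for cipher in split("perc.ssl.includeCiphers"):
        if not cipher.startswith("TLS_ECDHE_"):  # keep forward secrecy
            findings.append(f"non-ECDHE cipher listed: {cipher}")
    for key in ("keyStorePassword", "trustStorePassword", "keyManagerPassword"):
        if props.get("jetty.sslContext." + key) == "percussion":
            findings.append(f"{key} still uses the documented default value")
    return findings
```

Run it against the real file with lint_ssl_config(parse_properties(open(path).read())) after editing installation.properties and before restarting the service.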

Disabling HTTPS after it is enabled

To disable HTTPS on Rhythmyx you must first shut down the Rhythmyx server. After the server is shut down, delete these files:
  • {Rhythmyx_home}/jetty/base/start.d/ssl.ini
  • {Rhythmyx_home}/jetty/base/start.d/https.ini
  • {Rhythmyx_home}/jetty/base/start.d/perc-ssl.ini (if it exists)

On the next startup, Rhythmyx will run over HTTP only.

Redirecting HTTP requests to HTTPS

For the Rhythmyx Content Explorer, DCE, and all tools: update <Rhythmyx_Home>/rxconfig/Server/server.properties to include

requireHTTPS=true

For the Rhythmyx landing page: add the section below to the <Rhythmyx_Home>\jetty\base\webapps\root\WEB-INF\web.xml file, before the closing </web-app> element:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Root</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

A restart of the service is required after making these changes.
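After the restart, the plain HTTP port should answer every request with a redirect to the HTTPS port rather than serving content. The following added example (not Percussion's code) sends one GET to jetty.http.port without following redirects and checks that the response is a 3xx whose Location is an https URL on jetty.ssl.port; the port numbers are taken from the reference installation.properties above, and the host name localhost is an assumption.

```python
import http.client
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def check_redirect(status, location, ssl_port):
    """Pure check on one HTTP response; returns (ok, detail) so it can be
    exercised without a running server."""
    if status not in REDIRECT_CODES:
        return False, f"expected a 3xx redirect, got {status}"
    if not location:
        return False, "redirect carries no Location header"
    target = urlsplit(location)
    if target.scheme != "https":
        return False, f"Location is not https: {location}"
    port = target.port or 443            # https default when no port is given
    if port != ssl_port:
        return False, f"redirect targets port {port}, expected {ssl_port}"
    return True, location

def verify_https_redirect(host, http_port, ssl_port, path="/"):
    """GET one path over plain HTTP, do not follow redirects, evaluate it."""
    conn = http.client.HTTPConnection(host, http_port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return check_redirect(resp.status, resp.getheader("Location"), ssl_port)
    finally:
        conn.close()

if __name__ == "__main__":
    # Ports from the reference installation.properties; host is an assumption.
    ok, detail = verify_https_redirect("localhost", 9892, 9543, "/")
    print("OK" if ok else "FAIL", detail)
```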