Enable HTTPS, configure HTTP and HTTPS ports and redirect HTTP requests to HTTPS

Enabling SSL

Updated for Patch level 732_20171007b.
Enabling SSL on Jetty requires the enablement of the jetty ssl and https modules.   Prior to enabling these modules, stop the jetty service if it is running.
Linux:
service rxjetty stop
Windows
net stop rxjetty 
Enabling the SSL and HTTPS modules:
cd {RHYTHMYX_HOME}\jetty\
StartJetty.bat --add-to-start=ssl,https
cd {RHYTHMYX_HOME}\jetty\
StartJetty.sh --add-to-start=ssl,https
 
These commands should return similar output to that below:

[root@rhythmyx jetty]# ./StartJetty.sh --add-to-start=ssl,https

Found Jetty service rxjetty in /etc/default/rxjetty pointing to jetty base /opt/Rhythmyx/jetty/base

This instance is currently installed as service rxjetty

/var/run/rxjetty/rxjetty

INFO  : https           initialized in ${jetty.base}/start.d/https.ini

INFO  : ssl             initialized in ${jetty.base}/start.d/ssl.ini

COPY  : ${jetty.home}/modules/ssl/keystore to ${jetty.base}/etc/keystore

INFO  : Base directory was modified

Existing Java Keystore Under JBOSS
If you have an existing java keystore with an SSL certificate installed under JBoss, the keystore file must be copied to the <InstallDir>/jetty/base/etc folder.  You can identify an existing JBoss keystore file location by scanning the AppServer\server\rx\deploy\jboss-web.deployer\server.xml file for the keystoreFile attribute.  The location of the keystore file will be whatever value "keystoreFile" is set to.

For example if keystoreFile="AppServer/server/rx/conf/identity.jks" , move:

  • AppServer/server/rx/conf/identity.jks
 to 
  • jetty/base/etc/
Example Java Keystore
When the ssl and https jetty modules are installed an example keystore is created in the jetty/base/etc/keystore location if one does not exist.  The example keystore is configured with a self signed certificate and will show security errors from the browser when trying to access the site, but is a good way to check that ssl is enabled. 
Creating a new Keystore With an Existing Valid Certificate
Example 1:  OpenSSL (PEM) Public & Private Key 
cd <InstallDir>/jetty/base/etc

openssl pkcs12 -export -chain -in /path/to/cert/my.crt -inkey /path/to/key/my.key.pem -out keystore.p12 -name training.percussion.com -CAfile /path/to/bundle/bundle.crt

This command will generate a PKS12 standards based keystore, which can now be imported to a J2SE keystore.

keytool -importkeystore -srckeystore keystore.p12 -srcstoretype PKCS12 -destkeystore keystore.jks

You may receive the following warning, this can be ignored.

Warning:

The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.jks -deststoretype pkcs12".

Example 2:  PFX (X.509) File
keytool -importkeystore -srckeystore mycert.pfx -srcstoretype PKCS12 -destkeystore keystore.jks
One the keystore is generated and your certificate imported.  Update the following properties in the jetty/base/etc/installation.properties file:
jetty.sslContext.keyStorePath=etc/keystore
jetty.sslContext.trustStorePath=etc/keystore
jetty.sslContext.keyStorePassword=percussion
jetty.sslContext.trustStorePassword=percussion
jetty.sslContext.keyManagerPassword=percussion
 
SSL Configuration
The location of the SSL configuration properties are located in the jetty/base/etc/installation.properties file.  This file is a Java properties file, and follows Java Property file syntax rules. 
Windows Server users can use the  RhythmyxServerPropertiesEditor.exe located in the installation directory on the server to configure SSL properties.  This tool will configure both Jetty and JBoss with the same configuration unless/until JBoss directories are manually removed.
 
server properties editor
 

For Linux server users the /jetty/base/etc/installation.properties file may be edited directly.  A reference configuration is provided below.

installation.properties
jetty.sslContext.keyStorePassword=percussion
jetty.ssl.port= 9543
jetty.sslContext.trustStorePassword=percussion
jetty.sslContext.keyManagerPassword=percussion
perc.ssl.protocols=TLSv1. 2
jetty.http.port= 9892
perc.ssl.includeCiphers=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
jetty.sslContext.keyStorePath=etc/keystore
jetty.sslContext.trustStorePath=etc/keystore

In the example configuration above, we have defined a default set of secure ciphers, and by default Jetty will only enable the TLSv1.2 protocol.  These ciphers work well with all modern browsers, however these ciphers may not work for connections from some older browsers.  If you need to support specific ciphers or SSL protocols for older browsers or client tools, you can enable them by changing the SSL protocols property in installation.properties (perc.ssl.protocols and perc.ssl.includeCiphers). 

Once the installation.properties are configured, the Jetty service may be restarted and Rhythmyx should now be accessible via HTTPS on the configured jetty.ssl.port.

Disabling HTTPS after it is enabled 

To disable HTTPS on Rhythmyx you must first shut down the Rhythmyx server.
After the server is shutdown, delete these files:
  • {Rhythmyx_home}/jetty/base/start.d/ssl.ini
  • {Rhythmyx_home}/jetty/base/start.d/https.ini
  • {Rhythmyx_home}/jetty/base/start.d/perc-ssl.ini (if it exists)

The next startup will have Rhythmyx running in HTTP.

Redirecting HTTP requests to HTTPS

For Rhythmyx Content Explorer, DCE, and all tools: 

Update <Rhythmyx_Home>/rxconfig/Server/server.properties to include

requireHTTPS=true 

 For Rhythmyx landing page:  Update/Add <Rhythmyx_Home>\jetty\base\webapps\root\WEB-INF\web.xml file with below listed section before </web-app> end node:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Root</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

A restart of the service is required after making these changes.