Apply an SSL Certificate to Percussion


Setting up https in Percussion CMS follows the standard procedure for the Jetty application server, documented at https://www.eclipse.org/jetty/documentation/jetty-9/index.html#configuring-ssl. Custom configuration parameters are placed in {installation root}/jetty/base/etc/installation.properties instead of the ssl.ini file described in that documentation.

Place your keystore file (public/private key pair) and certificate file in the directory {installation root}/jetty/base/etc.

Enable https in jetty

cd {installation root}/jetty

StartJetty.bat --add-to-start=https,ssl

This creates a default, non-secure, self-signed keystore at {installation root}/jetty/base/etc/keystore. It can be used on startup for testing but must be replaced with your actual keystore.

Create a keystore file

See the following Jetty documentation, which describes how to create a certificate and keystore for use in the server.

https://www.eclipse.org/jetty/documentation/jetty-9/index.html#generating-key-pairs-and-certificates

Place your keystore file (public/private key pair) and certificate file in the directory {installation root}/jetty/base/etc, then add the configuration properties to {installation root}/jetty/base/etc/installation.properties. See below for the configuration options.

Standard configuration options

Below are the main configuration options. The path specified is relative to the {installation root}/jetty/base directory. The keystore password can be entered in plain text, but it is recommended to obfuscate it, as in the default below with the OBF: prefix. The next section describes how to create obfuscated passwords for Jetty.

jetty.sslContext.keyStorePath=etc/keystore

jetty.sslContext.keyManagerPassword=OBF:1u2u1wml1z7s1z7a1wnl1u2g

perc.ssl.includeCiphers=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

perc.ssl.protocols=TLSv1.2

Jetty provides further configuration options; the current list can be found in {installation root}\jetty\upstream\modules\ssl.mod.

Obfuscating passwords for jetty configuration

java -cp {installation root}\jetty\upstream\lib\jetty-util-9.4.10.v20180503.jar org.eclipse.jetty.util.security.Password {password}

The version number may change; confirm the current version of jetty-util-*.jar in that directory before running the command.

This command prints a line starting with "OBF:". Copy the encoded password, including the prefix, into the configuration file.

See the Jetty documentation on this topic for more information:

https://www.eclipse.org/jetty/documentation/jetty-9/index.html#configuring-security-secure-passwords
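The following Python is an added illustration, not code from the Percussion or Jetty documentation: it reimplements the OBF: encoding that the Jetty Password tool produces (mirroring org.eclipse.jetty.util.security.Password) and decodes the sample value from the configuration above. The point for a reviewer is that OBF: is a reversible encoding, not encryption, so installation.properties still needs to be readable only by the service account; the Jetty tool remains the supported way to generate the value.

```python
"""Jetty OBF: password obfuscation, reimplemented for illustration.
Mirrors org.eclipse.jetty.util.security.Password: each byte of the
password is paired with its mirror byte and written as base-36 digits.
"""

OBF_PREFIX = "OBF:"
DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"


def _to_base36(n: int) -> str:
    """Equivalent of Java Integer.toString(n, 36) for n >= 0."""
    if n == 0:
        return "0"
    out = []
    while n:
        n, r = divmod(n, 36)
        out.append(DIGITS[r])
    return "".join(reversed(out))


def obfuscate(password: str) -> str:
    """Encode a password the way 'java ... Password <pw>' does."""
    b = password.encode("utf-8")
    n = len(b)
    buf = [OBF_PREFIX]
    for i in range(n):
        b1, b2 = b[i], b[n - 1 - i]      # byte paired with its mirror
        if b1 > 127 or b2 > 127:         # Java treats these as negative bytes
            buf.append("U" + _to_base36(b1 * 256 + b2).zfill(4))
        else:
            i1 = 127 + b1 + b2
            i2 = 127 + b1 - b2
            buf.append(_to_base36(i1 * 256 + i2).zfill(4))
    return "".join(buf)


def deobfuscate(obf: str) -> str:
    """Recover the plaintext from an OBF: string (no secret is involved)."""
    s = obf[len(OBF_PREFIX):] if obf.startswith(OBF_PREFIX) else obf
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "U":                  # 5-char group for non-ASCII bytes
            out.append((int(s[i + 1:i + 5], 36) >> 8) & 0xFF)
            i += 5
        else:                            # 4-char group for ASCII bytes
            i1, i2 = divmod(int(s[i:i + 4], 36), 256)
            out.append((i1 + i2 - 254) // 2)
            i += 4
    return out.decode("utf-8")


if __name__ == "__main__":
    sample = "OBF:1u2u1wml1z7s1z7a1wnl1u2g"   # value from the page's sample config
    print(deobfuscate(sample))                 # the password, recovered in clear
    print(obfuscate(deobfuscate(sample)) == sample)
```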

Restart the CMS service for the changes to take effect.

Ensure that you can log in over https on your SSL port. You may need to reconfigure your Dashboard gadgets (edit settings) the first time you log in via SSL if you previously logged in via the http protocol.