Configure SSL Support

A production installation will almost always need SSL support to provide secure access to the Content Engine for remote users of Content Studio, Web Studio and so on.

To set up SSL support you must:

  1. Obtain a certificate from a Certificate Authority (CA) such as VeriSign or Thawte. (But see Using Self-Signed Certificates.)

  2. Install the certificate on every engine host for which you require HTTPS access. This means you should at least install the certificate on all your editorial hosts. You might, however, also want to install it on your presentation hosts in order to provide HTTPS access to some or all of your published content. For detailed instructions on how to install certificates for use by Tomcat, see http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html.

  3. Open /opt/tomcat/conf/server.xml for editing.

  4. Somewhere in this file you will find a commented-out Connector element for configuring SSL connections on port 8443. Uncomment this element, and add keystoreFile, keystorePass and URIEncoding attributes to it as follows:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
      maxThreads="150" scheme="https" secure="true"
      clientAuth="false" sslProtocol="TLS"
      keystoreFile="keystore-path" keystorePass="password" URIEncoding="UTF-8"/>

    keystore-path must be the path of the keystore you created in step 2. password must be the keystore/certificate password you created in step 2. The URIEncoding="UTF-8" attribute is required on all Connector elements in order to ensure that Content Engine search functionality works for non-Latin characters.

  5. Open the configuration layer file com/escenic/webstart/StudioConfig.properties for editing, and change the protocol name in the web service URL used by Content Studio. That is, change the setting of property.com.escenic.client.webservice.url from something like this:

    property.com.escenic.client.webservice.url=http://host-name:port/webservice/index.xml

    to something like this:

    property.com.escenic.client.webservice.url=https://host-name:port/webservice/index.xml

    If you installed everything on one host, then you will need to do this in your common configuration layer (/etc/escenic/engine/common/com/escenic/webstart/StudioConfig.properties). If you have a multi-host installation, then you will need to do it in one or more host configuration layers (/etc/escenic/engine/host/host-name/com/escenic/webstart/StudioConfig.properties).

The above procedure ensures that the Content Engine can support HTTPS access, but it does not enforce it in any way. Enforcement of HTTPS access to specific resources from specific locations can be achieved in a variety of ways and is outside the scope of this manual.
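
The following check for steps 4 and 5 is an added example, not part of the Escenic documentation or tooling: it parses the contents of server.xml and StudioConfig.properties and reports what the procedure above still requires. The sample inputs and the host name cms.example.com are constructed, and the properties parsing assumes simple key=value lines.

```python
import xml.etree.ElementTree as ET

URL_KEY = "property.com.escenic.client.webservice.url"

# Constructed sample inputs, not taken from a real installation.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <!-- <Connector port="8009" protocol="AJP/1.3"/> -->
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
      maxThreads="150" scheme="https" secure="true"
      clientAuth="false" sslProtocol="TLS"
      keystoreFile="keystore-path" keystorePass="password" URIEncoding="UTF-8"/>
  </Service>
</Server>"""
SAMPLE_STUDIO_PROPS = URL_KEY + "=http://cms.example.com:8080/webservice/index.xml\n"

def audit_ssl_setup(server_xml, studio_props):
    """Return a list of findings; an empty list means steps 4 and 5 look complete."""
    findings = []
    # ElementTree drops XML comments, so a commented-out Connector is not counted.
    connectors = list(ET.fromstring(server_xml).iter("Connector"))
    ssl = [c for c in connectors if c.get("SSLEnabled", "").lower() == "true"]
    if not ssl:
        findings.append('no active Connector with SSLEnabled="true"')
    for c in connectors:  # URIEncoding is required on every Connector
        if c.get("URIEncoding", "").upper() != "UTF-8":
            findings.append(f'port {c.get("port")}: URIEncoding="UTF-8" missing')
    for c in ssl:
        for attr, placeholder in (("keystoreFile", "keystore-path"),
                                  ("keystorePass", "password")):
            if c.get(attr) in (None, "", placeholder):
                findings.append(f'port {c.get("port")}: {attr} missing or placeholder')
        if c.get("scheme") != "https" or c.get("secure") != "true":
            findings.append(f'port {c.get("port")}: scheme/secure not set for HTTPS')
    url = None
    for line in studio_props.splitlines():  # assumes simple key=value lines
        key, sep, value = line.partition("=")
        if sep and key.strip() == URL_KEY:
            url = value.strip()
    if url is None:
        findings.append(f"{URL_KEY} is not set")
    elif not url.lower().startswith("https://"):
        findings.append(f"{URL_KEY} does not use https: {url}")
    return findings

if __name__ == "__main__":
    for finding in audit_ssl_setup(SAMPLE_SERVER_XML, SAMPLE_STUDIO_PROPS):
        print(finding)
```

To check a real host, pass the text of /opt/tomcat/conf/server.xml and of the StudioConfig.properties file from the relevant configuration layer instead of the samples.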