Configure SSL Support

A production installation will almost always need SSL support, in order to be able to provide secure access to the Content Engine for remote users of Content Studio, Web Studio and so on.

To set up SSL support you must:

  1. Obtain a certificate from a Certificate Authority (CA) such as VeriSign or Thawte. (But see Using Self-Signed Certificates.)

  2. Install the certificate on every engine host for which you require HTTPS access. This means you should at least install the certificate on all your editorial hosts. You might, however, also want to install it on your presentation hosts in order to provide HTTPS access to some or all of your published content. For detailed instructions on how to install certificates for use by Tomcat, see http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html.

  3. Open /opt/tomcat-engine1/conf/server.xml for editing.

  4. Somewhere in this file you will find a commented-out Connector element for configuring SSL connections on port 8443. Uncomment this element, and add keystoreFile, keystorePass and URIEncoding attributes to it as follows:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
      maxThreads="150" scheme="https" secure="true"
      clientAuth="false" sslProtocol="TLS"
      keystoreFile="keystore-path" keystorePass="password" URIEncoding="UTF-8"/>

    keystore-path must be the path of the keystore you created in step 2. password must be the keystore/certificate password you created in step 2. The URIEncoding="UTF-8" attribute is required on all Connector elements in order to ensure that Content Engine search functionality works for non-Latin characters.

  5. Open the configuration layer file com/escenic/webstart/StudioConfig.properties for editing, and change the protocol name in the web service URL used by Content Studio. That is, change the setting of property.com.escenic.client.webservice.url from something like this:

    property.com.escenic.client.webservice.url=http://host-name:port/webservice/index.xml

    to something like this:

    property.com.escenic.client.webservice.url=https://host-name:port/webservice/index.xml

    If you installed everything on one host, then you will need to do this in your common configuration layer (/etc/escenic/engine/common/com/escenic/webstart/StudioConfig.properties). If you have a multi-host installation, then you will need to do it in one or more host configuration layers (/etc/escenic/engine/host/host-name/com/escenic/webstart/StudioConfig.properties).

The above procedure ensures that the Content Engine can support HTTPS access, but it does not enforce it in any way. Enforcement of HTTPS access to specific resources from specific locations can be achieved in a variety of ways and is outside the scope of this manual.

Using a front-end SSL server

Instead of setting up Tomcat to act as the SSL server, as described in step 4 above, you may want to configure Nginx, Apache or some other front end server to act as the SSL end point, and forward requests to the Content Engine via a normal HTTP connection. For this to work, the Tomcat connector must be configured as a proxy connector. This tells Tomcat (and ultimately the Content Engine) that the public server URI is the URI of the front-end proxy, and not the URI of Tomcat itself.

The following example shows a minimal connector configuration that works in this way. Compared with the connector in step 4, SSLEnabled is set to "false" (Tomcat no longer terminates SSL), the keystoreFile and keystorePass attributes are dropped, and the proxyName and proxyPort attributes are added while scheme="https" and secure="true" are kept:

<Connector port="8443" protocol="HTTP/1.1"
  maxThreads="150" URIEncoding="UTF-8"
  SSLEnabled="false" secure="true"
  proxyName="editorial.mydomain.com"
  proxyPort="443" scheme="https" />

The proxyName attribute may not be necessary (if, for example, the front-end proxy forwards the Host header). After setting up a proxy connector like this, you will need to configure your front-end proxy to forward requests to this connector on port 8443.
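The following script is an added example, not part of the Escenic documentation or product: it checks the settings that both the step-by-step procedure and the front-end proxy section care about. For every Connector it verifies URIEncoding="UTF-8" (the non-Latin search requirement); for a connector with scheme="https" it checks either the keystore attributes (Tomcat terminates SSL itself) or the proxy attributes (a front-end server terminates SSL), and it confirms that the Content Studio web service URL uses https. The server.xml and StudioConfig.properties fragments below are constructed samples, the keystore path and host names in them are made up, and the function names are this example's own.

```python
"""Sanity-check the SSL-related Tomcat and Content Studio settings described above.

Constructed sample inputs stand in for /opt/tomcat-engine1/conf/server.xml and
com/escenic/webstart/StudioConfig.properties; all names and paths are made up."""
import os
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

STUDIO_URL_KEY = "property.com.escenic.client.webservice.url"


def check_connector(attrs, keystore_exists=os.path.isfile):
    """Return the problems found in one <Connector>'s attributes (empty = OK).

    keystore_exists is injectable so the check can run on a host other than
    the one that holds the keystore (or in a test)."""
    problems = []
    if attrs.get("URIEncoding") != "UTF-8":
        problems.append('URIEncoding must be "UTF-8" on every Connector')
    if attrs.get("scheme") != "https":
        return problems  # plain HTTP connector: nothing SSL-related to check
    if attrs.get("secure") != "true":
        problems.append('scheme="https" requires secure="true"')
    if attrs.get("SSLEnabled") == "true":
        # Tomcat is the SSL end point (step 4): the keystore must be present
        keystore = attrs.get("keystoreFile")
        if not keystore:
            problems.append("SSLEnabled connector has no keystoreFile")
        elif not keystore_exists(keystore):
            problems.append(f"keystoreFile {keystore} does not exist on this host")
        if not attrs.get("keystorePass"):
            problems.append("SSLEnabled connector has no keystorePass")
    else:
        # SSL is terminated by a front-end server: this must be a proxy connector
        if "proxyPort" not in attrs:
            problems.append("front-end SSL connector needs proxyPort (and usually proxyName)")
        if "keystoreFile" in attrs:
            problems.append("keystoreFile has no effect when SSLEnabled is not true")
    return problems


def check_server_xml(text, keystore_exists=os.path.isfile):
    """Map each Connector's port to its list of problems."""
    root = ET.fromstring(text)
    return {c.get("port"): check_connector(c.attrib, keystore_exists)
            for c in root.iter("Connector")}


def check_studio_url(text):
    """Return (url, uses_https) for the Content Studio web service URL (step 5)."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(STUDIO_URL_KEY + "="):
            url = line.split("=", 1)[1].strip()
            return url, urlparse(url).scheme == "https"
    return None, False


# Constructed server.xml fragment: one plain connector, one Tomcat-terminated
# SSL connector, and one proxy connector that forgot URIEncoding.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" URIEncoding="UTF-8"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
      maxThreads="150" scheme="https" secure="true"
      clientAuth="false" sslProtocol="TLS"
      keystoreFile="/etc/escenic/keystore.jks" keystorePass="example-password"
      URIEncoding="UTF-8"/>
    <Connector port="8444" protocol="HTTP/1.1"
      maxThreads="150" SSLEnabled="false" secure="true"
      proxyName="editorial.example.com" proxyPort="443" scheme="https"/>
  </Service>
</Server>
"""

# Constructed StudioConfig.properties fragment
SAMPLE_STUDIO_PROPERTIES = """# host configuration layer, constructed sample
property.com.escenic.client.webservice.url=https://editorial.example.com/webservice/index.xml
"""

if __name__ == "__main__":
    # Pretend the sample keystore is installed on this host
    installed = lambda path: path == "/etc/escenic/keystore.jks"
    for port, problems in check_server_xml(SAMPLE_SERVER_XML, installed).items():
        print(port, "OK" if not problems else problems)
    print(check_studio_url(SAMPLE_STUDIO_PROPERTIES))
```

Run it against the real files by reading them into the two check functions with the default keystore_exists; a non-empty list for any port, or a False second element from check_studio_url, points at the step above that still needs doing.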