
Custom integration for Secure Socket Layer (SSL) communication

Configuring SSL for HTTPS access from Web Clients

The recommended method of configuring HTTPS access to Web Clients is to use the -ssl options of the Setup utility as explained in Server Installation and Configuration:

  • [{ -s | --ssl }] SSL: enable or disable ssl

  • [{ -sc | --ssl-cert-file }] SSL: the X.509 file containing the SSL certificate

  • [{ -sk | --ssl-key-file }] SSL: the X.509 file containing the SSL key

  • [{ -sp | --ssl-key-password }] SSL: the password for the SSL key file

  • [{ -sr | --ssl-root-chain-file }] SSL: the X.509 file containing the SSL certificate chain

For example:

  $MM_HOME/Setup.sh -s true -sk MyPrivateKeyFile -sp MyPrivateKeyPassword

If the above method fails, you may manually update the server keystore location and password by editing $MM_HOME/tomcat/conf/server.xml to change the values of certificateKeystoreFile and certificateKeystorePassword within the <Certificate> section.

Configuring SSL to access Remote Servers

There are multiple use cases for using SSL to access a remote server:

  • Configuring HTTPS for Remote Metadata Harvesting Agents (Remote MetaKarta Server)

  • Configuring SSL for Harvesting Metadata with API based bridges (e.g. a database server via JDBC)

  • Configuring SSL for Repository Storage (database server via JDBC)

  • Configuring LDAPS for Enterprise Directory

In all of the above use cases, no extra setup is needed when using an official certificate signed by a Certificate Authority (CA): using the https-based URL is enough.

However, when using a self-signed certificate, that certificate needs to be explicitly imported into the Java environment of your server. The recommended method to import such a certificate is to use the -certificate options of the Setup utility as explained in Server Installation and Configuration:

  • [{ -ch | --certificate-host }] Certificate: the host name to retrieve the certificate for

  • [{ -cp | --certificate-port }] Certificate: the port number to connect to

For example:

  $MM_HOME/Setup.sh -ch MyServer.MyDomain.com -cp 443

If the above method fails, you may manually import the certificate into the Java environment keystore as follows:

  cd $MM_HOME/jre/lib/security
  mv jssecacerts jssecacerts.old
  $MM_HOME/bin/keytool -importkeystore -srckeystore YourSelfSignedCertificate -keystore jssecacerts
  $MM_HOME/RestartServerApplication.sh (or RestartServerService.bat on Windows)

Note that the above import steps have to be repeated for the self-signed certificate of every remote server.

Use of Wildcard Certificates

One may wish to use wildcard certificates, as it is convenient for dev and test environments to share certificates.

However, the fundamental issue is that one should NOT use a wildcard certificate in production: it does not contain the Fully Qualified Domain Name (FQDN), so one can use it for any purpose. Most DevOps and InfoSec teams would never tolerate that. Thus, the automatic Setup does not support wildcard certificates, as the software cannot guess the FQDN; their use is neither recommended nor directly supported.
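A check one can run on a certificate's subject alternative names before handing it to the Setup utility or importing it into jssecacerts, as an added example that is not part of the product or its documentation: it applies TLS hostname matching and then the production policy described above (a wildcard name is rejected even when a client would accept it). The SAN printout, host names and function names are constructed assumptions.

```python
import re

# Constructed sample: a subjectAltName extension as printed by
# `openssl x509 -noout -ext subjectAltName` (the names are made up).
SAN_TEXT = """X509v3 Subject Alternative Name:
    DNS:metakarta.mydomain.example, DNS:*.mydomain.example, IP Address:10.0.0.5"""


def dns_names_from_san_text(san_text: str) -> list[str]:
    """Extract the DNS entries from a printed subjectAltName extension."""
    return re.findall(r"DNS:([^,\s]+)", san_text)


def is_wildcard_name(name: str) -> bool:
    return name.startswith("*.")


def name_matches(cert_name: str, fqdn: str) -> bool:
    """TLS hostname matching (RFC 6125 style): case-insensitive comparison;
    a wildcard covers exactly one left-most label and never the bare domain."""
    cert_name = cert_name.lower().rstrip(".")
    fqdn = fqdn.lower().rstrip(".")
    if not is_wildcard_name(cert_name):
        return cert_name == fqdn
    suffix = cert_name[1:]  # "*.mydomain.example" -> ".mydomain.example"
    if not fqdn.endswith(suffix):
        return False
    host_label = fqdn[: -len(suffix)]
    return bool(host_label) and "." not in host_label


def assess_certificate(dns_names: list[str], fqdn: str) -> dict:
    """Production policy: the certificate must explicitly name the server's
    FQDN, and any wildcard name disqualifies it even if a TLS client would
    accept the match, because the FQDN cannot be derived from it."""
    matching = [n for n in dns_names if name_matches(n, fqdn)]
    wildcard = any(is_wildcard_name(n) for n in dns_names)
    if not matching:
        verdict = "reject: no subject name covers " + fqdn
    elif wildcard:
        verdict = "reject: certificate carries a wildcard name"
    else:
        verdict = "accept: certificate explicitly names " + fqdn
    return {"tls_hostname_match": bool(matching), "wildcard": wildcard, "verdict": verdict}


if __name__ == "__main__":
    names = dns_names_from_san_text(SAN_TEXT)
    for host in ("metakarta.mydomain.example", "a.b.mydomain.example", "mydomain.example"):
        print(host, "->", assess_certificate(names, host)["verdict"])
```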