Configure SSL/TLS
To configure SSL/TLS for CrafterCMS authoring and delivery, do the following:
Step 1: Create a keystore file
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
Step 2: Edit the tomcat file to use the keystore file by uncommenting or adding the “SSL HTTP/1.1 Connector” entry
Step 3: Test your setup
From tomcat.apache.org
:
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are technologies which allow web browsers and web servers to communicate over a secured connection. This means that the data being sent is encrypted by one side, transmitted, then decrypted by the other side before processing. This is a two-way process, meaning that both the server AND the browser encrypt all traffic before sending out data.*
CrafterCMS employs two deployment methods, traditional deployment and serverless deployment. Let’s take a look at an example of how to configure SSL/TLS in a traditional deployment and serverless (docker container) deployment:
Configuring SSL/TLS for CrafterCMS Authoring and Delivery in a Traditional Deployment
Step 1: Create a keystore file
Java’s keytool
file allows the user to create self signed certificates. For this example, we will be using a self signed certificate. Please remember that self signed certificates are not suitable for production use.
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
Enter keystore password: password (it will be invisible)
Re-enter new password: password
What is your first and last name?
[Unknown]: {FIRST_LAST_NAME}
What is the name of your organizational unit?
[Unknown]: {ORGANIZATIONAL_UNIT}
What is the name of your organization?
[Unknown]: {ORGANIZATION_NAME}
What is the name of your City or Locality?
[Unknown]: {CITY}
What is the name of your State or Province?
[Unknown]: {STATE_PROVINCE}
What is the two-letter country code for this unit?
[Unknown]: {COUNTRY_CODE}
Is CN={FIRST_LAST_NAME}, OU={ORGANIZATIONAL_UNIT}, O={ORGANIZATION_NAME}, L={CITY}, ST={STATE_PROVINCE}, C={COUNTRY_CODE} correct?
[no]: yes
Enter key password for
(RETURN if same as keystore password): password
Re-enter new password: password
The command above will generate a file named .keystore
in the users home directory. Take note of the location as it will be used in the next step.
Step 2: Configure tomcat to use the keystore file
The next step is to configure SSL/TLS Connector in the authoring/delivery tomcat file by uncommenting/adding the following:
1<Connector port="8443"
2 SSLEnabled="true"
3 clientAuth="false"
4 maxThreads="150"
5 protocol="org.apache.coyote.http11.Http11NioProtocol"
6 keystoreFile="/path/to/your/keystore"
7 keystorePass="yourKeystorePassword"
8 scheme="https"
9 secure="true"
10 sslProtocol="TLS"
11/>
where:
port : port number to be secured by your new keystore file
keystoreFile : path to your keystore file created from the previous step
keystorePass : password used when keystore file was created from the previous step
We’ll use the above values for our CrafterCMS authoring example. Save the changes and restart CrafterCMS authoring/delivery.
For more information on configuring SSL/TLS on Tomcat, see https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html
Step 3: Test your setup
To test your CrafterCMS authoring, open your browser and type in:
localhost:8443/studio
Since we are using a self-signed certificate, you’ll get a message similar to this depending on your browser:
From the above screen, just click on Advanced
, then allow it to proceed to localhost::8443
, and you will then be taken to the login screen of Crafter Studio
Configuring SSL/TLS for CrafterCMS Authoring and Delivery in a Docker Container
Setting up SSL/TLS for CrafterCMS authoring and delivery in a Docker Container is similar to the steps done for CrafterCMS Authoring and Delivery installed in a server, which just a few differences.
Step 1: Create a keystore file
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
Step 2: Edit the tomcat file to use the keystore file by uncommenting or adding the “SSL HTTP/1.1 Connector” entry
Step 3: Edit your
docker-compose.yml
file to setup connector port and certificateStep 4: Test your setup
Let’s take a look at an example of a CrafterCMS authoring running in a docker container. For reference, here’s the instruction for Running CrafterCMS in a Docker Container
Step 1: Create keystore file
Follow the step above Step 1: Create a keystore file to create your keystore file. For convenience, copy the .keystore
file where your docker-compose.yml
files is, so your directory structure looks like:
CrafterCMS authoring
|-- docker-compose.yml
|-- .keystore
Step 2: Configure tomcat to use the keystore file
Get a copy of the server.xml
file from your container by running the following command:
docker cp tomcat_1:/opt/crafter/bin/apache-tomcat/conf/server.xml .
The command above will copy the server.xml
file from your docker container to your current directory.
Follow the step above Step 2: Configure tomcat to use the keystore file to configure SSL/TLS Connector in the server.xml
file you just copied from the docker container.
Your directory should now contain the following:
CrafterCMS authoring
|-- docker-compose.yml
|-- .keystore
|-- server.xml
See https://docs.docker.com/engine/reference/commandline/cp/ for more information on docker cp
Step 3: Setup connector port and keystore file in docker-compose.yml
In your docker-compose.yml
file, under tomcat
:
Add port
8443
Add the keystore file and the edited
server.xml
file to volumes
Your docker-compose.yml
should look like below:
1version: '3.7'
2 services:
3 elasticsearch:
4 image: docker.elastic.co/elasticsearch/elasticsearch:6.6.0
5 ports:
6 - 9201:9200
7 environment:
8 - discovery.type=single-node
9 - bootstrap.memory_lock=true
10 - "ES_JAVA_OPTS=-Xss1024K -Xmx1G"
11 ulimits:
12 memlock:
13 soft: -1
14 hard: -1
15 volumes:
16 - elasticsearch_data:/usr/share/elasticsearch/data
17 - elasticsearch_logs:/usr/share/elasticsearch/logs
18 tomcat:
19 image: craftercms/authoring_tomcat:3.1.3 # craftercms version flag
20 depends_on:
21 - elasticsearch
22 - deployer
23 ports:
24 - 8080:8080
25 - 8443:8443
26 volumes:
27 - crafter_data:/opt/crafter/data
28 - crafter_logs:/opt/crafter/logs
29 - crafter_temp:/opt/crafter/temp
30 # Elastic Search dirs needed for backup/restore
31 - elasticsearch_data:/opt/crafter/data/indexes-es
32 - elasticsearch_logs:/opt/crafter/logs/elasticsearch
33 # SSL/TLS certificate
34 - ./.keystore:/etc/ssl/certs/.keystore
35 - ./server.xml:/opt/crafter/bin/apache-tomcat/conf/server.xml
36 environment:
37 - DEPLOYER_HOST=deployer
38 - DEPLOYER_PORT=9191
39 - ES_HOST=elasticsearch
40 - ES_PORT=9200
Restart your docker container.
Step 4: Test your setup
To test your CrafterCMS authoring, open your browser and type in:
localhost:8443/studio
You should see similar screens as shown above when we setup SSL/TLS for a traditional deployment.