
Configure SSL/TLS

To configure SSL/TLS for CrafterCMS authoring and delivery, do the following:

  • Step 1: Create a keystore file

    $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
    

  • Step 2: Edit the tomcat file to use the keystore file by uncommenting or adding the “SSL HTTP/1.1 Connector” entry

  • Step 3: Test your setup

From tomcat.apache.org:

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are technologies which allow web browsers and web servers to communicate over a secured connection. This means that the data being sent is encrypted by one side, transmitted, then decrypted by the other side before processing. This is a two-way process, meaning that both the server AND the browser encrypt all traffic before sending out data.

CrafterCMS employs two deployment methods, traditional deployment and serverless deployment. Let’s take a look at an example of how to configure SSL/TLS in a traditional deployment and serverless (docker container) deployment:

Configuring SSL/TLS for CrafterCMS Authoring and Delivery in a Traditional Deployment

Step 1: Create a keystore file

Java's keytool utility can create self-signed certificates, which is what this example uses. Self-signed certificates are not suitable for production: browsers will not trust them, and users who click through the warning lose the protection against an attacker presenting a different certificate. For production, import a certificate issued by a CA your clients trust. In either case, answer the "first and last name" prompt with the hostname users will type (this becomes the certificate's CN), not a person's name, because browsers match the certificate against the hostname.

$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA

Enter keystore password:  password (it will be invisible)
Re-enter new password: password
What is your first and last name?
  [Unknown]:  {FIRST_LAST_NAME}
What is the name of your organizational unit?
  [Unknown]:  {ORGANIZATIONAL_UNIT}
What is the name of your organization?
  [Unknown]:  {ORGANIZATION_NAME}
What is the name of your City or Locality?
  [Unknown]:  {CITY}
What is the name of your State or Province?
  [Unknown]:  {STATE_PROVINCE}
What is the two-letter country code for this unit?
  [Unknown]:  {COUNTRY_CODE}
Is CN={FIRST_LAST_NAME}, OU={ORGANIZATIONAL_UNIT}, O={ORGANIZATION_NAME}, L={CITY}, ST={STATE_PROVINCE}, C={COUNTRY_CODE} correct?
  [no]:  yes

Enter key password for <tomcat>
    (RETURN if same as keystore password):  password
Re-enter new password: password

The command above writes a file named .keystore in the user's home directory (keytool's default when no -keystore option is given). Take note of the location, as it will be used in the next step, and keep the file readable only by the account Tomcat runs as: it contains the private key.

Step 2: Configure tomcat to use the keystore file

The next step is to configure the SSL/TLS Connector in the authoring/delivery Tomcat server.xml by uncommenting or adding the following:

CRAFTER_HOME/bin/apache-tomcat/conf/server.xml

<Connector port="8443"
  SSLEnabled="true"
  clientAuth="false"
  maxThreads="150"
  protocol="org.apache.coyote.http11.Http11NioProtocol"
  keystoreFile="/path/to/your/keystore"
  keystorePass="yourKeystorePassword"
  scheme="https"
  secure="true"
  sslProtocol="TLS"
/>

where:

  • port : port number to be secured by your new keystore file

  • keystoreFile : absolute path to the keystore file created in the previous step

  • keystorePass : the keystore password entered in the previous step. If you gave the key its own password at the "Enter key password for <tomcat>" prompt instead of pressing RETURN, also add a keyPass attribute with that value, otherwise Tomcat cannot read the key.

Because keystorePass is stored in clear text, make server.xml readable only by the Tomcat user. The attributes above are Tomcat's connector-level (legacy) form; Tomcat 8.5 and 9 still accept them, but the Tomcat HOW-TO linked below recommends the nested SSLHostConfig/Certificate form, which also lets you restrict the enabled protocols and ciphers.

We'll use the above values for our CrafterCMS authoring example. Save the changes and restart CrafterCMS authoring/delivery.

For more information on configuring SSL/TLS on Tomcat, see https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html

Step 3: Test your setup

To test your CrafterCMS authoring, open your browser and go to the following URL. The https:// scheme matters: a plain http:// request sent to the TLS port is rejected by Tomcat.

https://localhost:8443/studio

Since we are using a self-signed certificate, you'll get a message similar to this, depending on your browser:

[Screenshot: "Connection not private" message shown for a self-signed certificate]

From the above screen, click on Advanced, then allow it to proceed to localhost:8443, and you will be taken to the login screen of Crafter Studio.

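The three steps above, collected into a script as an added example (this is not part of the CrafterCMS documentation or product). It replaces the interactive keytool session with a non-interactive one that puts the hostname into the CN and a SAN entry, then runs a pre-flight check on server.xml before Tomcat is restarted, and finally probes the TLS port with openssl instead of a browser. Assumptions that are not on the page: keytool (JDK 8 or later) and openssl on PATH, the hostname authoring.example.com, and the function and variable names used here. The check function takes the keystore path Tomcat must see as its third argument; for the Docker variant described further down, that is the in-container mount target (/etc/ssl/certs/.keystore), not the host-side ./.keystore.

```shell
#!/bin/sh
# Added example, not CrafterCMS code. Step 1 (keystore), Step 2 pre-flight
# check of the Connector in server.xml, Step 3 probe of the TLS port.
# Assumed: keytool and openssl on PATH; hostname authoring.example.com.

ALIAS="tomcat"   # same alias the page's keytool command uses

# Step 1, non-interactive. CN and a SAN entry carry the real hostname:
# browsers match the certificate against SAN, so a CN of "First Last"
# would never verify. -keysize 2048 avoids older JDK defaults of 1024.
gen_keystore() {  # $1 keystore path, $2 hostname, $3 password
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$2, OU=Web, O=Example Org, L=City, ST=State, C=US" \
        -ext "SAN=dns:$2,dns:localhost" \
        -keystore "$1" -storepass "$3" -keypass "$3" || return 1
    chmod 600 "$1"   # the private key lives here: owner-only access
}

# Pull one attribute value out of the Connector in server.xml
# (one attribute per line, as in the snippet on the page).
connector_attr() {  # $1 server.xml, $2 attribute name
    sed -n "s/.*$2=\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Step 2 pre-flight: print every problem found, return 1 if there was any.
# $2 is where the keystore is on disk, $3 is the path Tomcat must see
# (they differ in the Docker setup, where the keystore is bind-mounted).
check_connector() {  # $1 server.xml, $2 keystore on disk, $3 expected keystoreFile
    f="$1"; rc=0
    grep -q 'SSLEnabled="true"' "$f" || { echo "no SSLEnabled=\"true\" connector"; rc=1; }
    ks=$(connector_attr "$f" keystoreFile)
    [ "$ks" = "$3" ] || { echo "keystoreFile is '$ks', expected '$3'"; rc=1; }
    [ -f "$2" ] || { echo "keystore $2 does not exist"; rc=1; }
    pw=$(connector_attr "$f" keystorePass)
    case "$pw" in
        ""|yourKeystorePassword|password|changeit)
            echo "keystorePass is empty or a placeholder/default"; rc=1 ;;
    esac
    # keystorePass sits in server.xml in clear text: column 8 of ls -l is the
    # "others can read" bit, which must be '-'
    [ "$(ls -l "$f" | cut -c8)" = "-" ] || { echo "$f is world-readable"; rc=1; }
    return "$rc"
}

# Step 3 without a browser: print the certificate the connector actually
# serves, so CN/SAN and validity can be checked against what was generated.
probe_tls() {  # $1 hostname, $2 port
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -dates
}
```

Source the script and call the functions in order, for example `gen_keystore "$HOME/.keystore" authoring.example.com "$KEYSTORE_PASS"`, then `check_connector CRAFTER_HOME/bin/apache-tomcat/conf/server.xml "$HOME/.keystore" "$HOME/.keystore"`, and after the restart `probe_tls localhost 8443`. The check deliberately rejects the page's placeholder values (keystoreFile="/path/to/your/keystore", keystorePass="yourKeystorePassword") and a world-readable server.xml, which are the three mistakes most often left behind after copying the snippet.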

Configuring SSL/TLS for CrafterCMS Authoring and Delivery in a Docker Container

Setting up SSL/TLS for CrafterCMS authoring and delivery in a Docker container is similar to the steps for CrafterCMS authoring and delivery installed on a server, with just a few differences.

  • Step 1: Create a keystore file

    $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
    

  • Step 2: Edit the tomcat file to use the keystore file by uncommenting or adding the “SSL HTTP/1.1 Connector” entry

  • Step 3: Edit your docker-compose.yml file to setup connector port and certificate

  • Step 4: Test your setup

Let's take a look at an example of CrafterCMS authoring running in a Docker container. For reference, here are the instructions for Running CrafterCMS in a Docker Container.

Step 1: Create keystore file

Follow Step 1: Create a keystore file above to create your keystore file. For convenience, copy the .keystore file to the directory where your docker-compose.yml file is, so your directory structure looks like:

CrafterCMS authoring
  |-- docker-compose.yml
  |-- .keystore

Step 2: Configure tomcat to use the keystore file

Get a copy of the server.xml file from your running container (the container name depends on your Compose project name; check docker ps if yours is not tomcat_1):

docker cp tomcat_1:/opt/crafter/bin/apache-tomcat/conf/server.xml .

The command above copies the server.xml file from your Docker container to your current directory. Follow Step 2: Configure tomcat to use the keystore file above to configure the SSL/TLS Connector in the server.xml file you just copied, with one difference: keystoreFile must be the path the keystore will have inside the container, which with the volume mount used in Step 3 below is /etc/ssl/certs/.keystore, not the host-side ./.keystore.

Your directory should now contain the following:

CrafterCMS authoring
  |-- docker-compose.yml
  |-- .keystore
  |-- server.xml

See https://docs.docker.com/engine/reference/commandline/cp/ for more information on docker cp

Step 3: Set up the connector port and keystore file in docker-compose.yml

In your docker-compose.yml file, under tomcat:

  • Publish port 8443 (the port of the Connector you configured in server.xml)

  • Mount the keystore file and the edited server.xml file as volumes; the keystore's mount target must match the keystoreFile value in server.xml

Both files now live on the host and server.xml holds the keystore password in clear text, so restrict their permissions to the user who runs Docker Compose. Your docker-compose.yml should look like below:

version: '3.7'
services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:6.6.0
    ports:
      - 9201:9200
    environment:
      - discovery.type=single-node
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xss1024K -Xmx1G"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - elasticsearch_data:/usr/share/elasticsearch/data
      - elasticsearch_logs:/usr/share/elasticsearch/logs
  tomcat:
    image: craftercms/authoring_tomcat:3.1.3 # craftercms version flag
    depends_on:
      - elasticsearch
      - deployer
    ports:
      - 8080:8080
      - 8443:8443
    volumes:
      - crafter_data:/opt/crafter/data
      - crafter_logs:/opt/crafter/logs
      - crafter_temp:/opt/crafter/temp
      # Elastic Search dirs needed for backup/restore
      - elasticsearch_data:/opt/crafter/data/indexes-es
      - elasticsearch_logs:/opt/crafter/logs/elasticsearch
      # SSL/TLS certificate
      - ./.keystore:/etc/ssl/certs/.keystore
      - ./server.xml:/opt/crafter/bin/apache-tomcat/conf/server.xml
    environment:
      - DEPLOYER_HOST=deployer
      - DEPLOYER_PORT=9191
      - ES_HOST=elasticsearch
      - ES_PORT=9200

Re-run docker-compose up -d so the containers are recreated with the new port mapping and volumes; simply restarting the running container does not pick up changes to docker-compose.yml.

Step 4: Test your setup

To test your CrafterCMS authoring, open your browser and go to (note the https:// scheme):

https://localhost:8443/studio

You should see similar screens as shown above when we setup SSL/TLS for a traditional deployment.