FileNet P8 Application Engine, FileNet P8 Content Engine, Version 5.0.+

Enabling SSL for Content Engine

When you enable SSL, a server certificate is added to the Directory Services server (for authentication). In addition, the CA certificate is added in two different locations on the Content Engine server: the application server keystore and the JDK keystore (the JDK keystore is the one used for authorization). Take care to ensure that the proper certificate is added to each of the three locations.

To enable SSL for Content Engine:

  1. Obtain and install a server certificate and a CA certificate on the directory service. These certificates are available from independent certificate authorities, such as VeriSign, or you can generate your own certificates if you have the necessary certificate management software installed.
  2. Enable SSL on the directory service and set the SSL port number. The default SSL port number is 636; however, if you have more than one directory service that is using SSL on the server, you might need to use a non-default port number. See your directory server documentation for instructions.
  3. On the Content Engine server, add the CA certificate to the application server keystore, if it does not already contain it.
  4. On the Content Engine server, add the CA certificate to the JDK (Java™) keystore, if it does not already contain it. You can use the default key store, or create your own key store in a custom location.
    • To use the JDK default Java key store, do the following:
      1. Determine the Java version your application server uses and the JAVA_HOME location.
      2. Use the keytool to import the CA certificate to the Java keystore at %JAVA_HOME%\jre\lib\security\cacerts.
      3. To improve security, change the default password.
    • To use your own key store (rather than the JDK default key store), do the following:
      1. Add the following system properties to the Java command line in your application server startup script (no space after the equals sign):
        -Djavax.net.ssl.trustStore=path_to_your_keystore_file
        -Djavax.net.ssl.trustStorePassword=password_of_your_keystore
      2. Use the Java keytool to import the CA certificate to your own keystore.
  5. Use Enterprise Manager to enable SSL for Content Engine and set the port number to match the SSL port on the directory server.
  6. Obtain another server and CA certificate for the Content Engine.
  7. Create a custom identity keystore on the Content Engine server, and add the server certificate to the custom keystore.
  8. Using the application server administration tool, enable SSL and point to the custom identity keystore. Directions vary by application server type; see your application server documentation for detailed procedures.
    Option: Description
    WebSphere® Application Server: Configure an SSL repertoire. In the left pane of the WebSphere administrative console, navigate to Security > SSL. In the right pane, select your Java Secure Socket Extension (JSSE) repertoire and specify key and trust file names and passwords.
    Oracle WebLogic Server: Set up a custom identity keystore. In the left pane of the WebLogic Administration Console, navigate to DomainName > Servers > ServerName. In the right pane, select Keystores and SSL and specify the keystore information.
    JBoss Application Server: See your application server documentation.
    Important: (WebLogic only) The name in your certificate must match the host name specified in your WebLogic application server. If the name in the certificate is fully qualified (for example, Host1.filenet.com), the same fully qualified host name must appear in the Host field (WebLogic > Authentication Provider > Active Directory tab > Host field).
  9. Configure clients to use a particular URL for connecting to Content Engine based on the application server type and the client transport (protocol) type. The following table provides the default ports and sample URLs:
    Protocol     SSL   Default port   Application server              Sample URL
    HTTP         no    9080           WebSphere Application Server    http://mycorp.com:9080/wsi/FNCEWS40MTOM/
    HTTPS        yes   9443           WebSphere Application Server    https://mycorp.com:9443/wsi/FNCEWS40MTOM/
    IIOP         no    2809           WebSphere Application Server    iiop://mycorp.com:2809/FileNetEngine
    IIOP         yes   2809           WebSphere Application Server    iiop://mycorp.com:2809/FileNetEngine (default; see note below)
    HTTP         no    7001           WebLogic                        http://mycorp.com:7001/wsi/FNCEWS40MTOM/
    HTTPS        yes   7002           WebLogic                        https://mycorp.com:7002/wsi/FNCEWS40MTOM/
    T3 (IIOP)    no    7001           WebLogic                        t3://mycorp.com:7001/FileNet/Engine
    T3S (IIOP)   yes   7002           WebLogic                        t3s://mycorp.com:7002/FileNet/Engine
    HTTP         no    8080           JBoss                           http://mycorp.com:8080/wsi/FNCEWS40MTOM/
    HTTPS        yes   8443           JBoss                           https://mycorp.com:8443/wsi/FNCEWS40MTOM/
    JNP          no    1099           JBoss                           jnp://mycorp.com:1099/FileNet/Engine

    Note (WebSphere, IIOP with SSL): although the default port for IIOP with SSL is 9403, use port 2809 in the URL. The web application server resolves the SSL port number correctly on its own.

    The port values in the table are default values. If you change the port that your application server listens on, you might need to change the port number used by the Content Engine client.
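An added verification script, not part of the IBM documentation, that checks the result of the procedure above: it connects to the directory server's SSL port trusting only the CA certificate from step 1, then confirms that the same CA (matched by SHA1 fingerprint) is present in the JDK keystore from step 4 via keytool, and it builds the step 4 system properties without the space that would break them. The host name, port, certificate path, keystore path and store password are hypothetical command-line arguments.

```python
#!/usr/bin/env python3
"""Added check script (not IBM's code): confirms the certificate locations
from the procedure above line up. Host, paths and passwords are arguments."""
import hashlib
import re
import socket
import ssl
import subprocess
import sys


def pem_sha1_fingerprint(pem_text):
    """SHA1 fingerprint of a PEM certificate in keytool's AA:BB:... form."""
    der = ssl.PEM_cert_to_DER_cert(pem_text)
    return ":".join(f"{b:02X}" for b in hashlib.sha1(der).digest())


def parse_keytool_list(output):
    """Collect SHA1 fingerprints from 'keytool -list [-v]' output; handles both
    the 'SHA1: ..' (verbose) and 'fingerprint (SHA1): ..' (older JDK) layouts."""
    return set(re.findall(r"SHA1\)?:\s*([0-9A-F:]{59})", output))


def keystore_fingerprints(keystore, storepass, keytool="keytool"):
    """Run keytool against a JKS keystore (e.g. %JAVA_HOME%\\jre\\lib\\security\\cacerts)."""
    cmd = [keytool, "-list", "-v", "-keystore", keystore, "-storepass", storepass]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return parse_keytool_list(out)


def ldaps_handshake(host, port, ca_file):
    """TLS session to the directory server's SSL port (step 2) trusting ONLY ca_file.
    Succeeds only if the server certificate chains to that CA and names the host."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["subject"]


def truststore_jvm_args(path, password):
    """The two -D properties from step 4; a space after '=' would break them."""
    return [f"-Djavax.net.ssl.trustStore={path}",
            f"-Djavax.net.ssl.trustStorePassword={password}"]


if __name__ == "__main__":
    # usage: check_ssl.py ldap-host 636 ca.pem /path/to/cacerts storepass (hypothetical)
    host, port, ca_pem, cacerts, storepass = sys.argv[1:6]
    ca_fp = pem_sha1_fingerprint(open(ca_pem).read())
    print("directory server certificate subject:", ldaps_handshake(host, int(port), ca_pem))
    present = ca_fp in keystore_fingerprints(cacerts, storepass)
    print("CA", ca_fp, "present in JDK keystore:", present)
    sys.exit(0 if present else 1)
```

Run it once against the default cacerts password and again after step 4.3 changes it; a failing handshake points at the directory server certificate, a missing fingerprint at the JDK keystore.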


Last updated: November 2010


© Copyright IBM Corporation 2010.