CWebProxy channels and self-signed certs

OK. Just so I don’t forget this when I inevitably have to do it again.

We are starting to add some CWebProxy channels that access the portal web server via its external URL rather than one of the loopback interfaces (long story why, but there are a few issues with proxying to a localhost URL, particularly WRT inline images). These channels go through SSL, as opposed to the loopback ones which use plain HTTP. Our test portal server uses a self-signed SSL cert. That causes a problem: the portal's own JVM, acting as an HTTPS client, can't validate a self-signed cert because it isn't issued by any CA in the JVM's default truststore, so the SSL handshake fails.

Solution: Create a local keystore (really a truststore, i.e. a keystore file holding the server cert as a trusted entry), and point the JVM at this file via a command-line argument.

How to do it in 5 easy steps:

  1. Find the SSL cert for the web server. On the portal servers, this is located under server-root/conf/server-name.crt. Make a temporary copy of this file. Edit the copy and remove everything except the actual cert data; keep the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines themselves, since keytool needs them to recognise the PEM block. Check that it's the cert and not the key (there must be no PRIVATE KEY block in it), and that openssl x509 -in cert.txt -noout -subject -dates shows the portal's hostname and a validity period that hasn't expired.
  2. Use the cert file to create a Java keystore file. Assuming the keystore will live at /etc/umbc/uportal-test.umbc.edu.keystore and the cert file copy is cert.txt:

    keytool -import -trustcacerts -keystore /etc/umbc/uportal-test.umbc.edu.keystore -file cert.txt -alias uportal-test

    (Notes: keytool is in JAVA_HOME/bin on recent versions of the Sun JVM. If the keystore file doesn't exist yet, keytool creates it and asks you to choose a password; note it down. It then prints the cert's fingerprint and asks whether to trust it. Compare that fingerprint with the output of openssl x509 -in cert.txt -noout -fingerprint before answering yes.)

  3. Set permissions on the keystore file so that the portal web server can read it, but nobody else can write it (e.g. owned by root, group-readable by the Tomcat user, mode 640). It only holds a public cert, but anyone who can write to the file can make the portal trust any cert they like.
  4. Point the portal web server's JVM at the custom keystore file by adding -Djavax.net.ssl.trustStore=/etc/umbc/uportal-test.umbc.edu.keystore to its command line (optionally -Djavax.net.ssl.trustStorePassword=... as well, so the JVM can verify the file's integrity). With Tomcat, this is done by setting the JAVA_OPTS environment variable prior to starting Tomcat. For UMBC web servers, the place to set this is server-root/bin/config-perl. Caveat: javax.net.ssl.trustStore replaces the JVM's default cacerts rather than adding to it, so any other HTTPS URL the portal fetches will now fail validation unless those CAs are imported into this keystore too. If that's a problem, the alternative is to import the cert into the JVM's own cacerts file (under JAVA_HOME, lib/security/cacerts; default password changeit) and leave JAVA_OPTS alone.
  5. Restart Tomcat and test one of the SSL channels. If you still see "unable to find valid certification path to requested target" in the logs, the JVM isn't picking up the truststore; check that JAVA_OPTS actually reaches the Tomcat process.
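The five steps as a set of shell functions, added here as an example rather than taken from the original notes or from any UMBC script. The keystore path and the alias "uportal-test" are the ones from the steps above; the keystore password "changeit", the group name "tomcat" and the sample .crt contents are made up for the example and need adjusting.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: keystore password
# "changeit" and group "tomcat" are placeholders; SAMPLE_CRT is constructed,
# not a real certificate, so cert_fingerprint/import_cert will reject it.

# A constructed stand-in for server-root/conf/server-name.crt: Apache-style
# .crt files often carry a human-readable dump above the base64 block.
SAMPLE_CRT='Certificate:
    Data:
        Version: 3 (0x2)
        Subject: CN=uportal-test.umbc.edu
-----BEGIN CERTIFICATE-----
MIIBconstructedNOTarealCERTIFICATEbodyAAAA==
-----END CERTIFICATE-----
trailing notes that keytool must not see'

# Step 1: copy only the PEM block (BEGIN line through END line inclusive)
# into a new file. Fails if the input had no certificate block at all.
extract_cert() {
    awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{exit}' "$1" > "$2"
    grep -q -- '-----END CERTIFICATE-----' "$2"
}

# SHA-256 fingerprint of a PEM cert, to compare with what keytool prints
# (or with a value obtained out of band) before trusting it.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Step 2: import the cert as a trusted entry, but only after the fingerprint
# matches the expected one. -importcert is the newer spelling of -import;
# -noprompt suppresses the interactive "Trust this certificate?" question,
# which is safe only because we checked the fingerprint ourselves.
import_cert() {
    pem=$1 store=$2 pass=$3 alias=$4 expected=$5
    actual=$(cert_fingerprint "$pem")
    [ "$actual" = "$expected" ] || { echo "fingerprint mismatch: $actual" >&2; return 1; }
    keytool -importcert -trustcacerts -noprompt \
        -keystore "$store" -storepass "$pass" -alias "$alias" -file "$pem"
}

# Step 3: readable by the Tomcat user, writable by nobody but root, since
# whoever can write this file can make the portal trust arbitrary certs.
lock_down() {
    chown root:"$2" "$1" && chmod 640 "$1"
}

# Step 4: the JAVA_OPTS line to put in server-root/bin/config-perl (or
# Tomcat's setenv.sh). Note this truststore replaces the default cacerts.
java_opts_line() {
    printf 'JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s"\n' "$1" "$2"
}

# Usage on a real server (step 5, restarting Tomcat, is left to you):
#   extract_cert server-root/conf/server-name.crt cert.txt
#   cert_fingerprint cert.txt            # compare with the value you trust
#   import_cert cert.txt /etc/umbc/uportal-test.umbc.edu.keystore changeit uportal-test "$EXPECTED_FP"
#   lock_down /etc/umbc/uportal-test.umbc.edu.keystore tomcat
#   java_opts_line /etc/umbc/uportal-test.umbc.edu.keystore changeit
```

The fingerprint check is the part worth keeping even if you type the rest by hand: keytool's interactive prompt shows the fingerprint for exactly this reason, and scripting the import with -noprompt without that comparison means trusting whatever happened to be in the file.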