CWebProxy channels and self-signed certs

OK. Just so I don’t forget this when I inevitably have to do it again.

We are starting to add some CWebProxy channels that access the portal web server via its external URL rather than one of the loopback interfaces (long story why, but there are a few issues with proxying to a localhost URL, particuraly WRT inline images). These channels go through SSL, as opposed to the loopback ones which use standard HTTP. Our test portal server uses a self-signed SSL cert. That causes some problems, because the portal doesn’t have access to the server’s cert to properly negotiate the SSL connection.

Solution: Create a local keystore containing the cert info, and point the JVM at this file via a command-line argument.

How to do it in 5 easy steps:

  1. Find the SSL cert for the web server. On the portal servers, this is located under server-root/conf/server-name.crt. Make a temporary copy of this file. Edit the copy and remove all lines except the actual cert data, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
  2. Use the cert file to create a Java keystore file. Assuming the keystore will live at /etc/umbc/ and the cert file copy is cert.txt:

    keytool -import -trustcacerts -keystore /etc/umbc/ -file cert.txt -alias uportal-test

    (Note: keytool is in JAVA_HOME/bin on recent versions of the Sun JVM.)

  3. Set permissions on the keystore file so that the portal web server can read it.
  4. Point the portal web server’s JVM at the custom keystore file. With Tomcat, this is done by setting the JAVA_OPTS environment variable prior to starting Tomcat. For UMBC web servers, the place to set this is server-root/bin/config-perl.
  5. Restart Tomcat.