Content Management and Capture

  • 1.  How to change a non-SSL FileNet setup to SSL

    Posted Mon July 24, 2023 10:17 AM


    Hello everyone,

    I need to figure out a solid way to change a basic distributed FileNet installation (CPE-Navigator-DB on WAS) to SSL from a non-SSL environment and perhaps vice-versa. (Apart from adding the certificates in WAS)

    There are certain points in the installation/configuration that involve ports and SSL enabling flags (as check boxes).

    I believe that unless we know where all this information is stored, or which parameters are affected in the Application Server with each check box selection, there is no way we can perform such a task.

    First, in the CPE installer:
    URL used in WcmApiConfig.properties file: http://localhost:port/wsi/FNCEWS40MTOM/
    Can I change the port from 9080 to 9443 in the file sometime after the deployment is done?
    As the file is located in <CPE Home>\tools\PE\config, I suppose we need to re-build and re-deploy the CPE .ear file after the change, correct?

    Then, in the CMUI:
    1. Application server properties dialog. This seems to be the most important setting. There is a check box, 'Use SSL certificates for server communication'
    - Tooltip help says 'changes WebSphere settings for communicating with other (WebSphere) servers like AE (and Navigator?)'
    - Does this check box set some parameter(s) in WebSphere? Which parameter(s) is that? Checking-Unchecking this combo box, changes 'SSL server communication' on pressing button "Finish" and sets/resets the WAS parameters?
    2. Task 'Configure LDAP'. Another check box 'SSL enabled'. When checked, what changes on running the task? Which WAS parameters are affected? I would expect that Ldap server and port should be enough.
    3. Database connections. There is no check box here, but db server and port is probably enough. For DB2, I know a custom property sslConnection must be created and set to 'true'. Not sure about other databases.

    Can anyone shed some light here?

    BR



    ------------------------------
    Christos Chorattides
    Datatech
    ------------------------------


  • 2.  RE: How to change a non-SSL FileNet setup to SSL

    Posted Tue July 25, 2023 02:48 AM

    Figured out the LDAP part. There is an SSL checkbox in WAS repository configuration.



    ------------------------------
    Christos Chorattides
    Datatech
    ------------------------------



  • 3.  RE: How to change a non-SSL FileNet setup to SSL

    Posted Tue July 25, 2023 08:05 AM

    Hi Christos, in WAS you can redirect 9080 to 9443 or remove 9080. You will need to import a certificate for your FileNet CPE/ICN node(s) into the WebSphere key/trust store and exchange certificates between nodes if > 1. You can use a wildcard certificate and I have found online documentation to require keyman but the process is much simpler. Open WAS admin, go to certificates and create a certificate request or update your wildcard to include the host name / DNS you are using. Certificates will allow for CA signed certificates but they are not required. For ICN you will want signed certificates from CA or domain certificate store. Next you will want to secure your JDBC connections, which requires a few steps. First retrieve the certificates from your DB host SSL endpoint and bring them into the keystore. If your SSL certificates are not fully trusted or do not match host name you need to set java properties on the DB connection to override host name validation. Once you have WAS SSL, JDBC SSL, LDAP SSL the last step is in ACCE change your LDAP realm/repo to SSL.

    Consider that client tools for CPE should be configured for SSL if remote; if used on the host, you do not need to force SSL. Examples: Process Designer, FDM, configuration tools.



    ------------------------------
    Jay Bowen
    ------------------------------
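
Added example (not part of any post in this thread and not IBM code): once the steps in the replies are done, a small audit over a hand-collected endpoint inventory shows which settings are still on plaintext. The inventory key names, the `example.test` hosts and the handling of a `cemp:` URL prefix are assumptions; the WSI URL shape and the DB2 `sslConnection` property come from the thread.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a hand-collected inventory of the endpoints the thread
# names. Key names are hypothetical; hosts are placeholders.
SAMPLE = """\
cpe.wsi.url = http://localhost:9080/wsi/FNCEWS40MTOM/
navigator.url = https://icn.example.test:9443/navigator
ldap.url = ldap://ldap.example.test:389
db2.gcd.sslConnection = false
db2.os1.sslConnection = true
"""

PLAINTEXT_SCHEMES = {"http": "https", "ldap": "ldaps"}

def parse_properties(text):
    """Parse simple key=value lines, skipping blanks and # / ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit(text):
    """Return (key, problem) pairs for every setting still on plaintext."""
    findings = []
    for key, value in parse_properties(text).items():
        if key.endswith(".sslConnection"):
            # DB2 data source custom property mentioned in the thread.
            if value.lower() != "true":
                findings.append((key, "sslConnection is not 'true'"))
            continue
        # Assumption: a URL may carry a transport prefix such as "cemp:".
        url = re.sub(r"^[a-z]+:(?=[a-z]+://)", "", value, flags=re.I)
        parts = urlsplit(url)
        secure = PLAINTEXT_SCHEMES.get(parts.scheme)
        if secure:
            findings.append(
                (key, f"{parts.scheme}:// on port {parts.port}; expected {secure}://")
            )
    return findings

if __name__ == "__main__":
    for key, problem in audit(SAMPLE):
        print(f"{key}: {problem}")
```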