Skip to main content
Version: 8.2405.x.x RR

Integration of a content provider using HTTPS

Accessing a content provider using HTTPS requires exactly the same procedure as using HTTP. There is only one additional requirement: The HTTPS connector servlet needs additional security attributes to configure the TLS layer.

These attributes include:

  • Optional CA or node certificates for peer verification
  • An optional node certificate to send to the content provider for node authentication
  • Customization of the security constraints by selecting TLS ciphers and TLS session caching.

To configure the content provider using HTTPS, proceed as described in the chapter Scaling, but use an HttpsConnectorServlet instead.

To set up client authentication on the HTTPS connection, perform the following steps to establish a key store:

  • Install or create a node certificate to use on the HTTPS connection. The certificate needs to be installed on a HSM, or a soft certificate as a PEM file (containing certificate and private key) needs to be provided. An HSM login password or private key decryption passphrase needs to be provided by installing a corresponding password getter. The default password getter is environment aware.
  • Configure the HttpsConnectorServlet to use the node certificate for client authentication.

To set up peer verification on the HTTPS connection, perform the following steps to establish a trust store:

  • Get the CA or node certificate (public key only) for the peer's node certificate.
  • Configure the HttpsConnectorServlet to use the CA bundle for peer verification.

These configuration steps lead to the following entries in the web.xml file (using nevisproxy config webapp to edit it and assuming to use nevisKeybox for certificate administration). The content provider is mapped below the /appl3 location and is assumed to be proxy unaware (AutoRewrite = all):

<servlet>
<servlet-name>Appl3Connector</servlet-name>
<servlet-
class>ch::nevis::isiweb4::servlet::connector::http::HttpsConnectorServlet</servlet-class>

<init-param>
<param-name>InetAddress</param-name>
<param-value>svappl3.company.com:430430 fallback.company.com:443</param-value>
</init-param>
<init-param>
<param-name>SSLClientCertificateFile</param-name>
<param-value>/var/spool/keybox/default/node_keystore.pem</param-value>
</init-param>
<init-param>
<param-name>SSLCACertificateFile</param-name>
<param-value>/var/spool/keybox/default/node_truststore.pem</param-value>
</init-param></servlet>

<servlet-mapping>
<servlet-name>Appl3Connector</servlet-name>
<url-pattern>/appl3/{*}</url-pattern>
</servlet-mapping>

See the chapters HttpConnectorServlet for fine tuning the connector and HttpsConnectorServlet for TLS configuration issues.