You may wish to secure your microservice with TLS (still commonly called SSL), so that an HTTPS connection is required to interact with the service. Refer to the SDL documentation for more details.
You need OpenSSL to extract the private key from the PFX file and to build the PKCS#12 file. For more information about OpenSSL and the openssl command line tool, refer to https://www.openssl.org/docs/man1.0.2/apps/openssl.html.
On Windows you can run OpenSSL from Cygwin (https://www.cygwin.com/). The OpenSSL commands below therefore use Cygwin paths such as /home/user, while the keytool commands are run from a Windows command prompt.
Step 1) Export the certificate together with its private key as a PFX file, either from IIS or with the Certificates snap-in: in the Windows start menu type mmc, open the console and in the top menu click File > Add/Remove Snap-in > Certificates. Make a note of the password you set on the export; it is needed in Step 4.
Step 2) Export the certificate alone as a Base-64 encoded X.509 (.CER) file, again from IIS or the Certificates snap-in.
Step 3) Use OpenSSL (from Cygwin or another installation) to run the following commands.
Step 4) Extract the private key from the PFX file into a PEM file (microservices_o.key). Despite the name used below, this file is not a keystore: -nocerts writes only the encrypted private key.
openssl pkcs12 -in /home/user/tridion_services-o.pfx -nocerts -out microservices_o.key
At the Import Password prompt, enter the password that was set during the PFX export in Step 1. The PEM pass phrase is a new password that protects the extracted key; it is asked for again in Step 5.
Enter Import Password:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Step 5) Run the following OpenSSL command to combine the private key with the server certificate exported in Step 2 into a PKCS#12 file. The -name value is the alias under which the key entry is stored; the microservice configuration refers to it in Step 16. If the certificate was issued by an intermediate CA, add the issuing chain with -certfile so that it is stored alongside the key.
$ openssl pkcs12 -export -in /home/user/tridion_services-o.cer -inkey /home/user/microservices_o.key -name "cds-microservices_o" -out /home/user/microservices_o.P12
Enter pass phrase for /home/user/microservices_o.key:
Enter Export Password:
Verifying - Enter Export Password:
Step 6) Copy the files generated under /home/user to a working directory on the Windows side, for example D:\Cert.
Step 7) The keytool command line tool is included with Java. For more information about this tool, refer to http://docs.oracle.com/javase/7/docs/technotes/tools/windows/keytool.html.
Step 8) Add the Java bin directory (for example C:\Program Files\Java\jdk1.8.0_271\bin) to the PATH so that keytool can be run from any directory. Use the Java installation that actually runs the microservices: the cacerts file edited in Steps 11 to 13 is only consulted by that JRE.
Step 9) Run the following keytool command (on one line) to import the PKCS#12 file into a JKS keystore. -deststorepass sets the password of the new keystore and -destkeypass the password of the key entry inside it; make a note of both, the microservice configuration in Step 16 needs them. Omit the two options to be prompted for the passwords instead of leaving them in the command history.
D:\Cert>keytool -importkeystore -deststorepass ***** -destkeypass ***** -destkeystore cds-microservices_o.JKS -srckeystore microservices_o.P12 -srcstoretype PKCS12 -srcalias cds-microservices_o
Importing keystore microservices_o.P12 to cds-microservices_o.JKS...
Enter source keystore password:
The source keystore password is the Export Password set in Step 5.
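As an added example that is not part of the SDL documentation, the following PowerShell script performs Steps 4 to 9 in one go on the Windows side, without the OpenSSL round trip: a .pfx file is already a PKCS#12 file, so keytool can read it directly, and the alias is set with -destalias. The passwords are read with Read-Host and handed to keytool through environment variables and its :env modifier instead of being typed on the command line. The function name Read-PlainPassword is mine; the file names and the D:\Cert and JRE paths are taken from the steps above and are assumptions to adjust for your server.

```powershell
# Added example (not from the SDL documentation): build the JKS the microservice
# expects straight from the exported PFX and verify it, keeping the passwords
# out of the command line and the console history.
$ErrorActionPreference = 'Stop'

$Pfx     = 'D:\Cert\tridion_services-o.pfx'        # export from Step 1
$Jks     = 'D:\Cert\cds-microservices_o.JKS'       # keystore for Step 16
$Alias   = 'cds-microservices_o'                   # server.ssl.key-alias
$JreHome = 'C:\Program Files\Java\jre1.8.0_271'    # the JRE that runs the services
$Keytool = Join-Path $JreHome 'bin\keytool.exe'

# Prompt for the passwords; keytool reads them from environment variables
# through its ':env' modifier, so they never appear in the command line.
function Read-PlainPassword([string]$Prompt) {
    $secure = Read-Host -Prompt $Prompt -AsSecureString
    (New-Object System.Net.NetworkCredential('', $secure)).Password
}
$env:PFX_PASS = Read-PlainPassword 'PFX export password (Step 1)'
$env:JKS_PASS = Read-PlainPassword 'Password for the new JKS'

# Windows names the PFX entry after the certificate's friendly name or a GUID;
# read that alias so the entry can be renamed to $Alias on import.
$entry = & $Keytool -list -keystore $Pfx -storetype PKCS12 '-storepass:env' PFX_PASS |
         Select-String 'PrivateKeyEntry' | Select-Object -First 1
if (-not $entry) { throw "No private key entry found in $Pfx" }
$srcAlias = $entry.Line.Split(',')[0].Trim()

# Same password for the keystore and the key entry, so application.properties
# only needs server.ssl.key-store-password.
& $Keytool -importkeystore -noprompt `
    -srckeystore $Pfx -srcstoretype PKCS12 '-srcstorepass:env' PFX_PASS -srcalias $srcAlias `
    -destkeystore $Jks -deststoretype JKS '-deststorepass:env' JKS_PASS '-destkeypass:env' JKS_PASS `
    -destalias $Alias

# Verify: the entry under its new alias, who issued it, and how long the
# chain is (1 = server certificate only, no intermediates included).
& $Keytool -list -v -keystore $Jks '-storepass:env' JKS_PASS -alias $Alias |
    Select-String 'Alias name|Owner|Issuer|Certificate chain length|Valid'

Remove-Item Env:\PFX_PASS, Env:\JKS_PASS
```

Because the keystore and the key entry share one password, the application.properties in Step 16 only needs server.ssl.key-store-password; Spring Boot uses it for the key as well when server.ssl.key-password is not set. If "Certificate chain length" is 1 for a CA-issued certificate, re-export the PFX in Step 1 with "Include all certificates in the certification path" selected so that the intermediates travel with the key.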
Step 11) Add the certificate to the trust store (cacerts) of the Java runtime that runs the services.
Step 12) Before importing, you can list the certificates already present in cacerts with the following command (changeit is the default cacerts password):
keytool -keystore "C:\Program Files\Java\jre1.8.0_271\lib\security\cacerts" -storepass changeit -list
Step 13) Import the certificate into cacerts. This imports the server certificate itself, so only this one certificate is trusted; if it was issued by a CA, import the CA chain instead, as described in Steps 20 to 26. Note that cacerts is shared by every Java application using this JRE and is replaced when the JRE is updated, so keep the .cer file and repeat the import after an upgrade.
keytool -importcert -file tridion_services-o.cer -alias tridion_services-o -keystore "C:\Program Files\Java\jre1.8.0_271\lib\security\cacerts" -storepass changeit
Step 14) Copy the JKS file to the folder of the installed Tridion microservices, for example D:\SDL_TridionServices\Cert.
Step 15) If you have installed the microservices as Windows services with HTTP, uninstall the service; it is installed again in Step 18 after the configuration has been changed.
Step 16) Go to D:\SDL_TridionServices\Discovery\config, edit application.properties and add the following entries. The alias must match the -name value from Step 5 and the key password the -destkeypass value from Step 9; if the keystore password (-deststorepass) differs from the key password, the keystore password must be configured as well (server.ssl.key-store-password).
server.ssl.enabled=true
server.ssl.protocol=TLS
server.ssl.key-alias=cds-microservices_o
server.ssl.key-store=D:/SDL_TridionServices/Cert/cds-microservices_o.JKS
server.ssl.key-password=****
Step 17) Go to D:\SDL_TridionServices\Discovery\config, back up cd_storage_conf.xml and change the Discovery Service URL and the Token Service URL to https:// and the new host name. The host name must match the subject (or a subject alternative name) of the certificate, otherwise clients will reject the connection.
Step 18) Install the Discovery Service again if it was uninstalled in Step 15, or do a fresh install of the Discovery Service.
Step 19) Open a Windows command prompt, go to D:\SDL_TridionServices\Discovery\config and run the discovery registration commands:
java -jar discovery-registration.jar read
java -jar discovery-registration.jar update
Step 20) If the certificate was issued by a multi-level CA, export the root and intermediate certificates: on the Content Delivery server, open the HTTPS Discovery URL in a browser, open the certificate, select each CA certificate in the certification path and export it (Details > Copy to File) as Base-64 encoded X.509 (.CER).
Step 21) Convert the .cer files to .crt with OpenSSL (for the multi-level CA case). A Base-64 .cer file is already PEM, so this only rewrites it under a .crt extension; keytool accepts either, so the step can be skipped.
$ openssl x509 -inform PEM -in "/home/user/Root_CA.cer" -out /home/user/Root_CA.crt
$ openssl x509 -inform PEM -in "/home/user/Sub_Root_CA.cer" -out /home/user/Sub_Root_CA.crt
Step 22) Add the CRT files to the Java runtime cacerts on the Content Manager server.
Step 23) Log on to the Content Manager server as the TridionAdmin user and add the JRE bin directory to the PATH environment variable: C:\Program Files\Java\jre1.8.0_271\bin
Step 24) Copy the .crt and .cer files from C:\cygwin64\user\ to D:\Cert.
Step 25) Go to D:\Cert and run the following commands. Writing to the JRE folder under C:\Program Files requires an elevated (Run as administrator) command prompt.
D:\Cert>keytool -importcert -file Root_CA.crt -alias Root_CA -keystore "C:\Program Files\Java\jre1.8.0_271\lib\security\cacerts"
D:\Cert>keytool -importcert -file Sub_Root_CA.crt -alias Sub_Root_CA -keystore "C:\Program Files\Java\jre1.8.0_271\lib\security\cacerts"
Enter keystore password: changeit
Answer "yes" to trust the certificate.
Step 26) Verify that the certificates have been added:
keytool -keystore "C:\Program Files\Java\jre1.8.0_271\lib\security\cacerts" -storepass changeit -list
Step 27) Access the Discovery and Deployer HTTPS URLs from the Content Manager server.
Step 28) Transport Service changes on the Content Manager server: go to D:\SDL Web\config (or the Tridion installation path), back up cd_transport_conf.xml and add the following. The KeyStore here is the trust store the Transport Service uses to validate the Discovery Service certificate; if you changed the cacerts password, update Secret accordingly.
<Sender Type="DiscoveryService" Class="com.tridion.transport.connection.connectors.DiscoveryServiceTransportConnector">
    <KeyStore Path="C:\Program Files\Java\jre1.8.0_271\lib\security\cacerts" Secret="changeit" />
</Sender>
Step 29) Restart the Transport and Publisher services.
Step 30) Update the Discovery URL of the Content Delivery environment in Topology Manager to HTTPS (PowerShell):
Get-TtmCdEnvironment (lists all Content Delivery environments registered in Topology Manager)
Set-TtmCdEnvironment -ID StagingCdEnvironment -DiscoveryEndpointUrl "https://localhost:8082/discovery.svc" -EnvironmentPurpose "Staging" -AuthenticationType OAuth -ClientId cmuser -ClientSecret '*****'
***** IF YOU GET THE FOLLOWING ERROR *****
The underlying connection was closed: An unexpected error occurred on a receive.
The client and server cannot communicate, because they do not possess a common algorithm
This error is raised by the .NET Framework on the Content Manager server when the client does not offer a TLS version or cipher suite that the Java service accepts (for example SSL 3.0/TLS 1.0 only against a TLS 1.2 service).
Solution: refer to http://hem-kant.blogspot.com/2018/07/sdl-web-and-tls-12-or-higher.html and set SchUseStrongCrypto for both the 64-bit and the 32-bit .NET Framework 4.x, then restart the affected services and PowerShell sessions:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
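The following PowerShell script is an added example, not part of the SDL documentation or the blog post referenced above. Run on the Content Manager server, it performs the HTTPS handshake to the Discovery Service with the .NET default protocol selection (the same selection the .NET based Topology Manager cmdlets use), reports the negotiated protocol and the certificate, and, if the default handshake fails, retries with TLS 1.2 forced and applies the SchUseStrongCrypto registry values from above. The function names Test-TlsEndpoint and Enable-DotNetStrongCrypto are mine; the URL is the one from Step 30 and is an assumption to adjust. The registry part needs an elevated PowerShell.

```powershell
# Added example (not from the SDL documentation): check the TLS handshake from
# the Content Manager server the way .NET clients see it, then apply the
# SchUseStrongCrypto fix when the .NET default cannot negotiate.
param([string]$DiscoveryUrl = 'https://localhost:8082/discovery.svc')
$ErrorActionPreference = 'Stop'

function Test-TlsEndpoint {
    param(
        [string]$HostName,
        [int]$Port,
        # None = let .NET pick its default protocols; pass Tls12 to force one.
        [System.Security.Authentication.SslProtocols]$Protocols = 'None'
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Record the validation result instead of aborting, so the reason .NET
        # would reject the certificate (untrusted chain, name mismatch) shows up.
        $script:policyErrors = 'None'
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $certificate, $chain, $errors)
            $script:policyErrors = $errors
            return $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        if ($Protocols -eq 'None') { $ssl.AuthenticateAsClient($HostName) }
        else { $ssl.AuthenticateAsClient($HostName, $null, $Protocols, $false) }
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result = [pscustomobject]@{
            Protocol     = $ssl.SslProtocol
            Cipher       = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)"
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            PolicyErrors = $script:policyErrors
        }
        $ssl.Dispose()
        return $result
    }
    finally { $client.Dispose() }
}

function Enable-DotNetStrongCrypto {
    # Same as the two registry lines above (SchUseStrongCrypto=1 for 64- and
    # 32-bit .NET 4.x). Applications read the value when they start, so restart
    # the publishing services and open a new PowerShell session afterwards.
    $keys = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name SchUseStrongCrypto -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

$uri = [Uri]$DiscoveryUrl
try {
    $result = Test-TlsEndpoint -HostName $uri.Host -Port $uri.Port
    $result | Format-List
    if ($result.PolicyErrors -ne 'None') {
        # cacerts only covers the Java side: .NET validates against the Windows
        # certificate store, so the CA must also be in the machine's Trusted
        # Root Certification Authorities for the cmdlets to accept it.
        Write-Warning "Windows does not trust this certificate: $($result.PolicyErrors)"
    }
}
catch {
    # "The client and server cannot communicate, because they do not possess a
    # common algorithm" surfaces here when the .NET default offers no protocol
    # the service accepts. If TLS 1.2 forced succeeds, the client default is
    # the problem and SchUseStrongCrypto is the fix.
    Write-Warning "Handshake with .NET defaults failed: $($_.Exception.GetBaseException().Message)"
    $forced = Test-TlsEndpoint -HostName $uri.Host -Port $uri.Port -Protocols Tls12
    Write-Host "TLS 1.2 forced: $($forced.Protocol), $($forced.Cipher), issued by $($forced.Issuer)"
    Enable-DotNetStrongCrypto
}
```

Run it once before Step 30: a clean result with Protocol Tls12 and PolicyErrors None means Set-TtmCdEnvironment will connect. A PolicyErrors value of RemoteCertificateChainErrors points at the Windows trust store rather than at cacerts, and RemoteCertificateNameMismatch means the host name in the Discovery URL does not match the certificate from Step 17.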