Securing the microservice with SSL

You may wish to secure your microservice with TLS (still commonly referred to as Secure Sockets Layer, SSL), so that an HTTPS connection is required to interact with the service. Refer to the SDL documentation for more details.

You need OpenSSL to convert the exported certificate and private key into a keystore. On Windows you can use one of the following tools.

For more information about OpenSSL and the openssl command line tool, refer to https://www.openssl.org/docs/man1.0.2/apps/openssl.html.

You can use Cygwin (https://www.cygwin.com/), which provides an openssl package.

Step 1) Export the server certificate together with its private key as a PFX (PKCS#12) file. You can do this from IIS, or from the Windows Start menu: type mmc, open the Console window, click File > Add/Remove Snap-in in the top menu, add the Certificates snap-in and export the certificate including the private key. Keep a note of the export password; it is needed again in Step 4.

Step 2) Export the same certificate without the private key as a Base-64 encoded X.509 (.CER) file using IIS.

Step 3) Use one of the OpenSSL tools above (for example the Cygwin shell) to execute the following commands.

Step 4) Extract the private key from the PFX file into an encrypted PEM key file (microservices_o.key):

openssl pkcs12 -in /home/user/tridion_services-o.pfx -nocerts -out microservices_o.key
Enter Import Password:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

At the Import Password prompt enter the password chosen during the PFX export in Step 1. The PEM pass phrase is a new password that protects the extracted key file; it is asked for again in Step 5.

Step 5) Run the following OpenSSL command to combine the server certificate (.cer from Step 2) and the private key (.key from Step 4) into a PKCS#12 (.P12) file. The -name value is the friendly name of the entry; it becomes the alias that keytool (Step 9) and the key-alias setting in application.properties (Step 16) refer to:

$ openssl pkcs12 -export -in /home/user/tridion_services-o.cer -inkey /home/user/microservices_o.key -name "cds-microservices_o" -out /home/user/microservices_o.P12
Enter pass phrase for /home/user/microservices_o.key:
Enter Export Password:
Verifying - Enter Export Password:

The pass phrase is the PEM pass phrase from Step 4. The Export Password is a new password for the .P12 file; keytool asks for it as the source keystore password in Step 9.
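The following bash script is an added example and is not part of the original page or of SDL's own tooling. It rehearses Steps 4 and 5 offline against a throw-away self-signed certificate that stands in for the PFX exported in Step 1, passing the passwords on the command line instead of at the prompts, and then runs the two checks worth doing before the .P12 goes to keytool in Step 9: that the friendly name (alias) really landed in the file, and that the extracted key and the certificate belong together. The file names, the host name cd.example.test and the passwords are made up; it assumes openssl 1.1.1 or later on the PATH.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: Steps 4 and 5 rehearsed offline.
# Assumes openssl 1.1.1+ on PATH; every file name and password below is made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PFX_PASS="pfx-export-secret"   # password chosen when the PFX was exported (Step 1)
KEY_PASS="pem-pass-phrase"     # PEM pass phrase protecting the extracted key (Step 4)
P12_PASS="p12-export-secret"   # export password of the new .P12 (Step 5)
ALIAS="cds-microservices_o"    # -name in Step 5, -srcalias in Step 9

# Minimal OpenSSL config so the script does not depend on the distro's openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"

# Stand-in for Step 1: a self-signed server certificate and key packaged as a PFX.
make_test_pfx() {
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=cd.example.test" \
    -keyout "$WORK/orig.key" -out "$WORK/tridion_services-o.cer" 2>/dev/null
  openssl pkcs12 -export -in "$WORK/tridion_services-o.cer" -inkey "$WORK/orig.key" \
    -passout "pass:$PFX_PASS" -out "$WORK/tridion_services-o.pfx"
}

# Step 4: pull only the private key out of the PFX, re-encrypted under KEY_PASS.
extract_key() {
  openssl pkcs12 -in "$WORK/tridion_services-o.pfx" -nocerts \
    -passin "pass:$PFX_PASS" -passout "pass:$KEY_PASS" \
    -out "$WORK/microservices_o.key"
}

# Step 5: certificate + key -> PKCS#12; the -name becomes the keytool alias.
build_p12() {
  openssl pkcs12 -export -in "$WORK/tridion_services-o.cer" \
    -inkey "$WORK/microservices_o.key" -passin "pass:$KEY_PASS" \
    -name "$ALIAS" -passout "pass:$P12_PASS" \
    -out "$WORK/microservices_o.p12"
}

# Check 1: the friendlyName stored in the .p12 (what -srcalias must match in Step 9).
p12_alias() {
  openssl pkcs12 -in "$WORK/microservices_o.p12" -nokeys -passin "pass:$P12_PASS" \
    | sed -n 's/^ *friendlyName: //p'
}

# Check 2: the key in microservices_o.key is the one the certificate was issued for
# (the public key derived from each side must hash to the same value).
keys_match() {
  local from_cert from_key
  from_cert=$(openssl x509 -in "$WORK/tridion_services-o.cer" -noout -pubkey | openssl sha256)
  from_key=$(openssl pkey -in "$WORK/microservices_o.key" -passin "pass:$KEY_PASS" -pubout \
    | openssl sha256)
  [ "$from_cert" = "$from_key" ]
}

main() {
  make_test_pfx
  extract_key
  build_p12
  echo "alias inside microservices_o.p12: $(p12_alias)"
  keys_match && echo "private key matches the certificate"
}
main "$@"
```

Passwords given as pass: arguments show up in shell history and process listings, so on a real server use -passin file:... or keep the interactive prompts of Steps 4 and 5. If OpenSSL 3 refuses to read a PFX exported from Windows with an unsupported-algorithm error, add -legacy to the openssl pkcs12 command that reads it.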

Step 6) Copy the generated files from /home/user to a different directory on Windows, for example D:\Cert.

Step 7) The keytool command line tool is included with Java. For more information about this tool, refer to http://docs.oracle.com/javase/7/docs/technotes/tools/windows/keytool.html.

Step 8) Add the JDK bin directory (for example C:\Program Files\Java\jdk1.8.0_271\bin) to the PATH, so that the keytool command can be run from any directory.

Step 9) Run the following keytool command (on one line) to import the PKCS#12 file into a JKS keystore file:

D:\Cert>keytool -importkeystore -deststorepass ***** -destkeypass ***** -destkeystore cds-microservices_o.JKS -srckeystore microservices_o.P12 -srcstoretype PKCS12 -srcalias cds-microservices_o
Importing keystore microservices_o.P12 to cds-microservices_o.JKS...
Enter source keystore password:

The source keystore password is the Export Password from Step 5. Keep a note of both destination passwords: -deststorepass protects the JKS file as a whole and is the keystore password the service needs to open it, and -destkeypass protects the key entry inside it and is the server.ssl.key-password value used in Step 16. Because no -destalias is given, the entry keeps the alias cds-microservices_o.

Step 11) Add the certificate to the Java runtime trust store (cacerts) of the JRE that runs the microservices, so that services calling each other over HTTPS trust it. Steps 12 and 13 show how.

Step 12) Before adding the certificate, you can list the certificates already in the Java runtime trust store with the following command:

keytool -keystore "C:\Program Files\Java\jre1.8.0_271\lib\security\cacerts" -storepass changeit -list

Step 13) Import the certificate into the Java runtime trust store. Note that changeit is the default password of the JRE cacerts file.

keytool -importcert -file tridion_services-o.cer -alias tridion_services-o -keystore "C:\Program Files\Java\jre1.8.0_271\lib\security\cacerts" -storepass changeit

Step 14) Copy the JKS file to a folder under the installed Tridion microservices, for example D:\SDL_TridionServices\Cert.

Step 15) If you have already installed the microservices as Windows services using HTTP, uninstall the service; it is reinstalled in Step 18.

Step 16) Go to D:\SDL_TridionServices\Discovery\config and edit application.properties.

Add the following entries:

server.ssl.enabled=true
server.ssl.protocol=TLS
server.ssl.key-alias=cds-microservices_o
server.ssl.key-store=D:/SDL_TridionServices/Cert/cds-microservices_o.JKS
server.ssl.key-store-password=*****
server.ssl.key-password=****

key-alias must match the -name given in Step 5, key-store-password is the -deststorepass and key-password the -destkeypass from Step 9. If key-store-password is left out, the embedded Tomcat falls back to its default keystore password changeit and the service fails to start unless that happens to be the keystore password. Repeat this for every microservice (for example the Deployer) that should listen on HTTPS.

Step 17) Go to D:\SDL_TridionServices\Discovery\config, edit cd_storage_conf.xml and change both the Discovery service URL and the Token service URL to https and to the host name the certificate was issued for.

Step 18) Install the Discovery Service again if you uninstalled the HTTP installation in Step 15, or do a fresh install of the Discovery Service.

Step 19) Open a Windows command prompt, go to D:\SDL_TridionServices\Discovery\config and run the Discovery registration commands:

java -jar discovery-registration.jar read
java -jar discovery-registration.jar update

Step 20) If the certificate was issued by a multi-level CA (root and intermediate), export the CA certificates as CER files: open the HTTPS Discovery URL in a browser on the Content Delivery server, open the certificate, go to the Details tab, use Copy to File and select Base-64 encoded X.509 (.CER). Do this for the root and for each intermediate certificate in the chain.

Step 21) Convert the CER files to CRT files with OpenSSL (multi-level chain only). The Base-64 export is already PEM, so the commands below only re-encode the certificate under a .crt name; keytool reads either extension, and the step is kept so that the file names match the ones used below.

$ openssl x509 -inform PEM -in "/home/user/Root_CA.cer" -out /home/user/Root_CA.crt
$ openssl x509 -inform PEM -in "/home/user/Sub_Root_CA.cer" -out /home/user/Sub_Root_CA.crt
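The following bash script is an added example and is not part of the original page. It builds a throw-away two-level chain (Root_CA signs Sub_Root_CA, which signs the server certificate) so that Steps 20, 21 and 25 can be rehearsed offline: it verifies that the server certificate chains to the exported CA files, shows that the chain does not verify when only the root is trusted (which is why Step 25 imports both files), and confirms that the .cer to .crt conversion of Step 21 does not change the certificate. All names and the host cd.example.test are made up; it assumes openssl 1.1.1 or later on the PATH.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: a throw-away Root_CA -> Sub_Root_CA -> server
# chain to rehearse Steps 20, 21 and 25 offline. Assumes openssl 1.1.1+; all names are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal OpenSSL config (no dependency on the distro's openssl.cnf); v3_ca marks a CA cert.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Issue a certificate for a CSR with the given issuer certificate/key and extension file.
sign() { # sign <csr> <issuer-cert> <issuer-key> <extfile> <out>
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial -days 30 \
    -extfile "$4" -out "$5" 2>/dev/null
}

build_chain() {
  # Root CA (self-signed): the Root_CA.cer of Step 20.
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Root CA" -keyout "$WORK/root.key" -out "$WORK/Root_CA.cer" 2>/dev/null
  # Intermediate CA signed by the root: the Sub_Root_CA.cer of Step 20.
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Sub Root CA" -keyout "$WORK/sub.key" -out "$WORK/sub.csr" 2>/dev/null
  sign "$WORK/sub.csr" "$WORK/Root_CA.cer" "$WORK/root.key" "$WORK/ca.ext" "$WORK/Sub_Root_CA.cer"
  # Server certificate signed by the intermediate (the Discovery service's certificate).
  printf 'subjectAltName=DNS:cd.example.test\nextendedKeyUsage=serverAuth\n' > "$WORK/srv.ext"
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=cd.example.test" -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  sign "$WORK/server.csr" "$WORK/Sub_Root_CA.cer" "$WORK/sub.key" "$WORK/srv.ext" \
    "$WORK/tridion_services-o.cer"
}

# Step 21: the browser export is already PEM, so this only re-encodes it under a .crt name.
convert_cer_to_crt() {
  openssl x509 -inform PEM -in "$WORK/Root_CA.cer" -out "$WORK/Root_CA.crt"
  openssl x509 -inform PEM -in "$WORK/Sub_Root_CA.cer" -out "$WORK/Sub_Root_CA.crt"
}

# Same DER bytes before and after Step 21, so the SHA-256 fingerprint is unchanged.
same_fingerprint() {
  [ "$(openssl x509 -in "$WORK/Root_CA.cer" -noout -fingerprint -sha256)" = \
    "$(openssl x509 -in "$WORK/Root_CA.crt" -noout -fingerprint -sha256)" ]
}

# What the JRE does after Step 25: trust the root, use the intermediate, check the server cert.
verify_chain() {
  openssl verify -CAfile "$WORK/Root_CA.crt" -untrusted "$WORK/Sub_Root_CA.crt" \
    "$WORK/tridion_services-o.cer" >/dev/null
}

# With only the root imported the chain is incomplete; returns 0 when verification fails.
verify_without_intermediate() {
  ! openssl verify -CAfile "$WORK/Root_CA.crt" "$WORK/tridion_services-o.cer" >/dev/null 2>&1
}

server_issuer() { openssl x509 -in "$WORK/tridion_services-o.cer" -noout -issuer; }

main() {
  build_chain
  convert_cer_to_crt
  verify_chain && echo "server certificate chains to Root_CA via Sub_Root_CA"
  verify_without_intermediate && echo "root alone is not enough: import Sub_Root_CA as well"
  same_fingerprint && echo "Root_CA.cer and Root_CA.crt carry the same certificate"
  echo "server certificate issuer: $(server_issuer)"
}
main "$@"
```

On the real Content Delivery server, openssl s_client -connect host:8082 -showcerts </dev/null prints the chain the Discovery service actually presents, which is the command-line equivalent of the browser export in Step 20 and shows whether the intermediate is sent by the server or has to be trusted on the client side.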

Step 22) Add the CRT files to the Java runtime trust store (cacerts) on the Content Manager server, as described in Steps 23 to 26.

Step 23) Log on to the Content Manager server as the TridionAdmin user and add the JRE bin directory to the PATH environment variable: C:\Program Files\Java\jre1.8.0_271\bin

Step 24) Copy the .crt and .cer files from the Cygwin home directory (C:\cygwin64\home\user\) to D:\Cert.

Step 25) Go to D:\Cert and run the following commands, importing both the root and the intermediate certificate:

D:\Cert>keytool -importcert -file Root_CA.crt -alias Root_CA -keystore "C:\Program Files\Java\jre1.8.0_271\lib\security\cacerts"
D:\Cert>keytool -importcert -file Sub_Root_CA.crt -alias Sub_Root_CA -keystore "C:\Program Files\Java\jre1.8.0_271\lib\security\cacerts"
Enter keystore password: changeit
Enter "yes" to trust the certificate.

Step 26) Verify that the certificates were added:

keytool -keystore "C:\Program Files\Java\jre1.8.0_271\lib\security\cacerts" -storepass changeit -list

Step 27) Open the Discovery and Deployer HTTPS URLs in a browser on the Content Manager server and confirm they load without a certificate warning.

Step 28) Transport Service changes on the Content Manager server: go to D:\SDL Web\config (or the Tridion installation path), back up cd_transport_conf.xml and add the following, so that the Transport Service validates the Discovery service certificate against the cacerts trust store updated in Step 25:

<Sender Type="DiscoveryService" Class="com.tridion.transport.connection.connectors.DiscoveryServiceTransportConnector">
    <KeyStore Path="C:\Program Files\Java\jre1.8.0_271\lib\security\cacerts" Secret="changeit" />
</Sender>

Step 29) Restart the Transport and Publisher services.

Step 30) Update the Discovery URL of the Content Delivery environment in Topology Manager (PowerShell):

Get-TtmCdEnvironment (lists all Content Delivery environments registered in Topology Manager)

Set-TtmCdEnvironment -ID StagingCdEnvironment -DiscoveryEndpointUrl "https://localhost:8082/discovery.svc" -EnvironmentPurpose "Staging" -AuthenticationType OAuth -ClientId cmuser -ClientSecret '*****'

The host name in the URL must match the subject or subject alternative name of the certificate; localhost only works if the certificate was issued for it.

***** IF YOU GET THE FOLLOWING ERROR ************************

The underlying connection was closed: An unexpected error occurred on a receive.

The client and server cannot communicate, because they do not possess a common algorithm

Solution: refer to http://hem-kant.blogspot.com/2018/07/sdl-web-and-tls-12-or-higher.html

The .NET Framework 4.x client on the Content Manager server is not offering the TLS version the service requires. Set the following registry values (64-bit and 32-bit .NET) so that .NET uses strong cryptography, including TLS 1.2, and restart the affected services, because the value is read when a process starts:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001