Preparing the Certificate Keystore

Note: this documentation is based on Apache Tomcat SSL Documentation.

Using SSL with Silverpeas is quite transparent since most of the work is on JBoss configuration. First, you have to create a keystore to hold your certificates. JBoss supports the following formats : JKS and PKCS12.
To import an existing certificate signed by your own CA into a PKCS12 keystore using OpenSSL you would execute a command like:

openssl pkcs12 -export -in mycert.crt -inkey mykey.key \
                        -out mycert.p12 -name tomcat -CAfile myCA.crt \
                        -caname root -chain
        

For more advanced cases, consult the OpenSSL documentation. To create a new keystore from scratch, containing a single self-signed Certificate, execute the following from a terminal command line:

%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA -keystore \path\to\my\keystore

$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore /path/to/my/keystore

After executing this command, you will first be prompted for the keystore password. The default password used by JBoss is "changeit" (all lower case), although you can specify a custom password if you like. You will also need to specify the custom password in the server.xml configuration file, as described later.
Next, you will be prompted for general information about this Certificate, such as company, contact name, and so on. This information will be displayed to users who attempt to access a secure page in your application, so make sure that the information provided here matches what they will expect.br/> Finally, you will be prompted for the key password, which is the password specifically for this Certificate (as opposed to any other Certificates stored in the same keystore file). You MUST use the same password here as was used for the keystore password itself. (Currently, the keytool prompt will tell you that pressing the ENTER key does this for you automatically.)
If everything was successful, you now have a keystore file with a Certificate that can be used by your server.

Configuring JBoss

The next step is to configure the Connector for SSL connections in the configuration file of the web server embedded in JBoss:

• on Unix: $JBOSS_HOME/server/default/deploy/jbossweb.sar/server.xml
• on Windows: %JBOSS_HOME%\server\default\deploy\jbossweb.war\server.xml

<Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="100" address="${jboss.bind.address}" clientAuth="false" 
    disableUploadTimeout="true" enableLookups="false" keyAlias="tomcat" 
    keystoreFile="/path/to/my/keystore" keystorePass="THE_PASSWORD_PROTECTING_YOUR_KEYSTORE" 
    port="8443" scheme="https" secure="true" sslProtocol="TLS"/>

Configuring Silverpeas

The final step is to configure Silverpeas to run behind only SSL accesses. For doing, add the following XML block into your CustomerSettings.xml

<silverpeas-settings>
  ...
  <fileset root="${SILVERPEAS_HOME}/properties/org/silverpeas/">
    <configfile name="general.properties">
      <parameter key="server.ssl">false</parameter> <!-- we want to stay in SSL mode after authentication -->
       <parameter key="server.http.port">8443</parameter> <!-- the web SSL port used in JBoss -->
    </configfile>
  </fileset>
  <fileset root="${SILVERPEAS_HOME}/jar/silverpeas.ear/war-ic.war/WEB-INF/">
    <xmlfile name="web.xml">
      <parameter key="//security-constraint/user-data-constraint/transport-guarantee" mode="update">
	      <value>CONFIDENTIAL</value>
      </parameter>
      <parameter key="//session-config/cookie-config/secure" mode="update">
        <value>true</value>
      </parameter>
    </xmlfile>
  </fileset>
  ...
</silverpeas-settings>