Gentics CMS Documentation

Chapters

1. Using HTTPS

   • Virtual host configuration

   • Apache configuration

   • HTTPS only & Secure cookies

   • Restart

1 Using HTTPS

1.1 Virtual host configuration

To use HTTPS, you must add a corresponding virtual host to the httpd. You can do this by copying the original non-HTTPS-enabled virtual host:

cd /Node/apache/conf/sites-available
cp cms.conf cms_ssl.conf

Then adjust the VirtualHost directive to use the HTTPS port and add the mod_ssl configuration:

<VirtualHost *:443>

SSLEngine on
SSLCertificateFile /Node/apache/conf/ssl/server.crt
SSLCertificateKeyFile /Node/apache/conf/ssl/server.key

SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

1.2 Apache configuration

Activate the virtual host and mod_ssl:

cd /Node/apache/config/sites-enabled/
ln -s ../sites-available/cms_ssl.conf 010-cms_ssl.conf
cd ../mods_enabled
ln -s ../mods_available/ssl.load

Create the /Node/apache/config/ssl directory and copy your certificate and key files there as mentioned in the virtual host configuration.

1.3 HTTPS only & Secure cookies

If the only means of access to both the backend and the REST API is HTTPS, the secure_cookie feature can be enabled to improve security.

To make sure everything works HTTPS only, you must check the following:

• Java processes accessing the HTTPS port (that can be the Tomcat of your Gentics CMS installation, or some application using the Java-REST-client) must trust the used certificate. (e.g. signed by a trusted authority or added to the JVM truststore)

• The $CN_LOCAL_SERVER variable in your node.conf is set to the HTTPS URL. It needs to be followed by this line:

$PORTAL_CONNECT['url'] = $CN_LOCAL_SERVER.$PORTLETAPP_PREFIX .'JavaParserInvoker';

• Put the certificate in PEM format into /usr/local/share/curl/curl-ca-bundle.crt

• Your browsers must trust the certificate.

1.4 Restart

Finally, restart Gentics CMS.

/Node/bin/nodectl restart