« Back

Liferay DXP SSL Configuration Step By Step

General Blogs August 25, 2017 By Pradeep Sharma

Hello Fellow Liferay Folks,

Today I am writing this blog as I found there is no proper complete set of step by step to configure SSL Liferay DXP server and fellow developer has to spend hours and hours to accomplish it.

Please follow each steps : It will be done in few moment.

Step 1 :

Open Java Directory and Create folder E:/LiferayApp/ssl-dev-keystore and execute below command [Path of your Java Directory : C:\Java\jdk1.8.0_131\bin ] [Path you want to store your certificate and CSR : E:/LiferayApp/ssl-dev-keystore/ ]

C:\Java\jdk1.8.0_131\bin>keytool -genkey -alias myLiferay -keyalg RSA -keysize 2048 -keystore E:/LiferayApp/ssl-dev-keystore/current-url-where-you-want-to-publish.com.jks

Complete below form:

Enter keystore password: ? Note : Remember your password, needed while consuming the file.
Re-enter new password: ?
What is your first and last name?
  [Unknown]:  ssl-dev-keystore/current-url-where-you-want-to-publish.com
What is the name of your organizational unit?
  [Unknown]:  Your Company Name
What is the name of your organization?
  [Unknown]:  Your Company Name
What is the name of your City or Locality?
  [Unknown]:  Sunnyvale
What is the name of your State or Province?
  [Unknown]:  CA
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=current-url-where-you-want-to-publish.com, OU=Your Company Name, O=Your Company Name, L=Sunnyvale, ST=CA, C=US correct?
  [no]:  yes
 
Enter key password for <myLiferay>
        (RETURN if same as keystore password):
Re-enter new password: ? 
 
Step 2:

Now Create CSR to send to your company Security team to get certified SSL certificate.

C:\Java\jdk1.8.0_131\bin>keytool -certreq -keyalg RSA -alias myLiferay -file C:/LiferayApp/ssl-current-url-where-you-want-to-publish.com.csr -keystore C:/LiferayApp/ssl-dev-keystore/current-url-where-you-want-to-publish.com.jks

Enter keystore password: ?

Provide this CSR to you Certificate Authority team to generate certificate for you to consume for your portal.

Step 3:

Once you receive [ current-url-where-you-want-to-publish.com.pem ]the Certificate from CA team fromyour organization, Apply this step to make it root certificate:

C:\Java\jdk1.8.0_131\bin>keytool -import -alias root -keystore C:/LiferayApp/ssl-dev-keystore/current-url-where-you-want-to-publish.com.jks -trustcacerts -file C:/LiferayApp/ssl-dev-keystore/current-url-where-you-want-to-publish.com.pem

You will get this message

Enter keystore password:

Owner: CN=current-url-where-you-want-to-publish.com, OU=Your Company Name, O=Your Company Name, L=Sunnyvale, ST=CA, C=US
Issuer: CN=Your Company Name Issuing CA1 2016, DC=Sunnyvale, DC=mycompany, DC=net
Serial number: 1a00654635vcsbv7764f410047787767ee4
Valid from: Thu Aug 24 17:45:35 PDT 2017 until: Sun Aug 23 17:45:35 PDT 2020 ...
.....
 
...
Trust this certificate? [no]:  yes
Certificate was added to keystore
 

Step 4:

Again [ current-url-where-you-want-to-publish.com.pem ]the Certificate from CA team fromyour organization, Apply this step to make it alias[myLiferay] certificate:

C:\Java\jdk1.8.0_131\bin>keytool -import -alias myLiferay -keystore E:/LiferayApp/ssl-dev-keystore/current-url-where-you-want-to-publish.com.jks -file C:/LiferayApp/ssl-dev-keystore/current-url-where-you-want-to-publish.com.pem
Enter keystore password: ? [Use all password Same]
 
Top-level certificate in reply:
 

 

Owner: CN=Your Company Name Root CA 2016
...
...
... is not trusted. Install reply anyway? [no]:  yes
Certificate reply was installed in keystore
 
_________________ SSL Certification Creation and Application Done ____________
 
Step 5 :
Go to your Liferay Tomcat Server:
 
[Liferay_Home]/tomcat/conf/server.xml
 
Verify below and if missing add into it.
<Connector port="8080" protocol="HTTP/1.1" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" redirectPort="8443" acceptCount="100"
               connectionTimeout="20000" disableUploadTimeout="true" />
 
<!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" URIEncoding="UTF-8" />
 
<Connector port="8443" maxThreads="150" scheme="https" 
   secure="true" SSLEnabled="true" 
   keystoreFile="C:/Liferay/ssl-poc-keystore/current-url-where-you-want-to-publish.com.jks" 
   keystorePass="changeit" 
   clientAuth="false" keyAlias="myLiferay" 
   sslProtocol="TLS"/>
 
Step 6 : 
Add below in Liferay root web.xml before closing of </web-app> 
 
<security-role>
<role-name>users</role-name>
</security-role>
<security-constraint>
<web-resource-collection>
<web-resource-name>securedapp</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
</web-app>
 
Step 7 :
Restart your Liferay Server you are ready to go :
Website will be accessible on 
        http://current-url-where-you-want-to-publish.com:8080 
Internally redirect to : https://current-url-where-you-want-to-publish.com:8443
 
Or
        https://current-url-where-you-want-to-publish.com:8443
 
In Production you can configure port 8080 to 80 and 8443 to 443
So no port required to access the site.
 
Happy Ready SSL Configuration Blog
 
Cheers !! Enjoy your Day.