Documentation changes for MMS OnPrem 1.3 (DOCS-2087)

[DOCS-2255] OnPrem1.3: Instructions for configuring Jetty to run HTTPS Created: 20/Nov/13  Updated: 11/Jan/17  Resolved: 05/Dec/13

Status: Closed
Project: Documentation
Component/s: None
Affects Version/s: None
Fix Version/s: 01112017-cleanup

Type: Sub-task Priority: Major - P3
Reporter: Cailin Nelson Assignee: Sam Kleinman (Inactive)
Resolution: Done Votes: 0
Labels: mms, on-prem-1.3
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


Description

This should be a separate page, linked in the main install flow. Please make sure that it is clear that this is optional.

### Existing certificate already signed by trusted 3rd-party (wildcard or exact domain):
 
Proceed to “Preparing Your Certificate” section below.
 
### New certificate and Signing Request for trusted 3rd-party
 
$ openssl req -new -out mms-ssl.csr -newkey rsa:2048 -keyout mms-ssl.key
[Specify a private key password]
[Complete all certificate fields. Note: the Common Name *must* be the same hostname as your mms.centralUrl]
[Refer to your trusted 3rd-party’s procedure for any content they may require in the ‘extra’ attributes.]
 
* Submit your new CSR to the trusted 3rd-party so they may return a signed certificate. 
Note that this procedure varies by provider. Some trusted 3rd-parties will generate the private key, CSR, and signed certificate for you.
 
Proceed to “Preparing Your Certificate” section below.
 
### Self-Signed Certificate
 
$ openssl req -x509 -days 3650 -newkey rsa:2048 -keyout mms-ssl.key -out mms-ssl.crt
[Specify a private key password]
[Complete all certificate fields. Note: the Common Name *must* be the same hostname as your mms.centralUrl]
 
#### Preparing Your Certificate
 
* If the signed certificate is not in PEM format, you may convert it as follows:
$ openssl x509 -in mms-ssl.cer -inform DER -outform PEM -out mms-ssl.crt
 
* If your 3rd-party uses a certificate chain, concatenate the certificates together to create a unified certificate:
$ cat mms-ssl.crt [intermediate-3rdparty-ca-cert.crt] 3rdparty-root-ca-cert.crt > mms-ssl-unified.crt
 
#### Creating Your Java Keystore
 
* Combine your private key and signed certificate (or certificate chain) into a PKCS12-formatted keystore:
$ openssl pkcs12 -inkey mms-ssl.key -in mms-ssl-unified.crt -export -out mms-ssl.pkcs12
[Provide your private key password]
[Specify a new password for the exported PKCS12 keystore]
 
* Convert the PKCS12 keystore into a Java Keystore:
$ [mms-install-dir]/jdk/bin/keytool -importkeystore -srckeystore mms-ssl.pkcs12 -srcstoretype PKCS12 -destkeystore mms-keystore.jks
[Specify new password for the Java keystore. Can be same as PKCS12 keystore password since after this step mms-ssl.pkcs12 can be deleted.]
[Provide PKCS12 keystore password]
 
#### Configuring MMS for Java keystore
 
$ sudo cp -a mms-keystore.jks /etc/mongodb-mms/
$ sudo chown mongodb-mms:root /etc/mongodb-mms/mms-keystore.jks
$ sudo chmod 600 /etc/mongodb-mms/mms-keystore.jks
$ [mms-install-dir]/bin/credentialstool --username keystore --password
Enter Password: [keystore-password]
 
Generating credentials pair...
 
Your encrypted credentials pair:
Username: abcdef1234567890-76d41ae0a98c
Password: abcdef1234567890-2cc28e525d1f543464
 
* Edit your mms.conf to specify the path to your keystore and the encrypted keystore password:
$ sudo vi [mms-install-dir]/conf/mms.conf
 
JAVA_MMS_SSL_OPTS="${JAVA_MMS_SSL_OPTS} -Dxgen.webServerSslEnabled=true"
JAVA_MMS_SSL_OPTS="${JAVA_MMS_SSL_OPTS} -Dxgen.webServerSslKeyStorePath=/etc/mongodb-mms/mms-keystore.jks"
JAVA_MMS_SSL_OPTS="${JAVA_MMS_SSL_OPTS} -Dxgen.webServerSslKeyStoreEncryptedPassword=abcdef1234567890-2cc28e525d1f543464"
 
* Edit your conf-mms.properties file to specify the https protocol and SSL port 8443 on mms.centralUrl:
mms.centralUrl=https://mms.acmewidgets.com:8443
 
* Start up the MMS server and visit your mms.centralUrl
$ sudo /etc/init.d/mongodb-mms start
 
* Browse to https://mms.acmewidgets.com:8443
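The procedure above, run end to end for the self-signed path, as an added shell example that is not part of the ticket and not MMS or 10gen code. It issues the same `openssl req`, `openssl pkcs12` and `keytool -importkeystore` calls as the steps above but non-interactively, and then runs the checks a practitioner would want before handing the keystore to MMS: that the certificate's Common Name equals the `mms.centralUrl` hostname, that the private key and certificate carry the same public key, that the exported PKCS12 opens with its password and holds exactly one certificate, and that the keystore files end up mode 600. The hostname, passwords and working directory are constructed placeholders; the `keytool` step runs only if a JDK's `keytool` is on PATH (the ticket uses `[mms-install-dir]/jdk/bin/keytool`), and `openssl` is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the Jira ticket or from MMS: the ticket's self-signed
# path scripted non-interactively, followed by consistency checks.
# Assumes openssl on PATH. Hostname, passwords and work directory are constructed.
set -u

WORK="${WORK:-$(mktemp -d)}"
MMS_HOST="mms.acmewidgets.com"   # must equal the hostname in mms.centralUrl (constructed)
KEY_PASS="example-key-pass"      # private key passphrase (constructed)
P12_PASS="example-p12-pass"      # PKCS12 / Java keystore password (constructed)

# "Self-Signed Certificate": the ticket's openssl req call, with the interactive
# prompts replaced by -subj and -passout.
make_self_signed() {
  openssl req -x509 -days 3650 -newkey rsa:2048 \
    -keyout "$WORK/mms-ssl.key" -out "$WORK/mms-ssl.crt" \
    -passout "pass:$KEY_PASS" -subj "/O=Acme Widgets/CN=$MMS_HOST" >/dev/null 2>&1 || return 1
  # "Preparing Your Certificate": with no 3rd-party chain, the unified file is the
  # certificate itself (a real chain would be concatenated here instead).
  cp "$WORK/mms-ssl.crt" "$WORK/mms-ssl-unified.crt"
}

# Check: the Common Name must be the mms.centralUrl hostname, or browsers and
# agents will reject the connection even though Jetty starts fine.
cert_cn() {
  openssl x509 -in "$WORK/mms-ssl.crt" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Check: the private key and the certificate carry the same public key, and the
# key passphrase is the one we will hand to openssl pkcs12.
key_matches_cert() {
  pub_from_key=$(openssl pkey -in "$WORK/mms-ssl.key" -passin "pass:$KEY_PASS" -pubout 2>/dev/null) || return 1
  pub_from_crt=$(openssl x509 -in "$WORK/mms-ssl.crt" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$pub_from_key" ] && [ "$pub_from_key" = "$pub_from_crt" ]
}

# "Creating Your Java Keystore", step 1: key + unified certificate into PKCS12.
make_pkcs12() {
  openssl pkcs12 -export -inkey "$WORK/mms-ssl.key" -in "$WORK/mms-ssl-unified.crt" \
    -passin "pass:$KEY_PASS" -passout "pass:$P12_PASS" -out "$WORK/mms-ssl.pkcs12" 2>/dev/null
}

# Check: the PKCS12 opens with its password; count the certificates it holds
# (1 for self-signed, more when a 3rd-party chain was concatenated).
pkcs12_cert_count() {
  openssl pkcs12 -in "$WORK/mms-ssl.pkcs12" -passin "pass:$P12_PASS" -nokeys 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
}

# "Creating Your Java Keystore", step 2: PKCS12 -> JKS, only if keytool is present.
make_jks() {
  if ! command -v keytool >/dev/null 2>&1; then
    echo "keytool not on PATH; skipping JKS conversion" >&2
    return 0
  fi
  keytool -importkeystore -srckeystore "$WORK/mms-ssl.pkcs12" -srcstoretype PKCS12 \
    -srcstorepass "$P12_PASS" -destkeystore "$WORK/mms-keystore.jks" -deststoretype JKS \
    -deststorepass "$P12_PASS" -noprompt >/dev/null 2>&1
}

# "Configuring MMS for Java keystore": the keystore must be readable only by its
# owner (the ticket's chmod 600); verify the mode rather than trusting the chmod.
lock_down() {
  chmod 600 "$1" || return 1
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
  [ "$mode" = "600" ]
}

run_all() {
  make_self_signed || { echo "certificate generation failed" >&2; return 1; }
  [ "$(cert_cn)" = "$MMS_HOST" ] || { echo "CN does not match $MMS_HOST" >&2; return 1; }
  key_matches_cert || { echo "private key does not match certificate" >&2; return 1; }
  make_pkcs12 || { echo "PKCS12 export failed" >&2; return 1; }
  [ "$(pkcs12_cert_count)" -eq 1 ] || { echo "unexpected PKCS12 contents" >&2; return 1; }
  make_jks || { echo "keytool conversion failed" >&2; return 1; }
  lock_down "$WORK/mms-ssl.pkcs12" || return 1
  if [ -f "$WORK/mms-keystore.jks" ]; then lock_down "$WORK/mms-keystore.jks" || return 1; fi
  echo "ok: artifacts in $WORK"
}

run_all
```

The artifacts are left in `$WORK` (a fresh `mktemp -d` unless `WORK` is set) so they can be inspected or copied to `/etc/mongodb-mms/` as in the ticket; the PKCS12 password is what goes through `credentialstool` to produce the encrypted value for `xgen.webServerSslKeyStoreEncryptedPassword`. For a 3rd-party certificate, replace `make_self_signed` with the CSR flow and build `mms-ssl-unified.crt` by concatenation; the remaining checks apply unchanged, and `pkcs12_cert_count` will then report the chain length.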



Comments
Comment by Githook User [ 04/Dec/13 ]

Author: Sam Kleinman (tychoish, samk@10gen.com)

Message: DOCS-2255: installation instructions for jetty HTTPS
Branch: master
https://github.com/10gen/mms-docs/commit/0638cd807ee37765cf854425d75f65f5bc70ec4d

Comment by Githook User [ 04/Dec/13 ]

Author: Sam Kleinman (tychoish, samk@10gen.com)

Message: DOCS-2255: installation instructions for jetty HTTPS
Branch: v1.3
https://github.com/10gen/mms-docs/commit/9b3071de5df0b4a599c8ee261adac12ca5ce9c14

Generated at Thu Feb 08 07:43:01 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.