Enable SSL in Jetty

Note: this is for eXist-2.2 only! For eXist-3.0 the HTTPS port is enabled by default on port 8443.

It is not very difficult to enable HTTPS for eXist. The process of enabling SSL in Jetty consists of three steps:

  1. Edit the Jetty configuration
  2. Create SSL Certificates
  3. Read the additional notes

Edit the Jetty configuration

  1. Open EXIST_HOME/tools/jetty/etc/jetty.xml in your favourite text editor (jEdit?)
  2. Scroll down to line 69 and uncomment lines 74-93 (the "Call" element):

    <Call name="addListener">
      <Arg>
        <New class="org.mortbay.http.SunJsseListener">
          <Set name="Port">8443</Set>
          <Set name="PoolName">P1</Set>
          <Set name="MaxIdleTimeMs">30000</Set>
          <Set name="lowResources">30</Set>
          <Set name="LowResourcePersistTimeMs">2000</Set>
          <Set name="Keystore"><SystemProperty name="jetty.home" default="."/>/etc/demokeystore</Set>
          <Set name="Password">secret</Set>
          <Set name="KeyPassword">secret</Set>
          <Set name="HttpHandler">
            <New class="org.mortbay.http.handler.MsieSslHandler">
              <Set name="UserAgentSubString">MSIE 5</Set>
            </New>
          </Set>
        </New>
      </Arg>
    </Call>

Create SSL Certificates

  1. Generate the SSL certificates with ./build.sh -f build/scripts/jarsigner.xml jetty-keygen, which runs this Ant target:

    <!-- Generate FAKE CERTIFICATE for SSL -->
    <target name="jetty-keygen" description="Generate keystore for jetty.">
      <genkey alias="jetty" storepass="${keystore.password}"
              keystore="tools/jetty/etc/demokeystore" validity="${keystore.validity}">
        <dname>
          <param name="CN" value="eXist XML database"/>
          <param name="OU" value="Anonymous"/>
          <param name="O" value="exist-db.org"/>
          <param name="C" value="DE"/>
        </dname>
      </genkey>
    </target>
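The listener block above ships with the generated demo keystore and the password "secret" for both the store and the key. As an added example (not code from eXist or Jetty), the following script parses a jetty.xml and reports whether the SunJsseListener is actually live (it is inside an XML comment until you uncomment it) and whether those stock values are still in use. The sample configuration and the list of stock passwords are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the listener block from jetty.xml once it is uncommented.
SAMPLE_JETTY_XML = """<Configure class="org.mortbay.jetty.Server">
  <Call name="addListener">
    <Arg>
      <New class="org.mortbay.http.SunJsseListener">
        <Set name="Port">8443</Set>
        <Set name="Keystore"><SystemProperty name="jetty.home" default="."/>/etc/demokeystore</Set>
        <Set name="Password">secret</Set>
        <Set name="KeyPassword">secret</Set>
      </New>
    </Arg>
  </Call>
</Configure>"""

STOCK_PASSWORDS = {"secret"}     # values shipped in the stock jetty.xml (assumption: only this one)
DEMO_KEYSTORE = "demokeystore"   # keystore holding the generated "fake" certificate


def set_value(el):
    """Flatten a <Set> element's content, keeping <SystemProperty> references symbolic."""
    parts = [el.text or ""]
    for child in el:
        if child.tag == "SystemProperty":
            parts.append("${%s}" % child.get("name"))
        parts.append(child.tail or "")
    return "".join(parts).strip()


def audit_ssl_listener(xml_text):
    """Return {'port', 'keystore', 'findings'} for the SunJsseListener; when no such
    listener is live (e.g. the <Call> is still commented out), port/keystore are None."""
    root = ET.fromstring(xml_text)
    for call in root.iter("Call"):
        new = call.find("Arg/New")
        if call.get("name") != "addListener" or new is None:
            continue
        if new.get("class") != "org.mortbay.http.SunJsseListener":
            continue
        cfg = {s.get("name"): set_value(s) for s in new.findall("Set")}
        findings = []
        if cfg.get("Keystore", "").endswith(DEMO_KEYSTORE):
            findings.append("keystore is the generated demo keystore (self-signed, not trusted by browsers)")
        for key in ("Password", "KeyPassword"):
            if cfg.get(key) in STOCK_PASSWORDS:
                findings.append("%s is the stock value shipped in jetty.xml" % key)
        return {"port": cfg.get("Port"), "keystore": cfg.get("Keystore"), "findings": findings}
    return {"port": None, "keystore": None,
            "findings": ["no SunJsseListener is active: the <Call> block is still commented out"]}


if __name__ == "__main__":
    for finding in audit_ssl_listener(SAMPLE_JETTY_XML)["findings"]:
        print("WARN:", finding)
```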

Additional notes

Now you are actually ready!

  1. Start the server with bin/startup.sh
  2. Point your browser to

Please note that only the HTTP traffic to port 8443 is encrypted. Other ports are still insecure. Check the console for the following log output:

05 Dec 2008 22:40:16,713 [main] INFO (Container.java [start]:74) - Started WebApplicationContext[/exist,eXist XML Database]
05 Dec 2008 22:40:16,719 [main] INFO (SocketListener.java [start]:205) - Started SocketListener on 0.0.0.0:8080
05 Dec 2008 22:40:16,720 [main] INFO (SunJsseListener.java [createFactory]:185) - jetty.ssl.keystore=/Users/drfoobar/eXist/tools/jetty/etc/demokeystore
05 Dec 2008 22:40:16,720 [main] INFO (SunJsseListener.java [createFactory]:189) - jetty.ssl.password=******
05 Dec 2008 22:40:16,720 [main] INFO (SunJsseListener.java [createFactory]:195) - jetty.ssl.keypassword=******
05 Dec 2008 22:40:16,720 [main] INFO (SunJsseListener.java [createFactory]:200) - jetty.ssl.keystore.type=jks
05 Dec 2008 22:40:16,721 [main] INFO (SunJsseListener.java [createFactory]:225) - jetty.ssl.keystore.provider.name=[DEFAULT]
05 Dec 2008 22:40:16,735 [main] INFO (SunJsseListener.java [createFactory]:248) - SSLServerSocketFactory=com.sun.net.ssl.internal.ssl.SSLServerSocketFactoryImpl@95575f
05 Dec 2008 22:40:16,945 [main] INFO (JsseListener.java [newServerSocket]:200) - JsseListener.needClientAuth=false
05 Dec 2008 22:40:16,946 [main] INFO (SocketListener.java [start]:205) - Started SocketListener on 0.0.0.0:8443
05 Dec 2008 22:40:16,946 [main] INFO (Container.java [start]:74) - Started org.mortbay.jetty.Server@eb41e5
-----------------------------------------------------
Server has started on port 8080. Configured contexts:
http://localhost:8080/exist
-----------------------------------------------------
05 Dec 2008 22:40:28,891 [P1-9] INFO (Container.java [start]:74) - Started HttpContext[/,/]

If you have a 'real' X.509 certificate (available for free from e.g. Thawte), you might consider converting it into a Java KeyStore (jks) using KeyTool IUI.