Note: this is for eXist-2.2 only! For eXist-3.0 the HTTPS port is enabled by default on port 8443.
It is not very difficult to enable HTTPS for exist. Basically the process of enabling SSL in jetty consists of three steps:
- Edit the Jetty configuration
- Create SSL Certficates
- Read the additional notes
Edit the Jetty configuration
- Open
EXIST_HOME/tools/jetty/etc/jetty.xmlin your favourite text editor (jEdit?) - Scroll down to line 69, uncomment line 74 - 93 (element "Call")
<Call name="addListener">
<Arg>
<New class="org.mortbay.http.SunJsseListener">
<Set name="Port">8443</Set>
<Set name="PoolName">P1</Set>
<Set name="MaxIdleTimeMs">30000</Set>
<Set name="lowResources">30</Set>
<Set name="LowResourcePersistTimeMs">2000</Set>
<Set name="Keystore">
<SystemProperty name="jetty.home"
default="."/>/etc/demokeystore</Set>
<Set name="Password">secret</Set>
<Set name="KeyPassword">secret</Set>
<Set name="HttpHandler">
<New class="org.mortbay.http.handler.MsieSslHandler">
<Set name="UserAgentSubString">MSIE 5</Set>
</New>
</Set>
</New>
</Arg>
</Call>
Create SSL Certficates
- Generate the SSL certificates with
./build.sh -f build/scripts/jarsigner.xml jetty-keygen
<!-- Generate FAKE CERTIFICATE for SSL -->
<target name="jetty-keygen" description="Generate keystore for jetty.">
<genkey alias="jetty" storepass="${keystore.password}"
keystore="tools/jetty/etc/demokeystore"
validity="${keystore.validity}">
<dname>
<param name="CN" value="eXist XML database"/>
<param name="OU" value="Anonymous"/>
<param name="O" value="exist-db.org"/>
<param name="C" value="DE"/>
</dname>
</genkey>
</target>
Additional notes
Now you are actually ready!
Please note only the http traffic to port 8443 is encrypted. Other ports are still unsecure. Check for the following logging in the console:
05 Dec 2008 22:40:16,713 [main] INFO (Container.java [start]:74) - Started WebApplicationContext[/exist,eXist XML Database]
05 Dec 2008 22:40:16,719 [main] INFO (SocketListener.java [start]:205) - Started SocketListener on 0.0.0.0:8080
05 Dec 2008 22:40:16,720 [main] INFO (SunJsseListener.java [createFactory]:185) - jetty.ssl.keystore=/Users/drfoobar/eXist/tools/jetty/etc/demokeystore
05 Dec 2008 22:40:16,720 [main] INFO (SunJsseListener.java [createFactory]:189) - jetty.ssl.password=******
05 Dec 2008 22:40:16,720 [main] INFO (SunJsseListener.java [createFactory]:195) - jetty.ssl.keypassword=******
05 Dec 2008 22:40:16,720 [main] INFO (SunJsseListener.java [createFactory]:200) - jetty.ssl.keystore.type=jks
05 Dec 2008 22:40:16,721 [main] INFO (SunJsseListener.java [createFactory]:225) - jetty.ssl.keystore.provider.name=[DEFAULT]
05 Dec 2008 22:40:16,735 [main] INFO (SunJsseListener.java [createFactory]:248) - SSLServerSocketFactory=com.sun.net.ssl.internal.ssl.SSLServerSocketFactoryImpl@95575f
05 Dec 2008 22:40:16,945 [main] INFO (JsseListener.java [newServerSocket]:200) - JsseListener.needClientAuth=false
05 Dec 2008 22:40:16,946 [main] INFO (SocketListener.java [start]:205) - Started SocketListener on 0.0.0.0:8443
05 Dec 2008 22:40:16,946 [main] INFO (Container.java [start]:74) - Started org.mortbay.jetty.Server@eb41e5
-----------------------------------------------------
Server has started on port 8080. Configured contexts:
http://localhost:8080/exist
-----------------------------------------------------
05 Dec 2008 22:40:28,891 [P1-9] INFO (Container.java [start]:74) - Started HttpContext[/,/]
If you have a 'real' x509 certificate (free at e.g. Thawte) you might consider to convert your x509 certificate using KeyTool IUI into a Java KeyStore (jks)