October 14, 2022 Configuring SSL step by step for Liferay DXP Cloud & Liferay DXP

Liferay DXP Cloud:

DXP Cloud accepts only keys and certificates in proper PEM format with Base64 encoding which must include encapsulation boundaries.

To add a single SSL certificate to the LCP.json file:

1. Add secret variables for crt and key values to your chosen environment.
2. In the LCP.json file of your project repository’s webserver, add an object of SSL inside the load balancer object with crt and key values refering to the secret keys you have added:

3. { 
       "loadbalancer": { 
          “ssl": { 
             "key": "@ssl-key-secret", 
             "crt": "@ssl-crt-secret" 
          } 
       }               
   }

4. This ssl object will create a single custom SSL certificate mapping to all the custom domains in this specific environment.

Mapping multiple SSL certificates to custom domains:

You can use the certs property instead of ssl object to map different SSL certificates to multiple custom domains.

Create a list of certificates you want to use in the certs property.

Group the crt and key values for each certificate with their respective custom domains:

{ 
"loadbalancer": { 
"certs": [ 
{ 
"customDomains": ["acme.liferay.cloud"], 
"key": "...", 
"crt": "..." 
}, 
{ 
"customDomains": ["acme2.liferay.cloud"], 
"key": "...", 
"crt": "..." 
} 
] 
} 
}

Liferay DXP with Nginx:

If you are using Liferay DXP with Nginx, you must configure the SSL in your nginx server.

To configure HTTPS server through Nginx, the ssl parameter must be enabled on listening sockets in the server block and the locations of the crt and key file should be specified:

server { 
    listen                         443 ssl; 
    server_name            www.example.com; 
    ssl_certificate           www.example.com.crt; 
    ssl_certificate_key   www.example.com.key; 
    ssl_protocols           TLSv1 TLSv1.1 TLSv1.2; 
    ssl_ciphers               HIGH:!aNULL:!MD5; 
    ... 
}

The server certificate is a public entity. It is sent to every client that connects to the server. The private key is a secure entity and should be stored in a file with restricted access, however, it must be readable by nginx’s master process. The private key may alternately be stored in the same file as the certificate:

ssl_certificate www.example.com.cert; 
ssl_certificate_key www.example.com.cert; 

in which case the file access rights should also be restricted. Although the certificate and the key are stored in one file, only the certificate is sent to a client.

The directives ssl_protocols and ssl_ciphers can be used to limit connections to include only the strong versions and ciphers of SSL/TLS. By default nginx uses “ssl_protocols TLSv1 TLSv1.1 TLSv1.2” and “ssl_ciphers HIGH:!aNULL:!MD5”, so configuring them explicitly is generally not needed. Note that default values of these directives were changed several times.

Generating an SSL Certificate:

You will need to convert the pfx file of the certificate to the crt and key files

Generating an SSL Certificate:

You will need to convert

Convert pfx to crt:

< openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [drlive.crt] >

Convert pfx to private key:

< openssl pkcs12 -in [yourfile.pfx] -nocerts -out [drlive.key] >

Decrypt the private key:

< openssl rsa -in [drlive.key] -out [drlive-decrypted.key] >

For DXP cloud, you need to convert the crt and decrypted key to base64 format:

< openssl base64 -in originalkeyfile.key -out base64keyfile.key > 
< openssl base64 -in originalcertfile.crt -out base64certfile.crt > 

Here concludes the process of configuring the Liferay DXP SSL server. Check out our repository to learn about the challenging Liferay DXP programming questions that may help programmers.

Reach out to us if there is any consultation and implementation need.