DISTRIBUTED CONTENT SSL CONFIGURATION AND TROUBLESHOOTING GUIDE



Copyright 2013 EMC Corporation. All Rights Reserved.


White Paper

Abstract

This white paper explains how to configure Distributed Content (ACS, BOCS and DMS) in SSL mode and how to monitor the logs for content transfer operations. It describes the end-to-end SSL configuration steps for each component (ACS, BOCS, DMS and the WDK-based client), together with troubleshooting tips.

February 2013

Copyright 2013 EMC Corporation. All Rights Reserved. EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice. The information in this publication is provided as is. EMC Corporation makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose. Use, copying, and distribution of any EMC software described in this publication requires an applicable software license. For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com. VMware is a registered trademark of VMware, Inc. All other trademarks used herein are the property of their respective owners. Part Number H11452

Table of Contents

Executive summary
Audience
Abbreviation
Distributed Content SSL Configuration
    Secure Socket Layer
    ACS Configuration In SSL Mode
    BOCS Configuration In SSL Mode
    DMS Configuration In SSL Mode
    WDK-based Client Configuration In SSL Mode
    Other Required Configuration
Verify SSL Configuration
Monitor Logs During Content Transfer over SSL
    ACS read request
    ACS write request
    BOCS read request
    BOCS write synchronous request
    Asynchronous write request
    Predictive Caching request
Useful Points
Troubleshooting Tips
Conclusion
References

Executive summary

This white paper covers the following points for configuring Distributed Content to support SSL:

- ACS, BOCS and DMS configuration in SSL mode.
- WDK-based client configuration in SSL mode.
- Monitoring the UCF client, WDK and BOCS logs during content transfer for each read and write request.
- Troubleshooting.

Audience

This white paper is intended for developers and testers who need to configure Distributed Content in an SSL environment. It will help the reader understand the ACS, BOCS and DMS configuration needed to support SSL, and how to monitor the HTTPS URLs used during content transfer operations. It assumes that the reader is familiar with Content Server, DA and Distributed Content (ACS, BOCS and DMS) functionality.

Abbreviation

Special terms, abbreviations and acronyms that may appear in this guide are defined below.

1. CS    Content Server
2. ACS   Accelerated Content Server
3. BOCS  Branch Office Caching Server
4. DMS   Documentum Messaging Server
5. GR    Global Repository
6. SSL   Secure Socket Layer
7. DC    Distributed Content
8. DFC   Documentum Foundation Classes
9. DA    Documentum Administrator
10. WDK  Web Development Kit

Distributed Content SSL Configuration

Secure Socket Layer

Secure Socket Layer is a protocol designed to enable applications to transmit information back and forth between client and server securely. SSL uses a cryptographic system with two keys to encrypt and decrypt data: a public key known to everyone and a private (secret) key known only to the recipient of the message. A message encrypted with the public key can be decrypted only with the corresponding private key.

From Documentum release 7.0 onwards, all components (ACS, BOCS and DMS) are bundled with a FIPS-compliant Java. Users may use the Documentum-bundled Java or any external Java to create the keystores and import the certificates. Another SSL-related change in Documentum 7.0 is that a ciphers attribute limiting the key size to 128 bits has been added to server.xml for the JBoss application server, so that Java uses 128-bit keys. Users applying this guide to a pre-7.0 Documentum release do not need to add the ciphers attribute to the JBoss server.xml and may ignore the ciphers setting when configuring SSL.

ACS Configuration In SSL Mode

To configure ACS in SSL mode:

1. Create a keystore for the JBoss application server by running the following command from <Java_home>\bin. It uses the Java keytool utility.

   keytool.exe -genkey -alias acskey -keyalg RSA -keystore acs.keystore

   (Here the alias name is acskey and the keystore name is acs.keystore. Any names may be chosen.)

   Note: The keystore can be created with any Java, such as the Documentum-bundled Java (<Documentum>/java64) or any external Java.

2. The command prompts for the details shown below. Enter the full hostname of the ACS server machine as the common name ("first and last name") and fill in the other details accordingly.

   Enter keystore password:
   Re-enter new password:
   What is your first and last name?
     [Unknown]: acsmachine.dnsname.com
   What is the name of your organizational unit?
     [Unknown]: emc
   What is the name of your organization?
     [Unknown]: emc
   What is the name of your City or Locality?
     [Unknown]: Pleasanton
   What is the name of your State or Province?
     [Unknown]: CA
   What is the two-letter country code for this unit?
     [Unknown]: US
   Is CN=acsmachine.dnsname.com, OU=emc, O=emc, L=Pleasanton, ST=CA, C=US correct?
     [no]: yes
   Enter key password for <acskey>
     (RETURN if same as keystore password):

3. Modify server.xml in JBoss to enable SSL and make the server use the HTTPS protocol. Uncomment the following lines in <JBOSS_HOME>\server\DctmServer_MethodServer\deploy\jbossweb.sar\server.xml:

   <Connector protocol="HTTP/1.1" SSLEnabled="true"
              port="8443" address="${jboss.bind.address}"
              scheme="https" secure="true" clientAuth="false"
              keystoreFile="${jboss.server.home.dir}/conf/acs.keystore"
              keystorePass="password" sslProtocol="TLS"
              ciphers="TLS_RSA_WITH_AES_128_CBC_SHA"/>

   Set the keystoreFile attribute to the path of the acs.keystore file created in step 2, and the keystorePass attribute to the keystore password set in step 2 during keystore creation. The HTTPS port (9082) is taken from the bindings-jboss-beans.xml file, where the port value can be changed:

   <JBOSS_HOME>\server\DctmServer_MethodServer\conf\bindingservice.beans\META-INF\bindings-jboss-beans.xml

4. Restart ACS.

5. Access the ACS URL with the https protocol and port 9082:

   https://<acsmachine.dnsname.com>:9082/acs/servlet/acs

6. Generate the ACS certificate by exporting it from acs.keystore, using the following command from <java_home>/bin:

   keytool.exe -export -alias acskey -file acs.cer -keystore acs.keystore

7. Import the ACS certificate (exported in step 6) into each Java running on the ACS and BOCS machines, using the command below.

   keytool.exe -import -noprompt -trustcacerts -alias acscert -file "C:\certificate\acs.cer" -keystore "<java>/jre/lib/security/cacerts"

   On the ACS machine, import this certificate into the Documentum-bundled Java (<Documentum>\java64, <Documentum>\java) and into any other external Java that is running. On the BOCS machine, import it into the Documentum-bundled Java (<Documentum>\java64, <C:\ProgramFiles\Documentum>\java) and into any other external Java that is running. The command prompts for the keystore password; give the default password of the Java truststore cacerts, which is changeit.

BOCS Configuration In SSL Mode

To configure BOCS in SSL mode:

1. Create a keystore for the JBoss application server by running the following command from <Java_home>\bin. It uses the Java keytool utility.

   keytool.exe -genkey -alias bocskey -keyalg RSA -keystore bocs.keystore

   (Here the alias name is bocskey and the keystore name is bocs.keystore. Any names may be chosen.)

   Note: The keystore can be created with any Java, such as the Documentum-bundled Java (<Documentum>/java64) or any external Java.

2. The command prompts for the details shown below. Enter the full hostname of the BOCS server machine as the common name ("first and last name") and fill in the other details accordingly.

   Enter keystore password:
   Re-enter new password:
   What is your first and last name?
     [Unknown]: bocsmachine.dnsname.com
   What is the name of your organizational unit?
     [Unknown]: emc
   What is the name of your organization?
     [Unknown]: emc
   What is the name of your City or Locality?
     [Unknown]: Pleasanton
   What is the name of your State or Province?
     [Unknown]: CA
   What is the two-letter country code for this unit?
     [Unknown]: US
   Is CN=bocsmachine.dnsname.com, OU=emc, O=emc, L=Pleasanton, ST=CA, C=US correct?
     [no]: yes
   Enter key password for <bocskey>
     (RETURN if same as keystore password):

3. Modify server.xml in JBoss to enable SSL and make the server use the HTTPS protocol. Uncomment the following lines in <JBOSS_HOME>\server\DctmServer_BOCS\deploy\jbossweb.sar\server.xml:

   <Connector protocol="HTTP/1.1" SSLEnabled="true"
              port="8443" address="${jboss.bind.address}"
              scheme="https" secure="true" clientAuth="false"
              keystoreFile="${jboss.server.home.dir}/conf/bocs.keystore"
              keystorePass="password" sslProtocol="TLS"
              ciphers="TLS_RSA_WITH_AES_128_CBC_SHA"/>

   Set the keystoreFile attribute to the path of the bocs.keystore file created in step 2, and the keystorePass attribute to the keystore password set in step 2 during keystore creation. The HTTPS port (8088) is taken from the bindings-jboss-beans.xml file, where the port value can be changed:

   <JBOSS_HOME>\server\DctmServer_BOCS\conf\bindingservice.beans\META-INF\bindings-jboss-beans.xml

4. Restart BOCS.

5. Access the BOCS URL with the https protocol and port 8088:

   https://<bocsmachine.dnsname.com>:8088/bocs/servlet/acs

6. Generate the BOCS certificate by exporting it from bocs.keystore, using the following command from <java_home>/bin:

   keytool.exe -export -alias bocskey -file bocs.cer -keystore bocs.keystore

7. Import the BOCS certificate (exported in step 6) into each Java running on the BOCS and DMS machines, using the command below.

   keytool.exe -import -noprompt -trustcacerts -alias bocscert -file "C:\certificate\bocs.cer" -keystore "<java>/jre/lib/security/cacerts"

   On the BOCS machine, import this certificate into the Documentum-bundled Java (<Documentum>\java64, <C:\ProgramFiles\Documentum>\java) and into any other external Java that is running. On the DMS machine, import it into the Documentum-bundled Java (<Documentum>\java64, <Documentum>\java) and into any other external Java that is running. The command prompts for the keystore password; give the default password of the Java truststore cacerts, which is changeit.

DMS Configuration In SSL Mode

To configure DMS in SSL mode:

1. Create a keystore for the JBoss application server by running the following command from <Java_home>\bin. It uses the Java keytool utility.

   keytool.exe -genkey -alias dmskey -keyalg RSA -keystore dms.keystore

   (Here the alias name is dmskey and the keystore name is dms.keystore. Any names may be chosen.)

   Note: The keystore can be created with any Java, such as the Documentum-bundled Java (<Documentum>/java64) or any external Java.

2. The command prompts for the details shown below. Enter the full hostname of the DMS server machine as the common name ("first and last name") and fill in the other details accordingly.

   Enter keystore password:
   Re-enter new password:
   What is your first and last name?
     [Unknown]: dmsmachine.dnsname.com
   What is the name of your organizational unit?
     [Unknown]: emc
   What is the name of your organization?
     [Unknown]: emc
   What is the name of your City or Locality?
     [Unknown]: Pleasanton
   What is the name of your State or Province?
     [Unknown]: CA
   What is the two-letter country code for this unit?
     [Unknown]: US
   Is CN=dmsmachine.dnsname.com, OU=emc, O=emc, L=Pleasanton, ST=CA, C=US correct?
     [no]: yes
   Enter key password for <dmskey>
     (RETURN if same as keystore password):

3. Modify server.xml in JBoss to enable SSL and make the server use the HTTPS protocol. Uncomment the following lines in <JBOSS_HOME>\server\DctmServer_DMS\deploy\jbossweb.sar\server.xml:

   <Connector protocol="HTTP/1.1" SSLEnabled="true"
              port="8443" address="${jboss.bind.address}"
              scheme="https" secure="true" clientAuth="false"
              keystoreFile="${jboss.server.home.dir}/conf/dms.keystore"
              keystorePass="password" sslProtocol="TLS"
              ciphers="TLS_RSA_WITH_AES_128_CBC_SHA"/>

   Set the keystoreFile attribute to the path of the dms.keystore file created in step 2, and the keystorePass attribute to the keystore password set in step 2 during keystore creation. The HTTPS port (8491) is taken from the bindings-jboss-beans.xml file, where the port value can be changed:

   <JBOSS_HOME>\server\DctmServer_DMS\conf\bindingservice.beans\META-INF\bindings-jboss-beans.xml

4. Restart DMS.

5. Access the DMS URL with the https protocol and port 8491:

   https://<dmsmachine.dnsname.com>:8491/dms-ws

6. Generate the DMS certificate by exporting it from dms.keystore, using the following command from <java_home>/bin:

   keytool.exe -export -alias dmskey -file dms.cer -keystore dms.keystore

7. Import the DMS certificate (exported in step 6) into each Java running on the BOCS, DMS and WDK client machines, using the command below.

   keytool.exe -import -noprompt -trustcacerts -alias dmscert -file "C:\certificate\dms.cer" -keystore "<java>/jre/lib/security/cacerts"

   On the BOCS machine, import this certificate into the Documentum-bundled Java (<Documentum>\java64, <C:\ProgramFiles\Documentum>\java) and into any other external Java that is running. On the DMS machine, import it into the Documentum-bundled Java (<Documentum>\java64, <Documentum>\java) and into any other external Java that is running. On the WDK client machine, import it into the Java in which the client application is running. The command prompts for the keystore password; give the default password of the Java truststore cacerts, which is changeit.

WDK-based Client Configuration In SSL Mode

To configure the WDK client application server in SSL mode (the WDK client application must already be deployed on a supported application server):

1. Create a keystore for the application server by running the following command from <Java_home>\bin. It uses the Java keytool utility.

   keytool.exe -genkey -alias wdkkey -keyalg RSA -keystore wdk.keystore

   (Here the alias name is wdkkey and the keystore name is wdk.keystore. Any names may be chosen.)

2. The command prompts for the details shown below. Enter the full hostname of the WDK client machine as the common name ("first and last name") and fill in the other details accordingly.

   Enter keystore password:
   Re-enter new password:
   What is your first and last name?
     [Unknown]: wdkmachine.dnsname.com
   What is the name of your organizational unit?
     [Unknown]: emc
   What is the name of your organization?
     [Unknown]: emc
   What is the name of your City or Locality?
     [Unknown]: Pleasanton
   What is the name of your State or Province?
     [Unknown]: CA
   What is the two-letter country code for this unit?
     [Unknown]: US
   Is CN=wdkmachine.dnsname.com, OU=emc, O=emc, L=Pleasanton, ST=CA, C=US correct?
     [no]: yes
   Enter key password for <wdkkey>
     (RETURN if same as keystore password):

3. Modify server.xml in the application server to enable SSL and make the server use the HTTPS protocol. Find the SSL configuration lines in server.xml, uncomment them and provide the appropriate keystore file path, password, port and so on. For example, for Tomcat, uncomment the following lines in <app_server_home>/conf/server.xml:

   <Connector protocol="HTTP/1.1" port="8443" maxThreads="200"
              scheme="https" secure="true" SSLEnabled="true"
              keystoreFile="${user.home}/wdk.keystore" keystorePass="password"
              clientAuth="false" sslProtocol="TLS"/>

4. Restart the application server.

5. Access the WDK-based client application URL with the https protocol and port 8443 (the default port; it may be changed):

   https://<wdkmachine.dnsname.com>:8443/<wdk-client-app-name>

   For example, for the DA client:

   https://<wdkmachine.dnsname.com>:8443/da

6. Generate the WDK-based client certificate by exporting it from wdk.keystore, using the following command from <java_home>/bin:

   keytool.exe -export -alias wdkkey -file wdk.cer -keystore wdk.keystore

7. On the WDK client machine, import this certificate (exported in step 6) into the Java in which the WDK application is running:

   keytool.exe -import -noprompt -trustcacerts -alias wdkcert -file "C:\certificate\wdk.cer" -keystore "<java>/jre/lib/security/cacerts"

   The command prompts for the keystore password; give the default password of the Java truststore cacerts, which is changeit.

Other Required Configuration

Configuration steps 1-3 below can be done through iapi, by accessing the ACS, BOCS and DMS config objects, or through DA.

1. Through iapi: Access the ACS server config object through iapi and modify the ACS base URL and supported protocol. Set acs_base_url to the URL below and acs_supported_protocol to https.

   acs_base_url            https://<acsmachine.dnsname.com>:9082/acs/servlet/acs
   acs_supported_protocol  https

   Or through DA: Go to Distributed Content Configuration -> ACS Servers -> select the ACS server -> right-click -> Properties -> click on Base URL -> click Edit. Change the protocol to https and the base URL to https://<acsmachine.dnsname.com>:9082/acs/servlet/acs, then click OK.

2. Through iapi: Access the BOCS server config object through iapi and modify the BOCS base URL and supported protocol. Set base_url to the URL below and supported_protocol to https.

   base_url            https://<bocsmachine.dnsname.com>:8088/bocs/servlet/acs
   supported_protocol  https

   Or through DA: Go to Distributed Content Configuration -> BOCS Servers -> select the BOCS server -> right-click -> Properties -> click on Base URL -> click Edit. Change the protocol to https and the base URL to https://<bocsmachine.dnsname.com>:8088/bocs/servlet/acs, then click OK.

3. Through iapi: Access the DMS server config object through iapi and modify the post URL and consume URL. Set both message_post_url and message_consume_url to the URL below.

   https://<dmsmachine.dnsname.com>:8491

   Or through DA: Go to Distributed Content Configuration -> Messaging Server -> select the DMS server -> right-click -> Properties. Change the Post URL and Consume URL to https://<dmsmachine.dnsname.com>:8491.
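The URLs set in steps 1-3 must use exactly the hostnames that were entered as CN when the ACS, BOCS and DMS keystores were created; otherwise Java raises the "No name matching ... found" SSLException listed under Troubleshooting Tips. The check below is an added example (not part of the whitepaper): it takes the CN from `keytool -list -v` output for each keystore and compares it with each configured URL's hostname, scheme and SSL port. The function names, the SETTINGS mapping and the sample keystore listings and URLs are constructed for this example; only the attribute names and ports come from the guide.

```python
"""Compare the Distributed Content URLs configured through iapi/DA with the
CN used in each component's keystore, and verify https on the expected port."""
import re
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# `keytool -list -v` prints the subject of each entry on an "Owner:" line, e.g.
#   Owner: CN=acsmachine.dnsname.com, OU=emc, O=emc, L=Pleasanton, ST=CA, C=US
OWNER_RE = re.compile(r"^Owner:\s*(?P<dn>.+?)\s*$", re.M)


def subject_cn(keytool_verbose_output: str) -> str:
    """Return the CN of the first entry in `keytool -list -v` output.
    Assumes the DN has no escaped commas, as in the guide's prompts."""
    match = OWNER_RE.search(keytool_verbose_output)
    if match is None:
        raise ValueError("no Owner: line found in keytool output")
    for attr in match.group("dn").split(","):
        key, _, value = attr.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    raise ValueError("certificate subject has no CN")


def check_url(setting: str, url: str, cn: str, port: int) -> List[str]:
    """Return findings for one configured URL; an empty list means it is OK."""
    findings: List[str] = []
    parts = urlparse(url)
    if parts.scheme != "https":
        findings.append(f"{setting}: scheme is {parts.scheme!r}, expected https")
    host = (parts.hostname or "").lower()          # urlparse lower-cases the host
    if host != cn.lower():
        findings.append(f"{setting}: host {host!r} does not match certificate CN {cn!r}")
    if parts.port != port:
        findings.append(f"{setting}: port {parts.port} differs from SSL port {port}")
    return findings


# iapi attribute -> (component whose keystore CN it must match, HTTPS port in this guide)
SETTINGS: Dict[str, Tuple[str, int]] = {
    "acs_base_url": ("acs", 9082),
    "base_url": ("bocs", 8088),
    "message_post_url": ("dms", 8491),
    "message_consume_url": ("dms", 8491),
}


def audit(config: Dict[str, str], keystores: Dict[str, str]) -> List[str]:
    """Check every configured URL against its component's keystore CN and port."""
    findings: List[str] = []
    for setting, url in config.items():
        component, port = SETTINGS[setting]
        findings += check_url(setting, url, subject_cn(keystores[component]), port)
    return findings


# Constructed sample data (not captured from a real system).
def _listing(alias: str, cn: str) -> str:
    dn = f"CN={cn}, OU=emc, O=emc, L=Pleasanton, ST=CA, C=US"
    return (f"Alias name: {alias}\nCreation date: Feb 10, 2013\n"
            f"Entry type: PrivateKeyEntry\nCertificate chain length: 1\n"
            f"Certificate[1]:\nOwner: {dn}\nIssuer: {dn}\n")

SAMPLE_KEYSTORES = {
    "acs": _listing("acskey", "acsmachine.dnsname.com"),
    "bocs": _listing("bocskey", "bocsmachine.dnsname.com"),
    "dms": _listing("dmskey", "dmsmachine.dnsname.com"),
}
SAMPLE_CONFIG = {
    "acs_base_url": "https://acsmachine.dnsname.com:9082/acs/servlet/acs",  # correct
    "base_url": "https://bocsmachine:8088/bocs/servlet/acs",                # short name, not the CN
    "message_post_url": "http://dmsmachine.dnsname.com:8491",               # not https
    "message_consume_url": "https://dmsmachine.dnsname.com:8491",           # correct
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, SAMPLE_KEYSTORES) or ["all configured URLs match"]:
        print(finding)
```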

4. Modify the dms.webservice.update.url parameter in the dms.properties file on the DMS machine:

   <Documentum>\jboss5.1.0\server\DctmServer_DMS\deploy\DMS.ear\lib\configs.jar\dms.properties

   Set the value of dms.webservice.update.url to https://<dmsmachine.dnsname.com>:8491

5. For BOCS pull mode, modify the acs.properties file on the BOCS machine:

   <Documentum>\jboss5.1.0\server\DctmServer_BOCS\deploy\bocs.ear\lib\configs.jar\config\acs.properties

   Set the values of the dms.pulling.url and dms.server.base.urls parameters:

   dms.pulling.url = https://<dmsmachine.dnsname.com>:8491
   dms.server.base.urls = https://<dmsmachine.dnsname.com>:8491

6. During content transfer, a separate JRE is installed with the UCF client if that JRE version is higher than the JRE already on the machine. All certificates except the DMS one (that is, the ACS, BOCS and WDK client certificates) need to be imported into the UCF JRE and into the browser's Java (where the WDK application URL is accessed). The default location of the UCF client JRE is:

   <User-directory>\Documentum\ucf\<machine-hostname>\shared\jre<version>

   To import the ACS, BOCS and WDK certificates into the UCF client JRE:

   keytool.exe -import -noprompt -trustcacerts -alias acscert -file "C:\certificate\acs.cer" -keystore "<User-directory>\Documentum\ucf\<machine-hostname>\shared\<jre>\lib\security\cacerts"
   keytool.exe -import -noprompt -trustcacerts -alias bocscert -file "C:\certificate\bocs.cer" -keystore "<User-directory>\Documentum\ucf\<machine-hostname>\shared\<jre>\lib\security\cacerts"
   keytool.exe -import -noprompt -trustcacerts -alias wdkcert -file "C:\certificate\wdk.cer" -keystore "<User-directory>\Documentum\ucf\<machine-hostname>\shared\<jre>\lib\security\cacerts"

   To import the ACS, BOCS and WDK certificates into the browser's Java:

   keytool.exe -import -noprompt -trustcacerts -alias acscert -file "C:\certificate\acs.cer" -keystore "<JAVA>\<jre>\lib\security\cacerts"
   keytool.exe -import -noprompt -trustcacerts -alias bocscert -file "C:\certificate\bocs.cer" -keystore "<JAVA>\<jre>\lib\security\cacerts"
   keytool.exe -import -noprompt -trustcacerts -alias wdkcert -file "C:\certificate\wdk.cer" -keystore "<JAVA>\<jre>\lib\security\cacerts"

Verify SSL Configuration

Follow the steps below to verify that ACS, BOCS and DMS are configured in SSL mode.

1. After each server restart, check the ACS, BOCS and DMS server logs for any error or exception that appears after enabling SSL.

2. Try to access the ACS, BOCS, DMS and WDK client application URLs from each machine, using their full hostnames with the HTTPS protocol and the SSL port. These URLs should be accessible from every machine.

3. Any certificate can be listed to verify whether it has been imported into the trust store, using the command below from <java>/bin. Provide the keystore password when prompted.

   keytool.exe -list -keystore "<jre_path>\lib\security\cacerts"
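The guide spreads four certificates over six kinds of trust store (ACS, BOCS, DMS and WDK application server JREs, the UCF client JRE and the browser JRE), and step 3 lists one store at a time. As an added example (not from the whitepaper), the script below encodes that distribution and parses the `keytool -list` output captured from each store to report which of the guide's aliases are still missing. The store labels, function names and sample listings are constructed for this example; the alias names are the ones used in the guide's import commands.

```python
"""Audit JRE trust stores against the certificate distribution this guide
prescribes: ACS cert -> ACS and BOCS JREs; BOCS cert -> BOCS and DMS JREs;
DMS cert -> BOCS, DMS and WDK client JREs; WDK cert -> WDK client JRE;
ACS, BOCS and WDK certs -> UCF client JRE and browser JRE.

Input is the text printed by `keytool -list -keystore <jre>/lib/security/cacerts`
for each trust store (e.g. redirected to a file and read back in)."""
import re
from typing import Dict, FrozenSet, List

# Alias names used by the import commands in this guide.
ACS, BOCS, DMS, WDK = "acscert", "bocscert", "dmscert", "wdkcert"

# Trust store label (our own naming) -> aliases the guide says must be present.
REQUIRED: Dict[str, FrozenSet[str]] = {
    "acs-jre": frozenset({ACS}),
    "bocs-jre": frozenset({ACS, BOCS, DMS}),
    "dms-jre": frozenset({BOCS, DMS}),
    "wdk-appserver-jre": frozenset({DMS, WDK}),
    "ucf-client-jre": frozenset({ACS, BOCS, WDK}),
    "browser-jre": frozenset({ACS, BOCS, WDK}),
}

# `keytool -list` prints one header line per entry, e.g.
#   acscert, Feb 10, 2013, trustedCertEntry,
# followed by a fingerprint line.  The date itself contains a comma, so the
# entry type is taken from the last comma-separated field.
ENTRY_RE = re.compile(r"^(?P<alias>[^,\n]+),\s.*?,\s*(?P<kind>\w+),\s*$", re.M)


def parse_keytool_list(output: str) -> Dict[str, str]:
    """Return {alias: entry type} for every entry in `keytool -list` output.
    keytool treats aliases case-insensitively, so they are lower-cased here."""
    return {m.group("alias").strip().lower(): m.group("kind")
            for m in ENTRY_RE.finditer(output)}


def missing_aliases(store: str, output: str) -> List[str]:
    """Aliases REQUIRED says must be in `store` but that are not present as a
    trustedCertEntry (a PrivateKeyEntry under the same alias does not count)."""
    trusted = {alias for alias, kind in parse_keytool_list(output).items()
               if kind == "trustedCertEntry"}
    return sorted(REQUIRED[store] - trusted)


def audit(listings: Dict[str, str]) -> Dict[str, List[str]]:
    """Map every supplied trust store to its missing aliases ([] means complete)."""
    return {store: missing_aliases(store, text) for store, text in listings.items()}


# Constructed sample listings (not captured from a real system).
def _listing(*entries: str) -> str:
    body = "".join(f"{alias}, Feb 10, 2013, trustedCertEntry,\n"
                   f"Certificate fingerprint (SHA1): {fp}\n" for alias, fp in
                   zip(entries, ["0A:" * 19 + "0A", "1B:" * 19 + "1B", "2C:" * 19 + "2C"]))
    return (f"Keystore type: JKS\nKeystore provider: SUN\n\n"
            f"Your keystore contains {len(entries)} entries\n\n{body}")

SAMPLE_LISTINGS = {
    "bocs-jre": _listing("acscert", "bocscert"),             # dmscert not yet imported
    "wdk-appserver-jre": _listing("dmscert", "wdkcert"),     # complete
    "ucf-client-jre": _listing("acscert"),                   # bocscert and wdkcert missing
}

if __name__ == "__main__":
    for store, missing in audit(SAMPLE_LISTINGS).items():
        status = "OK" if not missing else "MISSING " + ", ".join(missing)
        print(f"{store:20s} {status}")
```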

Monitor Logs During Content Transfer over SSL

This section describes the UCF client logs for all content transfer requests, and the WDK and BOCS logs for asynchronous write and predictive caching requests. In all cases the UCF client log level is set to FINEST, the WDK client log level to DEBUG and the BOCS log level to DEBUG.

ACS read request

The UCF client log for this request shows that the read request is successfully handled by ACS in SSL mode. The ACS read URL is generated with the HTTPS protocol and port 9082.

The block diagram below shows the interaction of the components during read and write requests through ACS.

[Figure 1: ACS read, write request. Components shown: WDK-based client app, UCF Server/DFC, UCF Client, HTTPS request, ACS, Content Server]

ACS write request

The UCF client log for this request shows that the write request is successfully handled by ACS in SSL mode. The ACS write URL is generated with the HTTPS protocol and port 9082.


BOCS read request

The UCF client log for this request shows that the read request is successfully handled by BOCS in SSL mode. The BOCS read URL is generated with the HTTPS protocol and port 8088.

The block diagram below shows the interaction of the components during read and write requests through BOCS.

[Figure 2: BOCS read, write request. Components shown: WDK-based client app, UCF Server/DFC, UCF Client, HTTPS request, BOCS, Cache, HTTPS request, ACS, Content Server]

BOCS write synchronous request

a.) BOCS write request: The UCF client log for this request shows that the write request is successfully handled by BOCS in SSL mode. The BOCS write URL is generated with the HTTPS protocol and port 8088.



b.) BOCS move request: The UCF client log for this request shows that the move request is successfully handled by BOCS in SSL mode. The BOCS move URL is generated with the HTTPS protocol and port 8088.

Asynchronous write request

a.) Park request: The UCF client log for this request shows that the park request is successfully handled by BOCS in SSL mode. The BOCS park URL is generated with the HTTPS protocol and port 8088.

The WDK log shows the park request handled over HTTPS on port 8088. The content is successfully parked on the BOCS server in the prime store.

b.) BOCS store request: The WDK log shows the BOCS store request handled over HTTPS on port 8088. The WDK log also shows that the message is successfully sent to DMS (https://<dmsmachinename.dnsname.com>:8491/).

c.) ACS store request: The BOCS log shows the ACS store request handled over HTTPS on port 9082. The content is now successfully sent to ACS. Once the content is written to the repository, the message is processed successfully. The BOCS server log shows that the response status is sent to the return URL (https://<dmsmachinename.dnsname.com>:8491), which updates the message status in the database.

The block diagram below shows the interaction of the components during asynchronous write requests.

[Figure 3: Asynchronous write request. Components shown: WDK-based client app, UCF Server/DFC, UCF Client, HTTPS request, HTTPS return URL, DMS, BOCS, Message, Cache, HTTPS request, ACS, Content Server]

Predictive Caching request

The BOCS log shows the predictive caching request handled over HTTPS on port 9082 through the ACS URL. The content is downloaded successfully to the BOCS cache.

The BOCS log shows that the message is processed successfully and that the response status is sent to the return URL (https://<dmsmachinename.dnsname.com>:8491), which updates the message status in the database.

Useful Points

1. An alternative way to export the certificates:
   a.) Access the HTTPS URL using the hostname; the browser shows a certificate error at the right side of the address bar. Click on it, then click View certificates -> Install certificate -> Next -> select "Place all certificates in the following store" -> browse the certificate store -> select "Trusted Root Certification Authorities" -> Next -> Finish -> OK.
   b.) Close the browser and reopen it. It will no longer show the certificate error.
   c.) Go to Tools -> Internet Options -> Content -> Certificates -> Trusted Root Certification Authorities.
   d.) Select the certificate that was installed in step a.
   e.) Click Export -> Next -> select the first option (.cer) -> Next -> browse to a file name (such as C:\acs.cer) -> Next -> Finish. The message "The export was successful" appears; click OK and close the window.

2. Make sure the keystore file and its password are given correctly in the application server's configuration file (server.xml), and that the cipher size is specified correctly.

3. If DMS is installed on the same machine as the CS, one keystore (the ACS one) can be used for both servers, ACS and DMS. If DMS is installed on another machine, a keystore for the DMS machine should be created and used.

4. If the keystore is tampered with and replaced by a new one, the corresponding new certificate must be replaced/imported in the running JVM of every machine where the old one was imported.

5. If the Apache Tomcat 7.0 application server is used to deploy the WDK-based client application, Tomcat will try to use the APR connector, which needs different SSL settings (in particular for keys and certificates); OpenSSL can be used to generate them. Alternatively, disable the APR library path in server.xml and use the normal SSL configuration settings.

Troubleshooting Tips

1. Issue: SSLException: java.security.cert.CertificateException: No name matching <hostname> found
   Possible cause: The URL is being accessed with a hostname that is not the one in the server certificate.
   Solution: When accessing any URL (ACS, BOCS, DMS or the WDK client application), use the full CN as the hostname in the URL. That CN is the one set when the keystore was created.

2. Issue: java.io.FileNotFoundException: <somedirectory>/<keystorefilename>.keystore not found
   Possible cause: The keystore file is not at the path specified in server.xml.
   Solution: Check and provide the correct path of the .keystore file in the keystoreFile attribute in server.xml.

3. Issue: java.io.IOException: Keystore was tampered with, or password was incorrect
   Possible cause: The wrong keystore password is given in the keystorePass attribute in server.xml.
   Solution: Check and provide the correct keystore password in the keystorePass attribute in server.xml, or create a new keystore with a new password and enter that password in server.xml.

4. Issue: SSLException: javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair
   Possible cause: During content transfer the UCF client is using a JRE older than 1.7.0_07.
   Solution: UCF's private JRE must be version 1.7 update 07 or later. (This assumes Documentum version 7.0 is in use.)

5. Issue: java.security.InvalidKeyException: Illegal key size
   Possible cause: The ciphers attribute is not defined in server.xml, so the JBoss application server negotiates a cipher stronger than 128 bits (AES-128), which the JRE's default jurisdiction policy does not allow.
   Solution: To use ciphers stronger than AES-128, install the "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files". Alternatively, restrict the cipher strength to 128 bits by adding the ciphers attribute in server.xml for JBoss: ciphers="TLS_RSA_WITH_AES_128_CBC_SHA" (this option is available from Documentum 7.0 onwards). Note that this suite uses static RSA key exchange and so provides no forward secrecy; treat the restriction as a workaround for missing policy files rather than as a hardening measure.

6. Issue: Connection issues between the ACS, BOCS, DMS and WDK-based client machines.
   Possible cause: The machines cannot be reached by the full CN that was used during keystore creation.
   Solution: Map each machine's IP address to its full hostname in the /etc/hosts file (or in DNS). This hostname must be the one used as the common name when the keystore was created.

Conclusion

This white paper explains the procedure for configuring Distributed Content to support secure socket layer connections. It is intended to help in setting up the ACS, BOCS, DMS and WDK-based client in an SSL environment. It describes content transfer behavior in an SSL environment and shows, through the logs, the HTTPS and SSL port URLs being used during operations.

References

http://developercontent.emc.com/developer/downloads/distributed_content_configuration_and_troubleshooting.pdf
https://support.emc.com/docu32947_documentum-content-server-6.7-distributed-Configuration-Guide.pdf?language=en_US
http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
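The causes in the troubleshooting table above can be checked before anyone hits the errors. The script below is an added example, not part of the white paper: the helpers that need only the shell (CN-versus-hostname comparison, JRE version comparison, hosts-file lookup) are separated from the ones that call openssl, keytool or jrunscript, so the matching logic runs offline. All hostnames, ports, paths, version strings and the embedded hosts-file content are assumptions or constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the EMC white paper: scripted checks for the
# causes listed in the Troubleshooting Tips table. Helpers that need only the
# shell are separated from those that call openssl, keytool or jrunscript so
# the matching logic can be exercised offline. All hostnames, ports, paths
# and version strings used in the examples are assumptions.
set -u

# Item 1: the hostname in the URL must equal the CN chosen at keystore
# creation. SUBJECT is the line printed by `openssl x509 -noout -subject`
# (either "subject= /C=US/CN=host" or "subject=CN = host, O = x" form);
# HOST is what clients put in the URL. DNS names are case-insensitive.
cn_matches_hostname() {
    subject=$1; host=$2
    cn=$(printf '%s\n' "$subject" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/ *$//')
    [ -n "$cn" ] || return 1
    [ "$(printf '%s\n' "$cn" | tr 'A-Z' 'a-z')" = "$(printf '%s\n' "$host" | tr 'A-Z' 'a-z')" ]
}

# Item 1 end-to-end: compare the CN the server actually presents with HOST.
check_presented_cn() {
    host=$1; port=$2
    subj=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject) || return 1
    cn_matches_hostname "$subj" "$host"
}

# Items 2 and 3: the keystoreFile from server.xml must exist and keystorePass
# must open it. keytool -list fails on a wrong password with "Keystore was
# tampered with, or password was incorrect".
keystore_opens() {
    ks=$1; pass=$2
    [ -f "$ks" ] || { echo "keystore not found: $ks" >&2; return 2; }
    keytool -list -keystore "$ks" -storepass "$pass" >/dev/null 2>&1 \
        || { echo "wrong password or corrupt keystore: $ks" >&2; return 3; }
}

# Item 4: UCF's private JRE must be 1.7.0_07 or newer. VERSION is in the
# "1.7.0_07" form printed by `java -version` for Java 7 and 8.
jre_at_least_1_7_0_07() {
    v=$1
    major=$(printf '%s\n' "$v" | cut -d. -f2)
    minor=$(printf '%s\n' "$v" | cut -d. -f3 | cut -d_ -f1)
    update=$(printf '%s\n' "$v" | cut -s -d_ -f2 | sed 's/^0*//')
    update=${update:-0}
    [ "$major" -gt 7 ] && return 0
    [ "$major" -eq 7 ] && [ "$minor" -ge 0 ] && [ "$update" -ge 7 ]
}

# Item 5: largest AES key the running JRE allows. 128 means the JCE
# unlimited-strength policy files are not installed, so any suite stronger
# than AES-128 negotiated by the server ends in "Illegal key size".
max_aes_key_bits() {
    jrunscript -e "print(javax.crypto.Cipher.getMaxAllowedKeyLength('AES'))"
}

# Item 6: every peer must resolve the full CN. Reads hosts-file content on
# stdin (in practice: `hosts_content_maps host < /etc/hosts`) and succeeds
# when HOST appears as a name after an address on a non-comment line.
hosts_content_maps() {
    host=$1
    sed 's/#.*//' | awk -v h="$host" '
        { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(h)) { found = 1; exit } }
        END { if (found) exit 0; exit 1 }'
}

# Constructed hosts-file content for offline use of hosts_content_maps.
SAMPLE_HOSTS='127.0.0.1   localhost
# acs and dms entries (constructed)
10.0.0.21   acsmachinename.dnsname.com acsmachinename
10.0.0.22   dmsmachinename.dnsname.com'

# Usage against a live environment (illustrative values):
#   check_presented_cn dmsmachinename.dnsname.com 8491 || echo "CN/hostname mismatch"
#   keystore_opens /opt/documentum/dms.keystore "$KEYSTORE_PASS"
#   jre_at_least_1_7_0_07 "$(java -version 2>&1 | sed -n 's/.*"\(.*\)".*/\1/p')"
#   [ "$(max_aes_key_bits)" -gt 128 ] || echo "JCE unlimited-strength policy not installed"
#   hosts_content_maps acsmachinename.dnsname.com < /etc/hosts
```

The version check deliberately fails on a bare "1.7.0" (no update number), which is how the pre-1.7.0_07 JREs that trigger the DH keypair error report themselves.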
