AEM SSL Enablement
Updated: May 20, 2020
This Adobe Experience Manager (AEM) task enables HTTP over SSL so that connections to AEM environments are more secure. The steps in this document are specific to the Author instance: they secure client connections to the Author instance, specifically the connectivity from the Dispatcher to the Author render instance. At a high level, we are trying to achieve the following connectivity flow:
Content Authors -> SSL Connection -> Author Dispatcher -> SSL Connection -> Author AEM
The following are the required prerequisites for enabling SSL within AEM:
1. SSL Certificate: self-signed for development, and a signed CRT for the production implementation.
2. Private Key: the private key pertaining to the SSL certificate, in DER format.
3. Apache Dispatcher module with SSL support (the latest web module from Adobe).
The following are the steps for installing the SSL certificate in an AEM Author instance:
1. Configuring HTTPS is highly recommended on any AEM Author instance, and as part of this initiative AEM lists “Configure HTTPS” as an active task that needs to be performed.
2. Click on the “Configure HTTPS” task and click Open to start the wizard. A service user called ssl-service has been created for this feature.
3. Type in the Key Store and Trust Store passwords. These are the store credentials for the ssl-service system user's key store, which will contain the private key, and for the trust store used by the HTTPS listener.
4. Upload the associated private key and internal signed CSR for the SSL connection.
5. Select the HTTPS port. 8443 is the default TCP port for the Author AEM HTTPS listener.
6. You should get a success page stating “SSL Successfully Configured”.
To validate that the proper certificate has been installed, please perform the following steps:
1. Go to AEM User Management and look for the service user, ssl-service.
2. In the Account Settings section, make sure that the status is set to “active”. Click on “Manage KeyStore” to view the certificate.
3. Confirm that the Certificate Subject, Issuer and Expiry date are consistent with the CRT that was installed.
The following are the steps for installing the updated dispatcher module and configuring the dispatcher to use the secure SSL channel:
1. Validate that you have the right version of the dispatcher. If not, upload the updated dispatcher-apache2.4-4.2.2.so to the webserver (dispatcher).
2. Edit the dispatcher.any file to use the secure channel and the SSL port.
3. Restart Apache.
4. Test to validate the configuration.
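For step 2, the change in dispatcher.any is made in the /renders section of the Author farm. The fragment below is an added example, not taken from the original page or from Adobe's shipped configuration; the render name rend01, the hostname author.example.internal and the earlier HTTP port 4502 are assumptions, while 8443 is the HTTPS port selected in the wizard and /secure "1" is the Dispatcher property that makes it connect to the render over HTTPS.

```conf
# dispatcher.any, /renders section of the Author farm (added example)
# All names and the hostname are placeholders; adjust to your environment.

# Before: Dispatcher talks to the Author render over plain HTTP.
# Anything between the web server and AEM, including author logins
# and session cookies, crosses the network unencrypted.
#
# /renders
#   {
#   /rend01
#     {
#     /hostname "author.example.internal"
#     /port "4502"
#     }
#   }

# After: same render, reached on the HTTPS listener configured in the wizard.
/renders
  {
  /rend01
    {
    # Must match a name in the installed certificate's subject or SAN
    # if the connection is to be meaningful as an authenticated channel.
    /hostname "author.example.internal"

    # HTTPS port chosen in the "Configure HTTPS" wizard.
    /port "8443"

    # "1" tells Dispatcher to use HTTPS for requests to this render.
    /secure "1"
    }
  }
```

The other sections of the farm stay as they are, and the setting relies on the SSL-enabled Dispatcher module listed in the prerequisites.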