Tuesday, September 20, 2011

How to Set up SSL for local in CQ / WEM / Dispatcher

Use case For testing

Step 1: Generate Key Store

Use Keytool to generate keystore

You can also confirm if you have keytool in your system by using command keytool --help

Once you have keytool installed you can following command to generate ketstore

From command line navigate to /crx-quickstart/server/etc
Use command "keytool -genkey -keystore mykey -alias myalias -keyalg rsa"

Set up SSL till CQ5.4 (Using server.xml)

use following entry in server.xml

<!-- You already have one entry here don't modify it-->
<!--Entry for new SSL Listener-->
<passphrase><Password you have given while creating certificate></passphrase>
<password><Password you have given while creating certificate></password>
<!--End of new entry for SSL-->

You can also check /crx-quickstart/server/etc/SSL_HowTo.txt to see how configuration can be done.


Once you have SSL set up check logs/server.log to make sure that server is started on secure port.

If you get Error like,

*ERROR* servletengine: Unable to start https listener on address, port 443: Permission denied
That means you need to start CQ as root user.

Set up SSL in CQ5.5

In CQ5.5 CQSE is deployed as a bundle and you can configure SSL using Felix configuration, Please see screen shot of how to do that. All parameter is self explanatory

This is actual configuration

1. You can put certificate file at any location you want. Only absolute path is required.
2. There is no way to configure multiple port you can listen to now.

Set up SSL on apache (If your SSL terminate at apache)

Assuming that you are using Apache web server,

Click here to see how to generate certificate and key file

If you already have cert and password then you can use following command to generate key

openssl rsa -in <Your Key>.key -out <Key with Password>.new.key

Then go to /conf/httpd.conf and add following entry

Listen 443
<VirtualHost *:80>
    ServerName wemblog.com
    ServerAlias wemblog*.com

    RewriteEngine on
    #Rewrite all request to https
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [L,R=301]

NameVirtualHost *:443
Listen 443
<VirtualHost *:443>
    ServerName wemblog.com
    ServerAlias wemblog*.com
    SSLEngine on
    SSLCertificateFile <cert path>.cert
    SSLCertificateKeyFile <key path>.key

    RewriteEngine on
    ProxyPreserveHost On
    ProxyPass / http://localhost:4502/
    ProxyPassreverse / http://localhost:4502

    #set header for SSL
    Header add X-Forwarded-Proto "https"
    <LocationMatch "/(content|apps|etc).*">
        RequestHeader set X-Forwarded-Proto "https"


To be honest you will get ton of information about How to set up SSL on Apache on Google.

Note: If you just have to use https (force https in CQ) and not let author to use http, There are two options,

1) You can configure dispatcher rewrite rule to redirect all http request to https.
2) If you are not using dispatcher, you can write rewrite rule under /etc/map to redirect all request to https port. Here is example

Please check https://cwiki.apache.org/SLING/flexible-resource-resolution.html

You have to do something like this

+-- http
+-- localhost.4502
+-- sling:redirect = "https://localhost:<your secure port>"


  1. How to run aem author and bind it with 443 port using non root user and without using dispatcher in AEM 6.1?

    1. Hello Dg,

      If you don't want to use Dispatcher, you can just use apache and proxy it to author instance.


  2. Pretty good post. I just stumbled upon your blog and wanted to say that I have really enjoyed reading your blog posts. Any way I'll be subscribing to your feed and I hope you post again soon. Big thanks for the useful info. everydaylocksmiths.com