Gentics CMS package configuration

This documentation applies only to Gentics CMS installations that still use the old Apache from the Gentics CMS package. If you use the web server provided by your distribution, the steps are similar but not identical; they are not covered here.

1 Using HTTPS

1.1 Virtual host configuration

To use HTTPS, you must add a corresponding virtual host to the Apache httpd configuration. You can do this by copying the original virtual host, which is not HTTPS-enabled:


cd /Node/apache/conf/sites-available
cp cms.conf cms_ssl.conf

Then adjust the VirtualHost directive to use the HTTPS port and add the mod_ssl configuration:

/Node/apache/config/sites-available/cms_ssl.conf

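<VirtualHost *:443>

# mod_ssl settings added to the copied virtual host
SSLEngine on
SSLCertificateFile /Node/apache/conf/ssl/server.crt
SSLCertificateKeyFile /Node/apache/conf/ssl/server.key

SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

# ... the remaining directives copied from cms.conf stay unchanged ...
</VirtualHost>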

1.2 Apache configuration

Activate the virtual host and mod_ssl:


cd /Node/apache/config/sites-enabled/
ln -s ../sites-available/cms_ssl.conf 010-cms_ssl.conf
cd ../mods_enabled
ln -s ../mods_available/ssl.load

Create the /Node/apache/config/ssl directory and copy your certificate and key files there, as referenced in the virtual host configuration.

If you don’t have a commercial certificate yet and just want to test the HTTPS functionality, you can also generate a self-signed certificate.

If you use a commercial certificate, you must provide the complete certificate chain. You can do this either by adding the SSLCACertificatePath directive or by using the SSLCertificateChainFile directive instead of SSLCertificateFile.

1.3 HTTPS only & Secure cookies

If HTTPS is the only means of access to both the backend and the REST API, the secure_cookie feature can be enabled to improve security.

To make sure everything works over HTTPS only, you must check the following:

  • Java processes accessing the HTTPS port (this can be the Tomcat of your Gentics CMS installation, or some application using the Java-REST-client) must trust the certificate in use (e.g. because it is signed by a trusted authority or has been added to the JVM truststore).
  • The $CN_LOCAL_SERVER variable in your node.conf is set to the HTTPS URL. It needs to be followed by this line:

    node.conf

    $PORTAL_CONNECT['url'] = $CN_LOCAL_SERVER.$PORTLETAPP_PREFIX .'JavaParserInvoker';

  • Put the certificate in PEM format into /usr/local/share/curl/curl-ca-bundle.crt
  • Your browsers must trust the certificate.

1.4 Restart

Finally, restart Gentics CMS.


/Node/bin/nodectl restart

Users with currently active sessions must log in again; otherwise malfunctions may occur.
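
To verify after the restart that the secure_cookie feature from section 1.3 is in effect, the response headers can be checked for cookies that lack the Secure attribute. The following is an added example, not part of the Gentics CMS documentation or tooling; the function names, the cookie names in the sample and the host name cms.example.com are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list cookies that a response sets WITHOUT the Secure attribute.
# Reads raw HTTP response headers on stdin and prints one cookie name per line.
# Empty output means every cookie in the response carries Secure.
insecure_cookies() {
    tr -d '\r' | awk '
        tolower($0) ~ /^set-cookie:/ {
            line = $0
            sub(/^[^:]*:[ \t]*/, "", line)       # drop the header name
            n = split(line, attr, ";")           # attr[1] is name=value
            name = attr[1]
            sub(/=.*/, "", name)                 # keep only the cookie name
            secure = 0
            for (i = 2; i <= n; i++) {           # inspect attributes only,
                a = tolower(attr[i])             # never the cookie value
                gsub(/^[ \t]+|[ \t]+$/, "", a)   # trim surrounding whitespace
                if (a == "secure") secure = 1
            }
            if (!secure) print name
        }'
}

# Constructed sample response headers (cookie names and values are invented).
# PREFS shows that the word "secure" inside a value does not count as the flag.
sample_headers() {
    printf '%s\r\n' \
        'HTTP/1.1 200 OK' \
        'Set-Cookie: SESSION_A=abc123; Path=/; HttpOnly; Secure' \
        'set-cookie: SESSION_B=def456; Path=/; HttpOnly' \
        'Set-Cookie: PREFS=secure=no; Path=/' \
        'Content-Type: text/html'
}

# Usage against a live system (placeholder host name):
#   curl -sI https://cms.example.com/ | insecure_cookies
```

Session cookies are normally set by the login response, so feed the function the headers of that response (for example saved with curl -D) rather than only those of the start page.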