Implementing Primo-Aleph Secure Connection

Last updated
Save as PDF
Share
1. Share
2. Tweet
3. Share

Primo contacts Aleph's JBoss server over HTTP in a method called REST (Representational State Transfer) according to the DLF ILS Discovery Interface API. Because the REST standards do not include session handling or authentication, the data that the API transmits is not protected by any identification or encryption methods. Therefore, customers may configure Aleph and Primo to communicate over SSL (an encrypted and authenticated method).

To configure SSL communication between Primo and Aleph:

Perform the following steps on the Primo server:
1. Enter the following commands, making sure that the keypass and storepass are the same:
  
  keytool -genkey -alias primo -keypass <passwd> -keystore /tmp/primo.keystore -storepass <passwd> -dname "cn=<primo_hostname>, ou=primo, o=<company_name>, c=<country_prefix>" -validity 3650
  
  keytool -selfcert -alias primo -keypass <passwd> -keystore /tmp/primo.keystore -storepass <passwd> -dname "cn=<primo_hostname>, ou=primo, o=<company_name>, c=<country_prefix>" -validity 3650
  
  keytool -list -keypass <passwd> -storepass <passwd> -keystore /tmp/primo.keystore -rfc > /tmp/primo.crt
2. Edit the file so that it contains only the certificate information, which includes the following beginning and ending lines:
  
  -----BEGIN CERTIFICATE-----
  
  .
  
  .
  
  .
  
  -----END CERTIFICATE-----
Perform the following steps on the Aleph server:
1. Enter the following commands, making sure that the keypass and storepass are the same:
  
  keytool -genkey -alias aleph -keypass <passwd> -keystore /exlibris/aleph/a21_8/ng/aleph/home/system/thirdparty/openserver/server/default/conf/aleph.keystore -storepass <passwd> -dname "cn=<aleph_hostname>, ou=aleph, o=<company_name>, c=<country_prefix>" -validity 3650
  
  keytool -selfcert -alias aleph -keypass <passwd> -keystore /exlibris/aleph/a21_8/ng/aleph/home/system/thirdparty/openserver/server/default/conf/aleph.keystore -storepass <passwd> -dname "cn=<aleph_hostname>, ou=aleph, o=<company_name>, c=<country_prefix>" -validity 3650
  
  keytool -list -keypass <passwd> -storepass <passwd> -keystore /exlibris/aleph/a21_8/ng/aleph/home/system/thirdparty/openserver/server/default/conf/aleph.keystore -rfc > /tmp/aleph.crt
2. Edit the file so that it contains only the certificate information, which includes the following beginning and ending lines:
  
  -----BEGIN CERTIFICATE-----
  
  .
  
  .
  
  .
  
  -----END CERTIFICATE-----
3. Enter the following commands to copy the certificates to and from the Primo server:
  
  scp aleph.crt primo@<primo_server>:/tmp
  
  scp primo@<primo_server>:/tmp/primo.crt /tmp
Enter the following command on the Primo server to import aleph.crt into Primo’s keystore:

keytool -import -alias aleph -file /tmp/aleph.crt -storepass <passwd> -keystore /tmp/primo.keystore -noprompt
Perform the following steps on the Aleph server:
1. Enter the following command to import primo.crt into Aleph's keystore:
  
  keytool -import -alias primo -file /tmp/primo.crt -storepass <passwd> -keystore /exlibris/aleph/a21_8/ng/aleph/home/system/thirdparty/openserver/server/default/conf/aleph.keystore -noprompt
2. Enter the following commands to access the server.xml file:
  
  cd $aleph_dev/ng/aleph/home/system/thirdparty/openserver/server/default/deploy/jbossweb-tomcat.sar
  
  If the above directory does not exist, enter the following command:
  
  cd $aleph_dev/ng/aleph/home/system/thirdparty/openserver/server/default/deploy/jbossweb.sar
3. Enter the following command to edit the server.xml file:
  
  vi server.xml
4. In the following section in the server.xml file, modify the path of the keystore file and its password if needed.
  
  <connector address="$<span class=" plain="" port="8443">{jboss.bind.address}}"</connector>
  
  maxThreads="100" minSpareThreads="5" maxSpareThreads="15"
  
  scheme="https" secure="true" clientAuth="true" disableUploadTimeout="true"
  
  keystoreFile="${jboss.server.home.dir}}/conf/aleph.keystore" keystorePass="<passwd>"
  
  truststoreFile="${jboss.server.home.dir}}/conf/aleph.keystore" truststorePass="<passwd>"
  
  connectionTimeout="20000" sslProtocol="TLS" />
  
  Make sure that the above lines are not commented out before saving the server.xml file.
  
  When selecting a port for SSL communication, enter the following command to make sure that port is open and free:
  
  telnet <server_name_or_ip><ssl_port>
  
  In the following example, port 8888 is open for communication to the il-aleph07 server:
  
  telnet il-aleph07 8888
  
  Trying 10.1.235.93...
  
  Connected to il-aleph07.
  
  Escape character is '^]'.
  
  Telnet Example
5. Enter the following command to edit the main.properties file:
  
  vi $alephe_root/jboss_conf/main.properties
6. Add the following line to the main.properties file to make sure that access to the REST API only is available in HTTPS:
  
  api.rest.https=Y
7. Enter the following commands to restart Aleph’s JBoss server:
  
  Jbin
  
  jboss_shutdown.sh
  
  jboss_startup.sh
Perform the following steps in the Primo Back Office:
1. On the Primo Home > Advanced Configuration > General Configuration Wizard page, select the Installation subsystem from the drop-down list.
2. On the General Configuration Wizard page, specify the following parameters:
  - javax.net.ssl.trustStore – Enter the full path to the primo.keystore file.
  - javax.net.ssl.keyStore – Enter the full path to the primo.keystore file.
  - javax.net.ssl.trustStorePassword – Enter the password used for the truststore.
  - javax.net.ssl.keyStorePassword – Enter the password used for the keystore.
3. Click Save & Continue.
4. On the Primo Home > Ongoing Configuration Wizards > Institution Wizard page, edit your institution.
5. On the Edit Institution page, specify the HTTPS URL in the API field under the Delivery Base URLs section.
6. Click Save & Continue.
7. Deploy the changes to the institution.
On the Primo server, restart Primo’s Front End.