Server-to-server SSL with Plumtree

Two different customers of ours have recently experienced problems with server-to-server SSL and Plumtree, so I thought I would shed some light on the issue in the hope that it might help someone else who’s having the same problem.

The reality is that server-to-server SSL is no different with Plumtree than it is in any other environment, but it’s just poorly understood in general. Also, Plumtree makes server-to-server requests in places where you might not think to look. For example, you might think that only end users hit the Image Server, but in fact both the Portal Server and the Collaboration Server make server-to-server connections to the Image Server to pull down javascript files. (It’s possible that Content Server, Studio Server and the new Analytics Server make similar requests; I just haven’t run into problems with these products — yet.)

So, here’s the gist: in order for a server to communicate with another server over SSL, the requesting server needs to have the host server’s certificate installed in its keystore. Doing this is pretty straightforward and well documented. First, you need to export the certificate from the host server and copy it over to the requesting server. You can read about how to do this in IIS or how to do this in a JVM-based application server such as Weblogic or Tomcat.

After exporting the cert, you’ll end up with a .cer file that you’ll need to install on the requesting server. Say that server is a Tomcat instance on which you’ve installed Plumtree’s Collaboration Server. In this case, this set of instructions should help you get that part working.

One gotcha is that the name of the server in the certificate must match the name being placed in requests made to that server. For example, if the requesting server is making a call to https://images.mycompany.com, you need to have images.mycompany.com as the name of the server in its certificate.
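
The two checks described above (trust in the exported certificate, and the name match), as an added Python sketch that is not part of the original post or of Plumtree. It assumes the exported .cer is Base64/PEM encoded and that it is run on the requesting server; imgsrv01.corp.local and the sample certificate are constructed values, and the script tests the certificate itself, not the contents of the JVM keystore.

```python
import socket
import ssl

def cert_names(cert):
    """DNS names a client checks: SAN entries, or subject CN if there is no SAN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def name_matches(hostname, pattern):
    """Case-insensitive; '*' may stand only for the whole left-most label."""
    host, pat = hostname.lower().rstrip("."), pattern.lower().rstrip(".")
    if not pat.startswith("*."):
        return host == pat
    head, _, rest = host.partition(".")
    return bool(head) and rest == pat[2:]

def check_names(hostname, cert):
    """Return (matches, names) for a getpeercert()-style dict."""
    names = cert_names(cert)
    return any(name_matches(hostname, n) for n in names), names

def diagnose(host, port=443, cafile=None, timeout=5):
    """Handshake as the requesting server would; cafile is the exported cert (PEM)."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "OK: trusted, names " + str(cert_names(tls.getpeercert()))
    except ssl.SSLCertVerificationError as exc:
        return "FAIL: " + exc.verify_message  # untrusted issuer or name mismatch
    except OSError as exc:
        return "FAIL: connection error: " + str(exc)

# Constructed sample: certificate issued to the machine name, not the URL's host.
SAMPLE_CERT = {
    "subject": ((("commonName", "imgsrv01.corp.local"),),),
    "subjectAltName": (("DNS", "imgsrv01.corp.local"),),
}

if __name__ == "__main__":
    print(check_names("images.mycompany.com", SAMPLE_CERT))
    print(check_names("imgsrv01.corp.local", SAMPLE_CERT))
```

Calling diagnose("images.mycompany.com", cafile="images.cer") from the requesting server shows which of the two conditions fails before you touch the application server's configuration.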

How to search for other Plumtree deployments

If you’d like to see what people are doing with Plumtree on the open internet, you can search Google using the allinurl: portal/server.pt syntax.

Bear in mind that Plumtree portal administrators can change both “portal” and “server.pt” to anything, but most do not choose (or do not know how) to change this. Really, it’s easy — just change the VirtualDirectoryPath and the HTTPEntryPoint in j_config.xml or n_config.xml.

bdg takes Wind River live on Plumtree 5.0.4J

All of us at bdg are very pleased to announce that our very own Andrew Morris has led Wind River to a successful launch of 5.0.4J on their corporate extranet with an extremely slick and highly customized UI. In fact, the UI is so good that if it weren’t for the portal/server.pt in the URL, you seriously wouldn’t know that it’s a Plumtree Portal!

To pull this off, Andrew leveraged bdg’s extensive knowledge of Plumtree UI customization (especially pluggable navigation) in Java along with a boatload of Plumtree Content Server magic. Up until now, I thought SunTrust was the most creative Plumtree 5x deployment in terms of UI tweaking, but this one trumps it. By a lot. If you don’t believe me, take a look for yourself.