Server-to-server SSL with Plumtree

Two different customers of ours have recently experienced problems with server-to-server SSL and Plumtree, so I thought I would shed some light on the issue in the hope that it might help someone else who’s having the same problem.

The reality is that server-to-server SSL is no different with Plumtree than it is in any other environment, but it’s just poorly understood in general. Also, Plumtree makes server-to-server requests in places where you might not think to look. For example, you might think that only end users hit the Image Server, but in fact both the Portal Server and the Collaboration Server make server-to-server connections to the Image Server to pull down JavaScript files. (It’s possible that Content Server, Studio Server and the new Analytics Server make similar requests; I just haven’t run into problems with these products — yet.)

So, here’s the gist: in order for a server to communicate with another server over SSL, the requesting server needs to have the host server’s certificate installed in its keystore. Doing this is pretty straightforward and well documented. First, you need to export the certificate from the host server and copy it over to the requesting server. You can read about how to do this in IIS or how to do this in a JVM-based application server such as WebLogic or Tomcat.

After exporting the cert, you’ll end up with a .cer file that you’ll need to install on the requesting server. Say that server is a Tomcat instance on which you’ve installed Plumtree’s Collaboration Server. In this case, this set of instructions should help you get that part working.

One gotcha is that the name of the server in the certificate must match the name being placed in requests made to that server. For example, if the requesting server is making a call to https://images.mycompany.com, you need to have images.mycompany.com as the name of the server in its certificate.
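The import step and the name check described above can be combined into one pre-flight script. This is an added example, not part of the original post or of Plumtree's tooling; the file name `host.cer`, the alias `imageserver`, the non-matching hostname `imageserver01` and the `changeit` truststore password are assumptions.

```shell
# Added example, not from the original post. Assumed names: host.cer, alias
# "imageserver", and the JVM default truststore password "changeit".

# Constructed sample: a throwaway self-signed cert so this runs offline.
# In practice, use the .cer file exported from the host server instead.
make_sample_cert() {    # $1 = server name in the cert, $2 = output directory
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$2/key.pem" -out "$2/host.cer" 2>/dev/null
}

# Succeeds only if the cert covers the hostname used in the request URL.
cert_matches_host() {   # $1 = cert file, $2 = hostname
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

# Refuses to import a cert that would fail hostname verification anyway.
import_if_matching() {  # $1 = cert, $2 = hostname, $3 = alias, $4 = truststore
  cert_matches_host "$1" "$2" || { echo "name mismatch: $2" >&2; return 1; }
  keytool -importcert -noprompt -alias "$3" -file "$1" \
    -keystore "$4" -storepass "${STOREPASS:-changeit}"
}

# Demo: the cert names images.mycompany.com, so only that hostname passes.
# "imageserver01" is a constructed short name that the cert does not cover.
demo_dir=$(mktemp -d)
make_sample_cert images.mycompany.com "$demo_dir"
for h in images.mycompany.com imageserver01; do
  if cert_matches_host "$demo_dir/host.cer" "$h"; then
    echo "$h: matches certificate"
  else
    echo "$h: does NOT match certificate"
  fi
done
# With a JDK installed, import into the requesting server's truststore:
#   import_if_matching host.cer images.mycompany.com imageserver /path/to/cacerts
```

Run the import against the truststore the requesting JVM actually loads, then restart that application server so it picks up the new entry.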
