SCM-Server SSL
Note: This document describes a ssl configuration with a self-signed certificate
1. Open a shell and go to the conf directory of the scm-server
2. Create a certificate request. Replace all variables (*varname*)
$ keytool -genkey -alias scm -keyalg RSA -keystore keystore.jks
Enter keystore password: your password
Re-enter new password: your password
What is your first and last name?
[Unknown]: *your servername*
What is the name of your organizational unit?
[Unknown]: *organisation unit*
What is the name of your organization?
[Unknown]: *organisation*
What is the name of your City or Locality?
[Unknown]: *city*
What is the name of your State or Province?
[Unknown]: *state*
What is the two-letter country code for this unit?
[Unknown]: *country code*
Is CN=your servername, OU=your organisation unit, O=your organisation, L=your city, ST=your state, C=cc correct?
[no]: yes
Enter key password for <scm>
(RETURN if same as keystore password): *password*
Re-enter new password: *password*
Note: You have to enter the full qualified hostname of your server for the cn (cn = What is your first and last name?)
3. Edit the server-config.xml, uncomment the SSL-Connector and set your password. For example:
<Call name="addConnector">
<Arg>
<New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
<Arg>
<!--
Exclude SSLv3 to avoid POODLE vulnerability.
See https://groups.google.com/d/msg/scmmanager/sX_Ydy-wAPA/-Dvs5i7RHtQJ
-->
<New class="org.eclipse.jetty.http.ssl.SslContextFactory">
<Set name="excludeProtocols">
<Array type="java.lang.String">
<Item>SSLv2Hello</Item>
<Item>SSLv3</Item>
</Array>
</Set>
</New>
</Arg>
<Set name="Port">8181</Set>
<Set name="maxIdleTime">30000</Set>
<Set name="keystore"><SystemProperty name="basedir" default="." />/conf/keystore.jks</Set>
<Set name="password">*password*</Set>
<Set name="keyPassword">*password*</Set>
<Set name="truststore"><SystemProperty name="basedir" default="." />/conf/keystore.jks</Set>
<Set name="trustPassword">*password*</Set>
</New>
</Arg>
</Call>
4. Start or restart the scm-server
Note: It looks like there is a error in some version of OpenJDK (issues #84 and #151). If you have such a problem, please try to use the Oracle JDK.
Configure Git
1. Export the certificate from keystore:
$ keytool -exportcert -keystore keystore.jks -alias scm -rfc -file cert.pem
2. Copy the certificate to your client and add it to your git config:
$ git config http.sslCAInfo /complete/path/to/cert.pem
Configure Mercurial
1. Export the certificate from keystore:
$ keytool -exportcert -keystore keystore.jks -alias scm -rfc -file cert.pem
2. Copy the certificate to your client and add it to your .hgrc config file:
[web]
cacerts = /complete/path/to/cert.pem