In the process of setting up the AEM Workbench to use 2-way-SSL, you will need at some point to use a Hybrid Domain and a specific Authentication Provider. Depending on the version of the AEM that you are using, this Authentication Provider might not be present and therefore you will never be able to set that up properly. In this blog, I will describe what was done in our case to solve this problem.
The first time we tried to set that up (WebLogic Server 12.2, AEM 6.4.0), it just wasn’t working. Therefore, we opened a case with the Adobe Support (#159953) and after quite some time, we found out that the documentation was not complete (#CQDOC-13273) and that there were actually missing steps and missing configuration inside the AEM to allow the 2-way-SSL to work. So basically everything said that the 2-way-SSL was possible but there were just missing pieces inside AEM to have it really working. Therefore after discussion & investigation with the Adobe Support Engineers (#NPR-26490), they provided us the missing piece: adobe-usermanager-ssl-dsc.jar.
When you install AEM Forms, it will automatically deploy a bunch of DSC (jar file) to provide all features of the AEM Forms. These are a few examples:
Therefore, our AEM Forms version at that time (mid-2018, AEM 6.4.0) was missing one of these DSC and it was the root cause of our issue. So what can you do fix that? Well you just have deploy it and since we are anyway in the middle of working with the AEM Workbench to set it up with 2-way-SSL, that’s perfect. While the Workbench is still able to use 1-way-SSL (don’t set your Application Server in 2-way-SSL or revert it to 1-way-SSL):
- Download or request the file “adobe-usermanager-ssl-dsc.jar” for your AEM version to the Adobe Support
- Open the AEM Workbench (run the workbench.exe file)
- Click on “File > Login“
- Set the Log on to to: <AEM_HOST> – SimpleAuth (or whatever the name of your SimpleAuth is)
- Set the Username to: administrator (or whatever other account you have)
- Set the Password for this account
- Click on “Login“
- Click on “Window > Show View > Components“
- The Components window should be opened (if not already done before) somewhere on the screen (most probably on the left side)
- Inside the Components window, right click on the “Components” folder and select “Install Component …“
- Find the file “adobe-usermanager-ssl-dsc.jar” that has been downloaded earlier, select it and click on “Open“
- Right click on the “Components” folder and select “Refresh“
- Expand the “Components” folder (if not already done), and look for the component named “SSLAuthProvider“
- If this component isn’t started yet (there is a red square on the package), then start it using the following steps:
- Right click on “SSLAuthProvider“
- Select “Start Component“
Note: If the “SSLAuthProvider” component already exists, then you will see an error. This is fine, it just needs to be there and to be started/running. If this is the case then it’s all good.
Once the SSLAuthProvider DSC has been installed and is running, you should be able to see the SSLMutualAuthProvider in the list of custom providers while creating the Hybrid Domain on the AdminUI. Adobe was normally supposed to fix this in the following releases but I didn’t get the opportunity to test the installation of AEM 6.5 from scratch yet. If you have this information, don’t hesitate to share!