aem-guru

  AEM - LDAP Integration LDAP (the   L ightweight   D irectory   A ccess   P rotocol) is used for accessing centralised directory services.  You can achieve below vital things with LDAP integration The User accounts can be synchronised between LDAP server and the AEM repository.  The AEM uses LDAP authentication  to authenticate users, with credentials being passed to the LDAP server for validation.  To improve performance, successfully validated credentials can be cached by repository, with an expire timeout. This helps reduce the effort required to manage user accounts as they can be accessed by the multiple applications.  When a user/account is removed from LDAP server validation is no longer granted & access to the AEM is denied.  The following are the AEM steps for integrating the LDAP and using it as your Single Sign On (SSO) source of truth for authenticating AEM Users. In order to have LDAP working with AEM, you need to create three OSGi configurations: An LDAP Identity Pro

How to Configure S3 in AEM  Configuring s3 data stores in AEM 6 In Adobe Experience Manager (AEM), binary data can be stored independently from the content nodes. The binary data is stored in a data store, whereas content nodes are stored in a node store. Both data stores and node stores can be configured using OSGi configuration. Each OSGi configuration is referenced using a persistent identifier (PID). In this article we learn the detailed steps for configuration S3 data store in AEM.  You can get the architectural level understand of S3 with AEM from article -  https://www.aemrules.com/2021/06/how-does-s3-works-with-aem.html   Amazon S3 Data Store AEM can be configured to store data in Amazon’s Simple Storage Service (S3). It uses the org.apache.jackrabbit.oak.plugins.blob.datastore.S3DataStore.config PID for configuration.   In order to enable the S3 data store functionality, a feature pack containing the S3 Datastore Connector needs to be downloaded and installed.  Go to the Adob

How to Use Crypto Support in AEM to Encrypt/Decrypt Data? While working with AEM, The AEM dev-ops / developer team sometimes have a requirements to call third-party APIs/Services. Configurations related to these APIs/Services like username, passwords, client id/secrets, API keys are usually stored in a code repository in the form of OSGi configuration. This sensitive information should be stored encrypted rather than plain-text format. This is possible through the OOTB AEM Crypto Support bundle. This bundle provides services for encrypting and decrypting the confidential/secured data through system-wide keys (hmac and master files).   What are the Features of Crypto Support? Decryption happens at runtime. No one can decrypt the data through the UI. There’s no UI to decrypt the encrypted data. So, the information remains secure. What are hmac/master keys? Encryption/decryption happens through keys (hmac and master files). These keys get generated during the first startup of AEM instance

Crypto Support in AEM (Syncing HMAC among AEM instances) AEM OOTB provides a feature where we can encrypt the secured and confidential data through OOTB AEM Crypto Support and store it in a code repository in the form of OSGi configuration. Crypto Support is based on keys (hmac and master files) which are unique for each AEM instance. Encrypted text generated for the same plain-text string on one AEM instance will be different from another instance. This can raise alarms in cases where we have the same OSGi configuration values shared among Author and Publish instances under the same topology. For e.g. /apps/project/config.prod/com.day.cq.db.dbservice.xml Here DB password for Default DB Service will be same across all Prod AEM instances. So, in order to make sure that the same encrypted value works on all Prod instances, we will have to sync hmac and master files among Prod Author and Publish instances. Vital Points to know before HMAC SYNC  Sync of HMAC/keys will break the AEM SSL and

LOGGING OF THE X-FORWARDED-FOR HEADER The dev-opes team , struggles to find the end user IP while working / troubleshooting the DOS, D-DOS attacks/issue.  To troubleshoot such issue first thing you need to do is , log the end user IP.  Please follow the steps to do the same.  In the Apache HTTP Server's access_log, add this to the httpd.conf file in the dispatcher servers: LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined LogFormat "%h %l %u %t \"%r\" %>s %b" common LogFormat "%{Referer}i -> %U" referer LogFormat "%{User-agent}i" agent In Microsoft IIS add X-Forwarded-For in the  "Advanced Logging"  configuration. That would log the correct end-user IP. Use the output showing the IP and User-Agent to analyse whether it is a malicious attack and block the offending IPs if it makes sense. 2. SET DISPATCHER.LOG'S LOG LEVEL TO DEBUG: