Friday 31 July 2020

Upgrading from older versions of AEM to AEM as a Cloud Service - Tools


There are some readily available tools which speed up the process of upgrading older AEM versions to AEM as a Cloud Service.


Cloud Readiness Analyzer (CRA)
  • The Cloud Readiness Analyzer report is built using the output of the Adobe Experience Manager (AEM) Pattern Detector.
  • It gives a high-level understanding of general upgrade readiness.
  • Helps accelerate the process of assessing readiness to move from an existing Adobe Experience Manager (AEM) deployment to AEM as a Cloud Service.
  • This tool generates a report that identifies areas of potential refactoring, which is the first step in the transition journey to AEM as a Cloud Service.
  • CRA is supported on AEM instances with version 6.1 and above.
  • CRA can run on any environment, but it is preferable to run it on a stage (author) environment or a clone of the production author environment.
  • CRA can be downloaded as a zip and installed on the AEM instance via Package Manager.

Notes: CRA uses a system service user account named repository-reader-service (available by default in AEM 6.2 and later; for AEM 6.1 we will have to create it manually) to execute the Pattern Detector. In version 6.3 and later we can access CRA via Tools -> Operations -> Cloud Readiness Analyzer.
AEM 6.2 provides a link that generates and downloads the CSV report,
and in 6.1 the tool UI is not functional and only the HTTP interface may be used.
    

Analyzer report
-  includes the following categories:
  • Application functionality that must be refactored
  • Repository items that must be moved to a supported location
  • Legacy user interface dialogs and components that must be modernized
  • Deployment and configuration issues
  • AEM 6.x features that have been replaced by new functionality or that are currently not supported on AEM as a Cloud Service
The report generation time depends heavily on the size and nature of the AEM repository content, the AEM version, and other factors.
-----------
Content Transfer Tool (CTT)

This tool helps to move existing content over from a source AEM instance (on-premise or AMS) to the target AEM Cloud Service instance.
We can use this tool to transfer principals (users or groups) automatically

Two steps are involved
Extraction - extract the source content from AEM and keep it in a temporary place called a 'migration set' (a cloud storage area provided by Adobe - if it is inactive for more than 30 days it gets deleted)

Ingestion - ingesting content from the migration set into the target Cloud Service instance

**Content Transfer Tool creates a local copy of the repository that is later uploaded to the migration set, so ensure enough space is available on the local/source AEM instance.

  • The minimum requirement for CTT is AEM 6.3+ and Java 8. On lower versions, upgrade your content repository to AEM 6.5 first.
  • The author AEM will be unavailable during the whole ingestion process.
  • The recommended upper limit for the repository size is 20 GB.
  • CTT can be downloaded as a zip and installed on the AEM instance via Package Manager.
  • Access it by navigating to Tools -> Operations -> Content Transfer.

FAQ on AEM as a Cloud Service

1) What are the environments available as part of AEM as a Cloud Service?

Four types of environments are available with AEM as a Cloud Service:
  • Production environment - for the business practitioners
  • Stage environment - for performance and quality tests before changes to the application are pushed to production
  • Development environment - for developers to implement AEM applications
  • Demonstration environment - for training, demos, POCs etc.; it is simplified to a single author node, while all the others have a minimum of two author nodes
2) What are the types of programs available as part of AEM as a Cloud Service?

Two types of programs are initially available for AEM as a Cloud Service:
  • AEM Cloud Sites Service
  • AEM Cloud Assets Service

3) What do we get as part of an AEM as a Cloud Service license?

When we get the license we will have:

  • Code repository (Git) - 1
  • Baseline image (Sites or Assets) - 1
  • Stage and production environment set (1:1) - 0 or 1
  • Non-production environments (development or demonstration) - 0 to N
  • Pipeline for each environment - 0 or 1

**Note:** The author tier will contain all Sites and Assets functionality for all programs, but the Assets programs will not have a publish tier by default.

4) What are the changes in Author, Publish & Replication in AEM as a Cloud Service?

Author and publish features:

Both the author and publish tiers are always accessed via a load balancer. For the publish tier, a Content Delivery Network (CDN) is always available.

The method of author-to-publish replication has been upgraded. AEM as a Cloud Service uses Sling Content Distribution, which allows one to distribute Sling resources between different Sling instances. (The API works at the path level, and the distribution agents basically enable distribution of specific paths between instances.) This uses a pipeline service run on Adobe I/O, which is external to AEM.
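For developers who previously called the Replicator API from code, the sketch below shows roughly how a path can be handed to Sling Content Distribution instead. This is a minimal, illustrative sketch: the component, method and page path are assumptions, and 'publish' is assumed as the name of the forward distribution agent.

import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.distribution.DistributionRequestType;
import org.apache.sling.distribution.DistributionResponse;
import org.apache.sling.distribution.Distributor;
import org.apache.sling.distribution.SimpleDistributionRequest;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

@Component(service = PagePublisher.class)
public class PagePublisher {

    // Sling Content Distribution entry point (replaces the old Replicator usage)
    @Reference
    private Distributor distributor;

    public void publishPage(ResourceResolver resolver, String pagePath) {
        // ADD distributes (publishes) the given path; DELETE would remove it
        SimpleDistributionRequest request =
                new SimpleDistributionRequest(DistributionRequestType.ADD, pagePath);

        // "publish" is the assumed name of the forward distribution agent
        DistributionResponse response = distributor.distribute("publish", resolver, request);
        if (!response.isSuccessful()) {
            throw new IllegalStateException("Distribution failed: " + response.getMessage());
        }
    }
}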

Replication changes - The replication agents used in previous versions of AEM are no longer used or provided, which might impact the following areas of existing AEM projects:
  • Custom workflows that push content to replication agents (for preview servers, for example)
  • Customizations to replication agents to transform content
  • Using Reverse Replication to bring content from publish back to author
5) Do we have all types of run modes as in previous versions of AEM?

The answer is NO.

Run modes that are defined typically include the service (author and publish) and the environment (dev, stage, prod).

Pattern
<service>.<environment_type>

For example: author.dev or publish.prod

The supported run mode configurations in AEM as a Cloud Service are:
  • config ( The default, applies to all AEM services )
  • config.author ( Applies to all AEM Author services )
  • config.author.dev ( Applies to AEM Dev Author service )
  • config.author.stage ( Applies to AEM Staging Author service )
  • config.author.prod ( Applies to AEM Production Author service )
  • config.publish ( Applies to all AEM Publish services )
  • config.publish.dev ( Applies to AEM Dev Publish service )
  • config.publish.stage ( Applies to AEM Staging Publish service )
  • config.publish.prod ( Applies to AEM Production Publish service )
  • config.dev ( Applies to AEM Dev services )
  • config.stage ( Applies to AEM Staging services )
  • config.prod ( Applies to AEM Production services )

** The OSGi configuration that has the most matching run modes is used.
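For example, in a typical AEM as a Cloud Service project structure (the project name and service PID below are illustrative), run-mode-specific OSGi configurations are placed in folders named after these run modes, and the most specific match wins:

/apps/my-site/osgiconfig/
    config/                   com.mysite.core.SampleService.cfg.json   (all environments)
    config.publish/           com.mysite.core.SampleService.cfg.json   (any Publish service)
    config.publish.prod/      com.mysite.core.SampleService.cfg.json   (wins on Production Publish)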

6) How do we do local development when AEM is in cloud?

For local development:
The following artifacts are made available to the developers:
  • The AEM as a Cloud Service QuickStart: a .jar based, standalone installer of the latest AEM code base, with the same functional and API surface.
  • The AEM as a Cloud Service Dispatcher SDK: an image-based process for testing and validating Dispatcher configurations locally

[* The quickstart is a simple author environment where the majority of extensions can be developed and tested - it does not provide all AEM Sites and AEM Assets functionality. A start command example is given below.]
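As a quick illustration, the SDK quickstart jar is renamed before the first start to pick the run mode and port (the file name below is an example; the version part depends on the SDK you downloaded):

### Rename the SDK quickstart so it starts as an author instance on port 4502
$ mv aem-sdk-quickstart-<version>.jar aem-author-p4502.jar
$ java -jar aem-author-p4502.jar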

7) What are some of the important terminologies we should be aware of?

New important terminologies w.r.t. cloud
  • AEM as a Cloud Service - The cloud-native way of leveraging the AEM applications
  • AEM Image - A deployable artifact that contains the AEM product code together with the customer code.
  • Golden Master - The AEM publish tier.
  • Orchestration Engine - AEM as a Cloud Service uses an orchestration engine to ensure that all author and publish services are scaling as and when needed.
  • Asset microservices - Cloud-based digital asset processing services that cater to various asset processing use cases, such as rendition generation, PDF processing, subasset handling, text extraction etc.
8) What are the types of users and roles available in AEM as a Cloud Service?

Users & Roles

Cloud Manager currently defines four roles for users which govern the availability of specific features:
  • Business Owner - defining KPIs, approving production deployments
  • Program Manager -  team setup, review status
  • Deployment Manager - execute stage/production deployments
  • Developer - develops and tests custom application code, performs Git operations

* There is also a role 'Content Author' which does not interact with Cloud Manager. Content authors may use the Cloud Manager Program Switcher (having navigated from Experience Cloud) to access AEM.

9) How do we upgrade from an existing AEM version to AEM as a Cloud Service?

> Planning
Assess cloud service readiness - determine areas that will require refactoring to be compatible with AEM as a Cloud Service (source code vs deprecated features, the new path structure in AEM as a Cloud Service). Then estimate the plan.
Review resource planning - identify resources, create a team, and map out roles and responsibilities
Establish KPIs - Define KPIs to help your team focus on what matters the most.

> Execution
- Onboard - familiarize the team and deploy the code to the cloud service
- Integrate - set up the Git repository and deploy the code, transfer content, refactor code (use tools wherever possible, for example the Asset Workflow Migration Tool, Dispatcher Converter, and Modernization Tools)
- Configure - user roles and other settings in the Admin Console and Cloud Manager

> Post Go-Live
- Clean up temporary files
- Review best practices for continuous development
- Manage logs

10) What options are available to troubleshoot AEM as a Cloud Service?

The following tools are available to troubleshoot AEM as a Cloud Service environments:
  • Developer Console
  • CRX/DE Lite
  • Managing Logs

11) What does the SDK for local development contain in AEM as a Cloud Service?

The SDK is comprised of the following artifacts
  • Quickstart Jar - The AEM runtime
  • Java API Jar - all allowed Java APIs that can be used to develop against AEM as a Cloud Service (previously known as the Uber Jar) - see the Maven example below
  • Javadoc Jar - The Javadocs for the above JAR
  • Dispatcher Tools - a set of tools used to develop against the Dispatcher locally
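In a Maven project, the Java API Jar is typically consumed as a single compile-time dependency in place of the old Uber Jar. A minimal sketch is given below; the version property is a placeholder to be set to the SDK version in use.

<!-- aem-sdk-api replaces the uber-jar as the compile-time API surface -->
<dependency>
    <groupId>com.adobe.aem</groupId>
    <artifactId>aem-sdk-api</artifactId>
    <version>${aem.sdk.api.version}</version>
    <scope>provided</scope>
</dependency>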
12) How did the maintenance tasks become more user friendly?

With AEM as a Cloud Service, the need for customers to configure the operational properties of maintenance tasks is minimal. Customers can focus their resources on application-level concerns, leaving the infrastructure operations to Adobe.

The below maintenance task configurations are customer-owned:
  • Ad-hoc Task Purge
  • Workflow Purge
  • Project Purge

13) Can you explain mutable vs immutable in AEM as a Cloud Service?

Mutable vs immutable
  • /apps and /libs are considered immutable areas of AEM as they cannot be changed (create, update, delete) after AEM starts (i.e. at runtime). Any attempt to change an immutable area at runtime will fail.
  • Everything else in the repository - /content, /conf, /var, /home, /etc, /oak:index, /system, /tmp, etc. - are mutable areas, meaning they can be changed at runtime (see the sketch below).
  • Oak indexes are mutable at run time
  • * /oak:index configurations are part of the Code Package and not part of the Content Package
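To make this concrete, below is a minimal JCR sketch (the paths, node names and session handling are illustrative assumptions): a write under /content succeeds at runtime, while the same kind of write under /apps fails on AEM as a Cloud Service.

import javax.jcr.Node;
import javax.jcr.Session;

public class MutabilityExample {

    public void demonstrate(Session session) throws Exception {
        // Mutable area: creating content at runtime works
        Node content = session.getNode("/content/my-site");
        content.addNode("runtime-page", "nt:unstructured");
        session.save();

        // Immutable area: this save is expected to fail at runtime
        Node apps = session.getNode("/apps/my-site");
        apps.addNode("runtime-node", "nt:unstructured");
        session.save(); // fails - /apps cannot be changed after AEM starts
    }
}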

Architectural changes or improvements in AEM as a Cloud Service

The noted architectural changes in AEM as a Cloud Service are given below:


  • Scaling - a dynamic architecture with a variable number of AEM images.
  • Has an author cluster by default.
  • Has individual instances that only run when needed.
  • Dynamically scales each of the service instances as per the actual needs, both scaling up and down as appropriate.
  • Many tasks have been automated, like indexing, backup etc.; binary-less replication is the default.
  • Microservices take over processing that was previously done by core AEM itself, for example heavy-load tasks such as queues, jobs and bulk processing.
  • The authoring UI is purely touch-enabled; the Classic UI is no longer available.
  • AEM as a Cloud Service currently supports Azure; AWS support is a roadmap item.
  • The default DAM Asset Update workflow from previous versions of AEM is no longer available.
  • Custom replication agents and reverse replication agents are not allowed in AEM as a Cloud Service.

Friday 17 July 2020

Content disposition configuration in AEM

What is Content-Disposition?
According to the developer guide from Mozilla: "In a regular HTTP response, the Content-Disposition response header is a header indicating if the content is expected to be displayed inline in the browser, that is, as a Web page or as part of a Web page, or as an attachment, that is downloaded and saved locally."

The Content Disposition filter is also a security feature against XSS attacks via SVG files.



Different values for the Content-Disposition headers
  • inline (This is the default value - indicating it can be displayed inside the Web page, or as the Web page)
  • attachment (which indicates it should be downloaded).
How does AEM support Content-Disposition?
A common complaint on AEM websites is that a PDF or an image which is supposed to be downloaded gets opened in a new tab instead (usually on the dispatcher URL).

In AEM there is a configuration in OSGI console - 'org.apache.sling.security.impl.ContentDispositionFilter'

In AEM we can configure Content Disposition Filter in multiple ways

Content Disposition Paths
This option helps us to configure a list of paths where the content disposition filter will be applied followed by a list of mime-types to exclude on that path.

Some examples are given below:
  • /content/*:image/png - This will apply the filter to every node under /content, except PNG images
  • /*:image/png,image/svg+xml - This will apply the filter to every node, except PNG and SVG images
  • /content/*:audio/mpeg - This will apply the filter to every node under /content, except MPEG audio
  • /content/*:application/pdf - This will apply the filter to every node under /content, except PDF files
  • /content/dam/project/doc/*:image/png,image/svg+xml,image/jpeg,image/jpg
The path must be an absolute path and can contain a wildcard ('*') at the end, to match every resource path with the given path prefix.

Excluded Resource Paths
We can specify a set of paths to be excluded; each resource path must be given as an absolute and fully qualified path. In this case prefix matching/wildcards are not supported.

Enable For All Resource Paths


This feature flag controls enablement of the filter for all paths, except for the excluded paths defined by Excluded Resource Paths.
If we set this to true, all the Content Disposition Paths are ignored and the filter applies to every resource that has a 'jcr:data' or 'jcr:content/jcr:data' property.
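As an illustration, an OSGi configuration for this filter could look like the snippet below. The property names follow the Sling ContentDispositionFilter and should be verified against your AEM version; the paths are placeholder examples.

File: org.apache.sling.security.impl.ContentDispositionFilter.cfg.json
{
  "sling.content.disposition.paths": [
    "/content/dam/project/doc/*:image/png,image/jpeg"
  ],
  "sling.content.disposition.excluded.paths": [
    "/content/dam/project/inline-assets"
  ],
  "sling.content.disposition.all.paths": false
}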



Friday 10 July 2020

All you need to know about AEM Assets as a Cloud Service

The new 'AEM Assets as a Cloud Service', which is part of AEM as a Cloud Service (a platform as a service solution), provides Digital Asset Management capabilities (storage, managing metadata online, versioning, upload and download) with the below extended features.
  • Based on asset microservices(asset ingestion and processing).
  • Smart capabilities, such as AI/ML
  • Highly scalable
  • Always current
  • Always available
  • Auto scaled, deployed and monitored

In older AEM, all asset operations happened on the AEM author instance, consuming considerable CPU, memory, and I/O resources. Asset processing and storage requirements demand resources, which in turn create performance issues that impact the authoring and browsing experience of end users.

A High-level Architecture of Assets as a Cloud Service can be seen below



The generic steps followed in sequence are,
  • Clients send an upload request and then start uploading the binary directly to cloud storage
  • Once the direct upload is completed, the client notifies AEM
  • AEM then sends a processing request to the asset microservices
  • The asset microservices start processing the asset (based on the rendition request from AEM) - they access the binary from cloud storage, and the processed renditions are also placed in cloud binary storage
  • The asset microservices then notify AEM that the renditions are available

Assets as a Cloud Service Vs AEM Asset upload on premise

Assets as a Cloud Service uses the direct binary access principle for upload and download - previously, assets were uploaded directly to the AEM author instance for processing.

Assets as a Cloud Service uses 'asset microservices' for asset processing, which are external to AEM - in older AEM versions, all processing happened within AEM.

In Assets as a Cloud Service the DAM Asset Update workflow is not available [asset microservices provide a scalable, readily available service that covers most of the default asset processing (renditions, metadata extraction, text extraction for indexing)]. In older AEM, the DAM Asset Update workflow was the default.

Assets as a Cloud Service comes with post-processing workflows which can be used for customizations (where additional processing of assets is required that cannot be achieved using the processing profiles) - in older AEM we had default plus customized workflow steps (even though that looks like an advantage, it used AEM itself for all processing).

In Assets as a Cloud Service the standard asset upload interface is the touch-enabled UI - in older versions the Classic UI was also available.

In Assets as a Cloud Service only the new upload APIs are supported - the older AEM Assets HTTP API (AEM 6.5) and AssetManager Java API are deprecated now.

Advantages of new cloud
  • The uploaded binaries do not go through AEM, which now simply coordinates the upload process with the binary cloud storage configured for the deployment; clients get direct access to the binaries to carry out their work. This minimizes the load on networks and avoids duplication of stored binaries.
  • Binary cloud storage is fronted by a Content Delivery Network (CDN, Edge Network), which brings the upload endpoint closer to the client, helping to improve upload performance and user experience, especially for distributed teams uploading assets
  • More scalable and performant handling of asset uploads.

Ways of uploading Assets to Assets as a Cloud Service
Upload using the web interface, Adobe Asset Link, the AEM desktop app, or custom applications which use the new HTTP API (a simplified sketch of the API flow is given below).
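At the HTTP level, a direct binary upload by a custom client roughly follows the three steps below. This is a simplified, hedged sketch: the servlet names and parameters are based on the direct binary access upload API and should be verified against the current Assets HTTP API documentation, and the host, folder and file names are placeholders.

### 1. Initiate the upload for a target folder (returns signed upload URIs and an upload token)
$ curl -u user:password -X POST -F "fileName=photo.jpg" -F "fileSize=1024000" "https://<author-host>/content/dam/my-folder.initiateUpload.json"

### 2. PUT the binary (in one or more parts) directly to the returned cloud storage upload URIs
$ curl -X PUT --data-binary @photo.jpg "<uploadURI-from-step-1>"

### 3. Notify AEM that the upload is complete so asset processing can start
$ curl -u user:password -X POST -F "fileName=photo.jpg" -F "mimeType=image/jpeg" -F "uploadToken=<token-from-step-1>" "https://<author-host>/content/dam/my-folder.completeUpload.json"

In practice the standard clients listed above (or Adobe's open-source aem-upload library) handle this flow for you.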

Post-processing workflows
There are cases where additional processing is needed that is not done by asset microservices (for example, generating a rendition that requires an integration with another application); in such cases, additional post-processing workflows can be added to the configuration.

Post-processing workflows, once configured, are automatically executed by AEM after the microservices processing finishes. There is no need to add workflow launchers manually to trigger them.

Some examples for Post Processing workflow use cases are:
  • Custom workflow steps to process assets.
  • Additional processing done by external services.
  • Integrations to add metadata or properties to assets from external systems

How to create Post - Processing Workflows: Steps involved
  1. Create one or more workflow models. - they are of regular AEM workflow models
  2. Add specific workflow steps to these models.
  3. Add 'DAM Update Asset Workflow Completed' Process step at the end(To inform AEM once the processing is done)
  4. Create a configuration for the Custom Workflow Runner Service(configuration of an OSGi service) - This ensures the execution of a post-processing workflow model either by a path (folder location) or by a regular expression.
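The runner configuration maps a DAM folder (or a regular expression) to the workflow model that should run after microservices processing finishes. The PID and property names below are written from memory and should be checked against your environment; the folder and model paths are placeholders.

File: com.adobe.cq.dam.processor.nui.impl.workflow.CustomDamWorkflowRunnerImpl.cfg.json
{
  "postProcWorkflowsByPath": [
    "/content/dam/my-folder:/var/workflow/models/my-post-processing-model"
  ],
  "postProcWorkflowsByExpression": [
    "/content/dam/.*/special/.*:/var/workflow/models/my-post-processing-model"
  ]
}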
Supported File Formats

Adobe formats - AI, COLLAGE, DN, IDEAS, INDD, INDT, PDF, PROTO, PSB, PSD, XD
Imaging file formats - BMP, EPS, GIF, JPEG, PNG, SVG, TIFF
Image formats in Dynamic Media - PNG, GIF, TIFF, JPEG, BMP, PSD , EPS, PICT
3D formats - DN, gLB, gLTF, OBJ, STL, USDz
Camera Raw file formats - 3FR, ARW, CR2, CR3, CRW, DCR, DNG, ERF, FFF, GPR, IIQ, KDC, MEF, MFW, MOS, MRW, NEF, NRW, ORF, PEF, RAF, RAW, RW2, RWL, SRF, SRW, X3F
Document formats - PDF, DOCX, DOC, PPTX, PPT, XLSX, XLS, ODF, OFG, ODM, ODP, ODS, ODT, EPUB, HTML, PS, RTF, TXT, XML
Document formats in Dynamic Media - AI, PDF, INDD
Video formats - 3G2, 3GP, AVI, DIVX, F4V, FLV, M2T, M2TS, M2V, M4V, MKV, MOV, MP4, MPEG, MPG, MTS, OGV, QT, R3D, SWF, WEBM, WMV
Video formats in Dynamic Media for transcoding - MP4, MOV, QT, FLV, F4V, WMV, MPG, VOB, M2V, MP2, M4V, AVI, WebM, OGV, OGG, MXF, MTS, MKV, R3D, RM, RAM, FLAC, MJ2
Audio formats  - AIF, ASF, M4A, MP3, WAV, and WMA


Monday 6 July 2020

Robots.txt file in AEM websites


When we think about AEM websites, SEO is one of the major considerations. To ensure crawlers are crawling our website, we need to have a sitemap.xml and a robots.txt which directs the crawler to the corresponding sitemap.xml.

A robots.txt file lives at the root folder of the website. It acts as an entry point to the website and ensures the crawlers access only the relevant items which we have defined.



robots.txt in AEM websites

Let us see how we can implement a robots.txt file in our AEM website. There are many ways to do this, but below is one of the easiest ways to achieve the implementation.

Say we have multiple websites(multi-lingual) with language roots /en, /fr, /gb, /in

Let us see how we can enable robots.txt in our case.

Add robots.txt in Author

Log in to CRXDE and create a file called 'robots.txt' under the path /content/dam/[sitename]
Ensure the following lines are added to the 'robots.txt' on the AEM author instance, and publish the robots.txt

#Any search crawler can crawl our site
User-agent: *

#Allow only below mentioned paths
Allow: /en/
Allow: /fr/
Allow: /gb/
Allow: /in/
#Disallow everything else
Disallow: /

#Crawl all sitemaps mentioned below
Sitemap: https://[sitename]/en/sitemap.xml
Sitemap: https://[sitename]/fr/sitemap.xml
Sitemap: https://[sitename]/gb/sitemap.xml
Sitemap: https://[sitename]/in/sitemap.xml

Now publish the robots.txt

Add OSGi configurations for url mapping

Now add the below entry in the OSGi console > configMgr - 'Apache Sling Resource Resolver Factory'

Add the below mapping in the 'URL Mappings' section
/content/dam/sitename/robots.txt>/robots.txt$

Add rewrite rule/ allow access to  robots.txt via dispatcher
And allow the crawlers to access robots.txt via the dispatcher

Add allow rule for robots.txt in dispatcher
/0010 { /type "allow"  /url "/robots.txt"}

When you hit www.[sitename]/robots.txt you should see the robots.txt file on the public domain.

Now any search engine which tries to access our site will find the robots.txt and recognise whether it has permission to crawl the site and which areas of the site it can crawl.

Some sample usage of robots.txt is given below


# Disallow googlebot accessing example.com/directory1/... and example.com/directory2/...
# but allow access to subdirectories -> directory2/subdirectory1/...
# All other directories on the site are allowed by default.
User-agent: googlebot
Disallow: /directory1/
Disallow: /directory2/
Allow: /directory2/subdirectory1/

# Block the entire site from xyzcrawler.
User-agent: xyzcrawler
Disallow: /


Let me know if you find a better way to do this, via the comments section.

Sunday 5 July 2020

Path changes while upgrading from AEM 6.3 to AEM 6.5

Before we start any AEM upgrade, we should ensure that a detailed study of the release notes is done.
If the upgrade is planned to the next direct version (say AEM 6.4 to AEM 6.5), we can just read the release notes of AEM 6.5 and proceed with the upgrade. But if the case is different (AEM 6.3 to AEM 6.5), ensure we are comparing the release notes for each version.

For example, say we are upgrading from AEM 6.3 to AEM 6.5. We know there was an AEM 6.4 in between. So while upgrading, first understand the release notes of AEM 6.4 and observe the changes between AEM 6.3 and AEM 6.4, then do the same comparison from AEM 6.4 to AEM 6.5. This process ensures that we identify every change and accommodate all of them, taking precautions not to break anything during the upgrade.

Approach
AEM 6.3 -> AEM 6.4(Release Notes) -> AEM 6.5 (Release Notes)

AEM 6.3 to AEM 6.5 Path Changes

Notes:  AEM content is being restructured out of /etc to other folders in the repository, along with guidelines on what content goes where, adhering to the following high-level rules:
•    AEM product code will always be placed in /libs, which must not be overwritten by custom code
•    Custom code should be placed in /apps, /content, and /conf


Old Path -> New Path(s)

/etc/workflow/models -> /libs/settings/workflow/models, /conf/global/settings/workflow/models, /var/workflow/models

/etc/workflow/instances -> /var/workflow/instances

/etc/workflow/launcher/config -> /libs/settings/workflow/launcher/config, /conf/global/settings/workflow/launcher/config

/etc/workflow/scripts -> /libs/workflow/scripts, /apps/workflow/scripts

/etc/designs/default -> /libs/settings/wcm/designs/default, /apps/settings/wcm/designs/default

/etc/taskmanagement -> /var/taskmanagement

/etc/tags -> /content/cq:tags

/etc/notification/email/default/com.day.cq.replication -> /libs/settings/notification-templates/com.day.cq.replication, /apps/settings/notification-templates/com.day.cq.replication

/etc/workflow/notification -> /libs/settings/workflow/notification, /conf/global/settings/workflow/notification

/etc/workflow/packages -> /var/workflow/packages
Hide /content root path in publish and website domains

How do we hide the '/content/sitename' from the URL?


It is always good to hide the content path from the public domain or publish server URLs. Let us see one of the best approaches for the same.

Say we have our website in below domain URL,

https://[websitename.com]/content/sitename/fr/home.html

And hosted AEM with below URL,

http://<hostname>:<port>/content/sitename/fr/home.html

As a best practice and recommended option, we have to ensure the '/content/sitename' is hidden from appearing on the public domain.

Here I am going to explain one of the best approaches for achieving this. We will have to configure things on both publish and dispatcher.

Configurations on PUBLISH:

Configure the Apache Sling Resource Resolver Factory to ensure the URLs are rewritten at the PUBLISH server.

In 'Apache Sling Resource Resolver Factory', add the below configurations under the 'URL Mappings' section

/content/sitename/(.*)</$1
/content/sitename/fr$1>/fr(.*)

Once you save the configuration and hit the webpage at http://<hostname>:<port>/fr/home.html, you will be able to see the home page on the publish instance (without /content/sitename).

Note: After saving, it takes some time for the relevant bundles to auto-restart.

Configurations on DISPATCHER:
Now we are able to hit the publish server without content path. Now let us see how this can be achieved over dispatcher or the publish domain URL.

Step1: Ensure the 'mod_rewrite' module is loaded in apache.
#
# This file loads most of the modules included with the Apache HTTP
#
LoadModule rewrite_module modules/mod_rewrite.so

Step 2: Set the 'DispatcherUseProcessedURL' property to 1 - this ensures the dispatcher uses the processed URLs.
<IfModule disp_apache.c>
        # This is enabled to ensure re-writes taking effect
        DispatcherUseProcessedURL    1     
</IfModule>

Step 3: Now update the virtual host file and add the below rules to it. (Usually this configuration file sits in conf.d)

<IfModule mod_rewrite.c>

RewriteEngine on
 
RewriteRule ^(.+)/$ $1
 
#shorten the URL
RewriteRule ^/content/sitename/(.*).html$ $1.html [R,L]
#Redirect the fr to the root folder to the home page
RewriteRule ^/?$ fr/home.html [R,L]

</IfModule>

Now restart Apache and hit the public domain URL
https://[websitename.com]/fr/home.html; you can see the home page loading.

Monday 29 June 2020

Experience with Adobe-AEM Certification


Recently I appeared for the AEM certification exam and thought I would share my experience with you all.

How did I register for exam?

I went through the AEM certification site and registered myself, choosing a date - a convenient date when I could make myself completely free.

- There were two options, PSI and Examity. I chose one.

- Due to the COVID lockdown, the majority of the exams are happening online.

Procedures on exam day.

The exam notification email said I could log in to the exam system half an hour before. Since this was my first experience, I logged into the system one hour before.

System checks: The exam site asked me to install a secure browser; once installed, it checks the system requirements. It does a set of checks like system resources, camera, internet speed, browser used etc.

Check-in personal information: Once that was done, I was asked to take a picture of 1) myself 2) my government-issued ID 3) and a video scan of my room by rotating the laptop around, including the desk where the laptop was placed.

Once those files were checked into the system, I was asked to wait for the scheduled time.

My recommendation here:
If you are confident enough about your system, internet etc., log in just half an hour before the exam - else you will have to wait a lot.

You can even disconnect and log back in, but since the camera was on, I did not attempt that.

Waiting for the proctor
Now my scheduled time came. I had scheduled the exam at 10 AM, but I was still getting a message like 'Your exam will start once the proctor joins at the scheduled time'. This went on for 10 minutes. I saw an option to chat with an executive and pinged them via the chat option. Even connecting to the customer care executive took some time.

The executive told me he could reschedule, but the replies were too slow, so I was worried about the confirmation.

Check-in expert verifying my details:
Fortunately my on-screen message changed to 'Check-in verification expert is analysing details', so I asked the chat agent to hold off on rescheduling.

The verification agent (proctor) asked me to re-take the ID proof photo, which was not clear according to him. I did that and re-uploaded it.

Starting the exam:
After waiting a few minutes, my screen changed to "starting with exam". Then the proctor started sending me messages.

The proctor asked me to scan the room again, rotating to all four sides of the room (he saw my ID card was on my desk/table and pinged me to remove it). Once that was done, the proctor shared the terms and conditions and then started the exam.

Notes:
Even though the exam was scheduled at a specific time, it started quite late after all these procedures. The same process is carried out for everyone taking the exam in parallel, which is why the proctor may not be able to start our exam at the scheduled time. So I would personally ask everyone who takes the test to have patience and wait until the procedures are completed.

My suggestions
- Ensure uninterrupted internet and power connectivity
- Ensure it is a peaceful space where no one disturbs you.

I will be providing more tips for the AEM certification via my YouTube channel.

Saturday 13 June 2020

Configure HTTPS (SSL) on an AEM instance quickly


There are cases where, during development, we may need to set up an HTTPS connection on our existing AEM instance.

By following this procedure we can have both HTTP and HTTPS on the same AEM instance. This is very helpful while testing some of the AEM features which require SSL connections.

To start with, we need keys and certificates to configure SSL on AEM. We will use OpenSSL to set up the keys and certificates. The method was tested on Windows, but should work on any other OS in a seamless way.

How to setup OpenSSL on Windows

  • Download OpenSSL from a trusted URL - ensure it is relevant to your OS (including 32-bit vs 64-bit)
  • Unzip it.
  • Add the OpenSSL bin directory to the system PATH


  • Point OpenSSL to its configuration file, for example by setting the OPENSSL_CONF environment variable (else you may get an error that the OpenSSL conf cannot be found)

Now OpenSSL is configured on your Windows machine
  • Using the command prompt, execute the below commands

### Create Private Key
$ openssl genrsa -aes256 -out localhostprivate.key 4096

### Generate Certificate Signing Request using private key
$ openssl req -sha256 -new -key localhostprivate.key -out localhost.csr -subj "/CN=localhost"

### Generate the SSL certificate and sign with the private key, will expire one year from now
$ openssl x509 -req -days 365 -in localhost.csr -signkey localhostprivate.key -out localhost.crt

### Convert Private Key to DER format - SSL wizard requires key to be in DER format
$ openssl pkcs8 -topk8 -inform PEM -outform DER -in localhostprivate.key -out localhostprivate.der -nocrypt

You will now have the certificates on your local drive.




Use the SSL Wizard in AEM

Now login to AEM
http://localhost:4502/aem/start.html

Tools > Security > SSL Configuration

For store credentials, provide the key store and trust store passwords. [I have used admin for all, since it is a localhost instance]

Monday 6 April 2020

Common security vulnerabilities identified as part of AEM projects

Whenever an AEM project goes live, a set of scans happens to ensure that the website adheres to a set of security & performance guidelines.
The security/penetration tests usually get scheduled a few days ahead of any AEM go-live. Below are the issues commonly identified in AEM websites.



Horizontal Privilege Escalation Vulnerability   

Usually in horizontal privilege escalation, hackers remain on the same general user privilege level but gain access to data of other accounts or processes that should be unavailable to the current account or process.

Host Header Injection Vulnerability   

Normally the Host header is used by a web server to decide which website should process the received HTTP request. Whenever many websites are hosted on the same IP address, the web server uses the value of this header to forward the HTTP request to the correct website for processing. If the header value is not validated, this poses a vulnerability.

Email Flooding Attack   

In general, sending large volumes of email to an email address so that the mailbox overflows can overwhelm the server where the email address is hosted, as in a denial-of-service attack, and create a distraction from important email messages indicating a security breach.

HTML Injection Vulnerability   


HTML injection generally occurs when user input is not correctly sanitized or the output is not encoded, and the attacker is able to inject valid HTML code into a vulnerable web page. If these methods are provided with untrusted input, there is a high risk of XSS, specifically HTML injection issues. If strings are not correctly sanitized the problem could lead to XSS-based HTML injection.

Session Replay Attack   

These kinds of attacks, known as playback attacks or replay attacks, are network attacks that maliciously repeat or delay a valid data transmission. A hacker can do this by intercepting a session and stealing a user's unique session ID. The hacker is then able to behave as an authorized user on the site, and will be granted full access to do anything that the authorized user can do on the website.

Stored XSS via File Upload Vulnerability

    The web application allows file uploads of any type, and a file containing HTML content or various file extensions can be uploaded. When HTML files are allowed, an XSS payload can be injected into the uploaded file, making such uploads vulnerable to XSS (cross-site scripting).

Web Server Banner Disclosure   

When we run a web server, it often shows others what type of server it is, its version number, and the operating system. This information is available in header fields and can be acquired using a web browser to make a simple HTTP request to any web application. It is often called the web server banner.

Concurrent Logins Allowed    

Parallel logins: with interactive logins at desktops and laptops, a system administrator cannot prevent a given user from going up to one computer, logging on there, letting somebody else work as them or just leaving the computer unattended, and then walking up to another computer and logging on there too. This can cause data leaks.

Email Harvesting   

Email harvesting is the process of obtaining large numbers of e-mail addresses through various online sources, including website hacking. Attackers obtain lists of valid email addresses, either by purchase or theft, for the purpose of sending bulk emails or spam.

Vulnerable jQuery version in use
Old versions of jQuery pose a threat to websites.

Content Spoofing Vulnerability  

Content spoofing, or content injection, is one of the common web security vulnerabilities. It allows an end user of the vulnerable web application to spoof or modify the actual content on the web page. The user might use security loopholes in the website to inject the content that they wish into the target website. When an application does not properly handle user-supplied data, an attacker can supply content to a web application, typically via a parameter value, that is reflected back to the user.

Missing Secure and "HttpOnly" flags on cookies

These are additional flags included in a Set-Cookie HTTP response header. If supported by the browser, using the HttpOnly flag when generating a cookie helps mitigate the risk of client-side script accessing the protected cookie. If a browser that supports HttpOnly detects a cookie containing the HttpOnly flag, and client-side script code attempts to read the cookie, the browser returns an empty string as the result. This causes the attack to fail by preventing the malicious (usually XSS) code from sending the data to an attacker's website.

[Set-Cookie: <name>=<value>[; <Max-Age>=<age>] [; expires=<date>][; domain=<domain_name>] [; path=<some_path>][; secure][; HttpOnly]]

Cookie Path Set to Root

When the cookie path is set to the root ('/'), the cookie is sent to every application on the same domain. Set the cookie path attribute to an application-defined folder instead (see the snippet below).
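A small illustrative servlet snippet (the cookie name, value, path and lifetime below are placeholders) showing how the Secure, HttpOnly and path attributes are set in Java:

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

public class CookieExample {

    public void addSessionCookie(HttpServletResponse response, String value) {
        Cookie cookie = new Cookie("app-session", value);
        cookie.setHttpOnly(true);   // not readable from client-side script
        cookie.setSecure(true);     // only sent over HTTPS
        cookie.setPath("/myapp");   // scoped to the application, not the root
        cookie.setMaxAge(30 * 60);  // 30 minutes
        response.addCookie(cookie);
    }
}

Note that the SameSite attribute (next item) is not exposed by the javax.servlet Cookie API, so it is usually added via a raw Set-Cookie header or at the web server/dispatcher level.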

SameSite Cookie Attribute Not Set   

The 'SameSite' attribute tells browsers when and how to send cookies in first- or third-party situations. This attribute is used by a variety of browsers to decide whether or not a cookie may be sent with a request.

Improper Error/Exception Handling Vulnerability   

Improper error handling arises when security mechanisms fail to deny access until it is specifically granted. This may occur as a result of a mismatch between policy and coding practice. It may also result from code that lacks appropriate error-handling logic. For example, a system may grant access until it is explicitly denied, instead of following a 'deny all, then allow individually' approach.

Improper Session Management

The issue arises because session tokens are not handled in a proper way. While some of it might be intentional, enough care should be taken to add some kind of validation for the user. Because of the way mobile applications are used, many developers allow long or non-expiring user sessions, or use session tokens that are too predictable.

Session Timeout is not set Properly   

As a standard process, an application should invalidate a session after a predefined idle time has passed (a timeout) and provide users the means to invalidate their own sessions (logout). These simple measures help to keep the lifespan of a session ID as short as possible. To protect against insufficient session expiration attacks, the logout function should be easily visible to the user, explicitly invalidate a user's session, and disallow reuse of the session token.

Missing Security Headers   

Security HTTP headers are a fundamental part of website security. Once implemented, they protect against the types of attacks that a site is most likely to come across. These headers protect against XSS, code injection, clickjacking, etc.

There are third-party services to run such security scans. A thorough scan that identifies and fixes all the major critical items should be a mandatory part of any AEM project delivery.