SSL Certificate Configuration > Implementing SSL
  
Version 9.2.00
Implementing SSL
Implementing SSL involves three main tasks:
Obtain an SSL certificate
Install the certificate on your server
Update the web service configuration to enable SSL
Obtaining an SSL Certificate
APTARE, Inc. recommends obtaining a third-party certificate from a certificate authority such as VeriSign, Thawte or GeoTrust. The methods for obtaining a certificate vary, so refer to their websites for specific instructions.
You may, for testing purposes or as a permanent solution, use a self-signed certificate. This is not recommended as it makes the implementation slightly more complex and may limit access to StorageConsole to some of your users. To create a self-signed certificate, see Creating Self-Signed SSL Certificate.
Installing the Certificate on Your Server
Copy the certificate files to a folder in the Apache configuration folder.
For Linux, APTARE recommends using: /opt/apache/conf/ssl_cert.
For a Windows server, APTARE recommends using: C:\opt\apache\conf\ssl_cert.
Note: Configuration files shipped with APTARE products may use path names with recommended folder names. To use folders with different names, be sure to update all references to the recommended name in the default configuration files.
Updating the Web Server Configuration to Enable SSL (Linux)
Note: These instructions apply to Apache version 2.4.6.
1. Stop the Apache and Tomcat services. From a terminal console, enter the following commands for a Linux server:
/opt/aptare/bin/tomcat-agent stop
/opt/aptare/bin/tomcat-portal stop
/opt/aptare/bin/apache stop
2. Update the Apache configuration file (/opt/apache/conf/httpd.conf) to enable SSL:
Un-comment #LoadModule ssl_module modules/mod_ssl.so by removing the #
Un-comment #Include conf/extra/httpd-ssl.conf by removing the #
Un-comment #LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
3. Update the Apache SSL configuration file (/opt/apache/conf/extra/httpd-ssl.conf). See Default Apache SSL Configuration File for the sample SSL configuration file shipped with APTARE installations. Note that this line may not be in your configuration.
Disable the SSLMutex by adding a # at the beginning of the SSLMutex line (if this line is listed in your configuration).
Un-comment #Include conf/extra/httpd-ssl.conf by removing the #
Ensure that an IP address is available for the Portal and/or Data Collection, as required
4. If any of the above configuration is missing for either the Portal or Data Collector, the host configuration information must be added to enable SSL. Refer to Default Apache SSL Configuration File as a guide.
5. If a virtual host declaration is missing from the default configuration file, add the missing virtual host declaration to the configuration file. See If implementing SSL for the Portal only, If implementing SSL for Data Collection only, and If implementing SSL for both the Portal and Data Collection.
6. Add an entry in the host file for the Virtual Host.
If implementing SSL for the Portal only
a Verify that there is a VirtualHost section with the IP address assigned to the Portal host. This section starts with the following lines. These lines must be present and enabled.
<VirtualHost IP_ADDRESS_PORTAL:443>
ServerName aptareportal.domainname:443
Document Root /opt/aptare/portal
b Replace IP_ADDRESS_PORTAL in the VirtualHost declaration with the IP address assigned to the Portal host.
c If the Portal VirtualHost section is not found, the configuration for the Portal VirtualHost must be added.
d If there is a configuration section for the Data Collection virtual host, ensure that this section is disabled by added a # to the beginning of each line in the section, as shown below.
#<VirtualHost aptareagent.domainname:443>
If implementing SSL for Data Collection only
a Verify there is a VirtualHost section for the data collection with the IP address of the Data Receiver. This section starts with the following lines. These lines must be present and enabled.
<VirtualHost IP_ADDRESS_DATARCVR:443>
ServerName aptareagent.domainname:443
DocumentRoot /opt/aptare/datarcvr
b Replace IP_ADDRESS_DATARCVR in the VirtualHost declaration with the IP address assigned to the Data Receiver.
c If the data collection VirtualHost section is not found, the configuration for the data collection VirtualHost must be added.
d If there is a configuration section for the Portal virtual host, ensure that this section is disabled by added a
# to the beginning of each line in the section, as shown below.
#<VirtualHost aptareportal.domainname:443>
If implementing SSL for both the Portal and Data Collection
Note: To implement SSL for both the Portal and Data Collection, the portal server must be configured with two IP addresses, one for the Portal and one for Data Collection. The two required IP addresses may be implemented using two NICs. If only a single NIC is available, a virtual interface may be added for the second IP address. See Adding a Virtual Interface to a Linux Server.
a Verify there is a VirtualHost section with the IP address assigned to the Portal host. This section starts with the following lines. These lines must be present and enabled.
<VirtualHost IP_ADDRESS_PORTAL:443>
ServerName aptareportal.domainname:443
DocumentRoot /opt/aptare/portal
b Replace IP_ADDRESS_PORTAL in the VirtualHost declaration with the IP address assigned to the Portal host.
c Verify there is a VirtualHost section with the Data Receiver IP address. This section starts with the following lines. These lines must be present and enabled.
<VirtualHost IP_ADDRESS_DATARCVR:443>
ServerName aptareagent.domainname:443
DocumentRoot /opt/aptare/datarcvr
d Replace IP_ADDRESS_DATARCVR in the VirtualHost declaration with the IP address assigned to the Data Receiver.
7. For each active virtual host section in the configuration file, ensure that declaration lines beginning with the following are un-commented (they do not have a # at the beginning of the line):
SSLEngine
SSLCipherSuite
SSLCertificateFile
SSLCertificateKeyFile
8. Update the APTARE apache script in /opt/aptare/bin used to start Apache to include the -D SSL parameter:
Ret="`$APACHE_HOME/bin/apachectl -D SSL -k start 2>&1"
9. If implementing SSL for Data Collection complete the following steps:
a Ensure that the Data Collector global properties
(/opt/aptare/datacvrconf.collectorConfig.global.properties) file does NOT have the protocol (http or https) in the URL specified in that file.
b If using a self-signed certificate, run the InstallCert utility on the Data Collection server to allow the background data collection processes to automatically accept the unsigned, unverified certificate.
To use this tool run:
"java -classpath /opt/aptare/mbs/bin InstallCert aptareagent.put-your-domain-here.com:443"
The InstallCert utility is not shipped with APTARE products. Contact the APTARE Global Support Services to obtain a copy of this utility.
Note: If you are using a self-signed certificate and the Data Collector is upgraded, the validation of the certificate may be lost and you may have to rerun the InstallCert utility for data collection to work.
c Verify that the following line is in the Portal configuration file (/opt/aptare/portalconf/portal.properties):
portal.trustAllCertificates=true
If not present, add it.
10. Restart Apache and both Tomcat (portal and agent) services.
/opt/aptare/bin/apache start
/opt/aptare/bin/tomcat-portal stop
/opt/aptare/bin/tomcat-agent start
Updating the Web Server Configuration to Enable SSL (Windows)
Note: These instructions apply to Apache version 2.4.6.
See also: Adding a Virtual/Secondary IP Address on Windows
1. Stop the Apache and Tomcat services. From the command line, enter the following commands for a Windows server:
C:\opt\aptare\utils\stopagent.bat
C:\opt\aptare\utils\stopportal.bat
C:\opt\aptare\utils\stopapache.bat
2. Update the Apache configuration file (C:\opt\apache\conf\httpd.conf) to enable SSL:
Uncomment #LoadModule ssl_module modules/mod_ssl.so by removing the #
Uncomment #Include conf/extra/httpd-ssl.conf by removing the #
3. Update the Apache SSL configuration file (C:\opt\apache\conf\extra\httpd-ssl.conf). See Default Apache SSL Configuration File for the sample SSL configuration file shipped with APTARE installations. Note that this line may not be in your configuration.
Disable the SSLMutex by adding a # at the beginning of the SSLMutex line (if this line is listed in your configuration).
Enable the virtual host section or sections, depending upon your configuration.
To implement SSL for both the Portal and Data Collection, the portal server must be configured with two IP addresses, one for the Portal and one for Data Collection.
Note: To implement SSL for both the Portal and Data Collection, the portal server must be configured with two IP addresses, one for the Portal and one for Data Collection. The default SSL configuration file that ships with configurations is set up for both the Portal and Data Collector. If the configuration for either the Portal or Data Collection Agent is missing, add the host configuration information to enable SSL.
If a virtual host declaration is missing from the default configuration file, you must add the missing virtual host declaration to the configuration file.
If implementing SSL for the Portal only
a Verify there is a VirtualHost section with the IP address assigned to the Portal host. This section starts with the following lines. These lines must be present and enabled.
<VirtualHost IP_ADDRESS_PORTAL:443>
ServerName aptareportal.domainname:443
Document Root /opt/aptare/portal
b Replace IP_ADDRESS_PORTAL in the VirtualHost declaration with the IP address assigned to the Portal host.
c If the Portal VirtualHost section is not found, the configuration for the Portal VirtualHost must be added.
d If there is a configuration section for the Data Collection virtual host -- a section that begins with <VirtualHost IP_ADDRESS_DATARCVR:443> -- ensure that this section is disabled by added a # to the beginning of each line in the section.
If implementing SSL for Data Collection only
a Verify there is a VirtualHost section with the Data Receiver IP address. This section starts with the following lines. These lines must be present and enabled.
<VirtualHost IP_ADDRESS_DATARCVR:443>
ServerName aptareagent.domainname:443
DocumentRoot /opt/aptare/datarcvr
b Replace IP_ADDRESS_DATARCVR in the VirtualHost declaration with the IP address assigned to the Data Receiver.
c If the data collection VirtualHost section is not found, the configuration for the data collection VirtualHost must be added.
d If there is a configuration section for the Portal virtual host -- a section that begins with <VirtualHost IP_ADDRESS_PORTAL:443> -- ensure that this section is disabled by added a # to the beginning of each line in the section.
If implementing SSL for both the Portal and Data Collection
Note: To implement SSL for both the Portal and Data Collection, the Portal server must be configured with two IP addresses, one for the Portal and one for Data Collection.
a Verify there is a VirtualHost section with the IP address assigned to the Portal host. This section starts with the following lines. These lines must be present and enabled.
<VirtualHost IP_ADDRESS_PORTAL:443>
ServerName aptareportal.domainname:443
DocumentRoot /opt/aptare/portal
b Replace IP_ADDRESS_PORTAL in the VirtualHost declaration with the IP address assigned to the Portal host.
c Verify there is a VirtualHost section with the Data Receiver IP address. This section starts with the following lines. These lines must be present and enabled.
<VirtualHost IP_ADDRESS_DATARCVR:443>
ServerName aptareagent.domainname:443
DocumentRoot /opt/aptare/datarcvr
d Replace IP_ADDRESS_DATARCVR in the VirtualHost declaration with the IP address assigned to the Data Receiver.
4. For each active virtual host section in the configuration file, ensure that declaration lines beginning with the following are uncommented (they do not have a # at the beginning of the line):
SSLEngine
SSLCipherSuite
SSLCertificateFile
SSLCertificateKeyFile
5. If implementing SSL for Data Collection complete the following steps:
a Ensure that the Data Collector global properties
(C:\opt\aptare\datarcvrconf.collectorConfig.global.properties) file does NOT have the protocol (http or https) in the URL specified in that file.
b If using a self-signed certificate, run the InstallCert utility on the Data Collection server to allow the background data collection processes to automatically accept the unsigned, unverified certificate.
To use this tool run:
"java -classpath /opt/aptare/mbs/bin InstallCert aptareagent.put-your-domain-here.com:443"
The InstallCert utility is not shipped with APTARE products. Contact the APTARE Global Support Services to obtain a copy of this utility.
Note: If you are using a self-signed certificate and the Data Collector is upgraded, the validation of the certificate may be lost and you may have to rerun the InstallCert utility for data collection to work.
c Verify that the following line is in the Portal configuration file (C:\opt\aptare\portalconf\portal.properties):
portal.trustAllCertificates=true
If not present, add it.
6. Restart Apache and both Tomcat (portal and agent) services.
C:\opt\aptare\utils\startapache.bat
C:\opt\aptare\utils\startagent.bat
C:\opt\aptare\utils\startportal.bat