Enabling HTTPS Connectivity for Nodes
The default certificate presented by the application server uses localhost.localdomain. This works only for local node installations (server and node on a single host).
Note.
You can use the default certificate - remember that you may need to run the ./node_add_ssl_cert.sh script after future updates to refresh the certificate on the node. The default password for our keystore is changeit.
For the default certificate - jump to the Node configuration and use localhost.localdomain instead of vplus.local.
When registering the node locally over HTTPS, note that the URL you should use is localhost.localdomain - NOT localhost.
When registering a node via HTTPS, please note that the server must have an FQDN that is different from the IP address (a hostname like 10.10.10.10 can be processed incorrectly).
This section presents the steps necessary for generating an SSL certificate, setting up vPlus to use it, and registering a remote node.
vPlus Server (when using own certificate)
This section describes certificate generation and import on the vPlus Server side. It uses a self-signed certificate. If you would like to use a CSR and your own CA instead - check the additional steps described in "Notes on using your own certificate with CSR and your own CA" at the end of this page.
1. SSH to the vPlus Server host.
2. Generate the key and certificate (remember to provide a valid vPlus Server DNS hostname - in our example it was vplus.local):
Example output (you need to input some information, especially the passphrase for the certificate):
3. Create the PKCS12 bundle from the certificate and the key. You need to input the passphrase defined before and define an export password:
4. Create a keystore for the vPlus Server with the PKCS12 bundle (as root). Note: the default password for our keystore is changeit.
5. Change ownership on the keystore to the vprotect user:
6. Edit /opt/vprotect/payara.properties, change the path to the keystore and the password (use the password defined in step 3 of this instruction; the default keystore password is changeit):
7. Restart the Server:
vPlus Node (any SSL certificate)
1. SSH to the vPlus Node host.
2. Make sure that your nodes resolve the hostname (FQDN) of the vPlus Server. You also can add an entry in /etc/hosts like this (example IP: 1.2.3.4):
3. Check with your browser that https://vPlus_HOST:8181 presents the certificate that you have just generated. You also can execute the openssl client from the node to print it (check the hostname that you have provided in the certificate):
4. Import the server certificate using the script under the /opt/vprotect/scripts folder:
[SERVER_HOST] - FQDN of the vPlus Server
[PORT] - port for SSL communication on the vPlus Server (you need to open it on the server firewall:
# firewall-cmd --permanent --add-port=[PORT]/tcp && firewall-cmd --reload
)
[KEYSTORE_PASS] - password which you defined in step 3 of the server instruction
Note:
If you have the node on the same host as the server, you can use the default variables of the script (and run the script without arguments). The default variables are:
SERVER_HOST = 127.0.0.1
PORT = 8181
KEYSTORE_PASS = changeit
This applies if you did not generate any certificate.
5. Register the node with the NODE_NAME of your choice, the ADMIN_USER user name which you would like to use and the URL to the vPlus API, and provide the password when prompted:
Examples:
Remote server with a generated certificate:
Local installation with the default certificate:
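The key and certificate generation and PKCS12 bundling on the server side, together with the node-side check that the certificate really carries the hostname a node will connect to, as an added example that is not part of the vPlus documentation. The FQDN vplus.local, the file names and the demo export password are assumptions; the product's own scripts are not used.

```shell
#!/bin/sh
# Added example (not vPlus project code): self-signed server certificate with the
# server FQDN in CN and subjectAltName, a PKCS12 bundle of key + certificate, and a
# hostname match check. FQDN, file names and password below are illustrative only.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
FQDN="${FQDN:-vplus.local}"          # assumed vPlus Server DNS name
P12_PASS="${P12_PASS:-changeit}"     # demo export password; choose your own

# Key + self-signed certificate. The FQDN goes into the SAN as well as the CN:
# current TLS clients ignore the CN when a SAN is present.
gen_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORKDIR/vplus.key" -out "$WORKDIR/vplus.crt" \
    -subj "/CN=$FQDN" -addext "subjectAltName=DNS:$FQDN" 2>/dev/null
}

# PKCS12 bundle of key and certificate, the input for the server keystore.
bundle_p12() {
  openssl pkcs12 -export -in "$WORKDIR/vplus.crt" -inkey "$WORKDIR/vplus.key" \
    -out "$WORKDIR/vplus.p12" -name vplus -passout "pass:$P12_PASS"
}

# Returns 0 when the certificate is valid for the given host name, 1 otherwise.
# Run this with the host part of the URL you will register the node with:
# an IP address or a bare "localhost" does not match a certificate for the FQDN.
cert_matches_host() {
  openssl x509 -in "$WORKDIR/vplus.crt" -noout -checkhost "$1" | grep -q ' does match '
}

# Confirms the bundle opens with the export password that later goes into
# payara.properties and the node import script.
p12_opens() {
  openssl pkcs12 -in "$WORKDIR/vplus.p12" -nokeys -passin "pass:$P12_PASS" \
    -out /dev/null 2>/dev/null
}

gen_self_signed
bundle_p12
cert_matches_host "$FQDN" && echo "certificate matches $FQDN"
```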
Notes on using your own certificate with CSR and your own CA
When using a CSR to get a trusted certificate, you need to replace step 2 in "vPlus Server (when using own certificate)" with several steps, including CSR generation and downloading the CRT signed by your CA. The steps are as follows:
1. Generate the CSR - answer the same set of questions as above: openssl req -new -newkey rsa:2048 -nodes -keyout vplus.key -out vplus.csr
2. Send your CSR and have it signed by your CA.
3. Download your CRT file and save it as vplus.crt (note that you should have your working directory set to /opt/vprotect).
4. Download your CA certificate chain (for example, a single ca.crt) and import it with the CA_ALIAS of your choice as follows:
5. Now continue from PKCS12 bundle generation (step 3 in the section above).