1.6.3 Procedure to enable HTTPS connections
Set up the user_httpsd.conf file, and then store the private key file and SSL server certificate file in the specified folder to enable HTTPS connections on the Web server.
Before you begin
- Log in to the JP1/AO server as a user with administrator or root permissions.
- Stop the JP1/AO service.
  - For non-cluster systems: execute the hcmds64srv command with the stop option specified.
  - For cluster systems: use the cluster software to bring the service offline.
To enable HTTPS connections:
- Open the user_httpsd.conf file from the following location:
  - If the OS of the JP1/AO server is Windows: Common-Component-installation-folder\uCPSB11\httpsd\conf\user_httpsd.conf
  - If the OS of the JP1/AO server is Linux: Common-Component-installation-directory/uCPSB11/httpsd/conf/user_httpsd.conf
- Within the user_httpsd.conf file, uncomment the lines from #Listen 22016 through #HWSLogSSLVerbose On by removing the hash mark (#) at the beginning of each line, with the exception of #SSLCACertificateFile and #Header set Strict-Transport-Security max-age=31536000, which must remain commented out.
  For an IPv6 environment, also remove the hash mark (#) at the beginning of the line #Listen [::]:22016.
- Edit the following lines as required:
  - ServerName in the first line
  - ServerName in the <VirtualHost> tag
  - SSLCertificateKeyFile
  - SSLCertificateFile
  - #SSLCACertificateFile
- For the ServerName directive in the top line and the ServerName directive in the <VirtualHost> tag, specify the host name (for cluster environments, specify the logical host name) that you specified for "Common Name" in the certificate signing request. Note that host names are case sensitive.
- For the SSLCertificateKeyFile directive, specify the absolute path of the private key file. Do not specify a symbolic link or junction for the path.
- For the SSLCertificateFile directive, specify the absolute path of the server certificate. There are two types of server certificates: certificates signed by a certificate authority and self-signed certificates.
- To use a certificate signed by a certificate authority, remove the hash mark (#) at the beginning of the line for the SSLCACertificateFile directive, and then specify the absolute path of the certificate authority's certificate. Multiple certificates (for example, an intermediate and a root certificate) can be contained in one file by concatenating the PEM-format certificates in a text editor. Do not specify a symbolic link or junction for the path.
Important
To block non-SSL communication from external hosts, comment out the lines Listen 22015 and Listen [::]:22015 by adding a hash mark (#) at the beginning of each line, and then remove the hash mark (#) from the line #Listen 127.0.0.1:22015. Plain HTTP then remains reachable only on the loopback address of the JP1/AO server; all other clients must use the HTTPS port.
When editing directives, be aware of the following:
- Do not specify the same directive twice.
- Do not enter a line break in the middle of a directive.
- When specifying paths in the SSLCertificateKeyFile, SSLCertificateFile, and SSLCACertificateFile directives, do not specify symbolic links or junction points.
- When specifying certificates and private key files in those directives, specify PEM-format files.
- Do not edit the httpsd.conf and hsso_httpsd.conf files.
The following is an example of how to edit the user_httpsd.conf file. The numbers represent the default ports.

ServerName host-name
Listen [::]:22015
Listen 22015
#Listen 127.0.0.1:22015
SSLEngine Off
#Listen [::]:22016
Listen 22016
<VirtualHost *:22016>
ServerName host-name
SSLEngine On
SSLProtocol +TLSv1.2
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256
# SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
SSLCertificateKeyFile "Common-Component-installation-directory/uCPSB11/httpsd/conf/ssl/server/httpsdkey.pem"
SSLCertificateFile "Common-Component-installation-directory/uCPSB11/httpsd/conf/ssl/server/httpsd.pem"
# SSLCertificateKeyFile "Common-Component-installation-directory/uCPSB11/httpsd/conf/ssl/server/ecc-httpsdkey.pem"
# SSLCertificateFile "Common-Component-installation-directory/uCPSB11/httpsd/conf/ssl/server/ecc-httpsd.pem"
SSLCACertificateFile "Common-Component-installation-directory/uCPSB11/httpsd/conf/ssl/cacert/anycert.pem"
# Header set Strict-Transport-Security max-age=31536000
</VirtualHost>
HWSLogSSLVerbose On
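Because a mis-edited user_httpsd.conf is only discovered when the service fails to start, it is worth checking the edited file against the rules above before restarting. The following checker is an added example written for this page; it is not part of JP1/AO or Common Component, and the host name jp1ao.example.com, the temporary PEM files it creates and the sample configurations are all constructed for illustration. It flags a directive set twice in the same scope, a line break inside a directive, a relative, missing, symlinked or junctioned path in the three certificate directives, a file without a PEM header, ServerName values that differ (case sensitively) between the first line and the <VirtualHost> block, and, when plain HTTP is to be blocked, any Listen on port 22015 other than 127.0.0.1:

```python
"""Pre-flight lint for an edited user_httpsd.conf (hypothetical; not JP1/AO code).
Checks the editing rules on this page before the service is restarted."""
import os
import tempfile

PATH_DIRECTIVES = ("SSLCertificateKeyFile", "SSLCertificateFile", "SSLCACertificateFile")
PLAIN_PORT = "22015"  # default non-SSL port named on this page


def parse_directives(text):
    """Return [(lineno, scope, name, value)] for active lines; '#' comment lines are skipped."""
    scope, out = "global", []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("<virtualhost"):
            scope = line[len("<VirtualHost"):].strip(" >")  # e.g. "*:22016"
        elif line.lower() == "</virtualhost>":
            scope = "global"
        else:
            name, *rest = line.split(None, 1)
            out.append((lineno, scope, name, rest[0].strip().strip('"') if rest else ""))
    return out


def plain_port_exposed(listen_value, plain_port=PLAIN_PORT):
    """True for '22015', '[::]:22015' or '0.0.0.0:22015'; False for '127.0.0.1:22015'."""
    host, _, port = listen_value.rpartition(":") if ":" in listen_value else ("", "", listen_value)
    return port == plain_port and host not in ("127.0.0.1", "[::1]")


def lint_user_httpsd(text, block_plain_http=False):
    """Return a list of findings; an empty list means the edit passes every check."""
    findings = [f"line {n}: line break inside a directive"
                for n, raw in enumerate(text.splitlines(), 1) if raw.rstrip().endswith("\\")]
    directives = parse_directives(text)
    seen = {}  # (scope, name) -> first line; Listen may legitimately repeat
    for lineno, scope, name, value in directives:
        if name != "Listen" and seen.setdefault((scope, name), lineno) != lineno:
            findings.append(f"line {lineno}: {name} already set at line {seen[(scope, name)]} in the same scope")
        if name in PATH_DIRECTIVES:
            if not os.path.isabs(value) or not os.path.isfile(value):
                findings.append(f"line {lineno}: {name} must be an absolute path to an existing file: {value}")
            else:
                # os.path.isjunction exists from Python 3.12 (Windows junctions); fall back to "no"
                if os.path.islink(value) or getattr(os.path, "isjunction", lambda p: False)(value):
                    findings.append(f"line {lineno}: {name} must not be a symbolic link or junction")
                with open(value, encoding="utf-8", errors="replace") as fh:
                    if "-----BEGIN " not in fh.read(4096):
                        findings.append(f"line {lineno}: {name} is not a PEM file: {value}")
        if block_plain_http and name == "Listen" and plain_port_exposed(value):
            findings.append(f"line {lineno}: plain HTTP still exposed on {value}; "
                            f"comment it out and enable Listen 127.0.0.1:{PLAIN_PORT}")
    names = {scope: value for _, scope, name, value in directives if name == "ServerName"}
    if len(set(names.values())) > 1:
        findings.append(f"ServerName differs between scopes (case sensitive): {names}")
    return findings


# Constructed sample configurations (not from the product); {key}/{cert}/{cacert} are filled in below.
GOOD = """ServerName jp1ao.example.com
Listen 127.0.0.1:22015
Listen 22016
<VirtualHost *:22016>
ServerName jp1ao.example.com
SSLEngine On
SSLProtocol +TLSv1.2
SSLCertificateKeyFile "{key}"
SSLCertificateFile "{cert}"
</VirtualHost>
"""
BAD = """ServerName jp1ao.example.com
Listen [::]:22015
Listen 22015
<VirtualHost *:22016>
ServerName JP1AO.example.com
SSLProtocol +TLSv1.2
SSLProtocol +TLSv1.3
SSLCertificateKeyFile "{key}"
SSLCertificateFile "ssl/server/httpsd.pem"
SSLCACertificateFile "{cacert}"
</VirtualHost>
"""


def demo():
    """Lint a passing and a failing edit against constructed (not real) PEM files."""
    tmp = tempfile.mkdtemp()
    files = {"httpsdkey.pem": "-----BEGIN PRIVATE KEY-----\nconstructed\n-----END PRIVATE KEY-----\n",
             "httpsd.pem": "-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n",
             "cacert.der": "not a PEM file"}  # wrong format on purpose
    for name, body in files.items():
        with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    key, cert, cacert = (os.path.join(tmp, n) for n in files)
    link = os.path.join(tmp, "key-link.pem")
    try:
        os.symlink(key, link)  # a symbolic link is forbidden by the procedure
    except OSError:
        link = key  # no symlink privilege (e.g. Windows): that case is skipped
    good = lint_user_httpsd(GOOD.format(key=key, cert=cert), block_plain_http=True)
    bad = lint_user_httpsd(BAD.format(key=link, cacert=cacert), block_plain_http=True)
    return good, bad


if __name__ == "__main__":
    for label, result in zip(("passing edit", "failing edit"), demo()):
        print(label, *(result or ["no findings"]), sep="\n  ")
```

Run it against the real file with lint_user_httpsd(open(path).read(), block_plain_http=True) on the JP1/AO server, since the path checks must see the same filesystem the Web server does. The checker does not verify that the private key belongs to the certificate or that the certificate's Common Name equals ServerName; confirm those separately, for example with openssl x509 -noout -subject -in httpsd.pem and openssl rsa -noout -check -in httpsdkey.pem, before starting the service.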
- Start the JP1/AO service.
  - For non-cluster systems: execute the hcmds64srv command with the start option specified.
  - For cluster systems: use the cluster software to bring the service online.
- For non-cluster systems, update the JP1/AO URL by using the hcmds64chgurl command to do the following:
  - Change the protocol from http: to https:
  - Change the port number to the one used for secure communication.
- If the OS of the JP1/AO server is Windows, change the URL of the shortcut file to the page displayed by performing the following operation: from the Start menu, select All Programs, JP1_Automatic Operation, and then JP1_AO Login.
Important
If the connection between the Web browser and JP1/AO is configured incorrectly, the HBase 64 Storage Mgmt Web Service might fail to start, preventing the JP1/AO login window from appearing.