Enabling https for TEM SUA

Updated 4/12/13 11:36 AM by KarenKue

To use HTTPS for the TEM SUA service you need a certificate and its private key in PEM format. If the certificate does not have to chain to a root that browsers already trust, you can generate a self-signed certificate with the OpenSSL utilities. This document also describes converting a CA-signed certificate delivered as a PKCS12 bundle into that PEM format with OpenSSL.

OpenSSL for Windows can be found: http://www.slproweb.com/products/Win32OpenSSL.html

The following steps describe how to enable HTTPS for the TEM SUA web application using a self-signed certificate:

1. Verify the system is in a healthy configuration by restarting the BigFixDSSApache service and all BigFix DSS Backend services, then trying to use the application.

Note: Sometimes user accounts or servers change and the problem is not discovered until service restart. These problems would be unrelated to changing the HTTPS configuration and make it much harder to diagnose what happened. Verifying that the application works ahead of configuring it for HTTPS helps to save time in the troubleshooting process later on.

2. Stop the BigFixDSSApache service.

3. Open regedit and go to HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\BigFix Inventory\text_subs.

Note: This key may contain a DB password, so access to it is restricted to the user account hosting the DSS services. Either open regedit as that user, or temporarily widen the permissions on that key as a local administrator (and restore them afterwards; see the note at the end of this page).

a. Change UseSSL to true.

b. (Optional) Change the HTTPSPort to something non-standard.

4. Verify the port chosen for HTTPS (default 443) is not in use and is not blocked by a firewall. If it is in use, choose another port.

Note: Internet Explorer may have problems processing TEM SUA requests over SSL when the port is configured to anything other than 443. Either keep the default port (443), or tell your users to use a different browser (such as Firefox).

5. Generate your Self-Signed SSL certificate.


Creating a Certificate Signing Request (cert.csr)

Used for both the self-signed and the CA-signed paths. The steps below produce a password-protected private key (keyfile.pem), an unencrypted copy of it (nopwdkey.pem) and the certificate request (cert.csr).

a. In order to create a valid request, you need a valid config file.

b. Replace "Common" with the fully qualified domain name of the TEM SUA server, exactly as users will type it in the URL; browsers reject the certificate if the name does not match. Note that current browsers check the host name against a subjectAltName extension rather than the CN, which this minimal config does not add.

c. Save as mynewconfig.conf.

Example config file. The key size is 2048 bits: 1024-bit RSA keys are no longer accepted by public CAs or trusted by current browsers. The two "bigfix" passwords are placeholders; output_password encrypts keyfile.pem (it is removed again in step e), and challengePassword is an attribute some CAs ask for. Change both.

[ req ]

default_bits = 2048

default_keyfile = keyfile.pem

distinguished_name = req_distinguished_name

attributes = req_attributes

prompt = no

output_password = bigfix

[ req_distinguished_name ]

C = US

ST = California

L = Emeryville

O = BigFix

OU = Development

CN = Common

emailAddress = admin@bigfix.com

[ req_attributes ]

challengePassword = bigfix



d. Now that the config file is created, create the certificate request. This also generates the private key (keyfile.pem), encrypted with the output_password from the config:

openssl req -new -config "c:\mynewconfig.conf" > cert.csr

e. Apache must be able to start unattended, so the key it reads cannot be password-protected. Decrypt keyfile.pem into nopwdkey.pem with the following command (you are prompted for the output_password from the config):

openssl rsa -in keyfile.pem -out nopwdkey.pem

Note: nopwdkey.pem is now a plaintext secret. Keep it only on the TEM SUA server and restrict its NTFS permissions to the account hosting the DSS services.

 

Generating a Self-Signed Certificate (cert.pem) from a certificate request file (cert.csr)

WARNING: Browsers do not trust self-signed certificates by default. The certificate must be added to the trusted certificate store on each client (browser) machine, or users will have to click through a warning the first time they visit TEM SUA. Users who get used to clicking through that warning cannot tell a real man-in-the-middle from your server, so prefer the CA-signed route where you can.

a. Create a Certificate Signing Request (cert.csr) using the process outlined above.

b. Create a certificate file (cert.pem) from your private key (nopwdkey.pem) and certificate request file (cert.csr) using the following command (valid for 365 days; -sha256 avoids the SHA-1 signature older OpenSSL versions produce by default, which browsers no longer accept):

openssl x509 -in cert.csr -out cert.pem -req -signkey nopwdkey.pem -sha256 -days 365

c. Append the private key to the certificate: open nopwdkey.pem in a text viewer that preserves its Unix (LF) line endings (WordPad, not Notepad), copy the contents and paste them below the certificate in cert.pem. The result must contain exactly one CERTIFICATE block followed by one PRIVATE KEY block and nothing else.

Example (layout only; this key pair is published, so never use it on a real server):

-----BEGIN CERTIFICATE-----

MIICYjCCAcugAwIBAgIJANiRLK2nbg9oMA0GCSqGSIb3DQEBBQUAMEoxCzAJBgNV

BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRMwEQYDVQQHDApFbWVyeXZpbGxl

MREwDwYDVQQDDAhIRUlNREFMTDAeFw0xMjAzMTUwMjA5MzdaFw0xMzAzMTUwMjA5

MzdaMEoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRMwEQYDVQQH

DApFbWVyeXZpbGxlMREwDwYDVQQDDAhIRUlNREFMTDCBnzANBgkqhkiG9w0BAQEF

AAOBjQAwgYkCgYEA5h5aCcN5Up5rNYn7a88dKAehe7CbKDtPF6jdrn52yShJc97f

mceJeIsnkVmBVRoIBevxFnNIKxMzzR52c0NKK2gU0ax2k6TWD8yVOHHFepBgcCyF

JD9y9g5u444+7S5vsXRpmAx7z3HYHHh9Jjiv7zLoN46Mu+7KpnZnJgFX0QcCAwEA

AaNQME4wHQYDVR0OBBYEFHJXtkgif6mZzQBcrp7U7yptf/WzMB8GA1UdIwQYMBaA

FHJXtkgif6mZzQBcrp7U7yptf/WzMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEF

BQADgYEARkkc8GmyFtuXsWmjvkUJvRkGJYiQ7LsO5Qg67ONcMr/beJDXsOR3w3lD

cDqCglnQuswNySrcAGDPctDJwE2cZbcvpVdNlUd1UdXnbzHAjg/buh6Uy5OYYc0y

NtbcKlPpgxvBp6cGua7K01bMeb379vXLNr1EcQG9KmlkHYqqJpU=

-----END CERTIFICATE-----

-----BEGIN PRIVATE KEY-----

MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBAOYeWgnDeVKeazWJ

+2vPHSgHoXuwmyg7Txeo3a5+dskoSXPe35nHiXiLJ5FZgVUaCAXr8RZzSCsTM80e

dnNDSitoFNGsdpOk1g/MlThxxXqQYHAshSQ/cvYObuOOPu0ub7F0aZgMe89x2Bx4

fSY4r+8y6DeOjLvuyqZ2ZyYBV9EHAgMBAAECgYEAh2Jh/I6JaUcUsgn85l+SusNK

iTfNAO1ryfKqgYeboRtXo5kDGjkfstDDtargAU5wW/OFAn1OfzEr78i1TXjQP/2h

1ntvOobYeEsRFBlVdoC361GHKoSWMMbrymx75XIRmdW3cIHOSlpHfr2RA9WZfA2R

tn8gtITQNKed0uFyBskCQQD6IeYaxWegfoJwpcAmlTlYfyKXdSL9/DGsG+uhAIhU

pUWPwsH/uHR8/61wQ9coH1NEy2bVRT0qha1s9CvHA0OFAkEA64RD4t5oQcA+Q/2o

TtfYD3MB0NQJVL2KwJaW9hr4+osMQWJSSXTQuymMcd3tLJaS3eg0DVIsg0pO0GYx

bVKKGwJANF9IqK5QhkA225M46lswSKFGAuRZ0UgutlSaP3m3EdIRAIrMx9g9O7bk

/66UrCfy7WKRQ3Jd3jtjFn8Bc4fxaQJBALCVoRjPTThPXeA4piNHbvZWcrwS31Qs

MYao4lNwcdHYw72abLwq2/4Y7vbJQPU3iLLdUXnTbRCbfHCAzvp68pUCQQDX7iVR

Wjd9qVlgtR/6wxAQjSHSmlCyTfHA0ncVNzjEjZzA3FiCNq+gHFkBc6Kr4FxfNWCm

aoyVGYxl1LT+VHJA

-----END PRIVATE KEY-----

d. Refer to cert.pem on your TEM SUA server in the certificate path registry setting (see below).

 

Requesting a Certificate from a Certificate Authority

To serve TEM SUA over HTTPS with a certificate that browsers trust without any client-side setup, request a signed certificate from a trusted Certificate Authority (CA) such as Verisign. A brief overview of that process:

a. Create a Certificate Signing Request (.csr) using the process described above.

b. Send the .csr file to a Certificate Authority (CA). They will issue a signed, browser-trusted certificate for your server, normally together with the intermediate CA certificate(s) needed to build the chain. Because the CA never sees your private key, a certificate issued for a CSR contains no key: the key stays in nopwdkey.pem on your server, and you append it to the certificate exactly as in step 5c above. The remaining steps cover the case where the certificate arrives as a PKCS12 (.p12 or .pfx) bundle that already contains its private key.

c. Do not import the PKCS12 file into the Windows certificate store. The Apache front end reads a PEM file, not the store, and a key imported without the exportable flag cannot be extracted again.

d. Use openssl to convert each PKCS12 file to a PEM file with the password removed:

openssl pkcs12 -in PKCS12.p12 -out PEM_CERT_FILE_NAME.pem -nodes -clcerts

e. This writes a PEM file containing the server certificate and its private key, with no password on either. -nodes is what leaves the key unencrypted; -clcerts outputs only the server certificate and omits any CA certificates in the bundle, so keep the original PKCS12 if you still need the intermediates (browsers need them to trust the server certificate).

f. Open the new PEM file in a text editor that preserves its line endings (WordPad; Notepad will not do).

g. Delete everything except the certificate block and the private key block, such as the "Bag Attributes" and "subject=" lines; keep the "BEGIN ..." and "END ..." lines of both blocks.

Example: the result has the same layout as the self-signed example above, one CERTIFICATE block followed by one PRIVATE KEY block, and nothing else.

6. Save the modified PEM file; it should now contain only the server certificate and its private key.

7. Copy your certificate to \BigFix Enterprise\DSS\rails\apache\conf\cert.pem.

8. Re-generate your Apache configuration file by running the following Ruby script: from a command prompt, cd to BigFix Enterprise\DSS\rails\lib\ and run text_sub.rb.

Note: If you are asked by Windows for which program to use to run the script, browse for and choose \BigFix Enterprise\DSS\ruby\bin\ruby.exe.

Note: You must run the script as the same user who hosts the DSS services (use the Windows 'runas' command if that user cannot log in).

9. Start the BigFixDSSApache service.

10. Verify you can log into the application over https:// on the chosen port and that the browser shows the certificate you installed.

 

If you widened the permissions on the BigFix Inventory registry key in step 3 and you use password authentication (instead of NT authentication) to the DB, restore the original, restrictive access controls on that key now.
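The OpenSSL work of steps 5 and 6 as one script, with the checks a practitioner would run on cert.pem before copying it into apache\conf. This is an added example, not code from the original page or from BigFix; it is written as POSIX shell (the same openssl commands work at a Windows command prompt with openssl.exe on the PATH). It goes beyond the page's config in two ways: it uses a 2048-bit key and SHA-256, and it puts the host name in a subjectAltName, which current browsers require. The PKCS12 round trip stands in for a bundle delivered by a CA. The host name sua.example.com, the work directory ./sua-tls and the export password are made up.

```shell
#!/bin/sh
# Added example, not from the original article: the OpenSSL work of steps 5 and 6 as
# one script, plus checks on the result before it is copied to apache\conf\cert.pem.
# Assumes the openssl CLI is on PATH; host name, paths and passwords are made up.
set -eu

# Request config like the article's, but with a 2048-bit key, SHA-256 and a
# subjectAltName (browsers match the host name against SAN, not CN).
write_req_config() {                      # $1 = config path, $2 = server FQDN
  cat > "$1" <<EOF
[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[ req_distinguished_name ]
C = US
ST = California
L = Emeryville
O = BigFix
OU = Development
CN = $2

[ v3_req ]
subjectAltName = DNS:$2
EOF
}

# Key and CSR in one step; -nodes leaves the key unencrypted, so there is no
# password to strip afterwards (article steps 5d and 5e).
make_key_and_csr() {                      # $1 = work dir, $2 = server FQDN
  write_req_config "$1/req.conf" "$2"
  openssl req -new -newkey rsa:2048 -nodes -config "$1/req.conf" \
    -keyout "$1/nopwdkey.pem" -out "$1/cert.csr" 2>/dev/null
}

# Self-sign the CSR, copying the SAN extension from the config (step 5b).
self_sign() {                             # $1 = work dir
  openssl x509 -req -sha256 -days 365 -in "$1/cert.csr" -signkey "$1/nopwdkey.pem" \
    -extfile "$1/req.conf" -extensions v3_req -out "$1/cert.crt" 2>/dev/null
}

# Stand-in for a CA-delivered bundle: pack cert and key into PKCS12, then unpack
# it exactly as the article does (-nodes -clcerts gives an unencrypted PEM dump).
pkcs12_roundtrip() {                      # $1 = work dir, $2 = export password
  openssl pkcs12 -export -in "$1/cert.crt" -inkey "$1/nopwdkey.pem" \
    -out "$1/bundle.p12" -passout "pass:$2"
  openssl pkcs12 -in "$1/bundle.p12" -out "$1/dump.pem" -nodes -clcerts \
    -passin "pass:$2" 2>/dev/null
}

# Reduce any PEM dump to one CERTIFICATE block followed by one PRIVATE KEY block.
# openssl re-encodes both, so Bag Attributes lines and CRLF endings cannot
# survive; this replaces the WordPad editing of step 6.
strip_to_cert_and_key() {                 # $1 = input PEM, $2 = output cert.pem
  openssl x509 -in "$1" -out "$2"
  openssl pkey -in "$1" >> "$2"
}

# Checks to run before step 7: exactly one cert and one key, LF endings, the key
# belongs to the cert, and the FQDN is in the SAN. Returns 0 if all pass, else 1.
verify_cert_pem() {                       # $1 = cert.pem, $2 = server FQDN
  [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1")" -eq 1 ] \
    || { echo "$1: need exactly one certificate"; return 1; }
  [ "$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$1")" -eq 1 ] \
    || { echo "$1: need exactly one private key"; return 1; }
  ! grep -q "$(printf '\r')" "$1" \
    || { echo "$1: has CRLF line endings"; return 1; }
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$1" -pubout)" ] \
    || { echo "$1: private key does not match certificate"; return 1; }
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2" \
    || { echo "$1: subjectAltName lacks $2"; return 1; }
}

# End to end: the self-signed path and the PKCS12 path both end in a cert.pem
# that passes verify_cert_pem.
demo() {                                  # $1 = work dir, $2 = server FQDN
  mkdir -p "$1"
  make_key_and_csr "$1" "$2"
  self_sign "$1"
  cat "$1/cert.crt" "$1/nopwdkey.pem" > "$1/cert.pem"   # step 5c without an editor
  verify_cert_pem "$1/cert.pem" "$2"
  pkcs12_roundtrip "$1" "example-export-password"
  strip_to_cert_and_key "$1/dump.pem" "$1/cert-from-ca.pem"
  verify_cert_pem "$1/cert-from-ca.pem" "$2"
}

if [ "${1:-}" = "run" ]; then demo "${2:-./sua-tls}" "${3:-sua.example.com}"; fi
```

Run it as sh enable-https.sh run C:\work sua.yourdomain.com (or with no arguments after loading it into a shell to call the functions individually). verify_cert_pem is the part worth keeping around: run it on cert.pem after any manual editing, because a stray CR, a second certificate, or a key that does not belong to the certificate all leave BigFixDSSApache unable to start, and the service log is the only place that tells you why.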