Setting up SSL for your nodes

The Aspera Node API provides an HTTPS interface for encrypted communication between nodes (on port 9092, by default). For example, if you are running the IBM Aspera Faspex web UI or the IBM Aspera Shares web UI on one computer, you can encrypt the connection (by using SSL) with your transfer server or file-storage node on another computer. HSTS nodes are preconfigured to use the Aspera default self-signed certificate (aspera_server_cert.pem). You might need to create a new certificate or install a valid, signed certificate, for example when you are configuring HSTS as an IBM Aspera on Cloud node.

About this task

The self-signed Aspera certificate is located in the following directory:

C:\Program Files\Aspera\Enterprise Server\etc

About PEM Files: The PEM certificate format is commonly issued by certificate authorities. PEM certificates have extensions that include .pem, .crt, .cer, and .key, and are Base-64 encoded ASCII files that contain "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" statements. Server certificates, intermediate certificates, and private keys can all be put into the PEM format.

To generate a new certificate:

Procedure

  1. Create a working directory, ssl.
    In a Command Prompt window (Go to Search from the taskbar and type Command Prompt), create a new working directory by running the following commands:
    > cd c:\
    > mkdir ssl
    > cd c:\ssl
  2. Copy openssl.cnf to your working directory.
    > copy "C:\Program Files\Aspera\Enterprise Server\etc\openssl.cnf" "C:\ssl\"
  3. Generate a Private Key and Certificate Signing Request (CSR) by using OpenSSL.
    In a Command Prompt window, run the following command (where my_key_name.key is the name of the unique key that you are creating and my_csr_name.csr is the name of your CSR):
    > openssl req -config "c:\ssl\openssl.cnf" -new -nodes -keyout my_key_name.key -out my_csr_name.csr

    In the example, the .key and .csr files are written to the c:\ssl\ directory.

  4. At the prompt, enter your X.509 certificate attributes.
    Important: The Common Name field must be completed with the fully qualified domain name of the server to be protected by SSL. If you are generating a certificate for an organization outside the US, go to Online Browsing Platform (OBP), select Country codes, and click the magnifier icon to view a list of two-letter ISO country codes.
    Generating a 1024 bit RSA private key
    ....................++++++
    ................++++++
    writing new private key to 'my_key_name.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [US]:Your_2_letter_ISO_country_code
    State or Province Name (full name) [Some-State]:Your_State_Province_or_County
    Locality Name (eg, city) []:Your_City
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your_Company
    Organizational Unit Name (eg, section) []:Your_Department
    Common Name (i.e., your server's hostname) []:secure.yourwebsite.com
    Email Address []:johndoe@yourwebsite.com

    You are also prompted to input extra attributes, including an optional challenge password.

    Note: Manually entering a challenge password when starting the server can be problematic in some situations, for example, when starting the server from the system start scripts. Skip entering a challenge password by pressing Enter.
    ...
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

    After you finalize the attributes, the private key and CSR are saved to your working directory (c:\ssl in this example).

    Important: If you make a mistake when running the OpenSSL command, discard the generated files and run the command again. After successfully generating your key and CSR, be sure to guard your private key; it cannot be regenerated.
  5. If required, send the CSR to your Certifying Authority (CA).
    Once completed, you have a valid, signed certificate.
    Note: Some certificate authorities provide a CSR generation tool on their website. For additional information, check with your CA.
  6. If required, generate a self-signed certificate.
    You might need to generate a self-signed certificate for the following reasons:
    • You don't plan to have your certificate signed by a CA.
    • You plan to test your new SSL implementation while the CA is signing your certificate.

    To generate a self-signed certificate through OpenSSL, run the following command:

    > openssl x509 -req -days 365 -in my_csr_name.csr -signkey my_key_name.key -out my_cert_name.crt

    This creates a certificate that is valid for 365 days.

  7. Create the .pem file.
    Note: Before overwriting the existing .pem file, be sure to back it up (for example, as aspera_server_cert.old) in the following directory:
    C:\Program Files\Aspera\Enterprise Server\etc
    Copy and paste the entire body of the key and cert files into a single text file and save the file as aspera_server_cert.pem. The order of the text in the new .pem file depends on whether you have individual certificate files or a bundle of certificates.

    Individual certificate files:

    1. The private key.
    2. The primary server's certificate.
    3. The intermediate certificates, if any (if more than one, begin with the least authoritative and proceed in ascending order).
    4. The root certificate.

    Bundle of certificates:

    1. The private key.
    2. The primary server's certificate.
    3. The entire bundle (as one file).

    For a certificate bundle, create a new file that is named aspera_server_cert.chain in the same directory as the .pem files. Copy and paste the root certificate into this file, followed by the bundle.
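
    A hand-assembled aspera_server_cert.pem is easy to get wrong (key pasted last, an END line copied from another block, a stray character in the Base-64 body, or a passphrase-protected key that the service cannot load unattended). The following script, added here as an example and not part of the Aspera product, checks the layout described in step 7 before you overwrite the original file; it verifies block order and Base-64 validity only and does not parse the certificates, so the issuer order of intermediates still has to be checked by hand. The sample PEM data is constructed with placeholder bodies.

```python
import base64
import re

# One PEM block; the END label must repeat the BEGIN label (backreference).
_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)


def pem_labels(text):
    """Return the block labels of a PEM file in order; raise on a damaged file."""
    labels = []
    for label, body in _BLOCK.findall(text):
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            raise ValueError(f"body of {label!r} block is not valid Base-64")
        labels.append(label)
    if not labels or text.count("-----BEGIN ") != len(labels) or text.count("-----END ") != len(labels):
        raise ValueError("no blocks found, or unbalanced/mislabelled BEGIN/END lines")
    return labels


def check_node_pem(text):
    """List layout problems in an aspera_server_cert.pem file (empty list = OK).
    Checks the step 7 order only (key first, then certificates); it does not
    verify that intermediates are in issuer order, which needs DER parsing."""
    if "Proc-Type: 4,ENCRYPTED" in text or "BEGIN ENCRYPTED PRIVATE KEY" in text:
        return ["private key is passphrase-protected; it cannot be loaded unattended"]
    try:
        labels = pem_labels(text)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if not labels[0].endswith("PRIVATE KEY"):
        problems.append(f"first block must be the private key, found {labels[0]!r}")
    if "CERTIFICATE" not in labels:
        problems.append("no server certificate found")
    for i, label in enumerate(labels[1:], start=2):
        if label != "CERTIFICATE":
            problems.append(f"block {i} is {label!r}, expected CERTIFICATE")
    return problems


def _block(label, payload):
    """Wrap constructed bytes as a PEM block (placeholder for real DER data)."""
    return f"-----BEGIN {label}-----\n{base64.encodebytes(payload).decode()}-----END {label}-----\n"


# Constructed samples: the individual-file layout from step 7, and the key pasted last.
SAMPLE_GOOD = _block("PRIVATE KEY", b"constructed private key") + "".join(
    _block("CERTIFICATE", b"constructed " + kind) for kind in (b"server cert", b"intermediate", b"root"))
SAMPLE_BAD = _block("CERTIFICATE", b"constructed server certificate") + _block("PRIVATE KEY", b"constructed private key")
```

    To check a real file, read it into a string and pass it to check_node_pem; an empty list means the layout matches step 7.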

  8. Enable SSL options in aspera.conf.
    For information about enabling specific SSL protocols with <ssl_protocol> and enabling specific encryption ciphers with <ssl_ciphers>, see Configuring the Aspera NodeD service.
  9. Restart the Aspera Node Service.

    Open Search from the taskbar and type Services, click IBM Aspera NodeD, and click Restart.