Installing SSL certificates for tethered nodes

The first step in tethering your IBM Aspera High-Speed Transfer Server (HSTS) node to your Aspera on Cloud organization is to install SSL certificates on the node.

This is step 1 in tethering a node

For an overview and prerequisites, see Tether Your Aspera Transfer Server to Aspera on Cloud.


Prerequisites

To configure an Aspera High-Speed Transfer Server (HST Server) with an SSL certificate, you must have:

  • the key
  • the signed root certificate, or a certificate bundle (root certificate plus intermediate certificates)

The key and certificate files must be in .pem or .crt format.

Note: The key and certificate (or certificate bundle) must be provided by an authorized, globally trusted Certificate Authority (CA) included in the Mozilla CA bundle. You cannot use a self-generated SSL certificate.

Task overview

To install and verify your SSL certificates you must:

  1. Replace the contents of the default Aspera key and certificate files in your installation (aspera_server_key.pem and aspera_server_cert.pem) with the contents of the files that you got from the CA, in the required order.
  2. Create a new file (aspera_server_cert.chain) in the same directory, and add the required certificate content to it.
  3. Use the openssl command to determine whether or not your certificate installation is correct.

Install key and certificates

  1. Back up the default private-key file and the self-signed certificate file in your HST Server installation. For example, make copies of the files with a .bak extension. The private key and certificate files are:
    • aspera_server_key.pem
    • aspera_server_cert.pem

    For Linux and Mac, the files are in /opt/aspera/etc.

    For Windows, the files are in drive-name:\Program Files\Aspera\Enterprise Server\etc.

  2. Replace the existing content of aspera_server_key.pem with the new private key that you have received for the HST Server from the CA.
  3. Replace the existing contents of aspera_server_cert.pem with the new private key and certificate information.

    The new contents must be in the following order:

    1. The private key.
    2. The server certificate.
    3. Any intermediate certificates that were provided by the CA.
      Note: These may be provided in the same file as the root certificate (as a certificate bundle), or in separate files. If they are provided in separate files, place them in order of ascending authority (that is, lowest first, next lowest below it, and so on).
    4. The root certificate of the CA.
  4. In the same directory as aspera_server_key.pem and aspera_server_cert.pem, create a new file named aspera_server_cert.chain.
  5. Copy the certificate information from aspera_server_cert.pem into your new aspera_server_cert.chain file.

    Do not include the key information. The contents of aspera_server_cert.chain and aspera_server_cert.pem are therefore the same, except that aspera_server_cert.chain does not include the key.

  6. Restart the asperacentral and asperanoded services.

    For Linux and Mac:

    # service asperacentral restart
    # service asperanoded restart

    For Windows:

    1. Select Control Panel > Administrative Tools > Services.
    2. Select Aspera HTTPD, then click Restart.
    3. Select Control Panel > Administrative Tools > Services.
    4. Select Aspera Central, click Start, and run the following commands:
      > sc stop asperanoded
      > sc start asperanoded

Check certificates

Verify that you've installed the key and certificate information correctly.

Use the openssl s_client command to connect to the HST Server and check whether or not the certificate files were correctly assembled and installed.

Use your system version of openssl. Do not use /opt/aspera/bin/openssl.

The syntax for the command is:

openssl s_client -connect server-ip-addr:port-number

For port-number, use the port number that you have configured the HST Server to use for HTTPS, which should be one of these:

  • 443 (the standard HTTPS port number)
  • 9092 (if you are using the Nginx reverse proxy—which is strongly recommended by Aspera)

Near the end of the command output, the Verify return code: statement indicates whether or not the installation was successful.

This message indicates that the installation was successful:

Verify return code: 0 (ok)

If the installation was not successful, an error message displays. For example:

Verify return code: 21 (unable to verify the first certificate)
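The assembly steps above (key, server certificate, intermediates in ascending authority, root; chain file without the key) and the s_client check, as an added example that is not Aspera's own tooling. It assumes the CA delivered files named server.key, server.crt, root.crt and zero or more intermediate files, and that the first argument is the directory holding the Aspera key and certificate files (/opt/aspera/etc on Linux).

```shell
#!/bin/sh
# Added example, not Aspera tooling. Assumed inputs: server.key, server.crt,
# root.crt and any intermediate files from the CA; $1 is the Aspera etc dir.

# Build aspera_server_cert.pem (key, server cert, intermediates, root) and
# aspera_server_cert.chain (the same without the key) in directory $1 from
# $2 = key, $3 = server cert, $4 = root cert, then any intermediates in
# ascending order of authority (lowest first), as the install steps require.
assemble_aspera_certs() {
    etc_dir=$1; key=$2; server_cert=$3; root=$4
    shift 4
    for f in aspera_server_key.pem aspera_server_cert.pem; do
        # Back up the shipped self-signed defaults, as step 1 recommends.
        if [ -f "$etc_dir/$f" ]; then cp "$etc_dir/$f" "$etc_dir/$f.bak"; fi
    done
    cp "$key" "$etc_dir/aspera_server_key.pem"
    # Chain file: server cert, intermediates (lowest authority first), root.
    cat "$server_cert" "$@" "$root" > "$etc_dir/aspera_server_cert.chain"
    # Cert file: the private key followed by exactly the same chain.
    cat "$key" "$etc_dir/aspera_server_cert.chain" > "$etc_dir/aspera_server_cert.pem"
    # Both files now hold the private key; restrict them (adjust the mode if
    # your Aspera services run as a non-root user).
    chmod 600 "$etc_dir/aspera_server_key.pem" "$etc_dir/aspera_server_cert.pem"
}

# Offline sanity check before restarting services: the chain file must carry
# no private key, the .pem file must start with the key, and both must hold
# the same number of certificates. Prints the problem and returns 1 on failure.
check_aspera_certs() {
    chain=$1/aspera_server_cert.chain; pem=$1/aspera_server_cert.pem
    if grep -q 'PRIVATE KEY' "$chain"; then
        echo "aspera_server_cert.chain must not contain the private key"; return 1
    fi
    if ! head -n 1 "$pem" | grep -q 'PRIVATE KEY'; then
        echo "aspera_server_cert.pem must begin with the private key"; return 1
    fi
    n_pem=$(grep -c 'BEGIN CERTIFICATE' "$pem" || true)
    n_chain=$(grep -c 'BEGIN CERTIFICATE' "$chain" || true)
    if [ "$n_pem" -ne "$n_chain" ] || [ "$n_chain" -lt 2 ]; then
        echo "certificate count mismatch or chain too short ($n_chain)"; return 1
    fi
    return 0
}

# Live check from the page, run with the system openssl (not /opt/aspera/bin):
# succeeds only when the output contains "Verify return code: 0 (ok)".
verify_aspera_tls() {   # $1 = host, $2 = HTTPS port (443, or 9092 behind Nginx)
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}
```

Run check_aspera_certs before restarting asperacentral and asperanoded, then verify_aspera_tls once they are back up; a return code 21 from s_client usually means the intermediates are missing or out of order in the chain.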

Troubleshooting

If your output indicates an unsuccessful verification, inspect the certificate content with the openssl x509 command.

For example:
# openssl x509 -in aspera_server_cert.pem -text -noout

Next step in tethering a node

You've completed the installation of the SSL certificates for your HSTS node. For step 2 in tethering the HSTS node to your AoC organization, go to Firewall requirements for tethered nodes.