Configuring TLS (non OCP install)
- It is recommended that you configure TA to use your own certificate for TLS.
- TLS is enabled by default.
- If you do not provide a certificate, TA will generate a self-signed certificate when TLS is enabled.
- There are a number of limitations when using a self-signed certificate.
- We do not support LibreSSL.
- TA uses the .crt format for the public certificate and the .pem format for the private key.
TLS (non OCP install)
TLS is enabled and configured by default, which can be viewed in .security_config; if the file does not exist, create it.
    cd scripts
    vi .security_config
- Default values for .security_config
    # Https
    TA_AUTH_ENABLE_TLS=true
    TA_LOCAL_INTERNAL_SERVER_PORT=9443
    TA_LOCAL_INTERNAL_UI_PORT=3443
    TA_LOCAL_INTERNAL_DB_PORT=6984
    TA_AES_IV=
    TA_AES_KEY=
- If the values are changed, re-initialize TA_LOCAL
    ./launchTransformationAdvisor.sh
  Choose Re-initialize Configuration from the menu option
Using your own certificate with TA_LOCAL
To use your own certificate you must have a certificate and a private key.
All encoding must be in the PEM format.
You can use files directly or store the relevant values as environment variables.
Certificates as files
Note: The certificate must be in a file called public.crt.
Note: The private key must be in a file called private.pem.
Note: The private.pem file must be unencrypted. If, when you open the file, it indicates that it is encrypted, it must be decrypted before use.
Complete the following steps:
- Go to the <TA_LOCAL_HOME> location and stop TA_LOCAL
    ./launchTransformationAdvisor.sh
  Choose Stop Transformation Advisor from the menu option
- Configure TA_LOCAL to use your files
    cd key
  Copy the private.pem and public.crt files to this location
- Start TA_LOCAL
    ./launchTransformationAdvisor.sh
  Choose Re-initialize Configuration from the menu option
Certificates as environment variables
Note: Any files in the key folder (detailed previously) will override these environment variables.
To use environment variables you must delete the key folder if it exists.
Note: The private.pem file must be unencrypted. If, when you open the file, it indicates that it is encrypted, it must be decrypted before use.
Complete the following steps:
- Go to the <TA_LOCAL_HOME> location and stop TA_LOCAL
    ./launchTransformationAdvisor.sh
  Choose Stop Transformation Advisor from the menu option
- Configure TA_LOCAL to use environment variables
    base64 -w 0 key/private.pem > key/private-base64
  Copy the text in private-base64 and set it as the value for TA_PRIVATE_KEY in .security_config
    base64 -w 0 key/public.crt > key/public-base64
  Copy the text in public-base64 and set it as the value for TA_PUBLIC_KEY in .security_config
- Start TA_LOCAL
    ./launchTransformationAdvisor.sh
  Choose Re-initialize Configuration from the menu option
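Both procedures above rely on the same preconditions (PEM-encoded files, an unencrypted private key, the base64 single-line form for .security_config, and the key folder taking precedence over the variables). As an added example that is not part of the Transformation Advisor documentation or product, the following Python helper checks those preconditions and produces the two .security_config lines; the PEM strings in it are constructed placeholders, not real key material.

```python
import base64
import re
from pathlib import Path

# Constructed placeholder PEM text so the script runs stand-alone; not real key material.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nTUlJQ3BsYWNlaG9sZGVy\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nTUlJRXBsYWNlaG9sZGVy\n-----END PRIVATE KEY-----\n"
SAMPLE_ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                        "DEK-Info: AES-256-CBC,00\n\nTUlJRXBsYWNlaG9sZGVy\n-----END RSA PRIVATE KEY-----\n")

# A PEM file is a BEGIN/END pair with matching labels (cert in public.crt, key in private.pem).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n.+?-----END \1-----", re.S)
# Encrypted keys appear either as a PKCS#8 "ENCRYPTED PRIVATE KEY" container
# or as a legacy key carrying OpenSSL's "Proc-Type: 4,ENCRYPTED" header.
ENCRYPTED_MARKERS = ("BEGIN ENCRYPTED PRIVATE KEY", "Proc-Type: 4,ENCRYPTED")

def pem_label(text: str) -> str:
    """Label of the first PEM block ('CERTIFICATE', 'PRIVATE KEY', ...) or ''."""
    m = PEM_BLOCK.search(text)
    return m.group(1) if m else ""

def is_encrypted_private_key(text: str) -> bool:
    return any(marker in text for marker in ENCRYPTED_MARKERS)

def validation_errors(cert_text: str, key_text: str) -> list[str]:
    """Problems that would make the pair unusable by TA (empty list means OK)."""
    errors = []
    if pem_label(cert_text) != "CERTIFICATE":
        errors.append("public.crt does not contain a PEM CERTIFICATE block")
    if is_encrypted_private_key(key_text):
        errors.append("private.pem is encrypted; decrypt it before use")
    elif "PRIVATE KEY" not in pem_label(key_text):
        errors.append("private.pem does not contain a PEM private key block")
    return errors

def to_single_line_base64(text: str) -> str:
    """Same output as `base64 -w 0 <file>`: one line, no wrapping."""
    return base64.b64encode(text.encode()).decode()

def security_config_lines(cert_text: str, key_text: str) -> list[str]:
    """The two lines to set in .security_config for the environment-variable method."""
    errors = validation_errors(cert_text, key_text)
    if errors:
        raise ValueError("; ".join(errors))
    return [f"TA_PUBLIC_KEY={to_single_line_base64(cert_text)}",
            f"TA_PRIVATE_KEY={to_single_line_base64(key_text)}"]

def key_folder_overrides_env(ta_local_home: str) -> bool:
    """True when <TA_LOCAL_HOME>/key exists: its files win over the variables above."""
    return (Path(ta_local_home) / "key").is_dir()
```

Run validation_errors on the real public.crt and private.pem contents before copying them into the key folder, and check key_folder_overrides_env on <TA_LOCAL_HOME> before relying on TA_PUBLIC_KEY/TA_PRIVATE_KEY.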
Browser limitations when using self-signed certificates
- Different browsers react differently when they encounter self-signed certificates
- Their behaviour is also dependent on the security settings for each user
- At the time of writing, this is the current behaviour of different browsers
Chrome
- This will not allow you to connect to a server using a self-signed certificate
- Potential solutions
  - Use your own certificate
  - Install the self-signed certificate as a trusted certificate in the browser
Firefox
- This will allow you to connect to a server using a self-signed certificate only after you accept the risk
- Note: You will not be able to upload data directly from the browser even after you accept the risk
- Potential solutions
  - Use your own certificate
  - Install the self-signed certificate as a trusted certificate in the browser
  - Configure a proxy for TA; this will allow you to upload data directly from the browser
Safari
- This will allow you to connect to a server using a self-signed certificate only after you accept the risk
- Potential solutions
  - Use your own certificate
  - Install the self-signed certificate as a trusted certificate in the browser
Disabling TLS (non OCP install)
- Back up .security_config if it exists
    cd scripts
    cp .security_config .security_config.backup
- If .security_config doesn't exist, create it
    cd scripts
    vi .security_config
- Default values for .security_config
    # Http
    TA_AUTH_ENABLE_TLS=false
    TA_LOCAL_INTERNAL_SERVER_PORT=9080
    TA_LOCAL_INTERNAL_UI_PORT=3000
    TA_LOCAL_INTERNAL_DB_PORT=5984
    TA_AES_IV=
    TA_AES_KEY=
- Update .configuration
    cd scripts
    vi .configuration
- Value of TA_EXTERNAL_UI_PORT updated in .configuration
    ...
    # Https
    # Configured by default
    #TA_EXTERNAL_UI_PORT=443
    # Http
    TA_EXTERNAL_UI_PORT=3000
- Re-initialize TA_LOCAL
    ./launchTransformationAdvisor.sh
  Choose Re-initialize Configuration from the menu option