Configuring TLS (non OCP install)

  • It is recommended that you configure to use your own certificate for TLS.
  • TLS is enabled by default.
  • If you do not provide a certificate then TA will generate a self-signed certificate when TLS is enabled.
  • TA uses .crt format for public certificate, and .pem format for private key.

TLS (non OCP install)

TLS is enabled and configured by default. The settings can be viewed in .security_config; if the file does not exist, create it:

    cd scripts
    vi .security_config

  • Default values for .security_config

    # Https
    TA_AUTH_ENABLE_TLS=true
    TA_LOCAL_INTERNAL_SERVER_PORT=9443
    TA_LOCAL_INTERNAL_UI_PORT=3443
    TA_LOCAL_INTERNAL_DB_PORT=6984

    TA_AES_IV=
    TA_AES_KEY=

  • If any of the values are changed, re-initialize TA_LOCAL:

    ./launch.sh
    Choose Re-initialize Configuration from the menu option

Using your own certificate with TA_LOCAL

To use your own certificate you must have a certificate and a private key. Both must be PEM encoded.

You can use files directly or store the relevant values as environmental variables.

Here is an example of how to generate a self-signed cert and key pair; a cert and key you obtain elsewhere must be in the same format. The -addext option requires OpenSSL 1.1.1 or later.

    openssl req -newkey rsa:2048 -keyout private.pem -x509 -nodes -new -out public.crt \
    -subj "/C=IE/ST=Cork/L=Cork/emailAddress=Transformation.Advisor@ie.ibm.com/O=TA/OU=TA/CN=ta.server.local" \
    -addext "subjectKeyIdentifier=hash" \
    -addext "authorityKeyIdentifier=keyid:always,issuer" \
    -addext "basicConstraints = critical,CA:false" \
    -addext "keyUsage = digitalSignature, keyEncipherment" \
    -addext "extendedKeyUsage = serverAuth" \
    -addext "subjectAltName=DNS:localhost,DNS:ta.server.local" \
    -sha256 \
    -days 365

After you obtain your cert and key pair, follow one of the two procedures below to enable them:

Certificates as files

Note: The certificate must be in a file called: public.crt.
Note: The private key must be in a file called: private.pem.
Note: The private.pem file must be unencrypted. An encrypted key can be recognised by its PEM header, -----BEGIN ENCRYPTED PRIVATE KEY-----, or by a Proc-Type: 4,ENCRYPTED line under -----BEGIN RSA PRIVATE KEY-----; such a key must be decrypted before use.

Complete the following steps:

  • Go to the <TA_LOCAL_HOME> location and stop TA_LOCAL

    ./launch.sh
    Choose Stop Transformation Advisor from the menu option

  • Configure TA_LOCAL to use your files

    cd key
    Copy the private.pem and public.crt files to this location

  • Start TA_LOCAL

    ./launch.sh
    Choose Re-initialize Configuration from the menu option

Certificates as environmental variables

Note: Any files in the key folder (detailed previously) override these environmental variables.

To use environmental variables you must delete the key folder if it exists.

Note: The private.pem file must be unencrypted. An encrypted key can be recognised by its PEM header, -----BEGIN ENCRYPTED PRIVATE KEY-----, or by a Proc-Type: 4,ENCRYPTED line under -----BEGIN RSA PRIVATE KEY-----; such a key must be decrypted before use.

Complete the following steps:

  • Go to the <TA_LOCAL_HOME> location and stop TA_LOCAL

    ./launch.sh
    Choose Stop Transformation Advisor from the menu option

  • Configure TA_LOCAL to use environmental variables. The -w 0 option (GNU coreutils) disables line wrapping so the value fits on one line; on a system whose base64 lacks -w, use base64 < key/private.pem | tr -d '\n' instead.

    base64 -w 0 key/private.pem > key/private-base64
    Copy the text in private-base64 and set it as the value for TA_PRIVATE_KEY in .security_config
    base64 -w 0 key/public.crt > key/public-base64
    Copy the text in public-base64 and set it as the value for TA_PUBLIC_KEY in .security_config

  • Start TA_LOCAL

    ./launch.sh
    Choose Re-initialize Configuration from the menu option
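The two procedures above (files in the key folder, or base64 values in .security_config) both depend on the same pre-flight facts: the private key is unencrypted, the key actually belongs to the certificate, and the certificate carries a DNS subjectAltName for the host name the browser will use. The script below is an added example, not part of the TA documentation or product; it generates a throw-away pair shaped like the page's openssl command, runs those checks, and writes the single-line base64 values into a .security_config-style file. It assumes a scratch directory passed as its first argument and an openssl binary (1.1.1 or later, for -addext) on PATH.

```shell
#!/bin/sh
# Added example, not part of the TA documentation: pre-flight checks for a
# cert/key pair before it goes into TA's key/ folder or .security_config.
# Assumptions (not from the page): a scratch directory passed as $1, and an
# openssl binary (1.1.1 or later, for -addext) on PATH.
set -eu

# Generate a throw-away self-signed pair shaped like the page's openssl command.
# Subject and SAN values are the page's own example values.
gen_pair() {
  dir=$1
  openssl req -newkey rsa:2048 -keyout "$dir/private.pem" -x509 -nodes -new \
    -out "$dir/public.crt" \
    -subj "/C=IE/ST=Cork/L=Cork/O=TA/OU=TA/CN=ta.server.local" \
    -addext "basicConstraints = critical,CA:false" \
    -addext "keyUsage = digitalSignature, keyEncipherment" \
    -addext "extendedKeyUsage = serverAuth" \
    -addext "subjectAltName=DNS:localhost,DNS:ta.server.local" \
    -sha256 -days 365 >/dev/null 2>&1
}

# TA requires an unencrypted private.pem. An encrypted key announces itself in
# its PEM armour: a "BEGIN ENCRYPTED PRIVATE KEY" header (PKCS#8) or a
# "Proc-Type: 4,ENCRYPTED" line (legacy "BEGIN RSA PRIVATE KEY" files).
key_is_unencrypted() {
  ! grep -qE 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# The key must belong to the certificate: derive the SubjectPublicKeyInfo from
# each side and compare. Works for RSA and EC keys alike.
key_matches_cert() {
  key=$1; cert=$2
  kp=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  cp=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$kp" ] && [ "$kp" = "$cp" ]
}

# Browsers match the URL host against subjectAltName, not the CN, so the name
# you will type into the browser must appear as a DNS SAN.
cert_has_san() {
  cert=$1; host=$2
  openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -qF "DNS:$host"
}

# Single-line base64, equivalent to the page's `base64 -w 0` but portable to
# base64 implementations that lack -w.
to_env_value() {
  base64 < "$1" | tr -d '\n'
}

# Set KEY=VALUE in a .security_config-style file, replacing an existing
# assignment or appending one. '|' is a safe sed delimiter because base64
# output never contains it.
set_config_value() {
  file=$1; key=$2; value=$3
  if grep -q "^${key}=" "$file" 2>/dev/null; then
    sed -i.bak "s|^${key}=.*|${key}=${value}|" "$file" && rm -f "$file.bak"
  else
    printf '%s=%s\n' "$key" "$value" >> "$file"
  fi
}

# Run all checks on an existing pair; fail on the first problem found.
check_pair() {
  key=$1; cert=$2; host=$3
  key_is_unencrypted "$key"       || { echo "private key is encrypted" >&2; return 1; }
  key_matches_cert "$key" "$cert" || { echo "key does not match cert" >&2; return 1; }
  cert_has_san "$cert" "$host"    || { echo "no DNS SAN for $host" >&2; return 1; }
}

# Stand-alone usage: sh check_pair.sh <scratch-dir> generates a test pair there,
# checks it, and writes both base64 values into <scratch-dir>/.security_config.
if [ -n "${1:-}" ]; then
  gen_pair "$1"
  check_pair "$1/private.pem" "$1/public.crt" ta.server.local
  set_config_value "$1/.security_config" TA_PRIVATE_KEY "$(to_env_value "$1/private.pem")"
  set_config_value "$1/.security_config" TA_PUBLIC_KEY  "$(to_env_value "$1/public.crt")"
  echo "checks passed; values written to $1/.security_config"
fi
```

To check a pair you obtained elsewhere instead of a generated one, source the file and call check_pair with your own private.pem, public.crt and the host name you will enter in the browser; the SAN check is the one that most often explains a browser still refusing the connection after a custom cert has been installed.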

Browser limitations when using self-signed certificates

  • Different browsers react differently when they encounter self-signed certificates.

  • Their behaviour is also dependent on the security settings for each user.

  • At the time of writing, the behaviour of the main browsers is as follows.

Chrome

  • This will not allow you to connect to a server using a self-signed certificate
  • Potential Solutions
    • Use your own certificate
    • Install the self-signed certificate as a trusted certificate in the browser

Firefox

  • This will allow you to connect to a server using a self-signed certificate only after you accept the risk.

  • You will not be able to upload data directly from the browser even after you accept the risk.

  • Potential Solutions

    • Use your own certificate
    • Install the self-signed certificate as a trusted certificate in the browser
    • Configure a proxy for TA; this will allow you to upload data directly from the browser

Safari

  • This will allow you to connect to a server using a self-signed certificate only after you accept the risk.

  • Potential Solutions

    • Use your own certificate
    • Install the self-signed certificate as a trusted certificate in the browser

Disabling TLS (non OCP install)

Back up .security_config if it exists:

    cd scripts
    cp .security_config .security_config.backup

If .security_config does not exist, create it:

    cd scripts
    vi .security_config

  • Default values for .security_config

    # Http
    TA_AUTH_ENABLE_TLS=false
    TA_LOCAL_INTERNAL_SERVER_PORT=9080
    TA_LOCAL_INTERNAL_UI_PORT=3000
    TA_LOCAL_INTERNAL_DB_PORT=5984
    
    TA_AES_IV=
    TA_AES_KEY=
    
  • Update .configuration

    cd scripts
    vi .configuration
    
  • Update the value of TA_EXTERNAL_UI_PORT in .configuration

    ...
    # Https
    # Configured by default
    #TA_EXTERNAL_UI_PORT=443
    
    # Http
    TA_EXTERNAL_UI_PORT=3000
    
  • Re-initialize TA_LOCAL

    ./launch.sh
    Choose Re-initialize Configuration from the menu option