Configuring TLS (non OCP install)

  • It is recommended that you configure TA to use your own certificate for TLS.
  • TLS is enabled by default.
  • If you do not provide a certificate, TA will generate a self-signed certificate when TLS is enabled.
  • TA uses the .crt format for the public certificate and the .pem format for the private key.

TLS (non OCP install)

TLS is enabled and configured by default. The settings can be viewed in .security_config; if the file does not exist, create it.

cd scripts
vi .security_config
  • Default values for .security_config
# Https

TA_AUTH_ENABLE_TLS=true
TA_LOCAL_INTERNAL_SERVER_PORT=9443
TA_LOCAL_INTERNAL_UI_PORT=3443
TA_LOCAL_INTERNAL_DB_PORT=6984

TA_AES_IV=
TA_AES_KEY=
  • If the values are changed, re-initialize TA_LOCAL
./launchTransformationAdvisor.sh

Choose Re-initialize Configuration from the menu option

Using your own certificate with TA_LOCAL

To use your own certificate, you must have a certificate and a private key.
Both must be encoded in the PEM format.

You can use files directly or store the relevant values as environmental variables.

Certificates as files

Note: The certificate must be in a file called: public.crt.
Note: The private key must be in a file called: private.pem.
Note: The private.pem file must be unencrypted. If the file indicates that it is encrypted when you open it, it must be decrypted before use.

Complete the following steps:

  • Go to the <TA_LOCAL_HOME> location and stop TA_LOCAL
./launchTransformationAdvisor.sh
Choose Stop Transformation Advisor from the menu option
  • Configure TA_LOCAL to use your files
cd key
Copy the private.pem and public.crt files to this location
  • Start TA_LOCAL
./launchTransformationAdvisor.sh
Choose Re-initialize Configuration from the menu option

Certificates as environmental variables

Note: Any files in the key folder (detailed previously) will override these environmental variables.
To use environmental variables, you must delete the key folder if it exists.

Note: The private.pem file must be unencrypted. If the file indicates that it is encrypted when you open it, it must be decrypted before use.

Complete the following steps:

  • Go to the <TA_LOCAL_HOME> location and stop TA_LOCAL
./launchTransformationAdvisor.sh
Choose Stop Transformation Advisor from the menu option
  • Configure TA_LOCAL to use environmental variables
base64 -w 0 key/private.pem > key/private-base64
Copy the text in private-base64 and set it as the value for TA_PRIVATE_KEY in .security_config
base64 -w 0 key/public.crt > key/public-base64
Copy the text in public-base64 and set it as the value for TA_PUBLIC_KEY in .security_config
  • Start TA_LOCAL
./launchTransformationAdvisor.sh
Choose Re-initialize Configuration from the menu option
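
The requirements stated in the notes for both procedures above (PEM encoding, an unencrypted private.pem) can be checked before TA_LOCAL is re-initialized. The following shell script is an added example, not part of the TA documentation; it also goes one step further and verifies that the private key belongs to the certificate. The function names and exit codes are assumptions, and the key/certificate comparison requires the openssl CLI.

```shell
#!/bin/sh
# Added example (not from the TA documentation): pre-flight checks for the
# public.crt / private.pem pair. Function names and exit codes are hypothetical.

# Succeeds when the PEM private key is passphrase-protected. Covers PKCS#8
# ("ENCRYPTED PRIVATE KEY") and the traditional "Proc-Type: 4,ENCRYPTED" header.
key_is_encrypted() {
    grep -Eq -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1"
}

# Succeeds when file $1 contains a PEM block whose label matches regex $2.
has_pem_block() {
    grep -Eq -e "^-----BEGIN ($2)-----" "$1"
}

# Succeeds when the certificate's public key equals the one derived from the
# private key. Requires the openssl CLI; fails if it is missing.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# $1 = directory holding public.crt and private.pem (the key folder on the page).
# Returns 0 if usable, 2 missing file, 3 not PEM, 4 encrypted key, 5 mismatch.
check_tls_files() {
    crt="$1/public.crt"; key="$1/private.pem"
    if [ ! -r "$crt" ] || [ ! -r "$key" ]; then
        echo "public.crt or private.pem not readable in $1" >&2; return 2
    fi
    if key_is_encrypted "$key"; then
        echo "private.pem is encrypted; decrypt it before use" >&2; return 4
    fi
    if ! has_pem_block "$crt" 'CERTIFICATE' ||
       ! has_pem_block "$key" '(RSA |EC )?PRIVATE KEY'; then
        echo "public.crt and private.pem must both be PEM encoded" >&2; return 3
    fi
    if ! cert_matches_key "$crt" "$key"; then
        echo "private.pem does not match public.crt (or openssl is missing)" >&2
        return 5
    fi
    echo "public.crt and private.pem look usable"
}

# Run the check when a directory is given, e.g.: sh check_tls.sh key
if [ "$#" -gt 0 ]; then check_tls_files "$1"; fi
```

Run it against the key folder before choosing Re-initialize Configuration; a non-zero exit code identifies which requirement the files fail.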

Browser limitations when using self signed certificates

  • Different browsers react differently when they encounter self-signed certificates
  • Their behaviour is also dependent on the security settings for each user
  • At the time of writing, the behaviour of the different browsers is as follows

Chrome

  • This will not allow you to connect to a server using a self-signed certificate
  • Potential Solutions
    • Use your own certificate
    • Install the self-signed certificate as a trusted certificate in the browser

Firefox

  • This will allow you to connect to a server using a self-signed certificate only after you accept the risk
  • Note: You will not be able to upload data directly from the browser even after you accept the risk
  • Potential Solutions
    • Use your own certificate
    • Install the self-signed certificate as a trusted certificate in the browser
    • Configure a proxy for TA; this will allow you to upload data directly from the browser

Safari

  • This will allow you to connect to a server using a self-signed certificate only after you accept the risk
  • Potential Solutions
    • Use your own certificate
    • Install the self-signed certificate as a trusted certificate in the browser

Disabling TLS (non OCP install)

Back up .security_config if it exists

cd scripts
cp .security_config .security_config.backup

If .security_config doesn't exist, create it

cd scripts
vi .security_config
  • Default values for .security_config
# Http
TA_AUTH_ENABLE_TLS=false
TA_LOCAL_INTERNAL_SERVER_PORT=9080
TA_LOCAL_INTERNAL_UI_PORT=3000
TA_LOCAL_INTERNAL_DB_PORT=5984

TA_AES_IV=
TA_AES_KEY=
  • Update .configuration
cd scripts
vi .configuration
  • Value of TA_EXTERNAL_UI_PORT updated in .configuration
...
# Https
# Configured by default
#TA_EXTERNAL_UI_PORT=443

# Http
TA_EXTERNAL_UI_PORT=3000
  • Re-initialize TA_LOCAL
./launchTransformationAdvisor.sh
Choose Re-initialize Configuration from the menu option