Self-signed certificates

You require an SSL configuration to integrate IBM Process Mining and IBM Task Mining.

In a production environment, you must use an official SSL certificate that is obtained from a certificate authority (CA). For local and test environments, you can install a self-signed certificate and then add it to the NGINX configuration.

This topic describes how to create a sample self-signed certificate and configure the system to use the certificate in a local or test environment.

IMPORTANT: For security reasons, it is recommended to use HTTPS.

NOTES:

  • For demonstration purposes, the steps use the following sample domains:

    • IBM Process Mining
      pm.processmining
    • IBM Task Mining
      tm.processmining
  • If DNS is not available for your domain, you must add a record to the local hosts file as shown in the following example:

    192.168.0.10 pm.processmining tm.processmining
    
  • You can find the hosts file in the following locations:

    • For Mac and Linux®
      /etc/hosts
    • For Windows operating systems
      C:\Windows\System32\drivers\etc\hosts
  • You can use multiple methods to create self-signed certificates. This document only explains one of the methods.

Creating certificates

You can use the following steps to create a certificate:

  1. Create and open a directory.

    /home/pm/cert
    
  2. Generate a CA private key.

    openssl genrsa -des3 -out rootCA.key 2048
    # When prompted for a pass phrase, enter the sample password: changeit
    

    NOTE: This CA is shared by IBM Process Mining and IBM Task Mining. It is also valid for NGINX.

  3. Generate the CA certificate.

    openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
    
  4. Create a new file, v3.ext, and copy the following contents into it.

    authorityKeyIdentifier=keyid,issuer
    basicConstraints=CA:FALSE
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    subjectAltName = @alt_names
    [alt_names]
    DNS.1 = pm.processmining
    DNS.2 = tm.processmining
    
  5. Update the domain names in v3.ext to match your installation.

  6. Create the certificate. You must install the certificate on both NGINX instances.

    openssl req -new -nodes -out server.csr -newkey rsa:2048 -keyout server.key
    openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 500 -sha256 -extfile v3.ext
    cat server.crt server.key > server.pem
    

    NOTE: You must ensure that the current directory includes the following files:

    server.key
    server.crt
    rootCA.pem
    

    You need these files to complete the installation. For more information about installation, see Installation and configuration.
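
The following check can be run after step 6 to confirm that the three files fit together before you install them. It is an added example, not part of the IBM procedure; the function name check_cert_set and its return codes are hypothetical. It verifies that server.crt chains to rootCA.pem, that server.key is the private key for server.crt, and that every expected host name is present in subjectAltName.

```shell
#!/bin/sh
# Added example (not IBM code). Usage, from any directory:
#   check_cert_set /home/pm/cert pm.processmining tm.processmining
# Return codes (hypothetical): 0 ok, 1 file missing, 2 not signed by the CA,
# 3 key/certificate mismatch, 4 host name missing from subjectAltName.
check_cert_set() {
    dir=$1; shift
    crt="$dir/server.crt"; key="$dir/server.key"; ca="$dir/rootCA.pem"

    # The three files the procedure says must exist.
    for f in "$crt" "$key" "$ca"; do
        [ -r "$f" ] || { echo "missing: $f" >&2; return 1; }
    done

    # 1. server.crt must chain to rootCA.pem.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
        { echo "server.crt is not signed by rootCA.pem" >&2; return 2; }

    # 2. server.key must belong to server.crt: compare the public keys.
    #    server.key is unencrypted (-nodes in step 6), so no prompt occurs.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    if [ -z "$crt_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo "server.key does not match server.crt" >&2; return 3
    fi

    # 3. Every expected host name must be a DNS entry in subjectAltName.
    #    A missing -extfile v3.ext in step 6 shows up here.
    san=$(openssl x509 -in "$crt" -noout -text |
          grep -A1 'Subject Alternative Name' | tail -n 1)
    for name in "$@"; do
        printf '%s\n' "$san" | tr ',' '\n' | tr -d ' ' |
            grep -qxF "DNS:$name" ||
            { echo "subjectAltName lacks DNS:$name" >&2; return 4; }
    done
    return 0
}
```

Pass the domain names from your own v3.ext in place of the sample domains.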