Self-signed certificates

You require an SSL configuration to integrate IBM Process Mining and IBM Task Mining.

In a production environment, you must use an official SSL certificate that is obtained from the certificate authority (CA). For both local and test environments, you can install a self-signed certificate. You can then add the created self-certificate to the NGINX configuration.

This topic describes how to create a sample self-signed certificate and configure the system to use the certificate in a local or test environment. You can use multiple methods to create self-signed certificates. This topic explains one of the methods.

For security reasons, it is recommended to use HTTPS.

For demonstration purpose, the instruction steps include the following sample domains:

  • IBM Process Mining
    pm.processmining
  • IBM Task Mining
    tm.processmining

If the DNS for your domain is not available, you must add a record to the local host file as indicated in the following example:

192.168.0.10 pm.processmining tm.processmining

You can locate the host files in the following directories: * For Mac and Linux®
/etc/hosts * For Windows operating systems
C:\Windows\System32\drivers\etc\hosts

Creating certificates

You can use the following steps to create a certificate:

  1. Create and open a directory.
/home/pm/cert
  1. Generate a CA private key.
openssl genrsa -des3 -out rootCA.key 2048
(password: changeit)

This CA is common for IBM Process Mining and IBM Task Mining. It is also valid for NGINX.

  1. Generate the CA certificate.
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
  1. Create the new file, v3.ext, and then copy the following contents to the file.
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = pm.processmining
DNS.2 = tm.processmining

  1. Update the domain name based on the installation.

  2. Create the certificate. You must install the certificate on both Nginx.

    openssl req -new -nodes -out server.csr -newkey rsa:2048 -keyout server.key
openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 500 -sha256 -extfile v3.ext
cat server.crt server.key > server.pem

    You must ensure that the current directory includes the following files:

    server.key
server.crt
rootCA.pem

    You need these files to complete the installation. For more information about installation, see the Installation and configuration topic.