Enable SSL for host factory by using the default self-signed certificate for testing purposes. SSL between the host factory server and its clients encrypts access to the host factory RESTful APIs.
About this task
SSL communication for host factory follows your SSL
setting for RESTful web servers, which is enabled during installation by default. If you disabled
SSL for web server communication during installation, SSL for host factory is also disabled.
Important: Use the same SSL setting (enabled or disabled) for the cluster management console, the RESTful web servers, and host factory. Enabling SSL for one component while it is disabled for the others causes errors. When SSL is uniformly enabled, each component can still use its own certificate and key.
With SSL for web servers enabled during installation, SSL for host factory is also enabled; the host factory client automatically uses a built-in self-signed certificate for its SSL sessions. If you disabled SSL for web servers during installation and want to enable SSL for host factory for the first time, you can use the default self-signed certificate purely for testing purposes: it encrypts the session, but clients cannot validate it against a trusted CA, so it does not prove the server's identity. Replace it with a certificate issued by your own CA before using host factory outside a test environment. The self-signed certificate is available at $EGO_TOP/wlp/usr/shared/resources/security/.
Procedure
Follow these steps to enable SSL for host factory with the default
self-signed certificate.
- Stop the HostFactory service:
  egosh service stop HostFactory
- Edit the hostfactoryconf.json file at $HF_TOP/$HF_VERSION/ and specify the path to the default self-signed certificate file and private key in the HF_REST_TRANSPORT_ARG parameter. You can either reference the cluster-level SSL configuration from ego.conf or define the configuration exclusively for host factory. In either case, the private key file should be readable only by the account that runs the HostFactory service.
- To retrieve cluster-level SSL configuration from the ego.conf file on a
management host that runs the HostFactory service:
- In hostfactoryconf.json, set the HF_REST_TRANSPORT_ARG
parameter to an environment variable. For
example:
"HF_REST_TRANSPORT_ARG": "$EGO_DEFAULT_TS_PARAMS"
- In ego.conf, set the CERTIFICATE and
PRIVATE_KEY subparameters for the EGO_DEFAULT_TS_PARAMS
parameter to the default certificate file and private key. Optionally, you can also define the
CIPHER, CAFILE, and SERVER_AUTH
subparameters. For
example:
EGO_DEFAULT_TS_PARAMS: "SSL[CERTIFICATE=/opt/ibm/spectrumcomputing/wlp/usr/shared/resources/security/user.pem,
PRIVATE_KEY=/opt/ibm/spectrumcomputing/wlp/usr/shared/resources/security/user.key,CIPHER=ECDHE-ECDSA-AES256-GCM-SHA384,
CAFILE=/opt/ibm/spectrumcomputing/wlp/usr/shared/resources/security/cacert.pem,SERVER_AUTH={}]"
- To define SSL parameters separately for host factory, in
hostfactoryconf.json, set the HF_REST_TRANSPORT_ARG
parameter to the default certificate file and private key as subparameters in the following
format:
"HF_REST_TRANSPORT_ARG": "SSL[subparameter, ...]"
where
the subparameters are:
- CERTIFICATE: Path to the user.pem certificate file,
which is at $EGO_TOP/wlp/usr/shared/resources/security/.
- PRIVATE_KEY: Path to the user.key private key file,
which is at $EGO_TOP/wlp/usr/shared/resources/security/.
The HF_REST_TRANSPORT_ARG parameter uses the same subparameters as
the EGO_DEFAULT_TS_PARAMS parameter in ego.conf.
Optionally, you can also define the CIPHER, CAFILE, and
SERVER_AUTH parameters.
For
example:
"HF_REST_TRANSPORT_ARG": "SSL[CERTIFICATE=/opt/ibm/spectrumcomputing/wlp/usr/shared/resources/security/user.pem,
PRIVATE_KEY=/opt/ibm/spectrumcomputing/wlp/usr/shared/resources/security/user.key,CIPHER=ECDHE-ECDSA-AES256-GCM-SHA384,
CAFILE=/opt/ibm/spectrumcomputing/wlp/usr/shared/resources/security/cacert.pem,SERVER_AUTH={}]"
- Optional: Set the HF_REST_LISTEN_PORT parameter in hostfactoryconf.json to specify the listening port for host factory client requests. Valid values are 0 or a port number in the range 1024 - 65535. The default SSL port is 9443. If you specify 0 or omit the parameter, a random port is assigned, so set the port explicitly when clients or firewall rules depend on a fixed port. For example:
  "HF_REST_LISTEN_PORT": 9443
- Save your changes to hostfactoryconf.json.
- Start the HostFactory service:
  egosh service start HostFactory
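As an added example (not part of this page and not IBM's own tooling), the following Python script performs steps 2 and 3 programmatically: it builds and parses the SSL[...] value for HF_REST_TRANSPORT_ARG, enforces the HF_REST_LISTEN_PORT rules described above, refuses to proceed if the private key file is readable by group or other users, and rewrites hostfactoryconf.json. The function names, the key-permission check, and the hard-coded /opt/ibm/spectrumcomputing paths are assumptions; stopping and starting the service with egosh is left to the caller.

```python
"""Build, validate and apply host factory SSL transport settings.

Added example, not IBM code. Assumes the "SSL[KEY=value,...]" syntax and
the HF_REST_LISTEN_PORT rules documented for hostfactoryconf.json; the
default paths are the ones shown on the page and may differ per cluster.
"""
import json
import os
import re
import stat

SECURITY_DIR = "/opt/ibm/spectrumcomputing/wlp/usr/shared/resources/security"
DEFAULT_CERT = f"{SECURITY_DIR}/user.pem"   # assumed default certificate
DEFAULT_KEY = f"{SECURITY_DIR}/user.key"    # assumed default private key

# Emission order for subparameters; matches the page's example.
_SUBPARAMS = ("CERTIFICATE", "PRIVATE_KEY", "CIPHER", "CAFILE", "SERVER_AUTH")


def build_transport_arg(certificate, private_key, cipher=None,
                        cafile=None, server_auth=None):
    """Return an SSL[...] string suitable for HF_REST_TRANSPORT_ARG."""
    values = {"CERTIFICATE": certificate, "PRIVATE_KEY": private_key,
              "CIPHER": cipher, "CAFILE": cafile, "SERVER_AUTH": server_auth}
    for key, val in values.items():
        if val is not None and any(c in val for c in "[]"):
            raise ValueError(f"{key} contains a bracket delimiter: {val!r}")
    parts = [f"{k}={values[k]}" for k in _SUBPARAMS if values[k] is not None]
    return "SSL[" + ",".join(parts) + "]"


def parse_transport_arg(arg):
    """Parse HF_REST_TRANSPORT_ARG.

    Returns ("env", NAME) for a "$NAME" reference to ego.conf, or
    ("ssl", {subparam: value}) for an inline SSL[...] string. Commas inside
    braces (as in SERVER_AUTH={...}) do not split fields.
    """
    arg = arg.strip()
    if arg.startswith("$"):
        return ("env", arg[1:])
    match = re.fullmatch(r"SSL\[(.*)\]", arg, re.S)
    if not match:
        raise ValueError(f"not an SSL[...] transport argument: {arg!r}")
    fields, depth, cur = [], 0, []
    for ch in match.group(1):
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == "," and depth == 0:
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if cur:
        fields.append("".join(cur))
    out = {}
    for field in fields:
        key, sep, val = field.strip().partition("=")
        if not sep or key not in _SUBPARAMS:
            raise ValueError(f"unknown or malformed subparameter: {field!r}")
        out[key] = val.strip()
    if "CERTIFICATE" not in out or "PRIVATE_KEY" not in out:
        raise ValueError("CERTIFICATE and PRIVATE_KEY are required")
    return ("ssl", out)


def validate_listen_port(port):
    """HF_REST_LISTEN_PORT must be 0 (random port) or 1024-65535."""
    if isinstance(port, bool) or not isinstance(port, int):
        raise ValueError("HF_REST_LISTEN_PORT must be an integer")
    if port != 0 and not 1024 <= port <= 65535:
        raise ValueError(f"HF_REST_LISTEN_PORT out of range: {port}")
    return port


def key_mode_is_private(mode):
    """True if the permission bits grant nothing to group or other."""
    return (stat.S_IMODE(mode) & 0o077) == 0


def apply_ssl_settings(conf, transport_arg, port=None):
    """Return a copy of the hostfactoryconf.json dict with SSL applied."""
    parse_transport_arg(transport_arg)          # validate before touching conf
    new = dict(conf)
    new["HF_REST_TRANSPORT_ARG"] = transport_arg
    if port is not None:
        new["HF_REST_LISTEN_PORT"] = validate_listen_port(port)
    return new


def update_conf_file(path, transport_arg, port=None):
    """Rewrite hostfactoryconf.json in place; refuse if the key is exposed."""
    with open(path) as fh:
        conf = json.load(fh)
    kind, ssl = parse_transport_arg(transport_arg)
    if kind == "ssl":
        for sub in ("CERTIFICATE", "PRIVATE_KEY"):
            if not os.path.isfile(ssl[sub]):
                raise FileNotFoundError(f"{sub} not found: {ssl[sub]}")
        if not key_mode_is_private(os.stat(ssl["PRIVATE_KEY"]).st_mode):
            raise PermissionError(f"{ssl['PRIVATE_KEY']} is group/other readable")
    conf = apply_ssl_settings(conf, transport_arg, port)
    with open(path, "w") as fh:
        json.dump(conf, fh, indent=4)
        fh.write("\n")
    return conf


if __name__ == "__main__":
    import sys
    # Run between "egosh service stop HostFactory" and "egosh service start HostFactory".
    arg = build_transport_arg(DEFAULT_CERT, DEFAULT_KEY,
                              cipher="ECDHE-ECDSA-AES256-GCM-SHA384",
                              cafile=f"{SECURITY_DIR}/cacert.pem",
                              server_auth="{}")
    print(json.dumps(update_conf_file(sys.argv[1], arg, port=9443), indent=4))
```

Run it with the path to hostfactoryconf.json as the only argument while the HostFactory service is stopped. The permission check is deliberately strict: a private key that other local users can read undermines any SSL configuration, test or not.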
Results
You can now access the host factory APIs over SSL with the default self-signed certificate. To confirm, connect to the listening port with a TLS client (for example, openssl s_client -connect host:9443) and check that the certificate presented is the default user.pem; clients must be configured to accept this self-signed certificate, since it does not chain to a trusted CA.