Setting Up SSL for the Web Interface

SSL on Windows (IIS)

Configuring SSL Certificate

  1. Open the IIS (Internet Information Services) Manager.

  2. Select the Web Server node in the left sidebar, under Start Page, and double-click Server Certificates in the middle pane.

  3. In the Actions pane, select an action to import an existing .pfx SSL certificate or to create a self-signed certificate. If your certificate is in a format other than .pfx, see the documentation or tools provided by your certificate authority to convert certificates to .pfx format.

  4. Select your website under Sites in the left sidebar (usually Default Web Site), and then click Bindings… in the Actions pane on the right.

  5. In the Site Bindings dialog box, click Add, select https on the Type menu, and then select the certificate you added in step 3 from the SSL certificate list. Click OK.

  • The Host Name and Require Server Name Indication fields can be left blank if this is the first certificate installed on the server.

Redirecting HTTP Traffic to HTTPS

  1. Navigate to URL Rewrite rules and locate the grayed-out HTTP -> HTTPS redirect rule.

  2. Ensure it’s positioned at the top of the list, select it, and click Enable under Actions on the right side.

  3. Restart the web server. This will automatically redirect all HTTP queries to HTTPS.

Using the IIS Manager

With Default Web Site selected in the left sidebar, double-click URL Rewrite in the middle pane.

If there’s already an HTTP to HTTPS redirect rule at the top of the list, no further action is needed.

To add a new rule:

  1. Click Add Rules in the Actions pane on the right, then click OK to create an empty inbound rule.

  2. In the Name field, enter HTTP to HTTPS redirect.

  3. In the Pattern field, enter (.*)

  4. Under conditions, click Add and enter the required condition:

  5. In the Actions pane at the bottom, select Redirect from the Action type drop-down list, set the redirect URL to https://{HTTP_HOST}/{R:1} and the redirect type to Permanent (301).

  6. Click Apply in the Actions pane on the left, and then click Back to rules.

  7. Move the new HTTP to HTTPS redirect rule to the top of the list using the Move Up button in the Actions pane on the right.

SSL on Linux (Apache)

By default, the Web Interface uses an unencrypted HTTP connection on port 80. To use HTTPS on port 443, follow these steps.

  1. Ensure that mod_ssl for Apache is installed:

      yum install mod_ssl

  2. If you have existing SSL key files:

  • place the .key file in /etc/pki/tls/private/

  • and the .crt and .csr files in /etc/pki/tls/certs/.

  3. If you need new SSL keys, generate a keypair:

      openssl req -new -nodes -keyout mmweb.key -out mmweb.csr -newkey rsa:4096

  4. Create a self-signed certificate:

      openssl x509 -req -days 365 -in mmweb.csr -signkey mmweb.key -out mmweb.crt

  5. Move the files to the appropriate directories:

      cp mmweb.key /etc/pki/tls/private/
      cp mmweb.c* /etc/pki/tls/certs/

  6. Once the key files are placed in their respective directories, edit the mmweb.conf file in the Apache configuration directory (default /etc/httpd/conf, or use find /etc/ -name "mmweb.conf" to locate the file) with the following changes:

  • change <VirtualHost *:80> to <VirtualHost *:443>

  • add in the references to the key files (amend the path as necessary):

      SSLCertificateFile /etc/pki/tls/certs/mmweb.crt
      SSLCertificateKeyFile /etc/pki/tls/private/mmweb.key

  • enable SSL:

      SSLEngine on
      SSLProtocol all -SSLv2 -SSLv3
      SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA

Note

The default Apache installation may already have a <VirtualHost _default_:443> directive, which may conflict with the mmweb.conf file. Comment out this existing VirtualHost block to avoid errors.

To verify the Web Interface is accessible, navigate to https://web-application.domain.tld. The Micetro Web Interface login should be displayed.
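
The SSLProtocol line above leaves TLS 1.0 and 1.1 enabled, and the SSLCipherSuite string explicitly adds 3DES. The following added example (not part of the original documentation or the product) lints an mmweb.conf-style file for both, and for the directives the Apache steps add. The function name audit_mmweb_conf and the finding labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not vendor code): lint an Apache vhost file for the SSL
# directives this page sets. Prints one finding per line; silent when clean.
audit_mmweb_conf() {
    # Ignore commented-out lines so disabled directives are not counted.
    active=$(grep -v '^[[:space:]]*#' "$1" || true)
    has() { printf '%s\n' "$active" | grep -Eiq "^[[:space:]]*$1"; }
    value() { printf '%s\n' "$active" | sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}//p" | tail -n 1; }

    has '<VirtualHost[[:space:]]+[^>]*:443>' || echo "NO_443_VHOST: no <VirtualHost ...:443> block"
    has 'SSLEngine[[:space:]]+on'            || echo "SSL_OFF: SSLEngine on is missing"
    for d in SSLCertificateFile SSLCertificateKeyFile; do
        has "$d[[:space:]]+/" || echo "MISSING: $d"
    done

    # "all" enables every protocol the OpenSSL build supports, so TLS 1.0 and
    # 1.1 stay on unless each is subtracted explicitly.
    proto=" $(value SSLProtocol) "
    case $proto in *" all "*)
        for p in TLSv1 TLSv1.1; do
            case $proto in *" -$p "*) ;; *) echo "LEGACY_PROTO: $p still enabled" ;; esac
        done ;;
    esac

    # Flag weak cipher keywords that are added rather than excluded with "!".
    for tok in $(value SSLCipherSuite | tr ':' ' '); do
        case $tok in
            3DES|DES|RC4|MD5|LOW|EXPORT|aNULL|eNULL) echo "WEAK_CIPHER: $tok" ;;
        esac
    done
    return 0
}

# Constructed sample: the vhost settings as given on this page.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<VirtualHost *:443>
SSLCertificateFile /etc/pki/tls/certs/mmweb.crt
SSLCertificateKeyFile /etc/pki/tls/private/mmweb.key
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
</VirtualHost>
EOF
audit_mmweb_conf "$sample"
rm -f "$sample"
```

A file that uses SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 and replaces 3DES with !3DES in the cipher string produces no findings.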