How to secure infoworks services with self signed SSL certificate in 5.0


Description: A self-signed SSL certificate is a certificate signed by the person who created it rather than by a trusted certificate authority (CA). Self-signed certificates can have the same level of encryption as a trusted CA-signed SSL certificate.

Web browsers do not recognize the self-signed certificates as valid. When using a self-signed certificate, the web browser shows a warning to the visitor that the website certificate cannot be verified.

Self-signed certificates are used for testing purposes or internal usage and should not be used in production systems that are exposed to the Internet.

Prerequisites:

The OpenSSL toolkit is required to generate a self-signed certificate.

Steps to create a self signed certificate:

sudo openssl req -x509 -nodes -newkey rsa:2048 -keyout /destination/directory/private.key -out /destination/directory/certificate.crt


Steps to add the certificate and key files in Infoworks:

1) Once we have the certificate and key files generated, navigate to the Nginx configuration directory using the following command: cd ${IW_HOME}/resources/nginx-portable/conf/infoworks

2) vi platform.conf.template

3) Add the string ssl after the proxy_server_port as follows: listen ${PROXY_SERVER_PORT} ssl;

4) Uncomment # ssl_certificate /etc/nginx/ssl/infoworks_ssl.crt; line. Update it to ssl_certificate /infoworks_ssl.crt;

5) Uncomment # ssl_certificate_key /etc/nginx/ssl/infoworks_ssl.key; line. Update it to ssl_certificate_key /infoworks_ssl.key;

6) Update the conf.properties file by changing the key: proxy_server_scheme=https

7) Restart all Infoworks services using the following commands:

cd ${IW_HOME}/bin

$IW_HOME/bin/stop.sh all mongo

$IW_HOME/bin/start.sh mongo all
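The following shell functions are an added example, not part of the original article or of Infoworks tooling: they generate the pair without prompts and check it before the restart in step 7. The file names follow steps 4 and 5; the function names, the host name passed in and the lifetime are assumptions, and -addext requires OpenSSL 1.1.1 or later.

```sh
#!/bin/sh
# Added example. File names follow the article; function names are assumptions.

# Generate key and self-signed certificate without prompts. -days is set
# explicitly because `openssl req -x509` otherwise issues for 30 days;
# the SAN carries the host name clients verify. -addext needs OpenSSL 1.1.1+.
make_cert() {  # usage: make_cert DIR HOSTNAME DAYS
    openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days "$3" \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -keyout "$1/infoworks_ssl.key" -out "$1/infoworks_ssl.crt" \
        2>/dev/null || return 1
    chmod 600 "$1/infoworks_ssl.key"
}

# True if the certificate's public key is the one derived from the private key.
# Nginx refuses to start on a mismatched pair, so check before restarting.
pair_matches() {  # usage: pair_matches CERT KEY
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# True if the certificate is still valid SECONDS from now.
valid_for() {  # usage: valid_for CERT SECONDS
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# True if HOSTNAME appears as a DNS subjectAltName entry.
has_san() {  # usage: has_san CERT HOSTNAME
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -qF "DNS:$2"
}

# True if group and others have no permission bits on the key file.
key_is_private() {  # usage: key_is_private KEY
    case "$(ls -ld "$1" 2>/dev/null)" in
        ????------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run every check; print what failed and return non-zero on any failure.
preflight() {  # usage: preflight CERT KEY HOSTNAME
    rc=0
    pair_matches "$1" "$2"   || { echo "key does not match certificate"; rc=1; }
    valid_for "$1" 2592000   || { echo "expires within 30 days"; rc=1; }
    has_san "$1" "$3"        || { echo "no SAN for $3"; rc=1; }
    key_is_private "$2"      || { echo "key readable by group/other"; rc=1; }
    return "$rc"
}
```

Call `make_cert` with the directory that steps 4 and 5 point at, then run `preflight` on the two files with the host name users browse to; restart the services only if it returns 0.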

Since the certificate is not signed by a third-party CA, we need to add it to the Java keystore of the Infoworks node and the master node. If the certificate is a third-party CA-approved certificate, you can ignore the steps mentioned below.

Steps to add the self-signed Infoworks certificate to the Java keystore (this needs to be executed on the Infoworks node and on the EMR master node):

A KeyStore, as the name suggests, is basically a repository of certificates, public keys and private keys. JDK distributions ship with an executable to help manage them, the keytool.

sudo keytool -import -keystore JAVA_HOME/jre/lib/security/cacerts -alias self_signed_cert_for_HTTPS -file /Absolute/path/of/certificate.crt

Note:

a) The default password is changeit.

b) JAVA_HOME is the Java installation used by Infoworks services on the Edge node. To locate the Java used by IWX on the Edge node, perform the steps below.

Log in to the Edge node as the user who starts Infoworks services.

source env.sh

Run the command which java and go to the corresponding java directory.

On the EMR master node, locate the installed Java and then run the keytool import command to import the Infoworks certificate into the Java keystore.


Note: The Infoworks UI cannot be accessed from the latest version of Google Chrome if HTTPS is enabled with a self-signed certificate. In that case, switch to a different browser such as Firefox or Safari.
