Introduction

The HTTPS protocol secures the communication between the clients and the EPC Server. Interfacing supplies a self-signed SSL certificate by default, available out of the box when the server is installed. However, when a client tries to access the EPC Server, the browser warns the user that the certificate is not trusted. In this case, one of two options is available: either add the existing self-signed certificate to the trusted certificate store, or generate a certificate for the EPC Server alias that is trusted by the client browsers.

Prerequisites

  • OpenSSL on a Linux or Windows machine
  • The EPC Server should be accessible from the user’s browser via a DNS alias (e.g. epc.company.com)
  • The person generating the SSL certificate should have access to the Certification Authority and, if the certificate is issued by a public Certification Authority, be able to confirm the certificate request
  • The person should have root access to the Linux host that runs the EPC Docker containers

Generating the CSR and the private key

The following instructions guide you through the CSR generation process for the EPC Server. If you have already generated the CSR and received your trusted SSL certificate, jump to the section “Install/update the SSL Certificate and the private key”.

1. Log in to your server’s terminal, or open a command line on your Windows machine and switch to the OpenSSL directory
2. Enter CSR and Private Key command
Generate a private key and CSR by running the following command:
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
Note: Replace “server” with the EPC DNS alias you intend to secure.
3. Enter your CSR details

Enter the following CSR details when prompted:
Common Name: The EPC DNS Alias (ex. epc.company.com)
Organization: The full legal name of your organization including the corporate identifier.
Organization Unit (OU): Your department such as ‘Information Technology’ or ‘Website Security.’
City or Locality: The locality or city where your organization is legally incorporated. Do not abbreviate.
State or Province: The state or province where your organization is legally incorporated. Do not abbreviate.
Country: The official two-letter country code (e.g. US, CH) where your organization is legally incorporated.
Note: You are not required to enter a password or passphrase. This optional field is for applying additional security to your key pair.

4. Generate the order or submit the CSR to your local Certificate Authority
Locate and open the newly created CSR in a text editor such as Notepad and copy all the text including:
-----BEGIN CERTIFICATE REQUEST-----
and
-----END CERTIFICATE REQUEST-----

5. Obtain the SSL certificate from the Certification authority in PEM format (base 64 encoded)
You should obtain an SSL Certificate and optionally Intermediary and root certificates all in base 64 format

6. (Optional) Chain the SSL certificates in one file
Create one file with all the certificates chained in this order: the EPC certificate, then the intermediate certificate, then the root certificate.
Your file should contain the following sequence:
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
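
Steps 2 and 3 as one non-interactive command, as an added example that is not part of the vendor's instructions: browsers match the host name against the certificate's subjectAltName, so the request carries the alias there as well as in the Common Name, and the CSR is checked before it goes to the CA. The function names, the subject values and epc.company.com are placeholders.

```shell
#!/bin/sh
# Added example (not vendor code). The subject values and epc.company.com
# are placeholders; -addext needs OpenSSL 1.1.1 or later.

# make_csr FQDN OUTDIR -> writes OUTDIR/FQDN.key and OUTDIR/FQDN.csr
make_csr() {
    fqdn=$1; out=$2
    (
        umask 077   # private key is created readable by its owner only
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$out/$fqdn.key" -out "$out/$fqdn.csr" \
            -subj "/C=US/ST=California/L=San Francisco/O=Example Company Inc./OU=Information Technology/CN=$fqdn" \
            -addext "subjectAltName=DNS:$fqdn" 2>/dev/null
    )
}

# csr_ok FQDN CSR -> 0 when the CSR's self-signature verifies and FQDN
# appears both as Common Name and as a DNS subjectAltName.
csr_ok() {
    txt=$(openssl req -in "$2" -noout -verify -text 2>&1)
    echo "$txt" | grep -q "verify OK" || { echo "FAIL: bad CSR signature"; return 1; }
    echo "$txt" | grep -q "CN *= *$1" || { echo "FAIL: CN is not $1"; return 2; }
    echo "$txt" | grep -q "DNS:$1"    || { echo "FAIL: no SAN for $1"; return 3; }
    echo "OK: $2 is ready to submit"
}

# Run as: sh make_csr.sh epc.company.com .
if [ $# -eq 2 ]; then make_csr "$1" "$2" && csr_ok "$1" "$2/$1.csr"; fi
```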

Install/update the SSL Certificate and the private key

1. Connect to the EPC Server Linux host as the root user
2. Switch to the following location: /volumes/nginx/
3. Back up the files cert.pem and key.pem

You can copy them to a different directory or create local copies with the commands:

# cp cert.pem cert.pem.original
# cp key.pem key.pem.original

4. Replace the content of cert.pem with the chained certificate and the content of key.pem with your private key
5. Restart the nginx container by running the following command

# docker restart $(docker ps -aqf name=nginx)

6. Check the SSL certificate in the client browser
Open the EPC Server page in the client browser and check the SSL certificate (clear the browser cache before checking). Revert to the backed-up certificate if the nginx container doesn’t start or you see a wrong certificate in the browser.
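
A check to run on the new files before step 4, as an added example that is not part of the vendor's instructions: it confirms that the private key belongs to the first certificate in the file, that the certificate is not about to expire, and that it is issued for the DNS alias. The function name check_pair and the host name epc.company.com are placeholders.

```shell
#!/bin/sh
# Added example (not vendor code): sanity checks on a new cert.pem / key.pem
# pair before it replaces the files in /volumes/nginx/.

# check_pair CERT KEY HOSTNAME -> 0 if safe to install, non-zero otherwise.
# "openssl x509" reads only the first PEM block, so in a chained file these
# checks apply to the first certificate, which must be the EPC certificate.
check_pair() {
    cert=$1; key=$2; host=$3

    # 1. Both files must parse; an encrypted key is rejected, not prompted for.
    openssl x509 -in "$cert" -noout 2>/dev/null ||
        { echo "FAIL: $cert does not start with a PEM certificate"; return 1; }
    openssl pkey -in "$key" -passin pass: -noout 2>/dev/null ||
        { echo "FAIL: $key is not a readable, unencrypted private key"; return 1; }

    # 2. The certificate's public key must be the one derived from the key.
    c=$(openssl x509 -in "$cert" -noout -pubkey | openssl dgst -sha256)
    k=$(openssl pkey -in "$key" -passin pass: -pubout | openssl dgst -sha256)
    [ "$c" = "$k" ] ||
        { echo "FAIL: private key does not match certificate"; return 2; }

    # 3. Still valid 24 hours from now.
    openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null ||
        { echo "FAIL: certificate is expired or expires within a day"; return 3; }

    # 4. Issued for the DNS alias that browsers will use.
    openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q "does match" ||
        { echo "FAIL: certificate is not valid for $host"; return 4; }

    echo "OK: $cert and $key match and are valid for $host"
}

# Run as: sh check_pair.sh cert.pem key.pem epc.company.com
if [ $# -eq 3 ]; then check_pair "$@"; fi
```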

(Optional) Disable the SSL enforcement

By default, EPC is configured to redirect the client’s browser to the HTTPS encrypted connection. This behavior can be disabled.
1. Connect to the EPC Server Linux host as the root user
2. Switch to the following location /volumes/nginx/
3. Edit the file force-https.conf
4. Comment all the lines by inserting a # character before every line in the file and save the file
5. Restart the nginx container by running the following command

# docker restart $(docker ps -aqf name=nginx)

6. The client browser will not be redirected to HTTPS when the client opens the HTTP connection to the EPC Server.
Please note, this is strongly discouraged, as all the traffic between the client and the server is passed in clear text over the network.
