This guide explains the steps followed when setting up HTTPS for the Comstice Wallboard on a Red Hat server. Please note that the file names (e.g. example.com.crt) and any acronyms used are for the sake of demonstration. You will need to rename the files to match your own environment.
Ensure that SELinux is disabled and that the following ports are open:
- 80
- 8080
- 443
- 8443
- 3000
- 2778
- 8445
- Create an SSL directory
$ mkdir /opt/ssl
$ chown -R comstice:comstice /opt/ssl
- Go into the SSL directory and generate the key
$ cd /opt/ssl
$ openssl genrsa -out wallboard.key 2048
- Create the Certificate Request
$ openssl req -new -key wallboard.key -out wallboard.csr
- Create your self-signed certificates
$ openssl x509 -req -days 1095 -in wallboard.csr -signkey wallboard.key -out wallboard.crt
- Copy the cer and key files and rename them as wallboard.cer and wallboard.key
- If you have a CER file, you need to convert it to a crt file. Try the command below:
$ openssl x509 -inform DER -in wallboard.cer -out wallboard.crt
- If the above doesn't work, try the command below
$ openssl x509 -inform PEM -in wallboard.cer -out wallboard.crt
- Copying the files
$ cp wallboard.crt /etc/pki/tls/certs/
$ cp wallboard.key /etc/pki/tls/private/
$ cp wallboard.csr /etc/pki/tls/private/
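A pre-deployment check for the key and certificate files created in the steps above, given as an added example that is not part of the original guide or of Comstice's own tooling. It reports whether a certificate file is PEM or DER (instead of trying both conversions), confirms the certificate belongs to wallboard.key, and checks expiry and key file permissions; the function names and the 30-day threshold are assumptions.

```shell
#!/bin/sh
# Added example: sanity checks for wallboard.key / wallboard.crt / wallboard.cer.
# Function names and the 30-day default are illustrative, not from the guide.

# Print PEM, DER or UNKNOWN for a certificate file.
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo PEM
    elif openssl x509 -inform DER -in "$1" -noout 2>/dev/null; then
        echo DER
    else
        echo UNKNOWN
    fi
}

# Succeed only if the certificate carries the public key of the given private key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeed only if the certificate is still valid N days from now (default 30).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# Succeed only if the key file grants no permissions to group or others.
key_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Run every check against a directory laid out as in the guide (default /opt/ssl).
check_wallboard_tls() {
    dir=${1:-/opt/ssl}; rc=0
    echo "wallboard.crt encoding: $(cert_format "$dir/wallboard.crt")"
    cert_matches_key "$dir/wallboard.crt" "$dir/wallboard.key" \
        || { echo "FAIL: certificate and key do not match (or cannot be read)"; rc=1; }
    cert_valid_for_days "$dir/wallboard.crt" 30 \
        || { echo "FAIL: certificate expires within 30 days"; rc=1; }
    key_is_private "$dir/wallboard.key" \
        || { echo "FAIL: wallboard.key is accessible to group or others"; rc=1; }
    return $rc
}
```

Source the file and run check_wallboard_tls /opt/ssl before copying the files into place; a non-zero return means at least one check failed.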
HTTPD | Apache2 Service
$ yum -y install openssl openssl-devel mod_ssl
Check if mod_ssl is properly installed
$ rpm -q mod_ssl
Check if it is loaded as a module into httpd server
$ apachectl -M | grep ssl
Open the ssl.conf file and update the following lines
$ vi /etc/httpd/conf.d/ssl.conf
$ i
Update the following lines
SSLCertificateFile /etc/pki/tls/certs/wallboard.crt
SSLCertificateKeyFile /etc/pki/tls/private/wallboard.key
Restart Apache
$ service httpd restart
In the browser, verify that this URL is accessible: https://your_wallboard_ip_address
Enabling HTTPS in Express
$ cd /opt/www/express/bin
In this folder there is already a key file and a cert file. Copy your key and crt files here under the same names, i.e. overwrite the existing files so that the file names stay as before. Also make sure that the files are owned by the comstice user.
$ cp /opt/ssl/wallboard.key comstice_uccx.com.key
$ cp /opt/ssl/wallboard.crt comstice_uccx.com.cert
$ chown -R comstice:comstice /opt/www/express
$ systemctl restart express
$ systemctl status express (make sure that it is active)
In the browser, test the Express Service HTTPS port. You should get a JSON response saying "no profile found" or one like the response below
https://your_wallboard_ip_address:2778/profile/allprofiles
{"user_id":"5822d036b97c0bf059589add","profilematching":[{"profile_name":"denem", "user_name":"osman"},{"profile_name":"all_Access","user_name":"comstice"},{"profile_name":"Testing","user_name":"yigit7.zorlu"}]}
Enabling HTTPS in Java Dropwizard
Go back to the ssl folder
$ cd /opt/ssl
Create the Java Keystore file and add the cert and key to it. Enter a password of your choice. This password will then be entered in the config.yml file
$ openssl pkcs12 -export -in wallboard.crt -inkey wallboard.key -out keystore.p12 -CAfile temp.crt
Convert PKCS12 keystore to JKS
$ keytool -importkeystore -srckeystore keystore.p12 -destkeystore keystore.jks -srcstoretype pkcs12 -deststoretype jks
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.jks -deststoretype pkcs12".
Update the config.yml file
$ vi /opt/informix/config.yml
$ i
Enter the following and save.
server:
  applicationConnectors:
    - type: http
      port: 8080
    - type: https
      port: 8445
      keyStorePath: ./keystore/KeyStore.jks
      keyStorePassword: "myPassword"
      validateCerts: false
      validatePeers: false
Enter Esc :wq (colon write quit to save)
Restart the service
$ systemctl restart wallboard
Modifying Express Settings
$ cd /opt/www/universal/js
$ vi setting.js
$ i
url: "https://wallboard.example.com:8445", //http://www.uccedemo.co:8080
url_page: "https://wallboard.example.com/universal", // Url of Home Page //http://www.uccedemo.co/universal
server_url: "https://wallboard.example.com:2778", //http://www.uccedemo.co:3000
Restart the server and test HTTPS. You must use the hostname of the server, such as wallboard.comstice.com, and the domain must match the certificate domain.
https://wallboard.example.com:8445/csqname/allcsqs
https://wallboard.example.com:2778/profile/allprofiles
https://wallboard.example.com/universal
$ service wallboard restart