|
@@ -1,383 +1,550 @@
|
|
|
<?xml version="1.0" encoding="utf-8"?>
|
|
|
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
|
|
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
|
|
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
|
|
|
-<sect1 id="ssl4esp">
|
|
|
- <title>Configuring ESP Server to use HTTPS (SSL)</title>
|
|
|
+ <chapter id="SSLModuleWrapperChap">
|
|
|
+ <title>Chapter Level Wrapper</title>
|
|
|
|
|
|
- <para>The HPCC Enterprise Services Platform server (ESP) supports Secure
|
|
|
- Sockets Layer (SSL), a protocol used to send and receive private data or
|
|
|
- documents.</para>
|
|
|
+ <para>This is a Chapter Wrapper for an included
|
|
|
+ <Sect1> module.</para>
|
|
|
|
|
|
- <para>SSL works by using a private key to encrypt and decrypt data
|
|
|
- transferred over the SSL connection. By convention, URLs using an SSL
|
|
|
- connection start with HTTPS instead of HTTP.</para>
|
|
|
+ <sect1 id="ssl4esp">
|
|
|
+ <title>Configuring ESP Server to use HTTPS (SSL)</title>
|
|
|
|
|
|
- <para>The SSL option in the ESP Server allows secure and encrypted
|
|
|
- communication between a browser or SOAP client application and the HPCC
|
|
|
- platform.</para>
|
|
|
+ <para>The HPCC Enterprise Services Platform server (ESP) supports Secure
|
|
|
+ Sockets Layer (SSL), a protocol used to send and receive private data or
|
|
|
+ documents.</para>
|
|
|
|
|
|
- <para>SSL capabilities are configured in the Configuration Manager, but
|
|
|
- require a certificate be installed on the ESP server. The OpenSSL libraries
|
|
|
- provide a means to create the necessary certificate files in one of two
|
|
|
- ways.</para>
|
|
|
+ <para>SSL works by using a private key to encrypt and decrypt data
|
|
|
+ transferred over the SSL connection. By convention, URLs using an SSL
|
|
|
+ connection start with HTTPS instead of HTTP.</para>
|
|
|
|
|
|
- <itemizedlist mark="bullet">
|
|
|
- <listitem>
|
|
|
- <para>You can use the OpenSSL libraries to create a private key and a
|
|
|
- Certificate Signing Request (CSR) to purchase a certificate from a
|
|
|
- Certificate Issuing Authority (such as, VeriSign).</para>
|
|
|
- </listitem>
|
|
|
+ <para>The SSL option in the ESP Server allows secure and encrypted
|
|
|
+ communication between a browser or SOAP client application and the HPCC
|
|
|
+ platform.</para>
|
|
|
|
|
|
- <listitem>
|
|
|
- <para>You can use that CSR to generate your own self-signed certificate
|
|
|
- and then install the certificate and private key to your ESP
|
|
|
- Server.</para>
|
|
|
- </listitem>
|
|
|
- </itemizedlist>
|
|
|
+ <para>SSL capabilities are configured in the Configuration Manager, but
|
|
|
+ require a certificate be installed on the ESP server. The OpenSSL
|
|
|
+ libraries provide a means to create the necessary certificate files in
|
|
|
+ one of two ways.</para>
|
|
|
|
|
|
- <para>In either case, once installed and configured, the network traffic is
|
|
|
- encrypted and secure. The Public and Private Keys use 1024-bit RSA
|
|
|
- encryption.</para>
|
|
|
+ <itemizedlist mark="bullet">
|
|
|
+ <listitem>
|
|
|
+ <para>You can use the OpenSSL libraries to create a private key and
|
|
|
+ a Certificate Signing Request (CSR) to purchase a certificate from a
|
|
|
+ Certificate Issuing Authority (such as, VeriSign).</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>You can use that CSR to generate your own self-signed
|
|
|
+ certificate and then install the certificate and private key to your
|
|
|
+ ESP Server.</para>
|
|
|
+ </listitem>
|
|
|
+ </itemizedlist>
|
|
|
|
|
|
- <sect2 id="ConfigureESP_GenerateRSAPrivateKey">
|
|
|
- <title><emphasis role="bold">Generate an RSA Private
|
|
|
- Key</emphasis></title>
|
|
|
+ <para>In either case, once installed and configured, the network traffic
|
|
|
+ is encrypted and secure. The Public and Private Keys use 1024-bit RSA
|
|
|
+ encryption.</para>
|
|
|
|
|
|
- <para>Use the OpenSSL toolkit to generate an RSA Private Key and a
|
|
|
- Certificate Signing Request (CSR). This can also be the basis for a
|
|
|
- self-signed certificate. Self-signed certificates are useful for internal
|
|
|
- use or testing.</para>
|
|
|
+ <sect2 id="ConfigureESP_GenerateRSAPrivateKey">
|
|
|
+ <title><emphasis role="bold">Generate an RSA Private
|
|
|
+ Key</emphasis></title>
|
|
|
|
|
|
- <para>In our example, we create a 1024-bit RSA Private Key which is
|
|
|
- encrypted using Triple-DES encryption and stored in Privacy Enhanced Mail
|
|
|
- (PEM) format.</para>
|
|
|
+ <para>Use the OpenSSL toolkit to generate an RSA Private Key and a
|
|
|
+ Certificate Signing Request (CSR). This can also be the basis for a
|
|
|
+ self-signed certificate. Self-signed certificates are useful for
|
|
|
+ internal use or testing.</para>
|
|
|
|
|
|
- <programlisting>openssl genrsa -des3 -out server.key 1024</programlisting>
|
|
|
+ <para>In our example, we create a 1024-bit RSA Private Key which is
|
|
|
+ encrypted using Triple-DES encryption and stored in Privacy Enhanced
|
|
|
+ Mail (PEM) format.</para>
|
|
|
|
|
|
- <para>When prompted, provide a passphrase. This is used as the basis for
|
|
|
- the encryption.</para>
|
|
|
+ <programlisting>openssl genrsa -des3 -out server.key 1024</programlisting>
|
|
|
|
|
|
- <para><emphasis role="bold">Remember this passphrase as you will need to
|
|
|
- enter it into the Configuration Manager later.</emphasis></para>
|
|
|
- </sect2>
|
|
|
+ <para>When prompted, provide a passphrase. This is used as the basis
|
|
|
+ for the encryption.</para>
|
|
|
|
|
|
- <sect2 id="ConfigureESP_GenerateCSReq" role="brk">
|
|
|
- <title><emphasis role="bold">Generate a CSR (Certificate Signing
|
|
|
- Request)</emphasis></title>
|
|
|
+ <para><emphasis role="bold">Remember this passphrase as you will need
|
|
|
+ to enter it into the Configuration Manager later.</emphasis></para>
|
|
|
+ </sect2>
|
|
|
|
|
|
- <para>After you have a private key, you can use it to create a Certificate
|
|
|
- Signing Request (CSR). You can use your CSR to request a signed
|
|
|
- certificate from a Certificate Authority (such as Verisign or Network
|
|
|
- Solutions). You can also use the CSR to create a self-signed
|
|
|
- certificate.</para>
|
|
|
+ <sect2 id="ConfigureESP_GenerateCSReq" role="brk">
|
|
|
+ <title><emphasis role="bold">Generate a CSR (Certificate Signing
|
|
|
+ Request)</emphasis></title>
|
|
|
|
|
|
- <programlisting>openssl req -new -key server.key -out server.csr </programlisting>
|
|
|
+ <para>After you have a private key, you can use it to create a
|
|
|
+ Certificate Signing Request (CSR). You can use your CSR to request a
|
|
|
+ signed certificate from a Certificate Authority (such as Verisign or
|
|
|
+ Network Solutions). You can also use the CSR to create a self-signed
|
|
|
+ certificate.</para>
|
|
|
|
|
|
- <para>Answer the questions when prompted:</para>
|
|
|
+ <programlisting>openssl req -new -key server.key -out server.csr </programlisting>
|
|
|
|
|
|
- <para><informaltable colsep="1" frame="all" rowsep="1">
|
|
|
- <tgroup cols="2">
|
|
|
- <colspec colwidth="243.90pt" />
|
|
|
+ <para>Answer the questions when prompted:</para>
|
|
|
|
|
|
- <colspec colwidth="234.90pt" />
|
|
|
+ <para><informaltable colsep="1" frame="all" rowsep="1">
|
|
|
+ <tgroup cols="2">
|
|
|
+ <colspec colwidth="243.90pt" />
|
|
|
|
|
|
- <tbody>
|
|
|
- <row>
|
|
|
- <entry>Country Name (2 letter code):</entry>
|
|
|
+ <colspec colwidth="234.90pt" />
|
|
|
|
|
|
- <entry></entry>
|
|
|
- </row>
|
|
|
+ <tbody>
|
|
|
+ <row>
|
|
|
+ <entry>Country Name (2 letter code):</entry>
|
|
|
|
|
|
- <row>
|
|
|
- <entry>State or Province Name (full name):</entry>
|
|
|
+ <entry></entry>
|
|
|
+ </row>
|
|
|
|
|
|
- <entry></entry>
|
|
|
- </row>
|
|
|
+ <row>
|
|
|
+ <entry>State or Province Name (full name):</entry>
|
|
|
|
|
|
- <row>
|
|
|
- <entry>Locality Name (eg, city) :</entry>
|
|
|
+ <entry></entry>
|
|
|
+ </row>
|
|
|
|
|
|
- <entry></entry>
|
|
|
- </row>
|
|
|
+ <row>
|
|
|
+ <entry>Locality Name (eg, city) :</entry>
|
|
|
|
|
|
- <row>
|
|
|
- <entry>Organization Name (eg, company) :</entry>
|
|
|
+ <entry></entry>
|
|
|
+ </row>
|
|
|
|
|
|
- <entry></entry>
|
|
|
- </row>
|
|
|
+ <row>
|
|
|
+ <entry>Organization Name (eg, company) :</entry>
|
|
|
|
|
|
- <row>
|
|
|
- <entry>Organizational Unit Name (eg, section) :</entry>
|
|
|
+ <entry></entry>
|
|
|
+ </row>
|
|
|
|
|
|
- <entry></entry>
|
|
|
- </row>
|
|
|
+ <row>
|
|
|
+ <entry>Organizational Unit Name (eg, section) :</entry>
|
|
|
|
|
|
- <row>
|
|
|
- <entry>Common Name (e.g., server’s hostname):</entry>
|
|
|
+ <entry></entry>
|
|
|
+ </row>
|
|
|
|
|
|
- <entry></entry>
|
|
|
- </row>
|
|
|
+ <row>
|
|
|
+ <entry>Common Name (e.g., server’s hostname):</entry>
|
|
|
|
|
|
- <row>
|
|
|
- <entry>Email Address :</entry>
|
|
|
+ <entry></entry>
|
|
|
+ </row>
|
|
|
|
|
|
- <entry></entry>
|
|
|
- </row>
|
|
|
+ <row>
|
|
|
+ <entry>Email Address :</entry>
|
|
|
|
|
|
- <row>
|
|
|
- <entry>A challenge password (optional):</entry>
|
|
|
+ <entry></entry>
|
|
|
+ </row>
|
|
|
|
|
|
- <entry></entry>
|
|
|
- </row>
|
|
|
+ <row>
|
|
|
+ <entry>A challenge password (optional):</entry>
|
|
|
|
|
|
- <row>
|
|
|
- <entry>An optional company name (optional):</entry>
|
|
|
+ <entry></entry>
|
|
|
+ </row>
|
|
|
|
|
|
- <entry></entry>
|
|
|
- </row>
|
|
|
- </tbody>
|
|
|
- </tgroup>
|
|
|
- </informaltable></para>
|
|
|
- </sect2>
|
|
|
+ <row>
|
|
|
+ <entry>An optional company name (optional):</entry>
|
|
|
|
|
|
- <sect2 id="ConfigureESP_GenerateSelf-Signed_Certificate">
|
|
|
- <title><emphasis role="bold">Generate a Self-Signed
|
|
|
- Certificate</emphasis></title>
|
|
|
+ <entry></entry>
|
|
|
+ </row>
|
|
|
+ </tbody>
|
|
|
+ </tgroup>
|
|
|
+ </informaltable></para>
|
|
|
+ </sect2>
|
|
|
|
|
|
- <para>To generate a temporary certificate, which is good for up to 365
|
|
|
- days, issue the following command:</para>
|
|
|
+ <sect2 id="ConfigureESP_GenerateSelf-Signed_Certificate">
|
|
|
+ <title><emphasis role="bold">Generate a Self-Signed
|
|
|
+ Certificate</emphasis></title>
|
|
|
|
|
|
- <programlisting>openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt </programlisting>
|
|
|
+ <para>To generate a temporary certificate, which is good for up to 365
|
|
|
+ days, issue the following command:</para>
|
|
|
|
|
|
- <para>When prompted, enter the passphrase you used earlier when creating
|
|
|
- your CSR.</para>
|
|
|
- </sect2>
|
|
|
+ <programlisting>openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt </programlisting>
|
|
|
|
|
|
- <sect2 id="ConfigureESP_InstallPrivateKeyandCertificate">
|
|
|
- <title><emphasis role="bold">Installing the Private Key and Certificate to
|
|
|
- your ESP Server</emphasis></title>
|
|
|
+ <para>When prompted, enter the passphrase you used earlier when
|
|
|
+ creating your CSR.</para>
|
|
|
+ </sect2>
|
|
|
|
|
|
- <para>You must install the certificate and private key on all ESP server
|
|
|
- node(s) that will host a service binding using SSL.</para>
|
|
|
+ <sect2 id="ConfigureESP_InstallPrivateKeyandCertificate">
|
|
|
+ <title><emphasis role="bold">Installing the Private Key and
|
|
|
+ Certificate to your ESP Server</emphasis></title>
|
|
|
|
|
|
- <para>Your PrivateKey and certificate must be copied to
|
|
|
- /var/lib/HPCCSystems/myesp/.</para>
|
|
|
+ <para>You must install the certificate and private key on all ESP
|
|
|
+ server node(s) that will host a service binding using SSL.</para>
|
|
|
|
|
|
- <programlisting># For example:
|
|
|
+ <para>Your PrivateKey and certificate must be copied to
|
|
|
+ /var/lib/HPCCSystems/myesp/.</para>
|
|
|
+
|
|
|
+ <programlisting># For example:
|
|
|
sudo cp server.crt /var/lib/HPCCSystems/myesp/certificate.cer
|
|
|
sudo cp server.key /var/lib/HPCCSystems/myesp/privatekey.cer
|
|
|
</programlisting>
|
|
|
- </sect2>
|
|
|
+ </sect2>
|
|
|
|
|
|
- <sect2 id="ConfigureHTTPSonESPServer" role="brk">
|
|
|
- <title><emphasis role="bold">Configure HTTPS on your ESP
|
|
|
- Server</emphasis></title>
|
|
|
+ <sect2 id="ConfigureHTTPSonESPServer" role="brk">
|
|
|
+ <title><emphasis role="bold">Configure HTTPS on your ESP
|
|
|
+ Server</emphasis></title>
|
|
|
|
|
|
- <sect3 id="Start_ConfigMgrAdvancedMode">
|
|
|
- <title><emphasis role="bold">Start Configuration Manager in Advanced
|
|
|
- Mode</emphasis></title>
|
|
|
+ <sect3 id="Start_ConfigMgrAdvancedMode">
|
|
|
+ <title><emphasis role="bold">Start Configuration Manager in Advanced
|
|
|
+ Mode</emphasis></title>
|
|
|
|
|
|
- <orderedlist numeration="arabic">
|
|
|
- <listitem>
|
|
|
- <para>Start the Configuration Manager Service on one node (usually
|
|
|
- the first node is considered the head node and is used for this
|
|
|
- task, but this is up to you).</para>
|
|
|
+ <orderedlist numeration="arabic">
|
|
|
+ <listitem>
|
|
|
+ <para>Start the Configuration Manager Service on one node
|
|
|
+ (usually the first node is considered the head node and is used
|
|
|
+ for this task, but this is up to you).</para>
|
|
|
|
|
|
- <para><programlisting>sudo /opt/HPCCSystems/sbin/configmgr
|
|
|
+ <para><programlisting>sudo /opt/HPCCSystems/sbin/configmgr
|
|
|
</programlisting></para>
|
|
|
- </listitem>
|
|
|
-
|
|
|
- <listitem>
|
|
|
- <para>Using a Web browser, go to the Configuration Manager's
|
|
|
- interface.</para>
|
|
|
-
|
|
|
- <para>Use the url of http://nnn.nnn.nnn.nnn:pppp, where
|
|
|
- nnn.nnn.nnn.nnn is the IP address of the node running Configuration
|
|
|
- Manager and pppp is the port (default is 8015).</para>
|
|
|
-
|
|
|
- <para>The Configuration Manager startup wizard displays.</para>
|
|
|
- </listitem>
|
|
|
-
|
|
|
- <listitem>
|
|
|
- <para>Select <emphasis role="bold">Advanced View</emphasis>.</para>
|
|
|
- </listitem>
|
|
|
-
|
|
|
- <listitem>
|
|
|
- <para>Select an XML file from the drop list.</para>
|
|
|
-
|
|
|
- <para>This list is populated from versions of an environment XML
|
|
|
- file in your server's <emphasis
|
|
|
- role="bold">/etc/HPCCSystems/source/</emphasis> directory.</para>
|
|
|
-
|
|
|
- <para><emphasis role="bold">Tip</emphasis>: The XML file that
|
|
|
- matches the active environment.xml is highlighted.</para>
|
|
|
- </listitem>
|
|
|
-
|
|
|
- <listitem>
|
|
|
- <para>Press the <emphasis role="bold">Next</emphasis> button.</para>
|
|
|
-
|
|
|
- <para>The Configuration Manager Advanced View interface
|
|
|
- displays.</para>
|
|
|
- </listitem>
|
|
|
-
|
|
|
- <listitem>
|
|
|
- <para>Check the <emphasis role="bold">Write Access </emphasis>box at
|
|
|
- the top of the page.</para>
|
|
|
- </listitem>
|
|
|
- </orderedlist>
|
|
|
- </sect3>
|
|
|
-
|
|
|
- <sect3 id="Configure_ESP_forHTTPS" role="brk">
|
|
|
- <title><emphasis role="bold">Configure ESP</emphasis></title>
|
|
|
-
|
|
|
- <orderedlist numeration="arabic">
|
|
|
- <listitem>
|
|
|
- <para>Select ESP - MyEsp in the Navigator panel on the left
|
|
|
- side.</para>
|
|
|
- </listitem>
|
|
|
-
|
|
|
- <listitem>
|
|
|
- <para>Select the <emphasis role="bold">HTTPS</emphasis> tab. <figure>
|
|
|
- <title>Select HTTPS Tab</title>
|
|
|
-
|
|
|
- <mediaobject>
|
|
|
- <imageobject>
|
|
|
- <imagedata fileref="../../images/ssl-01.jpg" />
|
|
|
- </imageobject>
|
|
|
- </mediaobject>
|
|
|
- </figure></para>
|
|
|
- </listitem>
|
|
|
-
|
|
|
- <listitem>
|
|
|
- <para>In the <emphasis role="bold">passphrase</emphasis> entry
|
|
|
- control, enter the passphrase you used earlier when you created the
|
|
|
- private key.</para>
|
|
|
- </listitem>
|
|
|
-
|
|
|
- <listitem>
|
|
|
- <para>When prompted, provide the passphrase again.</para>
|
|
|
- </listitem>
|
|
|
-
|
|
|
- <listitem>
|
|
|
- <para>Click the disk icon to save.</para>
|
|
|
- </listitem>
|
|
|
- </orderedlist>
|
|
|
- </sect3>
|
|
|
-
|
|
|
- <sect3 id="ConfigureOneorMoreSSLEnabledServiceBindings">
|
|
|
- <title><emphasis role="bold">Configure one or more SSL-Enabled Service
|
|
|
- Bindings</emphasis></title>
|
|
|
-
|
|
|
- <orderedlist numeration="arabic">
|
|
|
- <listitem>
|
|
|
- <para>Select the ESP Service Bindings tab.</para>
|
|
|
- </listitem>
|
|
|
-
|
|
|
- <listitem>
|
|
|
- <para>Right-click on the list of services, then select <emphasis
|
|
|
- role="bold">Add</emphasis>.</para>
|
|
|
- </listitem>
|
|
|
-
|
|
|
- <listitem>
|
|
|
- <para>Provide a name for the binding (e.g., myws_ecl_ssl)</para>
|
|
|
- </listitem>
|
|
|
-
|
|
|
- <listitem>
|
|
|
- <para>Select myws_ecl from the service drop-list.</para>
|
|
|
-
|
|
|
- <figure>
|
|
|
- <title>myws_ecl</title>
|
|
|
-
|
|
|
- <mediaobject>
|
|
|
- <imageobject>
|
|
|
- <imagedata fileref="../../images/ssl-02.jpg" />
|
|
|
- </imageobject>
|
|
|
- </mediaobject>
|
|
|
- </figure>
|
|
|
- </listitem>
|
|
|
-
|
|
|
- <listitem>
|
|
|
- <para>Select https from the protocol drop-list.</para>
|
|
|
-
|
|
|
- <figure>
|
|
|
- <title>Select HTTPS</title>
|
|
|
-
|
|
|
- <mediaobject>
|
|
|
- <imageobject>
|
|
|
- <imagedata fileref="../../images/ssl-04.jpg" />
|
|
|
- </imageobject>
|
|
|
- </mediaobject>
|
|
|
- </figure>
|
|
|
-
|
|
|
- <para><emphasis role="bold">Note:</emphasis> If you have not
|
|
|
- previously edited the port, the change from http to https triggers
|
|
|
- Configuration Manager to automatically change the port to the
|
|
|
- default port for https (18002). It only updates automatically if the
|
|
|
- port has not been edited.</para>
|
|
|
- </listitem>
|
|
|
-
|
|
|
- <listitem>
|
|
|
- <para>Click the disk icon to save</para>
|
|
|
- </listitem>
|
|
|
- </orderedlist>
|
|
|
- </sect3>
|
|
|
- </sect2>
|
|
|
-
|
|
|
- <sect2 id="DistributeEnvironmentConfigFileToAllNodes" role="brk">
|
|
|
- <title><emphasis role="bold">Distribute the environment configuration file
|
|
|
- to all nodes, Restart, and Certify</emphasis></title>
|
|
|
-
|
|
|
- <para>Once your environment is set up as desired, you must copy the
|
|
|
- configuration file out to the other nodes.</para>
|
|
|
-
|
|
|
- <orderedlist numeration="arabic">
|
|
|
- <listitem>
|
|
|
- <para>If it is running, stop the system.</para>
|
|
|
-
|
|
|
- <para>Make sure system is stopped before attempting to move the
|
|
|
- environment.xml file.</para>
|
|
|
- </listitem>
|
|
|
-
|
|
|
- <listitem>
|
|
|
- <para>Back up the original environment.xml file</para>
|
|
|
-
|
|
|
- <programlisting># for example
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Using a Web browser, go to the Configuration Manager's
|
|
|
+ interface.</para>
|
|
|
+
|
|
|
+ <para>Use the url of http://nnn.nnn.nnn.nnn:pppp, where
|
|
|
+ nnn.nnn.nnn.nnn is the IP address of the node running
|
|
|
+ Configuration Manager and pppp is the port (default is
|
|
|
+ 8015).</para>
|
|
|
+
|
|
|
+ <para>The Configuration Manager startup wizard displays.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Select <emphasis role="bold">Advanced
|
|
|
+ View</emphasis>.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Select an XML file from the drop list.</para>
|
|
|
+
|
|
|
+ <para>This list is populated from versions of an environment XML
|
|
|
+ file in your server's <emphasis
|
|
|
+ role="bold">/etc/HPCCSystems/source/</emphasis>
|
|
|
+ directory.</para>
|
|
|
+
|
|
|
+ <para><emphasis role="bold">Tip</emphasis>: The XML file that
|
|
|
+ matches the active environment.xml is highlighted.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Press the <emphasis role="bold">Next</emphasis>
|
|
|
+ button.</para>
|
|
|
+
|
|
|
+ <para>The Configuration Manager Advanced View interface
|
|
|
+ displays.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Check the <emphasis role="bold">Write Access
|
|
|
+ </emphasis>box at the top of the page.</para>
|
|
|
+ </listitem>
|
|
|
+ </orderedlist>
|
|
|
+ </sect3>
|
|
|
+
|
|
|
+ <sect3 id="Configure_ESP_forHTTPS" role="brk">
|
|
|
+ <title><emphasis role="bold">Configure ESP</emphasis></title>
|
|
|
+
|
|
|
+ <orderedlist numeration="arabic">
|
|
|
+ <listitem>
|
|
|
+ <para>Select ESP - MyEsp in the Navigator panel on the left
|
|
|
+ side.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Select the <emphasis role="bold">HTTPS</emphasis> tab.
|
|
|
+ <figure>
|
|
|
+ <title>Select HTTPS Tab</title>
|
|
|
+
|
|
|
+ <mediaobject>
|
|
|
+ <imageobject>
|
|
|
+ <imagedata fileref="../../images/ssl-01.jpg" />
|
|
|
+ </imageobject>
|
|
|
+ </mediaobject>
|
|
|
+ </figure></para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>In the <emphasis role="bold">passphrase</emphasis> entry
|
|
|
+ control, enter the passphrase you used earlier when you created
|
|
|
+ the private key.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>When prompted, provide the passphrase again.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Click the disk icon to save.</para>
|
|
|
+ </listitem>
|
|
|
+ </orderedlist>
|
|
|
+ </sect3>
|
|
|
+
|
|
|
+ <sect3 id="ConfigureOneorMoreSSLEnabledServiceBindings">
|
|
|
+ <title><emphasis role="bold">Configure one or more SSL-Enabled
|
|
|
+ Service Bindings</emphasis></title>
|
|
|
+
|
|
|
+ <orderedlist numeration="arabic">
|
|
|
+ <listitem>
|
|
|
+ <para>Select the ESP Service Bindings tab.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Right-click on the list of services, then select <emphasis
|
|
|
+ role="bold">Add</emphasis>.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Provide a name for the binding (e.g., myws_ecl_ssl)</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Select myws_ecl from the service drop-list.</para>
|
|
|
+
|
|
|
+ <figure>
|
|
|
+ <title>myws_ecl</title>
|
|
|
+
|
|
|
+ <mediaobject>
|
|
|
+ <imageobject>
|
|
|
+ <imagedata fileref="../../images/ssl-02.jpg" />
|
|
|
+ </imageobject>
|
|
|
+ </mediaobject>
|
|
|
+ </figure>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Select https from the protocol drop-list.</para>
|
|
|
+
|
|
|
+ <figure>
|
|
|
+ <title>Select HTTPS</title>
|
|
|
+
|
|
|
+ <mediaobject>
|
|
|
+ <imageobject>
|
|
|
+ <imagedata fileref="../../images/ssl-04.jpg" />
|
|
|
+ </imageobject>
|
|
|
+ </mediaobject>
|
|
|
+ </figure>
|
|
|
+
|
|
|
+ <para><emphasis role="bold">Note:</emphasis> If you have not
|
|
|
+ previously edited the port, the change from http to https
|
|
|
+ triggers Configuration Manager to automatically change the port
|
|
|
+ to the default port for https (18002). It only updates
|
|
|
+ automatically if the port has not been edited.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Click the disk icon to save</para>
|
|
|
+ </listitem>
|
|
|
+ </orderedlist>
|
|
|
+ </sect3>
|
|
|
+ </sect2>
|
|
|
+
|
|
|
+ <sect2 id="DistributeEnvironmentConfigFileToAllNodes" role="brk">
|
|
|
+ <title><emphasis role="bold">Distribute the environment configuration
|
|
|
+ file to all nodes, Restart, and Certify</emphasis></title>
|
|
|
+
|
|
|
+ <para>Once your environment is set up as desired, you must copy the
|
|
|
+ configuration file out to the other nodes.</para>
|
|
|
+
|
|
|
+ <orderedlist numeration="arabic">
|
|
|
+ <listitem>
|
|
|
+ <para>If it is running, stop the system.</para>
|
|
|
+
|
|
|
+ <para>Make sure system is stopped before attempting to move the
|
|
|
+ environment.xml file.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Back up the original environment.xml file</para>
|
|
|
+
|
|
|
+ <programlisting># for example
|
|
|
sudo cp /etc/HPCCSystems/environment.xml /etc/HPCCSystems/environment.bak
|
|
|
</programlisting>
|
|
|
|
|
|
- <para>Note: the "live" environment.xml file is located in your
|
|
|
- <emphasis role="bold">/etc/HPCCSystems/ </emphasis>directory.
|
|
|
- ConfigManager works on files in <emphasis
|
|
|
- role="bold">/etc/HPCCSystems/source </emphasis>directory. You must
|
|
|
- copy the XML file from this location to make an environment.xml file
|
|
|
- active.</para>
|
|
|
- </listitem>
|
|
|
+ <para>Note: the "live" environment.xml file is located in your
|
|
|
+ <emphasis role="bold">/etc/HPCCSystems/ </emphasis>directory.
|
|
|
+ ConfigManager works on files in <emphasis
|
|
|
+ role="bold">/etc/HPCCSystems/source </emphasis>directory. You must
|
|
|
+ copy the XML file from this location to make an environment.xml
|
|
|
+ file active.</para>
|
|
|
+ </listitem>
|
|
|
|
|
|
- <listitem>
|
|
|
- <para>Copy the NewEnvironment.xml file from the source directory to
|
|
|
- the /etc/HPCCSystems and rename the file to environment.xml</para>
|
|
|
+ <listitem>
|
|
|
+ <para>Copy the NewEnvironment.xml file from the source directory
|
|
|
+ to the /etc/HPCCSystems and rename the file to
|
|
|
+ environment.xml</para>
|
|
|
|
|
|
- <programlisting># for example
|
|
|
+ <programlisting># for example
|
|
|
sudo cp /etc/HPCCSystems/source/NewEnvironment.xml /etc/HPCCSystems/environment.xml
|
|
|
</programlisting>
|
|
|
- </listitem>
|
|
|
-
|
|
|
- <listitem>
|
|
|
- <para>Copy the <emphasis
|
|
|
- role="bold">/etc/HPCCSystems/environment.xml</emphasis> to
|
|
|
- the<emphasis role="bold"> /etc/HPCCSystems/ </emphasis>on every
|
|
|
- node.</para>
|
|
|
-
|
|
|
- <para>You might prefer to use a script to automate this step,
|
|
|
- especially if you have many nodes. See the Example Scripts section in
|
|
|
- the Appendix of the Installing and Running the HPCCPlatform
|
|
|
- manual.</para>
|
|
|
- </listitem>
|
|
|
-
|
|
|
- <listitem>
|
|
|
- <para>Restart the HPCC system and certify the components as
|
|
|
- usual.</para>
|
|
|
- </listitem>
|
|
|
- </orderedlist>
|
|
|
- </sect2>
|
|
|
-</sect1>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Copy the <emphasis
|
|
|
+ role="bold">/etc/HPCCSystems/environment.xml</emphasis> to
|
|
|
+ the<emphasis role="bold"> /etc/HPCCSystems/ </emphasis>on every
|
|
|
+ node.</para>
|
|
|
+
|
|
|
+ <para>You might prefer to use a script to automate this step,
|
|
|
+ especially if you have many nodes. See the Example Scripts section
|
|
|
+ in the Appendix of the Installing and Running the HPCCPlatform
|
|
|
+ manual.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Restart the HPCC system and certify the components as
|
|
|
+ usual.</para>
|
|
|
+ </listitem>
|
|
|
+ </orderedlist>
|
|
|
+ </sect2>
|
|
|
+ </sect1>
|
|
|
+
|
|
|
+ <sect1 id="ssl4Roxie">
|
|
|
+ <title>Configuring SSL for Roxie</title>
|
|
|
+
|
|
|
+ <para>Roxie can also be configured to use the Secure Sockets Layer (SSL)
|
|
|
+ protocol. You may have already completed some of these steps if you
|
|
|
+ configured ESP Server to use SSL as described in the previous section.
|
|
|
+ Please refer to the <link linkend="ssl4esp">SSL For ESP</link> section
|
|
|
+ for more information on creating keys and certificates.</para>
|
|
|
+
|
|
|
+ <sect2 id="ConfigureHTTPS_RoxieCluster">
|
|
|
+ <title><emphasis role="bold">Configure HTTPS on your Roxie
|
|
|
+ Cluster</emphasis></title>
|
|
|
+
|
|
|
+ <sect3 id="Start_TheConfigMgrAdvancedMode">
|
|
|
+ <title><emphasis role="bold">Start Configuration Manager in Advanced
|
|
|
+ Mode</emphasis></title>
|
|
|
+
|
|
|
+ <orderedlist numeration="arabic">
|
|
|
+ <listitem>
|
|
|
+ <para>Start the Configuration Manager Service on one node
|
|
|
+ (usually the first node is considered the head node and is used
|
|
|
+ for this task, but this is up to you).</para>
|
|
|
+
|
|
|
+ <para><programlisting>sudo /opt/HPCCSystems/sbin/configmgr
|
|
|
+</programlisting></para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Using a Web browser, go to the Configuration Manager's
|
|
|
+ interface.</para>
|
|
|
+
|
|
|
+ <para>Use the url of http://nnn.nnn.nnn.nnn:pppp, where
|
|
|
+ nnn.nnn.nnn.nnn is the IP address of the node running
|
|
|
+ Configuration Manager and pppp is the port (default is
|
|
|
+ 8015).</para>
|
|
|
+
|
|
|
+ <para>The Configuration Manager startup wizard displays.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Select <emphasis role="bold">Advanced
|
|
|
+ View</emphasis>.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Select an XML file from the drop list.</para>
|
|
|
+
|
|
|
+ <para>This list is populated from versions of an environment XML
|
|
|
+ file in your server's <emphasis
|
|
|
+ role="bold">/etc/HPCCSystems/source/</emphasis>
|
|
|
+ directory.</para>
|
|
|
+
|
|
|
+ <para><emphasis role="bold">Tip</emphasis>: The XML file that
|
|
|
+ matches the active environment.xml is highlighted.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Press the <emphasis role="bold">Next</emphasis>
|
|
|
+ button.</para>
|
|
|
+
|
|
|
+ <para>The Configuration Manager Advanced View interface
|
|
|
+ displays.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Check the <emphasis role="bold">Write Access
|
|
|
+ </emphasis>box at the top of the page.</para>
|
|
|
+ </listitem>
|
|
|
+ </orderedlist>
|
|
|
+ </sect3>
|
|
|
+
|
|
|
+ <sect3 id="Configure_Roxie_forHTTPS" role="brk">
|
|
|
+ <title><emphasis role="bold">Configure Roxie SSL</emphasis></title>
|
|
|
+
|
|
|
+ <orderedlist numeration="arabic">
|
|
|
+ <listitem>
|
|
|
+ <para>Select your Roxie Cluster in the Navigator panel on the
|
|
|
+ left side.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Select the <emphasis role="bold">Ports</emphasis>
|
|
|
+ tab.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Right-click on the list of ports, then select <emphasis
|
|
|
+ role="bold">Add</emphasis>.<figure>
|
|
|
+ <title>Select Port Tab</title>
|
|
|
+
|
|
|
+ <mediaobject>
|
|
|
+ <imageobject>
|
|
|
+ <imagedata fileref="../../images/CM-RoxSSL01.jpg" />
|
|
|
+ </imageobject>
|
|
|
+ </mediaobject>
|
|
|
+ </figure></para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>The default port number is 9876. Change the default port
|
|
|
+ number, for example, to 19876.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Change the protocol from <emphasis>Native</emphasis> to
|
|
|
+ <emphasis>SSL</emphasis> from the drop menu (image).</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>In the <emphasis role="bold">passphrase</emphasis> entry
|
|
|
+ control, enter the passphrase you used earlier when you created
|
|
|
+ the private key. Leave this field empty if you did not use a
|
|
|
+ passphrase.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>When prompted, provide the passphrase again.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Enter the certificate filename.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Enter the key filename.</para>
|
|
|
+ </listitem>
|
|
|
+
|
|
|
+ <listitem>
|
|
|
+ <para>Click the disk icon to save.</para>
|
|
|
+ </listitem>
|
|
|
+ </orderedlist>
|
|
|
+
|
|
|
+ <para>The default lookup location for the certificate and key files
|
|
|
+ is in <emphasis>/var/lib/HPCCSystems/myroxie</emphasis>. You can
|
|
|
+ specify a full path if you want these files in a different location.
|
|
|
+ The certificate and key files must be available for each Roxie
|
|
|
+ node.</para>
|
|
|
+ </sect3>
|
|
|
+
|
|
|
+ <sect3 id="Distribute_Environment_ConfigFileToAllNodes" role="brk">
|
|
|
+ <title><emphasis role="bold">Distribute the environment
|
|
|
+ configuration file to all nodes, Restart, and
|
|
|
+ Certify</emphasis></title>
|
|
|
+
|
|
|
+ <para>Once your environment is set up as desired, you must copy the
|
|
|
+ configuration file out to the other nodes. For more information
|
|
|
+ about how to distribute your environment, please see the section
|
|
|
+ <link linkend="DistributeEnvironmentConfigFileToAllNodes">Distribute
|
|
|
+ the environment configuration file</link> above.</para>
|
|
|
+ </sect3>
|
|
|
+ </sect2>
|
|
|
+ </sect1>
|
|
|
+ </chapter>
|
|
|
+
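Review bot: the new wrapper paragraph (`<para>This is a Chapter Wrapper for an included <Sect1> module.</para>`) contains a literal, unclosed `<Sect1>` start tag, so the file is no longer well-formed XML and will fail DocBook validation as soon as the chapter is processed; write it as `&lt;sect1&gt;` or mark it up as `<sgmltag class="element">sect1</sgmltag>`. The DOCTYPE change from `book` to `chapter` does match the new `<chapter>` root element and looks correct. Three further points in the carried-over and new content. First, the text still standardises on 1024-bit RSA (`openssl genrsa -des3 -out server.key 1024` and "The Public and Private Keys use 1024-bit RSA encryption"), which is below current minimum key-size guidance; if the platform accepts larger keys, 2048 would be the better documented default, and the sentence stating the key size should then be updated to match. Second, the install step copies `server.key` to `/var/lib/HPCCSystems/myesp/privatekey.cer` with `sudo cp` and says nothing about ownership or file mode, so a short instruction to restrict the private key file to the service account that runs ESP (and the same for the Roxie key files under `/var/lib/HPCCSystems/myroxie`) would help readers avoid leaving the key world-readable. Third, in the Roxie section, step 5 ("Change the protocol from Native to SSL from the drop menu (image).") still carries an `(image)` placeholder where a `<figure>` was presumably intended, while the neighbouring steps include their figures; either add the figure or drop the placeholder. Minor: the self-signed certificate step says to enter "the passphrase you used earlier when creating your CSR", but the passphrase was set when generating the private key, which is what the CSR and signing steps are prompting for.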
|