Configure Mission Portal to use HTTPS instead of HTTP

The default behaviour is for Mission Portal (MP) to listen for plain HTTP on port 80. In many environments this is undesirable from a security standpoint: login credentials and session cookies cross the network unencrypted.

This article describes how to re-configure the out-of-the-box behaviour of MP so that it listens for and accepts sessions over the more secure HTTPS protocol, using a self-signed certificate generated by a script written by CFEngine staff. A self-signed certificate encrypts the session but is not trusted by browsers, so users will see a certificate warning until they import it or you replace it with one issued by a CA your clients trust. (If you prefer to generate or supply your own certificates, follow the link under the Reference: section.)

 

Prerequisites

  • CFEngine Enterprise HUB version 3.5.0 or greater.
  • A shell or ssh session into the CFEngine hub

 

Copy the Configuration Files

Attached to this article are two files: gencert.sh and httpd-mp-ssl.conf. You'll need both on your hub. To download each file, right-click it and select "Save link as...". Once you have both files on your machine, copy them to the hub and put them in a temporary directory.

 

Generate the Certificates

Logged in to the hub, change into the temporary directory where you copied the two files and make the script executable first (e.g. chmod +x gencert.sh).

Run the script with your hub's fully qualified domain name (FQDN). Use the name users will type into their browser; a certificate issued for any other name produces a hostname-mismatch warning. For example:

$ ./gencert.sh HUB.test.cfengine.com
b82ee94135364487d243cfafbca2d89d

You should now have two new files:

CFEngine-Enterprise.crt.pem and CFEngine-Enterprise.key.pem

Move or copy these files into a dedicated directory (create it if it doesn't exist). The .key.pem file is the hub's private key: keep it readable only by root and the account httpd runs as. A suggested location is:

$ mkdir -p /var/cfengine/httpd/cert
$ mv ./CFEngine-Enterprise.crt.pem ./CFEngine-Enterprise.key.pem /var/cfengine/httpd/cert

 

Prepare the HTTPS Configuration File

The second file that you copied (httpd-mp-ssl.conf) should be copied to the following location:

/var/cfengine/httpd/conf/extra

Then run sed to replace the placeholder hostname with your FQDN, and check the result:

$ sed -i "s/policyhub.example.org/HUB.test.cfengine.com/g" /var/cfengine/httpd/conf/extra/httpd-mp-ssl.conf
$ cat /var/cfengine/httpd/conf/extra/httpd-mp-ssl.conf
LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost _default_:80>
     RewriteEngine On
     RewriteCond %{HTTPS} off
     RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>
<VirtualHost _default_:443>
    ServerName HUB.test.cfengine.com
    ErrorLog logs/HUB.test.cfengine.com_ssl_error_log
    TransferLog logs/HUB.test.cfengine.com_ssl_access_log
    LogLevel warn
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile /var/cfengine/httpd/cert/CFEngine-Enterprise.crt.pem
    SSLCertificateKeyFile /var/cfengine/httpd/cert/CFEngine-Enterprise.key.pem
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    CustomLog logs/HUB.test.cfengine.com_ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
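Two lines in the shipped file deserve attention before you deploy it. SSLProtocol all -SSLv2 still allows SSLv3, and the cipher string ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW explicitly re-enables RC4, MEDIUM and LOW suites; there is also no SSLHonorCipherOrder, so the client rather than the hub picks the cipher. The script below is an added example, not part of this article or of the files attached to it. It audits the mod_ssl directives in a file for those three weaknesses and writes a hardened replacement for them; the hardened values are a suggestion, not CFEngine's, and the sample file names and the DEMO_DIR location are illustrative. It assumes only POSIX sh and sed.

```shell
#!/bin/sh
# Added example: not from the CFEngine article or its httpd-mp-ssl.conf.
# Audits the mod_ssl directives in a config file for the weak settings the
# shipped file carries (SSLv3 allowed, RC4/LOW/MEDIUM ciphers added, no
# SSLHonorCipherOrder) and writes a hardened replacement for them.
# Assumes POSIX sh and sed only; directive names are Apache mod_ssl's.

# Print the value of the first occurrence of directive $2 in file $1.
directive() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" | head -n 1
}

# Return 0 if the SSL directives in $1 are acceptable, 1 otherwise.
# Each finding is printed on its own line, prefixed with WEAK.
audit_ssl_conf() {
    conf=$1
    rc=0

    proto=$(directive "$conf" SSLProtocol)
    # mod_ssl defaults to "all" when SSLProtocol is absent, and "all"
    # includes SSLv3 unless it is removed explicitly.
    case "${proto:-all}" in
        *-SSLv3*) ;;                         # SSLv3 disabled explicitly
        *all*|*SSLv3*)                        # "all" without -SSLv3, or SSLv3 by name
            echo "WEAK: SSLProtocol allows SSLv3: '${proto:-<unset>}'"; rc=1 ;;
        *) ;;                                # allow-list without SSLv3, e.g. "TLSv1"
    esac

    ciphers=$(directive "$conf" SSLCipherSuite)
    # Walk the OpenSSL cipher list token by token. An exclusion ("!FOO") is
    # fine; a token that adds RC4, EXPORT, LOW, MEDIUM, DES or null/anonymous
    # suites is weak.
    old_ifs=$IFS
    IFS=:
    for tok in $ciphers; do
        case "$tok" in
            '!'*) ;;
            *RC4*|*EXPORT*|*LOW*|*MEDIUM*|*DES*|*ADH*|*NULL*)
                echo "WEAK: SSLCipherSuite enables '$tok'"; rc=1 ;;
        esac
    done
    IFS=$old_ifs

    case "$(directive "$conf" SSLHonorCipherOrder)" in
        [Oo][Nn]) ;;
        *) echo "WEAK: SSLHonorCipherOrder is not 'on'; the client picks the cipher"; rc=1 ;;
    esac
    return $rc
}

# Write two sample files into directory $1: a constructed copy of the SSL
# directives as the shipped httpd-mp-ssl.conf has them, and a hardened
# replacement that passes the audit.
write_sample_confs() {
    mkdir -p "$1"
    cat >"$1/shipped.conf" <<'EOF'
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
EOF
    cat >"$1/hardened.conf" <<'EOF'
SSLEngine on
# "all -SSLv2 -SSLv3" is understood by every mod_ssl build; TLSv1.1/TLSv1.2
# as named tokens need Apache 2.2.23+/2.4 built against OpenSSL 1.0.1+.
SSLProtocol all -SSLv2 -SSLv3
# Strong suites only: no anonymous, null, export, RC4, DES/3DES or MD5.
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!LOW:!MEDIUM
SSLHonorCipherOrder on
EOF
}

DEMO_DIR=${TMPDIR:-/tmp}/mp-ssl-audit.$$
write_sample_confs "$DEMO_DIR"
for f in shipped hardened; do
    if audit_ssl_conf "$DEMO_DIR/$f.conf"; then
        echo "$f.conf: OK"
    else
        echo "$f.conf: weak settings found"
    fi
done
```

Run it against /var/cfengine/httpd/conf/extra/httpd-mp-ssl.conf after the sed step (audit_ssl_conf takes the path as its argument); if it reports findings, replace the SSLProtocol and SSLCipherSuite lines with the ones from hardened.conf and add SSLHonorCipherOrder on, then restart httpd as described below. Disabling SSLv3 cuts off only very old clients (IE6 on Windows XP), which should not be administering a hub in any case.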

 

Edit the main httpd.conf File

You should find the httpd.conf file in the following location:

/var/cfengine/httpd/conf

Open httpd.conf in an editor of your choice and add the following Include line under the Virtual hosts section so the new file is loaded:

# Virtual hosts
Include conf/extra/httpd-mp-ssl.conf

Restart the httpd

Issue the following commands on your hub's command line:

$ LD_LIBRARY_PATH=/var/cfengine/lib:$LD_LIBRARY_PATH /var/cfengine/httpd/bin/apachectl stop
$ LD_LIBRARY_PATH=/var/cfengine/lib:$LD_LIBRARY_PATH /var/cfengine/httpd/bin/apachectl start
$ netstat -natp | grep -E LISTEN.*httpd
tcp        0      0 :::80                       :::*                        LISTEN      2576/httpd          
tcp        0      0 :::443                      :::*                        LISTEN      2576/httpd

 

That should be it. Apache should now be listening on both 80/http and 443/https, and you can reach Mission Portal by IP address or host name prefixed with https://. If you connect to http:// instead, the port-80 virtual host uses mod_rewrite to redirect you to https:// on whatever host name the client sent in its Host header. Because the certificate is self-signed, the browser will warn about it on first connection; check that the certificate it shows is the one you generated before accepting it.

 

Reference:
