The default behaviour is for Mission Portal (MP) to listen on port 80. In some environments and use cases this is undesirable from a security standpoint.
This article describes how to reconfigure the out-of-the-box behaviour of MP so that it listens for and accepts sessions over the more secure HTTPS protocol, using self-signed certificates generated by a script written by CFEngine staff. (If you prefer to generate or supply your own certificates, follow the link under the Reference section.)
Prerequisites
- CFEngine Enterprise HUB version 3.5.0 or greater.
- A shell or ssh session into the CFEngine hub
Copy the Configuration Files
Attached to this article, you'll find two files. One is called gencert.sh, the other httpd-mp-ssl.conf. You'll need to copy these to your hub. To download each file, you should right click on the file and select "Save link as...". Once you have each file on your machine, copy them to your hub machine and put them into a temporary directory.
Generate the Certificates
Assuming you're logged in to the hub, change into the temporary directory where you copied the two files. Make sure the script is executable before running it, e.g. chmod +x gencert.sh
Run the script with your FQDN; for example:
$ ./gencert.sh HUB.test.cfengine.com
b82ee94135364487d243cfafbca2d89d
You should now have two new files:
CFEngine-Enterprise.crt.pem and CFEngine-Enterprise.key.pem
Move or copy these files into a dedicated directory. You can create this if it doesn't exist. A suggested location is:
$ mkdir -p /var/cfengine/httpd/cert
$ mv ./CFEngine-Enterprise.crt.pem ./CFEngine-Enterprise.key.pem /var/cfengine/httpd/cert
Prepare the HTTPS Configuration File
The second file that you copied (httpd-mp-ssl.conf) should be copied to the following location:
/var/cfengine/httpd/conf/extra
Then run a command to apply your FQDN to the configuration:
$ sed -i "s/policyhub.example.org/HUB.test.cfengine.com/g" /var/cfengine/httpd/conf/extra/httpd-mp-ssl.conf
$ cat /var/cfengine/httpd/conf/extra/httpd-mp-ssl.conf
LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost _default_:80>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>
<VirtualHost _default_:443>
ServerName HUB.test.cfengine.com
ErrorLog logs/HUB.test.cfengine.com_ssl_error_log
TransferLog logs/HUB.test.cfengine.com_ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /var/cfengine/httpd/cert/CFEngine-Enterprise.crt.pem
SSLCertificateKeyFile /var/cfengine/httpd/cert/CFEngine-Enterprise.key.pem
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
CustomLog logs/HUB.test.cfengine.com_ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
Edit the main httpd.conf File
You should find the httpd.conf file in the following location:
/var/cfengine/httpd/conf
Open httpd.conf in an editor of your choice and make the following changes:
Under the Virtual hosts section:
# Virtual hosts
Include conf/extra/httpd-mp-ssl.conf
Restart the httpd
Issue the following commands on your hub's command line:
$ LD_LIBRARY_PATH=/var/cfengine/lib:$LD_LIBRARY_PATH /var/cfengine/httpd/bin/apachectl stop
$ LD_LIBRARY_PATH=/var/cfengine/lib:$LD_LIBRARY_PATH /var/cfengine/httpd/bin/apachectl start
$ netstat -natp | grep -E LISTEN.*httpd
tcp 0 0 :::80 :::* LISTEN 2576/httpd
tcp 0 0 :::443 :::* LISTEN 2576/httpd
That should be it. The Apache daemon should now be listening on port 80/http and 443/https, and you should be able to connect to the Mission Portal using the IP address or host name prefixed with https://. If you try to connect to http://, Apache will use mod_rewrite to redirect you to https:// automatically.
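As an added check (not part of the article or of gencert.sh), the POSIX shell script below verifies the setup just described: that the placeholder hostname was replaced in httpd-mp-ssl.conf, that the certificate's CN is the hub FQDN, that the key belongs to the certificate and is readable only by its owner, and it warns if the shipped config still permits LOW/RC4 ciphers or SSLv3. It assumes openssl is in PATH and uses the file paths given in this article.

```shell
#!/bin/sh
# Sanity checks for the Mission Portal HTTPS setup above. Added example, not part
# of the CFEngine article or gencert.sh. Assumes openssl in PATH and the article's
# paths (override with CERT_DIR / SSL_CONF).
CERT_DIR="${CERT_DIR:-/var/cfengine/httpd/cert}"
SSL_CONF="${SSL_CONF:-/var/cfengine/httpd/conf/extra/httpd-mp-ssl.conf}"

# The sed step must have replaced every occurrence of the shipped placeholder.
config_has_placeholder() {
    grep -q 'policyhub\.example\.org' "$1"
}
# The shipped config still allows LOW/RC4 ciphers and SSLv3; report if so.
config_weak_tls() {
    grep -Eq 'SSLCipherSuite.*(LOW|RC4)' "$1" ||
        grep -Eq '^[[:space:]]*SSLProtocol[[:space:]]+all[[:space:]]+-SSLv2[[:space:]]*$' "$1"
}
# Subject CN of the certificate must equal the FQDN clients will use.
cert_cn_matches() {   # $1 = cert path, $2 = expected FQDN
    cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$2" ]
}
# Private key must belong to the certificate: compare their public keys.
cert_key_match() {    # $1 = cert path, $2 = key path
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}
# Private key must be readable only by its owner (GNU stat, BSD stat fallback).
key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
    case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Run all checks for one FQDN; prints each failure, returns non-zero on any.
check_mp_ssl() {
    fqdn="$1"
    crt="$CERT_DIR/CFEngine-Enterprise.crt.pem"; key="$CERT_DIR/CFEngine-Enterprise.key.pem"
    rc=0
    if config_has_placeholder "$SSL_CONF"; then
        echo "FAIL: placeholder hostname still present in $SSL_CONF"; rc=1; fi
    if config_weak_tls "$SSL_CONF"; then
        echo "WARN: $SSL_CONF still permits LOW/RC4 ciphers or SSLv3"; fi
    cert_cn_matches "$crt" "$fqdn" || { echo "FAIL: certificate CN is not $fqdn"; rc=1; }
    cert_key_match "$crt" "$key"   || { echo "FAIL: key does not match certificate"; rc=1; }
    key_perms_ok "$key"            || { echo "FAIL: $key is readable by group/others"; rc=1; }
    return $rc
}
# Usage: sh check_mp_ssl.sh HUB.test.cfengine.com
[ $# -eq 1 ] && check_mp_ssl "$1"
```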
Reference: