...
5. On the Syndeia Cloud server, copy the PFX (PKCS12) to the system's SSL cert directory and update its ownership and permissions, where host.domain.tld = your server's FQDN, ie: syndeia-cloud.company.com. (Note: the file contains the private key, so it must be readable only by root and the syndeia-cloud group; the password you set when exporting the PFX in the previous step protects that key and is needed again in step 7.)

```shell
sudo cp host.domain.tld_CA-name_ca-chain_priv-key.pfx /etc/ssl/certs/.
sudo chown root:syndeia-cloud /etc/ssl/certs/host.domain.tld_CA-name_ca-chain_priv-key.pfx
sudo chmod ug+rw /etc/ssl/certs/host.domain.tld_CA-name_ca-chain_priv-key.pfx
# the file holds the private key: confirm "other" has no access; if the last three
# positions of the ls -l mode show anything but ---, run: sudo chmod o-rwx <file>
ls -l /etc/ssl/certs/host.domain.tld_CA-name_ca-chain_priv-key.pfx
```
...
6. On the Syndeia Cloud server, update the web-gateway service's conf/application.conf file so that it also includes an HTTPS.conf file. The sed command below inserts the include line immediately before the existing silhouette.conf include and keeps a backup of the original as application.conf.bak:

```shell
sudo sed -i.bak 's#include "silhouette.conf"#include "HTTPS.conf"\ninclude "silhouette.conf"#' /opt/icx/syndeia-cloud-current/web-gateway-3.5-SP1/conf/application.conf
```
7. On the Syndeia Cloud server, create a new HTTPS.conf file in the web-gateway service's conf/ directory with the following settings to enable TLS/SSL, where <keystorePW> = the password you set when exporting the PFX in step 3, ie:

```hocon
# play.server.https.keyStore.path - The path to the keystore containing the private key and certificate, if not provided generates a keystore for you in the conf dir
play.server.https.keyStore.path = /etc/ssl/certs/host.domain.tld_CA-name_ca-chain_priv-key.pfx
# play.server.https.keyStore.type - The key store type, defaults to JKS
play.server.https.keyStore.type = pkcs12
# play.server.https.keyStore.password - The password, defaults to a blank password if omitted
play.server.https.keyStore.password = "<keystorePW>"
# TLS/SSL port to run on
play.server.https.port = 9443
# HTTP port to run on, or set to "disabled" if you want to force TLS/SSL
play.server.http.port = disabled
# Set the following additional security settings if running on production
jdk.tls.ephemeralDHKeySize=2048
jdk.tls.rejectClientInitiatedRenegotiation=true
```

Note, you will probably also want to update your firewall settings too, ex. for firewalld: change the port to 9443 in line 5 of /etc/firewalld/services/syndeia.xml.
8. On the Syndeia Cloud server, restart the Syndeia Cloud web-gateway service, ie: sudo systemctl restart sc-web-gateway
...
4. Copy the .PFX over to the Syndeia Cloud server the CSR was requested for.
5. On the Syndeia Cloud server, from a Cygwin shell, copy the PFX (PKCS12) to the system's SSL cert directory (/etc/ssl/certs under Cygwin, ie: C:\cygwin64\etc\ssl\certs) and update its permissions, where host.domain.tld = your server's FQDN, ie: syndeia-cloud.company.com. (Note: the file contains the private key; the password you set when exporting the PFX in the previous step protects that key and is needed again in step 7.)

```shell
cp host.domain.tld_CA-name_ca-chain_priv-key.pfx /etc/ssl/certs/.
# ownership change is optional on Windows; uncomment if you run the service under a dedicated account
# chown Administrator:syndeia-cloud /etc/ssl/certs/host.domain.tld_CA-name_ca-chain_priv-key.pfx
chmod ug+rw /etc/ssl/certs/host.domain.tld_CA-name_ca-chain_priv-key.pfx
```
...
6. On the Syndeia Cloud server, update the web-gateway service's conf\application.conf file so that it also includes an HTTPS.conf file. Run the following from a Cygwin shell (the path below is the default install directory from the previous steps in Cygwin form; adjust it if your install differs). It inserts the include line immediately before the existing silhouette.conf include and keeps a backup as application.conf.bak:

```shell
sed -i.bak 's#include "silhouette.conf"#include "HTTPS.conf"\ninclude "silhouette.conf"#' "/cygdrive/c/Program Files/Intercax/syndeia-cloud-current/web-gateway-3.5-SP1/conf/application.conf"
```
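The one-line sed edit in step 6 (both the Linux and the Windows/Cygwin variant) is not idempotent: each time it is re-run, for example by a provisioning script, it inserts another `include "HTTPS.conf"` line. The function below is an added example, not part of the Syndeia Cloud documentation or Intercax's tooling; the function names `add_https_include` and `count_https_includes` are assumptions for this example. It performs the same substitution as the page's command, but only when the include is not already present, and it refuses to edit a file that lacks the `include "silhouette.conf"` anchor line the substitution depends on.

```shell
# Added example (not from the Syndeia Cloud documentation): idempotent version of
# the step-6 application.conf edit. GNU sed is assumed, as in the page's own command.
# Usage (Linux, as root):  add_https_include /opt/icx/syndeia-cloud-current/web-gateway-3.5-SP1/conf/application.conf
# Usage (Cygwin):          add_https_include "/cygdrive/c/Program Files/Intercax/syndeia-cloud-current/web-gateway-3.5-SP1/conf/application.conf"

add_https_include() {
    conf="$1"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }

    # already done on a previous run: leave the file untouched
    if grep -q '^include "HTTPS.conf"' "$conf"; then
        return 0
    fi

    # the anchor line the page's sed expression relies on must exist, otherwise
    # the substitution silently does nothing and HTTPS.conf is never loaded
    if ! grep -q '^include "silhouette.conf"' "$conf"; then
        echo "anchor line include \"silhouette.conf\" not found in $conf" >&2
        return 1
    fi

    # same substitution as the page's command (backup kept as <file>.bak)
    sed -i.bak 's#^include "silhouette.conf"#include "HTTPS.conf"\ninclude "silhouette.conf"#' "$conf"
}

# number of HTTPS.conf include lines in a config file; a correct file has exactly one
count_https_includes() {
    grep -c '^include "HTTPS.conf"' "$1" || :
}
```

Run `count_https_includes` on the file after the edit and expect `1`; any other value means the include was never inserted or was duplicated by an earlier run of the raw sed command.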
7. On the Syndeia Cloud server, create a new HTTPS.conf file in the web-gateway service's conf\ directory with the following settings to enable TLS/SSL, where <keystorePW> = the password you set when exporting the PFX in step 3, ie:

```hocon
# play.server.https.keyStore.path - The path to the keystore containing the private key and certificate, if not provided generates a keystore for you in the conf dir
# (Windows path: backslashes must be doubled inside a quoted HOCON string)
play.server.https.keyStore.path = "C:\\cygwin64\\etc\\ssl\\certs\\host.domain.tld_CA-name_ca-chain_priv-key.pfx"
# play.server.https.keyStore.type - The key store type, defaults to JKS
play.server.https.keyStore.type = pkcs12
# play.server.https.keyStore.password - The password, defaults to a blank password if omitted
play.server.https.keyStore.password = "<keystorePW>"
# TLS/SSL port to run on
play.server.https.port = 9443
# HTTP port to run on, or set to "disabled" if you want to force TLS/SSL
play.server.http.port = disabled
# Set the following additional security settings if running on production
jdk.tls.ephemeralDHKeySize=2048
jdk.tls.rejectClientInitiatedRenegotiation=true
```

Note, you will probably also want to update your firewall settings too, ex. for Windows Firewall: double-click the Syndeia Cloud ruleset to bring up its properties and navigate to the appropriate tab to update the port.
8. On the Syndeia Cloud server, restart the Syndeia Cloud Web-Gateway service (sc-web-gateway).
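Before restarting the service in step 8, it is worth checking that the HTTPS.conf from step 7 and the keystore from step 5 are what the procedure expects, on either platform. The script below is an added example and is not part of the Syndeia Cloud documentation; the function names `conf_get` and `check_https_conf` are assumptions for this example, while the `play.server.*` and `jdk.tls.*` keys are the ones used on this page. It reads the settings from the file, confirms that the HTTP port is disabled (so TLS is actually enforced), that the keystore type matches the file's extension (pkcs12 for .pfx/.p12, jks for .jks), that the password is neither blank nor the `<keystorePW>` placeholder, that the renegotiation hardening line is present, and, when the keystore file is reachable from the shell, that no permission bits are granted to "other". On Windows the path is stored in Windows form, so the permission check is skipped there; it is mainly useful on the Linux server.

```shell
# Added example (not from the Syndeia Cloud documentation): pre-restart sanity check
# for HTTPS.conf. Usage: check_https_conf /opt/icx/syndeia-cloud-current/web-gateway-<ver>/conf/HTTPS.conf
# Exit status 0 means every check passed; each failed check prints a reason on stderr.

# read the value of one `key = value` line (first match), dropping surrounding quotes
conf_get() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')     # literal dots in the key
    sed -n "s/^[[:space:]]*$key_re[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//; s/^"//; s/"$//'
}

check_https_conf() {
    conf="$1"; rc=0
    [ -f "$conf" ] || { echo "missing $conf" >&2; return 2; }

    ks_path=$(conf_get "$conf" play.server.https.keyStore.path)
    ks_type=$(conf_get "$conf" play.server.https.keyStore.type)
    ks_pw=$(conf_get "$conf" play.server.https.keyStore.password)
    https_port=$(conf_get "$conf" play.server.https.port)
    http_port=$(conf_get "$conf" play.server.http.port)

    [ -n "$ks_path" ] || { echo "keyStore.path is not set" >&2; rc=1; }
    # the store type must agree with what the file actually is
    case "$ks_path" in
        *.pfx|*.p12) [ "$ks_type" = pkcs12 ] || { echo "keyStore.type should be pkcs12 for $ks_path" >&2; rc=1; } ;;
        *.jks)       [ "$ks_type" = jks ]    || { echo "keyStore.type should be jks for $ks_path" >&2; rc=1; } ;;
    esac
    [ -n "$ks_pw" ] || { echo "keyStore.password is blank" >&2; rc=1; }
    case "$ks_pw" in "<"*">") echo "keyStore.password still holds the placeholder $ks_pw" >&2; rc=1 ;; esac
    case "$https_port" in ''|*[!0-9]*) echo "https.port is not numeric: '$https_port'" >&2; rc=1 ;; esac
    # an enabled HTTP port would leave a plaintext path into the gateway
    [ "$http_port" = disabled ] || { echo "http.port is '$http_port'; set it to disabled to force TLS" >&2; rc=1; }
    grep -q '^jdk.tls.rejectClientInitiatedRenegotiation=true' "$conf" \
        || { echo "jdk.tls.rejectClientInitiatedRenegotiation=true is missing" >&2; rc=1; }

    # private key material: the "other" class (last octal digit) must be 0
    if [ -f "$ks_path" ]; then
        mode=$(stat -c '%a' "$ks_path" 2>/dev/null || stat -f '%Lp' "$ks_path")
        case "$mode" in
            *0) ;;
            *)  echo "$ks_path is mode $mode; remove all 'other' permissions (chmod o-rwx)" >&2; rc=1 ;;
        esac
    fi
    return $rc
}
```

The check is deliberately strict about the placeholder and the HTTP port: both are the mistakes that leave the service running but not actually protected, which a successful restart in step 8 would not reveal.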