Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Linux + Windows: Update steps 6+ to segregate out HTTPS settings into a separate HTTPS.conf file for easier upgrades in the future.

...

5. On the Syndeia Cloud server, copy the PFX (PKCS12) to the system's SSL cert directory and update its ownership and permissions, where host.domain.tld = your server's FQDN, ie: syndeia-cloud.company.com. The file should be owned by root, readable by the syndeia-cloud group (the group the web-gateway service uses) and unreadable by anyone else: the PFX contains the private key, so a world-readable mode such as the default 644 would expose it. (info) Note, you will need the password that was set when the PFX was exported in the previous step; the gateway uses it in step 7 to open the keystore:

Code Block
languagebash
themeRDark
sudo cp host.domain.tld_CA-name_ca-chain_priv-key.pfx /etc/ssl/certs/.
sudo chown root:syndeia-cloud /etc/ssl/certs/host.domain.tld_CA-name_ca-chain_priv-key.pfx
sudo chmod 640 /etc/ssl/certs/host.domain.tld_CA-name_ca-chain_priv-key.pfx

(warning) Note, if you instead import the PFX into a Java Key Store (JKS) with keytool -importkeystore, you may get a warning about the keystore being in a proprietary format; you can ignore it. The steps below use the PFX directly.

...

6. On the Syndeia Cloud server, update the web-gateway service's conf/application.conf file to include the new HTTPS.conf file (the sed below inserts the include directly before the existing include "silhouette.conf" and keeps a .bak copy of the original):

Code Block
languagebash
themeRDark
sudo sed -i.bak 's#include "silhouette.conf"#include "HTTPS.conf"\ninclude "silhouette.conf"#' /opt/icx/syndeia-cloud-current/web-gateway-3.5-SP1/conf/application.conf

7. On the Syndeia Cloud server, create a new HTTPS.conf file in the web-gateway service's conf/ directory with the following settings to enable TLS/SSL, where <keystorePW> = the password protecting the PFX (the keystore password from the previous steps), ie:

Code Block
languagescala
themeRDark
# play.server.https.keyStore.path - The path to the keystore containing the private key and certificate; if not provided, Play generates a keystore for you in the conf dir
# (must be the PFX copied to /etc/ssl/certs in step 5)
play.server.https.keyStore.path = /etc/ssl/certs/host.domain.tld_CA-name_ca-chain_priv-key.pfx

# play.server.https.keyStore.type - The key store type, defaults to JKS; a PFX is PKCS12
play.server.https.keyStore.type = pkcs12

# play.server.https.keyStore.password - The password, defaults to a blank password if omitted
play.server.https.keyStore.password = "<keystorePW>"

# TLS/SSL port to run on
play.server.https.port = 9443
# HTTP port to run on, or set to "disabled" if you want to force TLS/SSL
play.server.http.port = disabled

# Set the following additional security settings if running on production.
# Note: these are JVM (JSSE) system properties, not Play configuration keys; if they do not take
# effect from this file, pass them to the web-gateway JVM as -Djdk.tls.ephemeralDHKeySize=2048
# -Djdk.tls.rejectClientInitiatedRenegotiation=true instead.
jdk.tls.ephemeralDHKeySize=2048
jdk.tls.rejectClientInitiatedRenegotiation=true

(info) Note, you will probably also want to update your FW settings too, ex. for firewalld: change the port to 9443 on line 5 of /etc/firewalld/services/syndeia.xml, then run sudo firewall-cmd --reload so the change takes effect.

8. On the Syndeia Cloud server, restart the Syndeia Cloud web-gateway service, ie: sudo systemctl restart sc-web-gateway, and confirm it is now listening on 9443 and no longer on the old HTTP port (ex. sudo ss -ltnp).

...

4. Copy the .PFX over to the Syndeia Cloud server for which the CSR was requested.

5. On the Syndeia Cloud server, from a Cygwin shell, copy the PFX (PKCS12) to the system's SSL cert directory (/etc/ssl/certs under Cygwin, ie: C:\cygwin64\etc\ssl\certs) and update its ownership and permissions, where host.domain.tld = your server's FQDN, ie: syndeia-cloud.company.com. The PFX contains the private key, so make sure the resulting NTFS ACL lets only Administrators and the account the Web-Gateway service runs as read it. (info) Note, you will need the password that was set when the PFX was exported in the previous step; the gateway uses it in step 7 to open the keystore:

Code Block
languagebash
themeRDark
cp host.domain.tld_CA-name_ca-chain_priv-key.pfx /etc/ssl/certs/.
# chown Administrator:syndeia-cloud /etc/ssl/certs/host.domain.tld_CA-name_ca-chain_priv-key.pfx
chmod 640 /etc/ssl/certs/host.domain.tld_CA-name_ca-chain_priv-key.pfx

...
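Step 5 is the same on Linux and on Windows (Cygwin): a PFX holding the private key lands in /etc/ssl/certs with restricted permissions. The script below is an added verification example, not part of the Syndeia Cloud documentation or of Intercax's tooling, to run on the copied file before the gateway is pointed at it. It checks that the file is unreadable by "other" and not group-writable, that it opens with the export password and holds exactly one private key plus the certificate chain, and that the leaf certificate names the server's FQDN. It assumes the OpenSSL command-line tool and a GNU or BusyBox `stat -c`; its `make_test_pfx` function builds a throwaway self-signed PFX as constructed sample input (the file-name pattern and the FQDN syndeia-cloud.company.com come from the page, the password changeit is a placeholder).

```sh
#!/bin/sh
# Added example (not from the Syndeia Cloud docs): checks to run on the PFX
# after copying it to /etc/ssl/certs and before the web-gateway reads it.
# Assumes: `openssl` CLI on PATH; GNU or BusyBox `stat -c` (Linux, Cygwin).

# pfx_mode_ok FILE -> 0 if FILE is unreadable by "other" and not group-writable
# (640 or stricter: the gateway's group only needs to read the key).
pfx_mode_ok() {
    mode=$(stat -c '%a' "$1") || return 1          # e.g. 640
    other=${mode#${mode%?}}                         # last digit  (other)
    rest=${mode%?}
    group=${rest#${rest%?}}                         # middle digit (group)
    [ "$other" = "0" ] || return 1
    case "$group" in 0|4) return 0 ;; *) return 1 ;; esac
}

# pfx_has_key_and_chain FILE PASSWORD -> 0 if the PKCS12 opens with PASSWORD and
# contains exactly one private key and at least one certificate.
pfx_has_key_and_chain() {
    out=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nodes 2>/dev/null) || return 1
    keys=$(printf '%s\n' "$out" | grep -c 'BEGIN .*PRIVATE KEY' || true)
    certs=$(printf '%s\n' "$out" | grep -c 'BEGIN CERTIFICATE' || true)
    [ "$keys" -eq 1 ] && [ "$certs" -ge 1 ]
}

# pfx_cert_matches_host FILE PASSWORD FQDN -> 0 if the leaf certificate names
# FQDN in its subject CN or in a subjectAltName DNS entry.
pfx_cert_matches_host() {
    text=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
           | openssl x509 -noout -text 2>/dev/null) || return 1
    printf '%s\n' "$text" | grep -Eq 'CN ?= ?'"$3"'(,|$)|DNS:'"$3"'(,|$)'
}

# make_test_pfx DIR PASSWORD FQDN -> prints the path of a throwaway self-signed
# PFX (constructed sample input standing in for the CA-issued one from step 4).
make_test_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$3" \
        -addext "subjectAltName=DNS:$3" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1 || return 1
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -passout "pass:$2" -out "$1/${3}_CA-name_ca-chain_priv-key.pfx" || return 1
    printf '%s\n' "$1/${3}_CA-name_ca-chain_priv-key.pfx"
}

# Usage when run directly: build a sample, apply the step-5 permissions, verify.
main() {
    tmp=$(mktemp -d)
    fqdn=syndeia-cloud.company.com
    pw=changeit                                   # placeholder, not a real export password
    pfx=$(make_test_pfx "$tmp" "$pw" "$fqdn") || { echo "openssl unavailable" >&2; rm -rf "$tmp"; return 1; }
    chmod 640 "$pfx"                              # what step 5 should leave behind
    if pfx_mode_ok "$pfx" && pfx_has_key_and_chain "$pfx" "$pw" \
       && pfx_cert_matches_host "$pfx" "$pw" "$fqdn"; then
        echo "OK: $pfx passes all checks"
    else
        echo "FAIL: $pfx" >&2
    fi
    rm -rf "$tmp"
}
main
```

Run the three checks against the real file with the real export password (for example `pfx_mode_ok /etc/ssl/certs/host.domain.tld_CA-name_ca-chain_priv-key.pfx`); a mode check failure after step 5 almost always means the file was copied with the default umask and never chmod'ed, and a chain check that finds one certificate for a CA-issued PFX means the intermediate chain was left out at export time.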


6. On the Syndeia Cloud server, update the web-gateway service's conf\application.conf file to include the new HTTPS.conf file (the sed below, run from a Cygwin shell, inserts the include directly before the existing include "silhouette.conf" and keeps a .bak copy of the original):

Code Block
languagebash
themeRDark
# Windows install path as seen from Cygwin (the /opt/icx path applies to Linux only); quoted because of the space in "Program Files"
sed -i.bak 's#include "silhouette.conf"#include "HTTPS.conf"\ninclude "silhouette.conf"#' "/cygdrive/c/Program Files/Intercax/syndeia-cloud-current/web-gateway-3.5-SP1/conf/application.conf"

7. On the Syndeia Cloud server, create a new HTTPS.conf file in the web-gateway service's conf\ directory with the following settings to enable TLS/SSL, where <keystorePW> = the password protecting the PFX (the keystore password from the previous steps), ie:

Code Block
languagescala
themeRDark
# play.server.https.keyStore.path - The path to the keystore containing the private key and certificate; if not provided, Play generates a keystore for you in the conf dir
# (must be the PFX copied in step 5; a Windows path must be a quoted HOCON string with every backslash doubled)
play.server.https.keyStore.path = "C:\\cygwin64\\etc\\ssl\\certs\\host.domain.tld_CA-name_ca-chain_priv-key.pfx"

# play.server.https.keyStore.type - The key store type, defaults to JKS; a PFX is PKCS12
play.server.https.keyStore.type = pkcs12

# play.server.https.keyStore.password - The password, defaults to a blank password if omitted
play.server.https.keyStore.password = "<keystorePW>"

# TLS/SSL port to run on
play.server.https.port = 9443
# HTTP port to run on, or set to "disabled" if you want to force TLS/SSL
play.server.http.port = disabled

# Set the following additional security settings if running on production.
# Note: these are JVM (JSSE) system properties, not Play configuration keys; if they do not take
# effect from this file, pass them to the Web-Gateway service's JVM as -Djdk.tls.ephemeralDHKeySize=2048
# -Djdk.tls.rejectClientInitiatedRenegotiation=true instead.
jdk.tls.ephemeralDHKeySize=2048
jdk.tls.rejectClientInitiatedRenegotiation=true

(info) Note, you will probably also want to update your FW settings too, ex. for Windows Firewall: double-click the Syndeia Cloud rule to open its properties and change the port to 9443 on the Protocols and Ports tab.

8. On the Syndeia Cloud server, restart the Syndeia Cloud Web-Gateway service (sc-web-gateway) and confirm it is now listening on 9443 and no longer on the old HTTP port.
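Steps 6 to 8 are identical in substance for Linux and for Windows (Cygwin): an HTTPS.conf is included from application.conf and the web-gateway is restarted. The script below is an added pre-flight lint, not part of the Syndeia Cloud documentation or of Intercax's tooling, to run on HTTPS.conf before that restart. It catches the mistakes that make the gateway fail to start or come up weaker than intended: a keyStore.type that does not match the keystore file (jks for a .pfx), a keystore path that is not on disk, a blank or still-placeholder password, and an HTTP port left enabled; it also reminds you that the jdk.tls.* entries are JVM system properties. It assumes a POSIX shell with sed and that HTTPS.conf is written one `key = value` per line as shown on the page; the `write_conf` helper produces constructed sample files, and the password s3cret is a placeholder.

```sh
#!/bin/sh
# Added example (not from the Syndeia Cloud docs): pre-flight lint for the
# web-gateway HTTPS.conf, to run before `systemctl restart sc-web-gateway`
# (or restarting the Windows service). Assumes: POSIX sh + sed; one
# `key = value` per line, as in the page's HTTPS.conf.

# conf_get FILE KEY -> value of KEY, surrounding double quotes removed ("" if absent)
conf_get() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')      # escape the dots for the regex
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 \
        | sed -e 's/[[:space:]]*$//' -e 's/^"//' -e 's/"$//'
}

# keystore_type_for PATH -> keyStore.type implied by the keystore file extension
keystore_type_for() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *.pfx|*.p12) echo pkcs12 ;;
        *.jks)       echo jks ;;
        *)           echo unknown ;;
    esac
}

# lint_https_conf FILE -> 0 if every check passes, 1 otherwise; findings on stdout
lint_https_conf() {
    rc=0
    ks=$(conf_get "$1" play.server.https.keyStore.path)
    type=$(conf_get "$1" play.server.https.keyStore.type | tr 'A-Z' 'a-z')
    pw=$(conf_get "$1" play.server.https.keyStore.password)
    http=$(conf_get "$1" play.server.http.port)

    if [ -z "$ks" ] || [ ! -f "$ks" ]; then
        echo "keyStore.path '$ks' is not a file on this host"; rc=1
    fi
    want=$(keystore_type_for "$ks")
    if [ "$want" = unknown ]; then
        echo "cannot infer keystore type from '$ks' (expected .pfx/.p12 or .jks)"; rc=1
    elif [ "${type:-jks}" != "$want" ]; then              # Play defaults the type to JKS
        echo "keyStore.type '${type:-<unset>}' does not match the file (expected $want)"; rc=1
    fi
    case "$pw" in
        ""|"<keystorePW>"|keystorePW) echo "keyStore.password is blank or still the placeholder"; rc=1 ;;
    esac
    if [ "$http" != disabled ]; then
        echo "play.server.http.port is '${http:-<unset>}'; set it to disabled to force TLS"; rc=1
    fi
    if grep -q '^[[:space:]]*jdk\.tls\.' "$1"; then
        echo "note: jdk.tls.* are JVM system properties; if they do not take effect from this file, pass them as -D options to the gateway JVM"
    fi
    return $rc
}

# write_conf OUT KEYSTORE TYPE PASSWORD HTTP_PORT -> writes a minimal HTTPS.conf (constructed sample)
write_conf() {
    cat > "$1" <<EOF
play.server.https.keyStore.path = $2
play.server.https.keyStore.type = $3
play.server.https.keyStore.password = "$4"
play.server.https.port = 9443
play.server.http.port = $5
jdk.tls.ephemeralDHKeySize=2048
jdk.tls.rejectClientInitiatedRenegotiation=true
EOF
}

# Usage when run directly: lint a deliberately wrong conf and a corrected one.
main() {
    d=$(mktemp -d)
    : > "$d/host.domain.tld_CA-name_ca-chain_priv-key.pfx"   # stand-in for the real PFX
    write_conf "$d/bad.conf"  "$d/host.domain.tld_CA-name_ca-chain_priv-key.pfx" jks    '<keystorePW>' 9000
    write_conf "$d/good.conf" "$d/host.domain.tld_CA-name_ca-chain_priv-key.pfx" pkcs12 's3cret'       disabled
    for f in bad good; do
        echo "--- $f.conf"
        lint_https_conf "$d/$f.conf" && echo "$f.conf: OK" || echo "$f.conf: FIX BEFORE RESTART"
    done
    rm -rf "$d"
}
main
```

On a real host run `lint_https_conf /opt/icx/syndeia-cloud-current/web-gateway-3.5-SP1/conf/HTTPS.conf` (or the conf\ path under the Windows install directory from a Cygwin shell); only restart the service once it returns 0, because a type/file mismatch or a wrong password surfaces as a start-up failure rather than a clear configuration error.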