...
```bash
sudo cp host.domain.tld_CA-name_ca-chain_priv-key.pfx /etc/ssl/certs/.
sudo chown root:syndeia-cloud /etc/ssl/certs/host.domain.tld_CA-name_ca-chain_priv-key.pfx
sudo chmod ug+rw /etc/ssl/certs/host.domain.tld_CA-name_ca-chain_priv-key.pfx
# insert an include for HTTPS.conf ahead of the existing silhouette.conf include (a .bak copy is kept)
sudo sed -i.bak 's#include "silhouette.conf"#include "HTTPS.conf"\ninclude "silhouette.conf"#' /opt/icx/syndeia-cloud-current/web-gateway-3.5-SP1/conf/application.conf
```
6. On the Syndeia Cloud server, update the web-gateway service's conf/application.conf file to now include an HTTPS.conf file:
...
Note: you will probably also want to update your firewall settings too, e.g. for firewalld change the port to 9443 in line 5 of /etc/firewalld/services/syndeia.xml.
8. If you are setting up a port below 1000 for your HTTPS connection (such as 443), then add the following line to /etc/systemd/system/sc-web-gateway.service within its [Service] section:
```ini
AmbientCapabilities=CAP_NET_BIND_SERVICE
```
9. On the Syndeia Cloud server, restart the Syndeia Cloud web-gateway service, i.e.: sudo systemctl restart sc-web-gateway
If you've updated firewalld too, use: sudo firewall-cmd --reload && sudo systemctl restart sc-web-gateway
10. Update the web-gateway entry in the lagom.services section of /opt/icx/syndeia-cloud-current/devops-.../conf/application.conf to specify the external URL and HTTPS port (replace host.domain.tld with your FQDN):
```hocon
lagom.services {
  cas_native = "http://localhost:9042"
  [...]
  web-gateway = "https://host.domain.tld:9443"
  [...]
}
```
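The bundle copied in step 5 is what the web-gateway presents to every client, so it is worth checking before the restart in step 9. The script below is an added example, not from the Syndeia Cloud documentation: it counts the certificates in the PKCS12 (a full chain has more than one), confirms the private key is inside, checks that the end-entity certificate matches the FQDN, and flags a file that other users can read (the bundle holds the private key, and chmod ug+rw leaves any existing world-read bit in place). It assumes openssl 1.1.1 or newer on PATH; the file name, password and host name in the usage line are the page's placeholders and constructed values.

```bash
#!/usr/bin/env bash
# Added example, not part of the Syndeia Cloud documentation: sanity-check the PKCS12
# bundle from step 5 before the web-gateway is restarted on it. Assumes `openssl`
# 1.1.1 or newer on PATH; file name, password and host below are placeholders.

# Print the number of certificates in the bundle; a full chain has more than one.
pfx_cert_count() {
  local n
  n=$(openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null | grep -c 'BEGIN CERTIFICATE') || n=0
  echo "$n"
}

# Succeed only if a private key is inside; a chain-only bundle cannot terminate TLS.
pfx_has_key() {
  openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" 2>/dev/null | grep -q 'PRIVATE KEY'
}

# Succeed only if the end-entity certificate's SAN (or CN) matches the FQDN clients use.
pfx_matches_host() {
  openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null \
    | openssl x509 -noout -checkhost "$3" 2>/dev/null | grep -q ' does match '
}

# Succeed only if "other" users have no permission bits: the bundle holds the private
# key, and chmod ug+rw leaves an existing world-read bit in place.
pfx_mode_private() {
  local mode
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  case "$mode" in
    *0) return 0 ;;
    *)  return 1 ;;
  esac
}

# Run all checks, print one verdict per line, return 0 only when everything passes.
check_pfx() {
  local pfx="$1" pass="$2" host="$3" rc=0 count
  count=$(pfx_cert_count "$pfx" "$pass")
  if [ "$count" -ge 2 ]; then echo "ok    $count certificates in chain"
  else echo "FAIL  $count certificate(s): CA chain missing or wrong password"; rc=1; fi
  if pfx_has_key "$pfx" "$pass"; then echo "ok    private key present"
  else echo "FAIL  no private key in bundle"; rc=1; fi
  if pfx_matches_host "$pfx" "$pass" "$host"; then echo "ok    certificate matches $host"
  else echo "FAIL  certificate does not match $host"; rc=1; fi
  if pfx_mode_private "$pfx"; then echo "ok    not readable by other users"
  else echo "FAIL  world-accessible: run chmod o-rwx on the file"; rc=1; fi
  return "$rc"
}

# Usage with the page's placeholder file name (the password is a stand-in):
# check_pfx /etc/ssl/certs/host.domain.tld_CA-name_ca-chain_priv-key.pfx keystorePW host.domain.tld
```

A non-zero exit from check_pfx is a reason to stop before step 9: a bundle without the intermediate CA will load fine but leave browsers unable to build the chain, and a world-readable bundle exposes the key to every local account.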
...
Windows 2012-R2+
1. Obtain the full-chained cert, i.e.: root/signing CA + intermediate + issued cert (+ private key?) (Note: you may need to create a CSR via openssl, Java keytool or IIS and submit it to your CA / IT security admin).
...
5. On the Syndeia Cloud server, launch Cygwin Terminal and copy the PFX (PKCS12) to the system's SSL cert directory & update ownership + permissions, where host.domain.tld = your server's FQDN, i.e.: syndeia-cloud.company.com:
```bash
cp host.domain.tld_CA-name_ca-chain_priv-key.pfx /etc/ssl/certs/.
# chown Administrator:syndeia-cloud is optional here; you may want to set ACLs as appropriate on /etc/ssl/certs/host.domain.tld_CA-name_ca-chain_priv-key.pfx instead
chmod ug+rw /etc/ssl/certs/host.domain.tld_CA-name_ca-chain_priv-key.pfx
```
6. On the Syndeia Cloud server, in the Cygwin Terminal, update the web-gateway service's conf/application.conf file to now include an HTTPS.conf file:
...
```hocon
# play.server.https.keyStore.path - The path to the keystore containing the private key and certificate, if not provided generates a keystore for you in the conf dir
# (quoted so that the Windows backslashes can be escaped as \\ in HOCON)
play.server.https.keyStore.path = "C:\\cygwin64\\etc\\ssl\\certs\\host.domain.tld_CA-name.jkspfx"
# play.server.https.keyStore.type - The key store type, defaults to JKS
play.server.https.keyStore.type = pkcs12
# play.server.https.keyStore.password - The password, defaults to a blank password if omitted
play.server.https.keyStore.password = "keystorePW"
# TLS/SSL port to run on
play.server.https.port = 9443
# HTTP port to run on, or set to "disabled" if you want to force TLS/SSL
play.server.http.port = disabled
# Set the following additional security settings if running on production
jdk.tls.ephemeralDHKeySize=2048
jdk.tls.rejectClientInitiatedRenegotiation=true
```
...
8. On the Syndeia Cloud server, restart the Syndeia Cloud Web-Gateway service (sc-web-gateway).
9. Update the web-gateway entry in the lagom.services section of C:\cygwin64\opt\icx\syndeia-cloud-current\devops-...\conf\application.conf to specify the external URL and HTTPS port (replace host.domain.tld with your FQDN):
```hocon
lagom.services {
  cas_native = "http://localhost:9042"
  [...]
  web-gateway = "https://host.domain.tld:9443"
  [...]
}
```
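Before restarting the service it is worth confirming that HTTPS.conf and the lagom.services entry agree with each other and with the hardening the comments describe: HTTP disabled so TLS cannot be bypassed, a 2048-bit ephemeral DH minimum, client-initiated renegotiation rejected, a non-blank keystore password, and a web-gateway URL that is https on the same port with the external FQDN rather than localhost. The checker below is an added example, not part of Syndeia Cloud or its documentation, and applies equally to the Linux and Windows layouts above. It reads the two fragments with a small parser for the HOCON subset they use; the sample text is constructed from the values on this page with a placeholder password, the Play and JDK property names are the ones the page shows, and the keystore path should be whichever file was actually copied in step 5. Linux treats ports below 1024 as privileged, which is why the checker reports when AmbientCapabilities=CAP_NET_BIND_SERVICE would be needed in the unit.

```python
"""Lint the web-gateway HTTPS settings before restarting sc-web-gateway.

Added example, not part of Syndeia Cloud or its documentation. The property names are
the Play/JDK keys shown in HTTPS.conf and lagom.services; the sample text is constructed.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: the HTTPS.conf layout from the page, with a placeholder password.
SAMPLE_HTTPS_CONF = """
# play.server.https.keyStore.path - keystore with the private key and certificate
play.server.https.keyStore.path = "/etc/ssl/certs/host.domain.tld_CA-name_ca-chain_priv-key.pfx"
play.server.https.keyStore.type = pkcs12
play.server.https.keyStore.password = "keystorePW"
play.server.https.port = 9443
play.server.http.port = disabled
jdk.tls.ephemeralDHKeySize=2048
jdk.tls.rejectClientInitiatedRenegotiation=true
"""

# Constructed sample: the lagom.services block from application.conf.
SAMPLE_LAGOM_CONF = """
lagom.services {
  cas_native = "http://localhost:9042"
  web-gateway = "https://host.domain.tld:9443"
}
"""

_KV = re.compile(r'^([A-Za-z0-9_.-]+)\s*[=:]\s*(.+)$')


def parse_settings(text):
    """Flatten a HOCON subset (comments, `key = value`, nested `{}` blocks) into a dict.

    Values keep their text form with surrounding double quotes removed. Only full-line
    comments are skipped, so a '#' inside a quoted password survives.
    """
    settings, path = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#') or line.startswith('//'):
            continue
        if line.endswith('{'):
            path.append(line[:-1].strip())
            continue
        if line == '}':
            path.pop()
            continue
        match = _KV.match(line)
        if match:
            key = '.'.join(path + [match.group(1)])
            settings[key] = match.group(2).strip().strip('"')
    return settings


def check_https_conf(settings, unit_has_bind_cap=False):
    """Return findings for HTTPS.conf; an empty list means the hardened layout is in place."""
    findings = []
    if settings.get('play.server.http.port', '').lower() != 'disabled':
        findings.append('play.server.http.port is not "disabled": plaintext HTTP stays reachable')
    if settings.get('play.server.https.keyStore.type', 'JKS').lower() != 'pkcs12':
        findings.append('play.server.https.keyStore.type is not pkcs12, but the bundle is a .pfx')
    if not settings.get('play.server.https.keyStore.password'):
        findings.append('play.server.https.keyStore.password is blank')
    if int(settings.get('jdk.tls.ephemeralDHKeySize', 1024)) < 2048:
        findings.append('jdk.tls.ephemeralDHKeySize is below 2048')
    if settings.get('jdk.tls.rejectClientInitiatedRenegotiation', 'false').lower() != 'true':
        findings.append('jdk.tls.rejectClientInitiatedRenegotiation is not true')
    port = int(settings.get('play.server.https.port', 0))
    if port <= 0:
        findings.append('play.server.https.port is missing')
    elif port < 1024 and not unit_has_bind_cap:  # privileged port on Linux
        findings.append(f'port {port} needs AmbientCapabilities=CAP_NET_BIND_SERVICE in the unit')
    return findings


def check_gateway_url(settings, https_port):
    """Check that lagom.services.web-gateway is the external HTTPS URL on the TLS port."""
    url = settings.get('lagom.services.web-gateway', '')
    parts = urlsplit(url)
    findings = []
    if parts.scheme != 'https':
        findings.append(f'web-gateway URL {url!r} does not use https')
    if parts.hostname in (None, 'localhost', '127.0.0.1'):
        findings.append('web-gateway host should be the external FQDN, not localhost')
    if parts.port != https_port:
        findings.append(f'web-gateway port {parts.port} differs from play.server.https.port {https_port}')
    return findings


def lint(https_conf_text, lagom_text, unit_has_bind_cap=False):
    """Run both checks and return the combined list of findings."""
    https = parse_settings(https_conf_text)
    lagom = parse_settings(lagom_text)
    port = int(https.get('play.server.https.port', 0))
    return check_https_conf(https, unit_has_bind_cap) + check_gateway_url(lagom, port)


if __name__ == '__main__':
    for finding in lint(SAMPLE_HTTPS_CONF, SAMPLE_LAGOM_CONF) or ['no findings']:
        print(finding)
```

Run it against the real files by reading them into the two text arguments of lint(); any finding is worth resolving before the restart, since a reachable HTTP port or a lagom URL still pointing at http://localhost silently undoes the switch to TLS.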
...