By default RealOpInsight is deployed in unsecured (HTTP) mode. This guide describes how to enable TLS to access RealOpInsight over a secured (HTTPS) connection.
Requirements - Obtain a TLS/SSL Certificate
You can use a self-signed certificate or a public certificate. Depending on your organization's security policies, you can generate a self-signed certificate using OpenSSL, or use https://letsencrypt.org/ to obtain a free public certificate.
Note also that running RealOpInsight in TLS/HTTPS mode assumes a Diffie–Hellman (DH) key exchange and requires the following parameters:
- A TLS certificate file in PEM format.
- The certificate’s private key in PEM format.
- A Diffie–Hellman (DH) parameter file in PEM format. The following command shows how to use OpenSSL to generate a .pem file containing DH parameters with a length of 1024 bits:
openssl dhparam -out dhparam.pem 1024
Copy Certificate Files
- Copy the certificate file to /opt/realopinsight/etc/cert/cert.pem.
- Copy the certificate’s private key file to /opt/realopinsight/etc/cert/privkey.pem.
- Copy the DH parameter file to /opt/realopinsight/etc/cert/dhparam.pem.
Update RealOpInsight Systemd Service
Use a text editor and open the file /opt/realopinsight/etc/realopinsight-server.service.env
$ sudo vi /opt/realopinsight/etc/realopinsight-server.service.env
Find the line starting with HTTPS_OPTIONS and ensure that the following parameters are set as follows:
- --ssl-certificate shall point to the certificate file.
- --ssl-private-key shall point to the certificate’s private key file.
- --ssl-tmp-dh shall point to the DH parameter file.
Use a text editor and open the file /lib/systemd/system/realopinsight-server.service
$ sudo vi /lib/systemd/system/realopinsight-server.service
Find the line starting with ExecStart and replace the argument $HTTP_OPTIONS by $HTTPS_OPTIONS.
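Before restarting, the two edited files can be audited with a script such as the following, an added example that is not part of RealOpInsight. It assumes the flags in HTTPS_OPTIONS are written as "--flag value" or "--flag=value" and that GNU stat is available; the function names https_opt, fail and audit_tls_config are hypothetical.

```shell
# Added example (not RealOpInsight code): audit the two files edited in this guide.
# Assumptions: flags appear as "--flag value" or "--flag=value"; GNU stat (Linux).

# Print the value of one flag from the HTTPS_OPTIONS line of an env file.
https_opt() {  # $1 = env file, $2 = flag name
    sed -n 's/^HTTPS_OPTIONS=//p' "$1" | head -n 1 | tr -d "\"'" | tr ' =' '\n\n' |
        awk -v f="$2" 'found && NF { print; exit } $0 == f { found = 1 }'
}
fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

# Report problems on stdout; the return status is the number of FAIL lines.
audit_tls_config() {  # $1 = env file, $2 = systemd unit file
    problems=0
    for flag in --ssl-certificate --ssl-private-key --ssl-tmp-dh; do
        path=$(https_opt "$1" "$flag")
        if [ -z "$path" ]; then
            fail "$flag is not set in HTTPS_OPTIONS"
        elif [ ! -r "$path" ]; then
            fail "$flag points to a missing or unreadable file: $path"
        fi
    done

    # The private key must not be accessible to "other" users (mode must end in 0).
    key=$(https_opt "$1" --ssl-private-key)
    if [ -f "$key" ] && mode=$(stat -c %a "$key") && [ "${mode%0}" = "$mode" ]; then
        fail "$key has mode $mode, accessible to other users"
    fi

    # 1024-bit DH groups are considered too weak (see the Logjam research);
    # warn below 2048 bits. Skipped when openssl is absent or the file is unparsable.
    dh=$(https_opt "$1" --ssl-tmp-dh)
    bits=$(openssl dhparam -in "$dh" -noout -text 2>/dev/null |
        sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
        echo "WARN: DH parameters are only $bits bits"
    fi

    # The unit must start the server with $HTTPS_OPTIONS, not $HTTP_OPTIONS.
    if ! grep '^ExecStart' "$2" | grep -q 'HTTPS_OPTIONS'; then
        fail "ExecStart does not reference HTTPS_OPTIONS"
    fi
    return "$problems"
}

# Usage: sh audit.sh <env file> <unit file>
if [ "$#" -eq 2 ]; then audit_tls_config "$1" "$2"; fi
```

Run it with the env file and the unit file named in this section as its two arguments; an exit status of 0 means no FAIL line was reported.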
Restart RealOpInsight Systemd Service
Reload systemd manager configuration
$ sudo systemctl daemon-reload
Restart RealOpInsight service
$ sudo systemctl restart realopinsight-server.service
Check that the service restarted successfully
$ sudo systemctl status realopinsight-server.service
Check that everything went fine by looking at the following log files:
- Syslog (/var/log/system).
- RealOpInsight log file (/opt/realopinsight/log/realopinsight.log).
If everything is fine, you should be able to access RealOpInsight over HTTPS: https://<SERVER_ADDR>:4583/ui/