Enable TLS/HTTPS Encryption

By default RealOpInsight is deployed in unsecured (HTTP) mode. This guide describes how to enable TLS to access RealOpInsight over a secured (HTTPS) connection.

Requirements - Obtain a TLS/SSL Certificate

You can use a self-signed certificate or a public certificate. According to your organization security policies you may easily generate a self-signed certificate using OpenSSL or even use https://letsencrypt.org/ to generate a free public certificate.

Note in addition that, running RealOpInsight in TLS/HTTPS mode assumes a Diffie–Hellman (DH) key exchange and requires the following parameters:

  • A TLS certificate file in PEM format

  • The certificate’s private key in PEM format

  • A Diffie–Hellman (DH) parameter file in PEM format. The following command show how to use OpenSSL to generate a .pem file containing a DH parameters with a length of 1024 bits:

    openssl dhparam -out dhparam.pem 1024
    

Copy Certificate Files

  • Copy the certificate file to /opt/realopinsight/etc/cert/cert.pem.
  • Copy the certificate’s private key file to /opt/realopinsight/etc/cert/privkey.pem.
  • Copy the DH parameter file to /opt/realopinsight/etc/cert/dhparam.pem.

Update RealOpInsight Systemd Service

Use a text editor and open the file /opt/realopinsight/etc/realopinsight-server.service.env

$ sudo vi /opt/realopinsight/etc/realopinsight-server.service.env

Find the line starting with HTTPS_OPTIONS and ensure that the following parameters are as follows:

  • --ssl-certificate shall point to the certificate file.
  • --ssl-private-key shall point to the certificate’s private key file.
  • --ssl-tmp-dh shall point to the DH parameter file.

Use a text editor and open the file /lib/systemd/system/realopinsight-server.service

$ sudo vi /lib/systemd/system/realopinsight-server.service

Find the line starting with ExecStart and replace the argument $HTTP_OPTIONS by $HTTPS_OPTIONS.

Restart RealOpInsight Systemd Service

Reload systemd manager configuration

$ sudo systemctl daemon-reload

Restart RealOpInsight service

$ sudo systemctl restart realopinsight-server.service

Check that the service restart successfully

$ sudo systemctl status realopinsight-server.service

Check that everything went fine by looking at the following log files:

  • Syslog (/var/log/system).
  • RealOpInsight log file (/opt/realopinsight/log/realopinsight.log).

If everything is fine, you should be able to able access RealOpInsight over HTTPS: https://<SERVER_ADDR>:4583/ui/