Enable Hypertext Transfer Protocol Secure (HTTPS) support in OpsCenter and specify
SSL information for better security.
opscenterd.conf
The location of the opscenterd.conf file depends on the type of installation:
- Package installations: /etc/opscenter/opscenterd.conf
- Tarball installations: install_location/conf/opscenterd.conf
You can enable or disable HTTPS support for OpsCenter. To enable HTTPS, follow the
steps below. For additional security, enable HTTP Strict Transport Security so that
OpsCenter returns an HSTS header for added protection against protocol downgrade
attacks or cookie hijacks.
Procedure
- Open the OpsCenter configuration file, opscenterd.conf.
- Scroll to the [webserver] section.
This snippet from opscenterd.conf shows the default [webserver] section to change:
[webserver]
port = 8888
interface = 127.0.0.1
# The following settings can be used to enable ssl support for the
# opscenter web application. Change these values to point to the
# ssl certificate and key that you wish to use for your OpsCenter
# install, as well as the port you would like
# to serve ssl traffic from.
#ssl_keyfile = /var/lib/opscenter/ssl/opscenter.key
#ssl_certfile = /var/lib/opscenter/ssl/opscenter.pem
#ssl_port = 8443
- Remove the comment markers (#) in front of ssl_keyfile, ssl_certfile, and ssl_port.
Use the default values for ssl_keyfile and ssl_certfile, or replace them with the
paths to your own private key and public certificate.
If your organization is using certificates signed by a commercial certificate
authority like Verisign or Thawte, you must provide the complete certificate
chain. In addition to the certificate that you were issued, this includes a root
certificate and typically one or more intermediate (or chained) certificates.
Your certificate provider can help you determine the necessary list of
certificates. The PEM format allows concatenating multiple certificates
together. For certificates with a trust chain, add the whole chain into a single
PEM file and specify the location in ssl_certfile. DigiCert has more information
detailing certificate concatenation in PEM files:
https://www.digicert.com/ssl-support/pem-ssl-creation.htm.
- Optional: Enable the HTTP Strict Transport Security option to force OpsCenter to return
an HSTS header in HTML responses that go over HTTPS. The HSTS maximum age
represents the length of time in seconds that supported browsers should consider
an HSTS header fresh, which is 1 year by default. If the max age has been
exceeded, browsers refuse to connect to OpsCenter with unencrypted HTTP.
[webserver]
port = 8888
interface = 127.0.0.1
ssl_keyfile = /var/lib/opscenter/ssl/opscenter.key
ssl_certfile = /var/lib/opscenter/ssl/opscenter.pem
ssl_port = 8443
hsts_enabled = True
hsts_max_age = 31536000
- Save opscenterd.conf and restart OpsCenter.
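A pre-restart check of the edited file, as an added example that is not part of the OpsCenter documentation or tooling: it reports which [webserver] SSL settings are still commented out, whether HSTS is on, and how many certificates are concatenated in a PEM chain. The function names and the sample inputs are constructed for illustration; the PEM bodies are placeholders, not real certificates.

```python
import configparser
import re

def audit_webserver(conf_text):
    """Return findings for the [webserver] section of opscenterd.conf text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    if not cp.has_section("webserver"):
        return ["no [webserver] section"]
    ws = cp["webserver"]
    # Commented-out keys are invisible to the parser, so "not set" here
    # means the comment marker was never removed.
    findings = [f"{k} is not set" for k in
                ("ssl_keyfile", "ssl_certfile", "ssl_port") if not ws.get(k)]
    if not ws.getboolean("hsts_enabled", fallback=False):
        findings.append("hsts_enabled is not True (optional hardening)")
    return findings

def count_certs(pem_text):
    """Number of certificates concatenated in a PEM file (ssl_certfile)."""
    return len(re.findall(r"^-----BEGIN CERTIFICATE-----\s*$", pem_text, re.M))

# Constructed sample input: the default section shown on this page.
DEFAULT_CONF = """\
[webserver]
port = 8888
interface = 127.0.0.1
#ssl_keyfile = /var/lib/opscenter/ssl/opscenter.key
#ssl_certfile = /var/lib/opscenter/ssl/opscenter.pem
#ssl_port = 8443
"""
# Constructed sample input: the same section after the procedure.
ENABLED_CONF = (DEFAULT_CONF.replace("#ssl_", "ssl_")
                + "hsts_enabled = True\nhsts_max_age = 31536000\n")
# Constructed placeholder chain: the bodies are not real certificates.
CHAIN = "".join(f"-----BEGIN CERTIFICATE-----\n(constructed {n})\n"
                "-----END CERTIFICATE-----\n"
                for n in ("leaf", "intermediate", "root"))

if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("enabled", ENABLED_CONF)):
        print(name, audit_webserver(conf) or "OK")
    print("certificates in chain:", count_certs(CHAIN))
```

A count of 1 from count_certs is expected for a self-signed certificate; for a certificate issued by a commercial certificate authority it means the chain described above is incomplete.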