Enabling HTTPS for the OpsCenter server

Enable Hypertext Transfer Protocol Secure (HTTPS) support in OpsCenter and specify SSL information for better security.

opscenterd.conf 

The location of the opscenterd.conf file depends on the type of installation:

  • Package installations: /etc/opscenter/opscenterd.conf
  • Tarball installations: install_location/conf/opscenterd.conf
Enable Hypertext Transfer Protocol Secure (HTTPS) support in OpsCenter and specify SSL information for better security. You can enable or disable HTTPS support for OpsCenter. To enable HTTPS, follow the steps below. For additional security, enable HTTP Strict Transport Security to enforce OpsCenter to return an HSTS header for added protection against protocol downgrade attacks or cookie hijacks.
Note: Disabling HTTPS in an HSTS environment can be time-consuming. See the prerequisites in Disabling HTTPS with HSTS for the OpsCenter Server.

Procedure

  1. Open the OpsCenter configuration file, opscenterd.conf.
  2. Scroll to the [webserver] section.
    This snippet from opscenterd.conf shows the default [webserver] section to change:
    
    [webserver]
    port = 8888
    interface = 127.0.0.1
    # The following settings can be used to enable ssl support for the 
    # opscenter web application. Change these values to point to the 
    # ssl certificate and key that you wish to use for your OpsCenter 
    # install, as well as the port you would like
    # to serve ssl traffic from.
    #ssl_keyfile = /var/lib/opscenter/ssl/opscenter.key
    #ssl_certfile = /var/lib/opscenter/ssl/opscenter.pem
    #ssl_port = 8443
    
  3. Remove the comment markers (#) in front of ssl_keyfile, ssl_certfile, and ssl_port.
    Use the default values for ssl_keyfile and ssl_certfile, or replace them with the path to your own private and public certificates.
    Tip: See the OpsCenter ports reference for ports information.
    If your organization is using certificates signed by a commercial certificate authority like Verisign or Thawte, you must provide the complete certificate chain. In addition to the certificate that you were issued, this includes a root certificate and typically one or more intermediate (or chained) certificates. Your certificate provider can help you determine the necessary list of certificates. The PEM format allows concatenating multiple certificates together. For certificates with a trust chain, add the whole chain into a single PEM file and specify the location in ssl_certfile. Digicert has more information detailing certificate concatenation in PEM files: https://www.digicert.com/ssl-support/pem-ssl-creation.htm.
  4. Optional: Enable the HTTP Strict Transport Security option to force OpsCenter to return an HSTS header in HTML responses that go over HTTPS. The HSTS maximum age represents the length of time in seconds that supported browsers should consider an HSTS header fresh, which is 1 year by default. If the max age has been exceeded, browsers refuse to connect to OpsCenter with unencrypted HTTP.
    
    [webserver]
    port = 8888
    interface = 127.0.0.1
    ssl_keyfile = /var/lib/opscenter/ssl/opscenter.key
    ssl_certfile = /var/lib/opscenter/ssl/opscenter.pem
    ssl_port = 8443
    hsts_enabled = True
    hsts_max_age = 31536000
  5. Save opscenterd.conf and restart OpsCenter.