Enabling and Disabling HTTPS for the OpsCenter server
About the Enabling task
Enable Hypertext Transfer Protocol Secure (HTTPS) support in OpsCenter and specify SSL information for better security. You can enable or disable HTTPS support for OpsCenter. To enable HTTPS, follow the steps below. For additional security, enable HTTP Strict Transport Security (HSTS) to force OpsCenter to return an HSTS header, which protects against protocol downgrade attacks and cookie hijacking.
Disabling HTTPS in an HSTS environment can be time-consuming. See the prerequisites in Disabling HTTPS with HSTS for the OpsCenter Server.
Procedure
- Open the OpsCenter configuration file, opscenterd.conf. The location of this file depends on the type of installation:
  - Package installations: /etc/opscenter/opscenterd.conf
  - Tarball installations: install_location/conf/opscenterd.conf
- Scroll to the [webserver] section. This snippet from opscenterd.conf shows the default [webserver] section to change:

  [webserver]
  port = 8888
  interface = 127.0.0.1
  # The following settings can be used to enable ssl support for the
  # opscenter web application. Change these values to point to the
  # ssl certificate and key that you wish to use for your OpsCenter
  # install, as well as the port you would like
  # to serve ssl traffic from.
  #ssl_keyfile = /var/lib/opscenter/ssl/opscenter.key
  #ssl_certfile = /var/lib/opscenter/ssl/opscenter.pem
  #ssl_port = 8443

- Remove the comment markers (#) in front of ssl_keyfile, ssl_certfile, and ssl_port. Use the default values for ssl_keyfile and ssl_certfile, or replace them with the paths to your own private key and certificate. See the OpsCenter ports reference for ports information.
  If your organization is using certificates signed by a commercial certificate authority like Verisign or Thawte, you must provide the complete certificate chain. In addition to the certificate that you were issued, this includes a root certificate and typically one or more intermediate (or chained) certificates. Your certificate provider can help you determine the necessary list of certificates. The PEM format allows concatenating multiple certificates together. For certificates with a trust chain, add the whole chain into a single PEM file and specify its location in ssl_certfile. Digicert has more information detailing certificate concatenation in PEM files: https://www.digicert.com/ssl-support/pem-ssl-creation.htm.
- Optional: Enable the HTTP Strict Transport Security option to force OpsCenter to return an HSTS header in HTML responses that go over HTTPS. The HSTS maximum age is the length of time in seconds that supported browsers should consider an HSTS header fresh; it is 1 year by default. Until the max age has elapsed, browsers refuse to connect to OpsCenter over unencrypted HTTP.

  [webserver]
  port = 8888
  interface = 127.0.0.1
  ssl_keyfile = /var/lib/opscenter/ssl/opscenter.key
  ssl_certfile = /var/lib/opscenter/ssl/opscenter.pem
  ssl_port = 8443
  hsts_enabled = True
  hsts_max_age = 31536000

  For further information, see https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet and https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security.
- Save opscenterd.conf and restart OpsCenter.
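Before restarting, it is worth confirming that the edited [webserver] section really yields an HTTPS listener and an HSTS header. The following Python script is an added example written for this page, not DataStax code: it parses a constructed copy of the snippet above with the standard configparser module (a commented-out key simply does not exist in the parsed section), reports whether HTTPS is in effect, derives the Strict-Transport-Security value OpsCenter is configured to send, and runs a few sanity checks of the author's own. It assumes, as the page states, that the HSTS header is only sent on HTTPS responses and that hsts_max_age defaults to one year when absent.

```python
"""Added example for this page (not DataStax code): lint the [webserver]
section of opscenterd.conf and report whether HTTPS and HSTS are in effect."""
import configparser
from typing import List, Optional

# Constructed sample: the page's snippet after uncommenting the SSL keys and
# turning on HSTS. For a real file use parser.read("/etc/opscenter/opscenterd.conf").
SAMPLE_CONF = """
[webserver]
port = 8888
interface = 127.0.0.1
# The following settings can be used to enable ssl support for the
# opscenter web application.
ssl_keyfile = /var/lib/opscenter/ssl/opscenter.key
ssl_certfile = /var/lib/opscenter/ssl/opscenter.pem
ssl_port = 8443
hsts_enabled = True
hsts_max_age = 31536000
"""

SSL_KEYS = ("ssl_keyfile", "ssl_certfile", "ssl_port")
DEFAULT_HSTS_MAX_AGE = 31536000  # one year, the default the page documents (assumed when the key is absent)


def load_webserver(text: str) -> configparser.SectionProxy:
    """Parse the config text; lines starting with '#' are comments, so a
    commented-out key is simply absent from the section."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return parser["webserver"]


def https_enabled(ws: configparser.SectionProxy) -> bool:
    """HTTPS is only served when all three SSL settings are uncommented."""
    return all(ws.get(key) for key in SSL_KEYS)


def hsts_header(ws: configparser.SectionProxy) -> Optional[str]:
    """Return the Strict-Transport-Security value OpsCenter is configured to
    send, or None when HSTS is off or there is no HTTPS listener to send it on
    (the page states the header only goes out on HTTPS responses)."""
    if not https_enabled(ws) or not ws.getboolean("hsts_enabled", fallback=False):
        return None
    return f"max-age={ws.getint('hsts_max_age', fallback=DEFAULT_HSTS_MAX_AGE)}"


def lint(ws: configparser.SectionProxy) -> List[str]:
    """Author's own sanity checks for the mistakes most likely after hand-editing."""
    problems = []
    present = [key for key in SSL_KEYS if ws.get(key)]
    if present and len(present) != len(SSL_KEYS):
        missing = ", ".join(sorted(set(SSL_KEYS) - set(present)))
        problems.append(f"partial SSL config, still commented out: {missing}")
    if https_enabled(ws) and ws.get("ssl_port") == ws.get("port"):
        problems.append("ssl_port equals port; HTTP and HTTPS cannot share one port")
    if ws.getboolean("hsts_enabled", fallback=False) and not https_enabled(ws):
        problems.append("hsts_enabled is True but HTTPS is off, so no HSTS header is ever sent")
    if ws.get("hsts_max_age") is not None:
        try:
            if ws.getint("hsts_max_age") < 0:
                raise ValueError
        except ValueError:
            problems.append("hsts_max_age must be a non-negative number of seconds")
    return problems


if __name__ == "__main__":
    ws = load_webserver(SAMPLE_CONF)
    print("HTTPS enabled:", https_enabled(ws))
    print("HSTS header:", hsts_header(ws))
    print("problems:", lint(ws) or "none")
```

Point the parser at the real opscenterd.conf and run it after each edit; a "partial SSL config" finding is the usual result of uncommenting two of the three keys, and the hsts_enabled check catches the case where HSTS was switched on but the SSL lines were left commented.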
About the Disabling task
Disable HTTPS with HSTS for the OpsCenter server. To disable HTTPS without HSTS, simply comment out the SSL entries. If HTTPS is used in an HSTS environment, follow the steps in this procedure to phase out the HSTS header before altogether disabling HTTPS with HSTS.
Prerequisites
Removing HTTPS from an OpsCenter server is an uncommon action in production systems, but may be necessary during development and testing.
HSTS complicates the process of disabling HTTPS because browsers that have recently received an HSTS header will refuse to connect to OpsCenter over unencrypted HTTP even if the HTTPS service has been disabled.
When disabling HTTPS with HSTS, first lower hsts_max_age to a very small value such as 10 seconds (the default is 31536000 seconds, which equates to 1 year).
Drastically lowering the value effectively disables HSTS on each browser that subsequently connects to OpsCenter and receives the updated header, ensuring that the header expires almost immediately.
Continue to run OpsCenter with HTTPS enabled and a very short hsts_max_age for a sufficient period of time so that all browsers that visit OpsCenter receive the updated header.
At that point, HTTPS and HSTS can be disabled entirely without disrupting the ability of supported browsers to connect to OpsCenter.
If HTTPS has already been disabled and browsers are currently unable to connect to OpsCenter, the following options are available:
- HTTPS can be re-enabled and hsts_max_age lowered as described above.
- Manually clear the HSTS header cache in browsers. This requires visiting every browser that accesses OpsCenter, and referring to browser manufacturer documentation on clearing the HSTS header cache.
Procedure
- Locate the OpsCenter opscenterd.conf file to edit. The location of this file depends on the type of installation:
  - Package installations: /etc/opscenter/opscenterd.conf
  - Tarball installations: install_location/conf/opscenterd.conf
- Open the configuration file, opscenterd.conf.
- In the [webserver] section, make the following changes as appropriate:
  - If HSTS is enabled with a long max age, lower the hsts_max_age value.
  - Save opscenterd.conf and restart OpsCenter.
  - Run OpsCenter in this state for a while until you're confident that all browser clients have connected and received updated HSTS headers with a short max-age.
- Open opscenterd.conf again. Comment out the SSL and max age options. Set hsts_enabled to False (or comment it out) as shown in the following example:

  [webserver]
  port = 8888
  interface = 127.0.0.1
  #ssl_keyfile = /var/lib/opscenter/ssl/opscenter.key
  #ssl_certfile = /var/lib/opscenter/ssl/opscenter.pem
  #ssl_port = 8443
  hsts_enabled = False
  #hsts_max_age = 31536000

- Save opscenterd.conf and restart OpsCenter.
  If any clients with HSTS headers are unable to connect, either re-enable HTTPS with a short max age or consult your browser vendor docs about clearing the HSTS header cache.
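The reason the prerequisites above insist on lowering hsts_max_age and waiting before commenting out the SSL entries is easiest to see by replaying the procedure against a model of a browser's HSTS cache. The following Python script is an added example written for this page, not DataStax code. It implements the cache behaviour standardised in RFC 6797 (the header is ignored on plain HTTP, a freshly received max-age replaces the stored expiry rather than extending it, and max-age=0 deletes the entry) and walks one browser through the page's steps; the hostname and timestamps are constructed.

```python
"""Added example for this page (not DataStax code): a minimal model of a
browser's HSTS cache, used to show why hsts_max_age must be lowered and
left running before HTTPS is switched off."""
import re
from dataclasses import dataclass, field
from typing import Dict

ONE_YEAR = 31536000  # the page's default hsts_max_age
ONE_DAY = 86400


def parse_max_age(header: str) -> int:
    """Extract the max-age directive from a Strict-Transport-Security value."""
    match = re.search(r"max-age\s*=\s*\"?(\d+)\"?", header, re.IGNORECASE)
    if not match:
        raise ValueError(f"no max-age directive in {header!r}")
    return int(match.group(1))


@dataclass
class HstsCache:
    """host -> absolute expiry time in seconds, as a browser keeps it (RFC 6797):
    the header is ignored on plain HTTP, a new header replaces the expiry rather
    than extending it, and max-age=0 deletes the entry."""
    entries: Dict[str, float] = field(default_factory=dict)

    def observe(self, host: str, header: str, now: float, over_https: bool = True) -> None:
        if not over_https:
            return
        max_age = parse_max_age(header)
        if max_age == 0:
            self.entries.pop(host, None)
        else:
            self.entries[host] = now + max_age

    def forces_https(self, host: str, now: float) -> bool:
        """True while the browser would refuse a plain-HTTP connection to host."""
        expiry = self.entries.get(host)
        if expiry is None:
            return False
        if now >= expiry:
            del self.entries[host]
            return False
        return True


def phase_out_scenario(host: str = "opscenter.example.internal") -> Dict[str, bool]:
    """Replay the page's procedure against one browser (constructed hostname)."""
    cache = HstsCache()
    t0 = 0.0
    # A browser that visited OpsCenter while hsts_max_age was the 1-year default.
    cache.observe(host, f"max-age={ONE_YEAR}", now=t0)
    # If HTTPS were simply commented out, one day later that browser still
    # refuses plain HTTP to the host, and OpsCenter is unreachable for it.
    refused_without_phase_out = cache.forces_https(host, now=t0 + ONE_DAY)
    # Correct procedure: keep HTTPS up, serve max-age=10, wait for the browser to revisit.
    cache.observe(host, "max-age=10", now=t0 + ONE_DAY)
    still_pinned_right_after = cache.forces_https(host, now=t0 + ONE_DAY + 5)
    # Once the short max-age has elapsed the entry is gone and HTTP is accepted,
    # so HTTPS and HSTS can now be disabled without locking this browser out.
    pinned_after_expiry = cache.forces_https(host, now=t0 + ONE_DAY + 11)
    return {
        "refused_without_phase_out": refused_without_phase_out,
        "still_pinned_right_after": still_pinned_right_after,
        "pinned_after_expiry": pinned_after_expiry,
    }


if __name__ == "__main__":
    for stage, pinned in phase_out_scenario().items():
        print(f"{stage}: browser forces HTTPS = {pinned}")
```

The model also explains the recovery option in the prerequisites: a browser that is already locked out can only be released by a new header, and that header must arrive over HTTPS, which is why re-enabling HTTPS with a short max-age works while serving the header over plain HTTP would be ignored.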