4.2. Enabling HTTPS

By default, the communication between a product and an OPSWAT Central Management server is not encrypted. When HTTPS is enabled, the server enforces secure connections between clients and the server over SSL/TLS channels. This section describes how to enable SSL for OPSWAT Central Management.

Warning

Please be aware that enabling HTTPS on the OPSWAT Central Management server can cause devices that have installed OPSWAT Client to be unable to connect to this server. These devices require reinstallation of OPSWAT Client.

Requirements

In order to enable HTTPS on OPSWAT Central Management server, a trusted certificate issued by a certificate authority provider or a self-signed certificate must be provided.

See the section below for information on how to install a self-signed server certificate if a trusted certificate is not provided.

Enabling HTTPS for OPSWAT Central Management

Requirement: You need to have the certificate file and its private key file on your server, for example C:\OCM_Keys\your.crt and C:\OCM_Keys\your.key.

To enable HTTPS on OPSWAT Central Management server:

  1. Go to nginx configuration folder under OPSWAT Central Management installation folder (e.g., C:\Program Files\OPSWAT\Central\nginx\conf).

  2. The code block below should be available in the ssl.conf file. Note: you need to replace

    1. <PATH_TO_CERT_FILE> with the path to your certificate file, for example "C:\OCM_Keys\your.crt"

    2. <PATH_TO_KEY_FILE> with the path to your key file, for example "C:\OCM_Keys\your.key"

ssl on;
ssl_certificate <PATH_TO_CERT_FILE>;
ssl_certificate_key <PATH_TO_KEY_FILE>;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
error_page 497 https://$host:$server_port$request_uri;

Using the standard Windows path separator, the backslash '\', may have unexpected results if a directory or file name starts with 'n'. The reason is that nginx interprets the sequence '\n' as a newline.

For example, the following directive:

ssl_certificate "C:\Program Files\OPSWAT\Metadefender Centralmgmt\nginx\your.crt";

will be interpreted by nginx as:

ssl_certificate "C:\Program Files\OPSWAT\Metadefender Centralmgmt
ginx\your.crt";

As a workaround, instead of backslash '\', please use:

  1. Forward slash '/' or

  2. Double backslash '\\'.

Such as:

ssl_certificate "C:\\Program Files\\OPSWAT\\Metadefender Centralmgmt\\nginx\\your.crt";

  3. Restart OPSWAT Central Management by clicking the Restart button on the OPSWAT Central Management tray icon.

  4. After the service is restarted, open the OPSWAT Central Management console UI, for example https://localhost:9000, to check whether the console can be loaded successfully.

  5. Update the Device API setting to use HTTPS. Go to Server Configuration > Device API and change the Server URL from "http" to "https". Press Save.
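The backslash pitfall described in step 2 is easy to miss by eye. The following script is an added example (not part of the OPSWAT documentation or product) that scans ssl.conf text for ssl_certificate and ssl_certificate_key paths nginx would mangle, treating a doubled backslash as the safe escaped form, and proposes the forward-slash rewrite; the sample configuration is constructed here.

```python
import re

# Matches the two ssl.conf directives that carry a file path (quoted or not).
PATH_DIRECTIVE = re.compile(r'^\s*(ssl_certificate(?:_key)?)\s+"?([^";]+?)"?\s*;', re.M)

def risky_escapes(path):
    """Return the backslash sequences in a path that nginx's config parser rewrites:
    '\\n' becomes a newline (the case from the documentation); nginx applies the same
    treatment to '\\t' and '\\r'. A doubled backslash is a literal backslash and is
    skipped as a pair, so the documented double-backslash workaround is not flagged."""
    found, i = [], 0
    while i < len(path) - 1:
        if path[i] == "\\":
            nxt = path[i + 1]
            if nxt == "\\":      # '\\' is a correctly escaped backslash
                i += 2
                continue
            if nxt in "ntr":
                found.append("\\" + nxt)
        i += 1
    return found

def safe_path(path):
    """Rewrite a Windows path with forward slashes (the first documented workaround)."""
    return path.replace("\\\\", "/").replace("\\", "/")

def check_ssl_conf(conf_text):
    """Return {directive: (original_path, escapes, suggested_path)} for every
    certificate/key path in the given ssl.conf text that nginx would mangle."""
    report = {}
    for directive, path in PATH_DIRECTIVE.findall(conf_text):
        escapes = risky_escapes(path)
        if escapes:
            report[directive] = (path, escapes, safe_path(path))
    return report

# Constructed sample: the "nginx" directory follows a single backslash in the
# certificate path, so nginx reads "\n" as a newline; the key path is already safe.
SAMPLE_CONF = r'''
ssl on;
ssl_certificate "C:\Program Files\OPSWAT\Metadefender Centralmgmt\nginx\your.crt";
ssl_certificate_key "C:/Program Files/OPSWAT/Metadefender Centralmgmt/nginx/your.key";
ssl_protocols TLSv1.1 TLSv1.2;
'''

if __name__ == "__main__":
    for directive, (path, escapes, fixed) in check_ssl_conf(SAMPLE_CONF).items():
        print(f"{directive}: {path!r} contains {escapes}; use {fixed!r} instead")
```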


OPSWAT Central Management below version 7.2.0 keeps the HTTPS configuration in nginx.conf. If you are upgrading from one such version to 7.2.0 or above, the setup should automatically generate ssl.conf from your modified nginx.conf file and reset nginx.conf to its default state. In case the generating process failed and the default ssl.conf is installed instead, please follow the instructions below to retrieve your HTTPS configuration.

  1. Navigate to nginx.conf's backup folder (located in C:\ProgramData\OPSWAT\Central\bak by default).

  2. Locate the HTTPS configuration block as shown above.

  3. Copy the configuration block to the active ssl.conf file (located in C:\Program Files\OPSWAT\Central\nginx\conf by default).

  4. Restart OPSWAT Central Management for the new configuration to take effect.

Adding product instances with HTTPS configuration

Adding a product instance configured for an HTTPS connection may require adding its root certificate to the keystore of OPSWAT Central Management's Java Runtime Environment. Please follow the instructions below to add the certificate.

  1. Locate the root certificate file (.crt) for the product instance.

  2. From an elevated command-line interface, enter the command:

    "%JRE_HOME%\bin\keytool" -importcert -keystore "%JRE_HOME%\lib\security\cacerts" -storepass <password> -alias "<alias>" -file "<rootCA.crt path>"

    Example:

    "%JRE_HOME%\bin\keytool" -importcert -keystore "%JRE_HOME%\lib\security\cacerts" -storepass changeit -alias "ocmCA" -file "C:\Users\admin\Downloads\ocm.crt"

    The JRE_HOME environment variable must already be set on the host machine for the command to work. Replace the following fields with the correct information.

    • <password>: The keystore's password.

    • <alias>: The certificate's alias.

    • <rootCA.crt path>: The path to the product instance's root certificate file.

  3. Restart OPSWAT Central Management for the changes to take effect.