4.2 Enabling HTTPS

By default, communication between a product and an OPSWAT Central Management server is not encrypted. When HTTPS is enabled, the server can enforce secure connections between clients and the server over SSL channels. This section describes how to enable SSL for OPSWAT Central Management.

Warning

Please be aware that enabling HTTPS on the OPSWAT Central Management server can cause devices that have installed OPSWAT Client to be unable to connect to this server. These devices require reinstallation of OPSWAT Client.

Requirements

In order to enable HTTPS on OPSWAT Central Management server, a trusted certificate issued by a certificate authority provider or a self-signed certificate must be provided.

See the section below for information on how to install a self-signed server certificate if a trusted certificate is not provided.

Enabling HTTPS for OPSWAT Central Management

Requirement: You need the certificate file and its key file on your server, for example, C:\OCM_Keys\your.crt and C:\OCM_Keys\your.key.

To enable HTTPS on OPSWAT Central Management server:

  1. Go to the nginx folder under the OPSWAT Central Management installation folder (e.g., C:\Program Files\OPSWAT\Central\nginx\conf).

  2. Add the configuration in the code block below to the Server section of the nginx.conf file. Note: You need to replace:

    1. <PATH_TO_CERT_FILE> with the path to your certificate file, for example: C:\OCM_Keys\your.crt

    2. <PATH_TO_KEY_FILE> with the path to your key file, for example: C:\OCM_Keys\your.key

ssl on;
ssl_certificate <PATH_TO_CERT_FILE>;
ssl_certificate_key <PATH_TO_KEY_FILE>;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
error_page 497 https://$host:$server_port$request_uri;

Using the standard Windows path separator backslash '\' may have unexpected results if the directory or file names start with 'n'. The reason is that the sequence '\n' is interpreted as a new line by nginx.

For example, the following directive:

ssl_certificate "C:\Program Files\OPSWAT\Metadefender Centralmgmt\nginx\your.crt";

will be interpreted by nginx as:

ssl_certificate "C:\Program Files\OPSWAT\Metadefender Centralmgmt
ginx\your.crt";

As a workaround, instead of backslash '\', please use:

  1. Forward slash '/' or

  2. Double backslash '\\'.

Such as:

ssl_certificate "C:\\Program Files\\OPSWAT\\Metadefender Centralmgmt\\nginx\\your.crt";

  3. Restart OPSWAT Central Management by clicking the Restart button on the OPSWAT Central Management tray icon.

  4. After the service is restarted, open the OPSWAT Central Management console UI, for example https://localhost:9000, to check whether the console loads successfully.

  5. Update the Device API setting to use HTTPS. Go to Server Configuration > Device API and change the Server URL from "http" to "https". Press Save.
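The path-separator problem described in step 2 can be caught before restarting the service. The following is an added example, not part of the OPSWAT documentation: a small Python check that reads the ssl_certificate and ssl_certificate_key values the way nginx's configuration parser does and reports any backslash sequence that turns into a control character. It goes beyond the page by also flagging `\t` and `\r`, which nginx unescapes the same way as `\n`; the function names and the sample configuration are constructed for illustration.

```python
import re

# Escape pairs nginx's config tokenizer rewrites inside a directive value.
CONTROL = {"n": "\n", "t": "\t", "r": "\r"}
DIRECTIVE = re.compile(r'\s*(ssl_certificate(?:_key)?)\s+"?(.*?)"?\s*;')

# Constructed sample: one path written as on the page, one with the workaround.
SAMPLE_CONF = r'''server {
    ssl_certificate "C:\Program Files\OPSWAT\Metadefender Centralmgmt\nginx\your.crt";
    ssl_certificate_key "C:\\OCM_Keys\\your.key";
}'''


def nginx_unescape(value):
    """Return (value as nginx reads it, escapes that became control chars)."""
    out, risky, i = [], [], 0
    while i < len(value):
        nxt = value[i + 1] if i + 1 < len(value) else ""
        if value[i] == "\\" and nxt in CONTROL:
            out.append(CONTROL[nxt])
            risky.append("\\" + nxt)
            i += 2
        elif value[i] == "\\" and nxt in ('"', "'", "\\"):
            out.append(nxt)          # '\\' collapses to one literal backslash
            i += 2
        else:
            out.append(value[i])     # any other backslash is kept as-is
            i += 1
    return "".join(out), risky


def check_conf(text):
    """Return findings as (line number, directive, escapes, forward-slash rewrite)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if not m:
            continue
        _, risky = nginx_unescape(m.group(2))
        if risky:
            fixed = re.sub(r"\\+", "/", m.group(2))   # workaround 1 from the page
            findings.append((lineno, m.group(1), risky, fixed))
    return findings


if __name__ == "__main__":
    for lineno, directive, risky, fixed in check_conf(SAMPLE_CONF):
        print(f'line {lineno}: {directive} contains {risky}; use "{fixed}"')
```

To check a real installation, pass the contents of nginx.conf to check_conf() instead of SAMPLE_CONF.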
