Updating the Web Server Configuration to Enable SSL (Linux)
Note: These instructions apply to Apache version 2.4.6.
1. Stop the Apache and Tomcat services. From a terminal console, enter the following commands for a Linux server:
/opt/aptare/bin/tomcat-agent stop
/opt/aptare/bin/tomcat-portal stop
/opt/aptare/bin/apache stop
2. Update the Apache configuration file (/opt/apache/conf/httpd.conf) to enable SSL:
• Un-comment #LoadModule ssl_module modules/mod_ssl.so by removing the #
• Un-comment #Include conf/extra/httpd-ssl.conf by removing the #
• Un-comment #LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
3. Update the Apache SSL configuration file (/opt/apache/conf/extra/httpd-ssl.conf). See Default Apache SSL Configuration File for the sample SSL configuration file shipped with HDS installations.
• Disable the SSLMutex by adding a # at the beginning of the SSLMutex line. Note that this line may not be in your configuration.
• Un-comment #Include conf/extra/httpd-ssl.conf by removing the #
• Ensure that an IP address is available for the Portal and/or Data Collection, as required
4. If any of the above configuration is missing for either the Portal or Data Collector, the host configuration information must be added to enable SSL. Refer to Default Apache SSL Configuration File as a guide.
6. Add an entry in the host file for the Virtual Host.
If implementing SSL for the Portal only
a Verify that there is a VirtualHost section with the IP address assigned to the Portal host. This section starts with the following lines. These lines must be present and enabled.
<VirtualHost IP_ADDRESS_PORTAL:443>
ServerName hbsmportal.domainname:443
DocumentRoot /opt/aptare/portal
b Replace IP_ADDRESS_PORTAL in the VirtualHost declaration with the IP address assigned to the Portal host.
c If the Portal VirtualHost section is not found, the configuration for the Portal VirtualHost must be added.
d If there is a configuration section for the Data Collection virtual host, ensure that this section is disabled by adding a # to the beginning of each line in the section, as shown below.
#<VirtualHost hbsmagent.domainname:443>
If implementing SSL for Data Collection only
a Verify there is a VirtualHost section for the data collection with the IP address of the Data Receiver. This section starts with the following lines. These lines must be present and enabled.
<VirtualHost IP_ADDRESS_DATARCVR:443>
ServerName hbsmagent.domainname:443
DocumentRoot /opt/aptare/datarcvr
b Replace IP_ADDRESS_DATARCVR in the VirtualHost declaration with the IP address assigned to the Data Receiver.
c If the data collection VirtualHost section is not found, the configuration for the data collection VirtualHost must be added.
d If there is a configuration section for the Portal virtual host, ensure that this section is disabled by adding a # to the beginning of each line in the section, as shown below.
#<VirtualHost aptareportal.domainname:443>
If implementing SSL for both the Portal and Data Collection
Note: To implement SSL for both the Portal and Data Collection, the portal server must be configured with two IP addresses, one for the Portal and one for Data Collection. The two required IP addresses may be implemented using two NICs. If only a single NIC is available, a virtual interface may be added for the second IP address. See Adding a Virtual Interface to a Linux Server.
a Verify there is a VirtualHost section with the IP address assigned to the Portal host. This section starts with the following lines. These lines must be present and enabled.
<VirtualHost IP_ADDRESS_PORTAL:443>
ServerName hbsmportal.domainname:443
DocumentRoot /opt/aptare/portal
b Replace IP_ADDRESS_PORTAL in the VirtualHost declaration with the IP address assigned to the Portal host.
c Verify there is a VirtualHost section with the Data Receiver IP address. This section starts with the following lines. These lines must be present and enabled.
<VirtualHost IP_ADDRESS_DATARCVR:443>
ServerName hbsmagent.domainname:443
DocumentRoot /opt/aptare/datarcvr
d Replace IP_ADDRESS_DATARCVR in the VirtualHost declaration with the IP address assigned to the Data Receiver.
7. For each active virtual host section in the configuration file, ensure that declaration lines beginning with the following are un-commented (they do not have a # at the beginning of the line):
• SSLEngine
• SSLCipherSuite
• SSLCertificateFile
• SSLCertificateKeyFile
8. Update the APTARE apache script in /opt/aptare/bin used to start Apache to include the -D SSL parameter:
Ret="`$APACHE_HOME/bin/apachectl -D SSL -k start 2>&1`"
9. If implementing SSL for Data Collection, complete the following steps:
a Ensure that the Data Collector global properties (/opt/aptare/datacvrconf.collectorConfig.global.properties) file does NOT have the protocol (http or https) in the URL specified in that file.
b If using a self-signed certificate, run the InstallCert utility on the Data Collection server to allow the background data collection processes to automatically accept the unsigned, unverified certificate.
To use this tool run:
"java -classpath /opt/aptare/mbs/bin InstallCert aptareagent.put-your-domain-here.com:443"
The InstallCert utility is not shipped with HDS products. Contact the Global Support Center to obtain a copy of this utility.
Note: If you are using a self-signed certificate and the Data Collector is upgraded, the validation of the certificate may be lost and you may have to rerun the InstallCert utility for data collection to work.
c Verify that the following line is in the Portal configuration file (/opt/aptare/portalconf/portal.properties):
portal.trustAllCertificates=true
If not present, add it.
10. Restart Apache and both Tomcat (portal and agent) services.
/opt/aptare/bin/apache start
/opt/aptare/bin/tomcat-portal start
/opt/aptare/bin/tomcat-agent start
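The check in step 7 can be scripted before restarting. The following is an added example, not part of the original instructions or the product: it reads an httpd-ssl.conf-style file and lists each active VirtualHost section that lacks one of the four directives. The function names and the sample configuration (IP address, cipher string, certificate paths) are constructed for illustration.

```shell
# Added example: list active <VirtualHost> sections missing a directive from step 7.
# Usage: check_ssl_vhosts /opt/apache/conf/extra/httpd-ssl.conf   (or pipe the file in)
# Returns 0 when every active section has all four directives, 1 otherwise.
check_ssl_vhosts() {
    awk '
        BEGIN { bad = 0; n = split("SSLEngine SSLCipherSuite SSLCertificateFile SSLCertificateKeyFile", req, " ") }
        /^[ \t]*#/ { next }                 # commented-out lines count as disabled
        /^[ \t]*<VirtualHost[ \t]/ {        # start of an active section
            name = $0
            sub(/^[ \t]*<VirtualHost[ \t]+/, "", name)
            sub(/>.*$/, "", name)
            split("", seen)                 # portable way to clear the array
            invh = 1; next
        }
        /^[ \t]*<\/VirtualHost>/ {          # end of section: report what is missing
            if (invh)
                for (i = 1; i <= n; i++)
                    if (!(tolower(req[i]) in seen)) {
                        print name ": missing " req[i]
                        bad = 1
                    }
            invh = 0
        }
        invh { seen[tolower($1)] = 1 }      # Apache directive names are case-insensitive
        END { exit bad }
    ' ${1:+"$1"}
}

# Constructed sample input (hypothetical address, cipher string and certificate paths).
sample_conf() {
    cat <<'EOF'
<VirtualHost 192.0.2.10:443>
ServerName hbsmportal.domainname:443
DocumentRoot /opt/aptare/portal
SSLEngine on
SSLCipherSuite HIGH:!aNULL
SSLCertificateFile /path/to/server.crt
#SSLCertificateKeyFile /path/to/server.key
</VirtualHost>
#<VirtualHost hbsmagent.domainname:443>
#</VirtualHost>
EOF
}

sample_conf | check_ssl_vhosts || echo "Fix the sections listed above, then restart Apache."
```

Sections disabled by a leading # on every line, as in the Portal-only and Data Collection-only cases, are skipped and not reported.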