Configuring HTTPS for OAT (Linux)

Enable HTTPS to protect the web server of the HCL OpenAdmin Tool (OAT) for Informix® from eavesdropping, tampering, message forgery, and interference with the network.

Prerequisite: OpenSSL must be installed on the computer where the Apache server for OAT is installed. You can download and install OpenSSL from the OpenSSL Project website: www.openssl.org.

When HTTPS is enabled, messages between OAT clients and the OAT web server are encrypted before they are sent. Encryption prevents unauthorized users from eavesdropping on the connection and stealing sensitive information. When HTTPS is enabled, OAT clients can also authenticate the OAT host, so that unauthorized users cannot impersonate the OAT web server with a false web server.

Important: HTTPS encrypts communication only between the OAT web server and the client. It does not encrypt communication between an HCL Informix database server and the web server. HCL Informix version 9.4 and later enables encryption of data between the Informix server and OAT web server by using an encryption communication support module. For more information about encryption and Informix servers, read "Encryption over the wire with IDS 9.40" on the IBM® developerWorks® website.

When you install OAT with the HCL Informix Client Software Development Kit (Client SDK), the installation program provides the necessary software to run OAT, including pre-configured Apache, PHP, and PDO_informix. On Linux, the Apache web server that is installed with OAT is enabled for the mod_ssl cryptography module. This module is required to enable HTTPS.

To enable HTTPS in OAT on Linux, complete the following steps:
  1. Create an encryption key and a certificate for the web server so that OAT clients can authenticate the web server based on your certificate.
  2. Configure Apache to enable HTTPS.
For additional information about enabling HTTPS, read "Securing the OpenAdmin Tool for Informix web server with HTTPS" on the IBM developerWorks website.

Creating an encryption key

Keys are used in encryption and decryption. They usually come in pairs: a public key and a private key. Public keys are used to encrypt messages and private keys are used to decrypt messages. A certificate is a document that authenticates a web server. A web server with HTTPS enabled has a certificate, signed by a trusted certificate authority, that verifies the identity of the web server. After a web server is enabled for HTTPS, clients choose whether to establish a normal connection or a secure connection to the web server. To establish a normal connection, the client types http://web_server_url in the web browser. To establish a secure connection, the client types https://web_server_url.

To generate private and public key pairs and the certificate, you use the openssl executable file in the bin directory of your OpenSSL installation.

When you run the command to generate the private key, you are prompted to enter a passphrase to protect your private key. You must reenter this passphrase every time you run a command that requires the use of the private key. For example, you must enter the passphrase when you start your Apache web server or use your private key to generate a certificate. On Linux, for security reasons, use a passphrase to protect and encrypt your private key.

To generate a private key, run the following command on the computer where OpenSSL is installed:

openssl genrsa -des3 -out privkey.pem 2048

The private key is created in the privkey.pem file. Store this file in a secure location because it contains the decryption key for the web server. When you generate the certificate, this file is used to generate the associated public key, which is included in the certificate.

Creating a certificate

After you create a private key, create a certificate to authenticate the identity of the web server. To generate a certificate, you create a certificate signing request and send the certificate signing request to a trusted certificate authority. The authority issues a certificate.

To generate a certificate signing request, run the following command:

openssl req -new -key privkey.pem -out cert.csr

For more information about certificate signing requests, contact your certificate authority.

Alternatively, you can create a self-signed certificate without working through a certificate authority, although self-signed certificates are not recommended because clients have no trusted third party to verify them against.

To generate a self-signed certificate, run the following command:

openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095

OpenSSL prompts you for your information. The certificate is stored in the cacert.pem file. This file is displayed to web clients to verify your identity. It also includes the public key for web clients, so that they can encrypt communication.

For more information about encryption keys, see the OpenSSL documentation.

Configuring Apache to enable HTTPS

To enable HTTPS, update the Apache configuration file and the Apache SSL configuration file:

  1. Locate the Apache configuration file. The path includes the Apache version, for example:
    /oat/installation/directory/Apache_2.4.2/conf/httpd.conf
  2. In the Apache configuration file, remove the comment character (#) from this line: #Include conf/extra/httpd-ssl.conf

    This line is commented out by default. When the comment is removed, the Apache SSL configuration file is included in the httpd.conf file.

  3. Locate the Apache SSL configuration file. The path includes the Apache version, for example:
    /oat/installation/directory/Apache_2.4.2/conf/extra/httpd-ssl.conf
  4. In the Apache SSL configuration file, verify that the SSL port number is set to an available port.

    HTTPS requires a separate SSL port. By default, the SSL port number is set to 443. If this port is not available, change the SSL port in both the Listen directive and the VirtualHost section, so that the two port numbers agree.

  5. In the Apache SSL configuration file, verify that the SSLCertificateKeyFile directive indicates the correct location of the private key file that you created: privkey.pem.
  6. Verify that the SSLCertificateFile directive indicates the correct location of the certificate file that you created: cacert.pem.
  7. Optional: To control which ciphers the web server accepts, edit the SSLCipherSuite directive. For information about the SSLCipherSuite directive, see the Apache mod_ssl documentation.
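As an added example (not part of the OAT documentation), the following shell script checks a constructed httpd.conf and httpd-ssl.conf pair for the settings that steps 2 and 4 to 6 require: an uncommented Include of httpd-ssl.conf, a Listen port that matches the VirtualHost port, and SSLCertificateKeyFile and SSLCertificateFile directives that are set. The configuration contents and the /oat/installation/directory paths are sample values constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the OAT documentation: check that an Apache
# httpd.conf / httpd-ssl.conf pair has the settings from steps 2 and 4-6.
# The configuration files and paths below are constructed for the demo.

DEMO_DIR=$(mktemp -d)
mkdir -p "$DEMO_DIR/conf/extra"
cat > "$DEMO_DIR/conf/httpd.conf" <<'EOF'
Listen 8080
Include conf/extra/httpd-ssl.conf
EOF
cat > "$DEMO_DIR/conf/extra/httpd-ssl.conf" <<'EOF'
Listen 8443
<VirtualHost _default_:8443>
SSLEngine on
SSLCertificateFile "/oat/installation/directory/Apache_2.4.2/conf/cacert.pem"
SSLCertificateKeyFile "/oat/installation/directory/Apache_2.4.2/conf/privkey.pem"
</VirtualHost>
EOF

# Print the value of the first active (uncommented) occurrence of a directive.
directive_value() {  # $1 = file, $2 = directive name
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" | head -n 1 | tr -d '"'
}

# Succeed only if httpd.conf includes httpd-ssl.conf on a line that is not commented out.
ssl_conf_included() {  # $1 = httpd.conf
    grep -q '^[[:space:]]*Include[[:space:]]\{1,\}conf/extra/httpd-ssl.conf' "$1"
}

# Succeed only if the SSL Listen port matches the port in the VirtualHost section.
ssl_ports_agree() {  # $1 = httpd-ssl.conf
    port=$(directive_value "$1" Listen)
    [ -n "$port" ] && grep -q "^[[:space:]]*<VirtualHost[^>]*:$port>" "$1"
}

# Run all checks for one Apache conf directory; report the first problem found.
check_oat_https() {  # $1 = Apache conf directory
    ssl_conf_included "$1/httpd.conf" || { echo "httpd-ssl.conf is still commented out"; return 1; }
    ssl="$1/extra/httpd-ssl.conf"
    ssl_ports_agree "$ssl" || { echo "Listen port and VirtualHost port differ"; return 1; }
    for d in SSLCertificateKeyFile SSLCertificateFile; do
        v=$(directive_value "$ssl" "$d")
        [ -n "$v" ] || { echo "$d is not set"; return 1; }
        echo "$d -> $v"
    done
}

check_oat_https "$DEMO_DIR/conf"
```

Point check_oat_https at the real conf directory of your OAT Apache installation to run the same checks against your configuration.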

For more information about HTTPS configurations, see the Apache website: www.apache.org.

Testing the configuration

You must restart the web server for the HTTPS changes to take effect. Restart the web server by running the StopApache script and then the StartApache script in the OAT installation directory. You are prompted to enter the passphrase before the web server starts.

After you restart the web server, open OAT in a web browser by using this URL: https://hostname:ssl_portnumber/openadmin. You are prompted to view and accept the certificate for the OAT web server before the OAT login page is displayed.


Copyright© 2018 HCL Technologies Limited