Question
How can I enable HTTPS support on my OnApp control panel?
Environment
All OnApp Versions
Answer
You can enable HTTPS support on the OnApp Control Panel, and it should only take you a few minutes.
As of version 3.x and above, steps a) and b) are no longer required, since httpd is already configured by default on clouds:
a) Install the mod_ssl rpm using yum.
b) Decide whether to use a self-signed certificate (mostly for internal use / testing) or a verified SSL certificate from an SSL provider.
For Self-signed Certificate:
- Generate certificate using openssl command.
For a verified SSL certificate from an SSL provider (Comodo, Verisign, GeoTrust, GoDaddy, etc.):
- Generate the CSR on the CP to send to the SSL provider; generate a 2048-bit key rather than a 1024-bit one, as recommended by the provider.
- Use the provider's certificate files for the next steps.
c) Place the .key and .crt files in a known location on the server (/etc/httpd/conf.d/ssl is a good place).
d) Make symbolic links to the .crt and .key files in the default directories assigned by openssl.
SSLCertificateFile /etc/pki/tls/certs
Command: ln -s /etc/httpd/conf.d/ssl/server.crt /etc/pki/tls/certs/server.crt
SSLCertificateKeyFile /etc/pki/tls/private
Command: ln -s /etc/httpd/conf.d/ssl/server.key /etc/pki/tls/private/server.key
SSLCACertificateFile /etc/pki/tls/certs
Command: ln -s /etc/httpd/conf.d/ssl/ca-bundle.crt /etc/pki/tls/certs/ca-bundle.crt
e) Change the .crt and .key file names in the ssl.conf file, so they read as follows:
SSLCertificateFile /etc/pki/tls/certs/server.crt
SSLCertificateKeyFile /etc/pki/tls/private/server.key
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
f) Make sure the following line is listed in /etc/httpd/conf/httpd.conf or /etc/httpd/conf.d/ssl.conf:
LoadModule ssl_module modules/mod_ssl.so
g) Set the document root in the VirtualHost section of /etc/httpd/conf.d/ssl.conf:
DocumentRoot "/onapp/interface/public"
h) Set the correct locations for .crt and .key files in the /etc/httpd/conf.d/onapp.conf file as well, similar to ssl.conf:
SSLCertificateFile /etc/pki/tls/certs/server.crt
SSLCertificateKeyFile /etc/pki/tls/private/server.key
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
i) Restart httpd service:
/etc/init.d/httpd stop
/etc/init.d/httpd start
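Steps a) to i) as one script, added here as an example; it is not part of the original article and not OnApp's own tooling. It assumes the staging directory, the /etc/pki/tls layout and the two vhost files named in the steps (overridable through SSL_DIR, PKI_DIR and HTTPD_DIR, which are this example's own variables), and adds two checks the steps imply but do not spell out: that the private key matches the certificate before httpd is restarted, and that every directive actually landed in ssl.conf.

```shell
#!/bin/sh
# Added example, not OnApp's own tooling: steps a) to i) of the article as a script.
# Assumptions (not stated in the article): files are staged under $SSL_DIR,
# Apache's defaults are $PKI_DIR/certs and $PKI_DIR/private, and the vhost
# files are $HTTPD_DIR/conf.d/ssl.conf and $HTTPD_DIR/conf.d/onapp.conf.
# Override the three variables to dry-run against a scratch directory.
SSL_DIR="${SSL_DIR:-/etc/httpd/conf.d/ssl}"
PKI_DIR="${PKI_DIR:-/etc/pki/tls}"
HTTPD_DIR="${HTTPD_DIR:-/etc/httpd}"

# b) self-signed: 2048-bit RSA key and a certificate for this host, valid 1 year.
make_self_signed() {
    mkdir -p "$SSL_DIR"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$(hostname --fqdn)" \
        -keyout "$SSL_DIR/server.key" -out "$SSL_DIR/server.crt"
    chmod 600 "$SSL_DIR/server.key"
}

# b) provider-signed: 2048-bit key plus the CSR to submit. The provider's
# server.crt and ca-bundle.crt are then copied into $SSL_DIR (step c).
make_csr() {
    mkdir -p "$SSL_DIR"
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$(hostname --fqdn)" \
        -keyout "$SSL_DIR/server.key" -out "$SSL_DIR/server.csr"
    chmod 600 "$SSL_DIR/server.key"
}

# d) symlinks into the directories the stock ssl.conf points at.
link_into_pki() {
    mkdir -p "$PKI_DIR/certs" "$PKI_DIR/private"
    ln -sfn "$SSL_DIR/server.crt" "$PKI_DIR/certs/server.crt"
    ln -sfn "$SSL_DIR/server.key" "$PKI_DIR/private/server.key"
    if [ -f "$SSL_DIR/ca-bundle.crt" ]; then
        ln -sfn "$SSL_DIR/ca-bundle.crt" "$PKI_DIR/certs/ca-bundle.crt"
    fi
}

# Replace an existing (possibly commented-out) directive line, else append it.
set_directive() {  # set_directive FILE DIRECTIVE VALUE
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$2[[:space:]]" "$1"; then
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*$2[[:space:]].*|$2 $3|" "$1"
    else
        echo "$2 $3" >> "$1"
    fi
}

# e), g), h): point ssl.conf and onapp.conf at the linked files.
configure_apache() {
    for f in "$HTTPD_DIR/conf.d/ssl.conf" "$HTTPD_DIR/conf.d/onapp.conf"; do
        set_directive "$f" SSLCertificateFile "$PKI_DIR/certs/server.crt"
        set_directive "$f" SSLCertificateKeyFile "$PKI_DIR/private/server.key"
        set_directive "$f" SSLCACertificateFile "$PKI_DIR/certs/ca-bundle.crt"
    done
    set_directive "$HTTPD_DIR/conf.d/ssl.conf" DocumentRoot '"/onapp/interface/public"'
}

# f) plus the results of e) and g): returns 0 only when everything is in place.
check_ssl_config() {
    ssl_conf="$HTTPD_DIR/conf.d/ssl.conf"
    grep -Eqs '^[[:space:]]*LoadModule[[:space:]]+ssl_module' \
        "$HTTPD_DIR/conf/httpd.conf" "$ssl_conf" || return 1
    grep -Eq "^SSLCertificateFile[[:space:]]+$PKI_DIR/certs/server.crt" "$ssl_conf" || return 1
    grep -Eq "^SSLCertificateKeyFile[[:space:]]+$PKI_DIR/private/server.key" "$ssl_conf" || return 1
    grep -Eq '^DocumentRoot[[:space:]]+"/onapp/interface/public"' "$ssl_conf" || return 1
    return 0
}

# Before i): a key that does not match the certificate makes httpd refuse to start.
key_matches_cert() {
    [ "$(openssl x509 -noout -modulus -in "$PKI_DIR/certs/server.crt")" = \
      "$(openssl rsa -noout -modulus -in "$PKI_DIR/private/server.key")" ]
}

main() {
    case "${1:-}" in
        self-signed) make_self_signed ;;
        csr) make_csr
             echo "submit $SSL_DIR/server.csr to the provider, then rerun with 'install'"
             return 0 ;;
        install) ;;  # provider's server.crt and ca-bundle.crt already copied into $SSL_DIR
        *) echo "usage: $0 self-signed|csr|install" >&2; return 2 ;;
    esac
    link_into_pki
    configure_apache
    key_matches_cert && check_ssl_config && echo "in place; now run: service httpd restart"
}
if [ -n "${1:-}" ]; then main "$@"; fi
```

Run it as `sh enable-cp-ssl.sh self-signed`, or `csr` followed later by `install` once the provider's server.crt and ca-bundle.crt have been copied into the staging directory. The script deliberately stops short of restarting httpd (step i) so that `apachectl configtest` can be run first.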
There is currently no setting to force HTTPS logins, but this can be done instead:
1. Remove the Listen 80 directive from the httpd.conf file.
2. Remove the VirtualHost *:80 section from /etc/httpd/conf.d/onapp.conf.
3. Restart Apache.
Additional Info
Concerning OnApp upgrades, make sure the appropriate values are set in /onapp/onapp-cp.conf:
# OnApp Control Panel SSL certificates (please do not change if you aren't familiar with SSL certificates)
# * The data below is used to generate a self-signed PEM-encoded X.509 certificate
SSL_CERT_COUNTRY_NAME=UK
SSL_CERT_ORGANIZATION_NAME='OnApp Limited'
SSL_CERT_ORGANIZATION_ALUNITNAME='OnApp Cloud'
SSL_CERT_COMMON_NAME=`hostname --fqdn 2>/dev/null`
# SSLCertificateFile, SSLCertificateKeyFile Apache directives' values
# ssl_certificate, ssl_certificate_key Nginx directives' values
SSLCERTIFICATEFILE=/etc/pki/tls/certs/ca.crt
SSLCERTIFICATECSRFILE=/etc/pki/tls/private/ca.csr
SSLCERTIFICATEKEYFILE=/etc/pki/tls/private/ca.key
# * PEM-encoded CA Certificate (if custom one exists)
# SSLCACertificateFile, SSLCertificateChainFile Apache directives' values
# ssl_client_certificate Nginx directives' values
SSLCACERTIFICATEFILE=
SSLCERTIFICATECHAINFILE=
# SSLCipherSuite, SSLProtocol Apache directives' values
# ssl_ciphers, ssl_protocols Nginx directives' values
SSLCIPHERSUITE=
SSLPROTOCOL=
This way /etc/httpd/conf.d/onapp.conf will contain the correct values after an upgrade.
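A small consistency check, added as an example (it is not OnApp's own code), that compares the SSLCERTIFICATE*FILE values in /onapp/onapp-cp.conf with the SSLCertificate* directives Apache is actually serving, so a mismatch is caught before an upgrade regenerates onapp.conf from onapp-cp.conf. Both file paths are parameters; any sample input used with it is constructed.

```shell
#!/bin/sh
# Added example (not OnApp's own tooling): confirm that the certificate paths in
# onapp-cp.conf agree with the directives in Apache's ssl.conf / onapp.conf.

# Read one KEY=VALUE line from onapp-cp.conf (shell-style; surrounding quotes dropped).
cp_conf_value() {  # cp_conf_value FILE KEY
    sed -n "s/^$2=//p" "$1" | sed "s/^['\"]//; s/['\"]$//" | head -n 1
}

# Read one Apache directive's value from a vhost or ssl config file.
apache_value() {  # apache_value FILE DIRECTIVE
    sed -n -E "s/^[[:space:]]*$2[[:space:]]+//p" "$1" | head -n 1
}

# Returns 0 when every pair agrees; prints each mismatch and returns 1 otherwise.
# An empty SSLCACERTIFICATEFILE= while Apache has SSLCACertificateFile set is
# exactly the case an upgrade would silently break, so it is reported too.
check_cp_conf_matches_apache() {  # check_cp_conf_matches_apache ONAPP_CP_CONF APACHE_CONF
    rc=0
    for pair in SSLCERTIFICATEFILE:SSLCertificateFile \
                SSLCERTIFICATEKEYFILE:SSLCertificateKeyFile \
                SSLCACERTIFICATEFILE:SSLCACertificateFile; do
        key=${pair%%:*}; directive=${pair#*:}
        want=$(cp_conf_value "$1" "$key")
        have=$(apache_value "$2" "$directive")
        if [ "$want" != "$have" ]; then
            echo "mismatch: $key=$want in $1 but $directive $have in $2"
            rc=1
        fi
    done
    return $rc
}
```

Usage: `check_cp_conf_matches_apache /onapp/onapp-cp.conf /etc/httpd/conf.d/ssl.conf`; a non-zero exit with the printed mismatches means onapp-cp.conf must be corrected before the next upgrade.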
Comments
This is invalid in OnApp 3.2.x. SSL is already enabled and everything is in /etc/httpd/conf.d/onapp.ssl, simply replace with your own certificate.
The recommendation to force SSL will not work. When someone tries to access the CP server with a non-HTTPS URL, they will get a connection refused error in the browser. A better way to do this is to leave the port 80 virtual host in place and add the following lines in the virtual host block:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
You do not need to add this code to the port 443 virtual host since any request it handles will have SSL on already.
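The port-80 redirect the comment above describes, written out as an added example (it is not from the article or the commenter): a function that renders the vhost, with the [R=301,L] flags added so the redirect is explicitly permanent, and an audit function that reports whether an onapp.conf forces HTTPS the working way, that is, a *:80 vhost is still present and carries the rewrite pair. The server name is a placeholder.

```shell
#!/bin/sh
# Added example (not OnApp's own config or the commenter's code).

# Render the port-80 VirtualHost: it keeps listening so browsers do not get
# "connection refused", and every plain-HTTP request is answered with a
# permanent redirect to the same host and path over HTTPS.
render_redirect_vhost() {  # render_redirect_vhost SERVER_NAME (placeholder)
    cat <<EOF
<VirtualHost *:80>
    ServerName $1
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
EOF
}

# Audit: returns 0 when the file has a *:80 vhost that carries the redirect,
# 1 otherwise. A config whose *:80 vhost was removed (the "Listen 80" approach)
# fails on purpose, since that is the connection-refused case.
audit_force_https() {  # audit_force_https ONAPP_CONF
    block=$(sed -n '/<VirtualHost[[:space:]]*\*:80>/,/<\/VirtualHost>/p' "$1")
    [ -n "$block" ] || return 1
    # the '.' stand in for the braces of %{HTTPS} to keep the ERE simple
    printf '%s\n' "$block" | grep -Eq '^[[:space:]]*RewriteEngine[[:space:]]+On' || return 1
    printf '%s\n' "$block" | grep -Eq '^[[:space:]]*RewriteCond[[:space:]]+%.HTTPS.[[:space:]]+off' || return 1
    printf '%s\n' "$block" | grep -Eq '^[[:space:]]*RewriteRule[[:space:]].*https://' || return 1
    return 0
}
```

RewriteEngine needs mod_rewrite loaded (a `LoadModule rewrite_module` line in httpd.conf), so confirm that before relying on the redirect; `render_redirect_vhost cp.example.test >> /etc/httpd/conf.d/onapp.conf` followed by `audit_force_https /etc/httpd/conf.d/onapp.conf` is the intended sequence, with `apachectl configtest` before the restart.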
This is really outdated. It should be noted that this is not for OnApp 3.2+!