Installing an SSL Certificate

Download this manual as a PDF file

This section describes how to install SSL certificates on SL1 appliances.

Use the following menu options to navigate the SL1 user interface:

  • To view a pop-out list of menu options, click the menu icon ().
  • To view a page containing all the menu options, click the Advanced menu icon ().

This section includes the following topics:

Requesting a Commercial SSL Certificate

To purchase a commercial SSL certificate, you must first create a private key and then use the private key to create a Certificate Signing Request (CSR). You must then send the CSR to a Certificate Authority (CA). Some well-known CAs are VeriSign, GeoTrust, Thawte, GoDaddy, and Comodo. The CA will charge you a fee and send you a certificate for use with your private key.

To create a CSR, perform the following on each SL1 appliance.

  1. Either go to the console of the SL1 appliance or use SSH to access the server. Open a shell session on the SL1 appliance. Log in as "em7admin".
  2. Generate a private key for the server. To do this, enter the following at the shell prompt:

    sudo openssl genrsa -aes256 -out [keyname].key 4096

    where:

  • [keyname] is a name for the private key. For example, you might want to name the private key for an administration portal adminport.key.

NOTE: Make sure the file is not named silossl.key, which is the name of the pre-existing ScienceLogic, self-signed certificate file.

  1. Enter a passphrase for the key when prompted.

    A best practice is to make a backup copy of the key file and the passphrase and store both in a secure location.

  2. Remove the passphrase from the key before generating a Certificate Signing Request (CSR). To do this, enter the following command at the shell prompt, inserting the keyname you used where indicated:

    sudo openssl rsa -in [keyname].key -out [keyname].key.insecure
  3. Create a Certificate Signing Request (CSR) for the private key you created in the previous steps. To do this, enter the following command at the shell prompt:

    sudo openssl req -new -key [keyname].key.insecure -out [keyname].csr

    where:

  • [keyname] is a name for the CSR for the specific server. For example, you might want to name the private key for an administration portal adminport.key and name the CSR for that key adminport.csr.

NOTE: Make sure the keyname is not silossl.key. This is the name of the pre-existing ScienceLogic, self-signed certificate file.

  1. Enter the demographic information for your key.

     

    • Enter a two-letter Country Name (for example, US).
    • Enter your State or Province full name (for example, Virginia).
    • Enter your Locality Name or city (for example, Reston).
    • Enter your Organization Name or company (for example, ScienceLogic).
    • Enter the Common Name, that is, your server's hostname (for example, myhost.sciencelogic.com).
    • Enter your Email Address. This is where you want communication from the Certificate Authority to be sent.
  2. Send the .csr file you generated to a Certificate Authority. The Certificate Authority will provide details on how to send the .csr file. The Certificate Authority will then send you a .crt file. The .crt file is the public key that matches your private key for the SL1 appliance. Some Certificate Authorities, e.g. GoDaddy, might use an intermediate certificate to sign the provided certificate. If an intermediate certificate is used, the Certificate Authority will provide a bundle of chained certificates in a second .crt file.

Creating Your Own Certificate

There are two reasons you might create your own SSL certificate:

  • If your organization is a root Certificate Authority (for example, some departments of the United States government), you can create your own private key and public key for each ScienceLogic server.
  • If your security requirements permit a self-signed certificate, you can create your own private key and public key for each SL1 appliance.

Remember to create key pairs for all for each SL1 appliance in your SL1 system, and also remember to create two key pairs for each Administration Portal in your SL1 system.

If your organization is a Certificate Authority, see your organization's internal documentation on creating a certificate for NGINX.

To create a self-signed certificate:

  1. Either go to the console of the SL1 appliance or use SSH to open a shell session on the SL1 appliance.
  2. Log in as an administrator (such as em7admin).
  3. Generate a private key for the server. To do this, enter the following at the shell prompt:

    sudo openssl genrsa -aes256 -out [keyname].key 4096

    where [keyname] is a name for the private key. For example, you might want to name the private key for an Administration Portal  adminport.key.

    Make sure the file is not named silossl.key.. This is the name of the pre-existing ScienceLogic, self-signed certificate file.

  4. Enter a passphrase for the key when prompted.

    A best practice is to make a backup copy of the key file and the passphrase and store both in a secure location.

  5. Remove the passphrase from the key before you continue. To do this, enter the following command at the shell prompt, inserting the keyname you used where indicated:

    sudo openssl rsa -in [keyname].key -out [keyname].key.insecure
  6. Create a self-signed certificate based on the private key you generated in the previous steps. To do this, enter the following at the shell prompt:

    sudo openssl req -new -x509 -nodes -sha1 -days 365 -key [keyname].key -out [keyname].crt

    where:

  • [keyname].key is the private key for the SL1 appliance .
  • [keyname].crt is the public key (certificate) for the SL1 appliance.

     

    For example, you might want to name the private key for an Administration Portal  adminport.key, and name the certificate file for that key adminport.crt. The resulting .crt file is the public key that matches your private key for the SL1 appliance.

    Make sure the files are not named silossl.crt and silossl.key. These are the names of the pre-existing ScienceLogic, self-signed certificate files.

  1. Copy your private key and certificate files to /etc/nginx.
  2. On Collectors. Add the private key and certificate file to each Collector for the Configuration Utility. To do this, add the names of the new .key and .crt files to the following files:

    /etc/nginx/conf.d/em7ngx_web_ui.conf

    /etc/nginx/conf.d/em7ngx_em7proxy_web_ui.conf

  3. On the Administration Portal, Database Server, or All-in-One Appliance. Add the private key and certificate file for the user interface. To do this, add the names of the new .key and .crt files to the following files:

    /etc/nginx/conf.d/em7ngx_web_ui.conf

    /etc/nginx/conf.d/em7ngx_em7proxy_web_ui.conf

  4. Restart the Web Configuration Utility and web server by entering the following command:

    sudo systemctl restart nginx

Installing the Certificate on an SL1 Appliance

ScienceLogic does not provide support for third party certificates. Be advised that installing a new SSL certificate can affect the operation of SSL services.

Most certificate authorities provide support and resources on installing and enabling their certificates in Nginx web servers. If you have questions, please refer to your Certificate Authority.

The following steps will stop and restart the SL1 appliance and temporarily make the Administration Portal site unavailable. Confirm with your System Administrator that you are permitted to restart the ScienceLogic Web Service.

NOTE: These instructions assume that you are familiar with the Linux shell and the "vi" editor.

To install a commercial SSL certificate on a SL1 appliance, perform the following:

  1. Purchase a certificate from a certificate authority.
  2. Copy the certificate files (*.key and all *.crt files) to a server that can access the SL1 appliance via SFTP.

NOTE: Make sure the files are not named silossl.crt and silossl.key. These are the names of the pre-existing ScienceLogic, self-signed certificate files.

  1. Use SFTP or SCP to copy the .crt file(s) and the .key file to the SL1 appliance in the /etc/nginx directory.
  1. Either go to the console of the SL1 appliance or use SSH to access the server. Open a shell session on the SL1 appliance. Log in as "em7admin".

  1. If an intermediate certificate has been used to sign the certificate file, execute the following commands to combine the server certificate and the bundle of chained certificates provided by the Certificate Authority, entering the server certificate name, bundle name, and combined certificate name where indicated:
  2. cd /etc/nginx

    cat [server certificate name].crt [bundle name].crt > [combined certificate name].crt

    Use the combined .crt file name when updating the nginx configuration.

  3. For each appliance, edit the following files to configure the certificate for the Configuration Utility:
  • /etc/nginx/conf.d/em7webconfig.conf
  • /etc/nginx/conf.d/em7_sladmin.conf
  • Edit the following lines, removing references to silossl.crt and silossl.key and replacing with the names of the new .key and .crtfiles:

ssl_certificate /etc/nginx/[name of .crt file];

 

ssl_certificate_key /etc/nginx/[name of .key file];

 

  1. In addition, for each Administration Portal, Database Server, and All-In-One Appliance, you must also edit the following files to configure the certificate for the user interface:
  • /etc/nginx/conf.d/em7ngx_web_ui.conf
  • /etc/nginx/conf.d/em7ngx_em7proxy_web_ui.conf
  • Edit the following lines, removing references to silossl.pem and silossl.key and replacing with the names of the new key files:

ssl_certificate /etc/nginx/[name of .crt file];

 

ssl_certificate_key /etc/nginx/[name of .key file];

 

  1. Next, you will need to restart the webconfig and webserver. To do this, execute the following command:
  • For all appliances, enter:

sudo systemctl restart nginx

 

  1. To test the SSL certificate, open a browser session and connect to the Administration Portal, Database Server, or All-In-One Appliance using https.
  • From the Administration Portal, go to System > Settings > Appliances.
  • In the Appliance Manager page, select the toolbox icon () for each server. Notice that the URL for the Configuration Utility includes https.