Installing an SSL Certificate

This section describes how to install SSL certificates on SL1 servers.

Certificates for SL1 Servers

When installing an SSL certificate, you can either purchase a commercial SSL certificate or (if your security requirements allow a self-signed certificate) you can create your own certificate.

If you want to use commercial SSL certificates with SL1, you must purchase certificates for the following ScienceLogic servers:

  • For each Administration Portal, you must purchase two certificates, one for the standard user interface and one for the Configuration Utility.
  • For each Database Server, you must purchase one certificate, for use with the Configuration Utility.
  • For each Data Collector, you must purchase one certificate, for use with the Configuration Utility.
  • For each Message Collector, you must purchase one certificate, for use with the Configuration Utility.
  • For each Integration Server, you must purchase one certificate to allow secure cURL communication with the server.

Requesting a Commercial SSL Certificate

To purchase a commercial SSL certificate, you must first create a private key and then use the private key to create a Certificate Signing Request (CSR). You must then send the CSR to a Certificate Authority (CA). Some well-known CAs are VeriSign, GeoTrust, Thawte, GoDaddy, and Comodo. The CA will charge you a fee and send you a certificate for use with your private key.

To create a CSR, perform the following on each SL1 appliance:

  1. Either go to the console of the SL1 appliance or use SSH to access the server. Open a shell session on the Administration Portal. Log in as "root".

NOTE: For details on enabling and using SSH, see the section on System Administration. For details and warnings about root access and instructions on how to make root access secure, see the section on System Administration.

  2. Generate a private key for the server. To do this, enter the following at the shell prompt:

openssl genrsa -des3 -out keyname.key 2048

where keyname.key is a name for the private key. For example, you might want to name the private key for an administration portal adminport.key.

NOTE: Make sure the files are NOT named em7.key. This is the name of the pre-existing ScienceLogic, self-signed certificate file.

  3. You will be prompted to enter a passphrase for the key.
  4. Best practice is to make a backup copy of the key file and the passphrase and store both in a secure location.
  5. Create a Certificate Signing Request (CSR) for the private key you created in the previous steps. To do this, enter the following at the shell prompt:

openssl req -new -key keyname.key -out keyname.csr

where keyname.csr is a name for the CSR for the specific server. For example, you might want to name the private key for an administration portal adminport.key and name the CSR for that key adminport.csr.

  6. You will be prompted to enter the Common Name. Enter the fully qualified domain name of the server where the certificate will be used, that is, the host name that clients use to reach the server over HTTPS. For example, if the SL1 appliance is accessed at https://company.adminportal.com, you would enter "company.adminportal.com" as the Common Name.
  7. You can now send the .csr file to a Certificate Authority. The Certificate Authority will provide details on how to send the .csr file. The Certificate Authority will send you a .crt file. The .crt file is the certificate, which contains the public key that matches your private key for the ScienceLogic server.
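
Browsers validate the host name against the certificate's subjectAltName entries and not the Common Name, and public CAs do not issue certificates for RSA keys under 2048 bits. The following added example (not part of the ScienceLogic manual) builds the CSR non-interactively with a matching SAN and checks it before it is sent; it assumes OpenSSL 1.1.1 or later for -addext, and the function names are illustrative.

```bash
#!/usr/bin/env bash
# Added example (not ScienceLogic code). Assumes OpenSSL 1.1.1+ for -addext.
# The host name and file names passed in are the caller's.

# make_csr KEY FQDN OUT - build a CSR with the FQDN as CN and as a DNS SAN.
# An encrypted key (created with -des3) prompts for its passphrase here.
make_csr() {
    local key=$1 fqdn=$2 out=$3
    openssl req -new -sha256 -key "$key" -out "$out" \
        -subj "/CN=${fqdn}" -addext "subjectAltName=DNS:${fqdn}"
}

# csr_key_bits CSR - print the public key size recorded in the CSR.
csr_key_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# csr_has_san CSR FQDN - succeed only on an exact DNS:FQDN entry.
csr_has_san() {
    openssl req -in "$1" -noout -text | tr ',' '\n' |
        sed 's/^ *//; s/ *$//' | grep -qxF "DNS:$2"
}

# check_csr CSR FQDN - print "ok" or the first problem found.
check_csr() {
    local csr=$1 fqdn=$2 bits
    if ! openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK'; then
        echo "CSR self-signature does not verify"; return 1
    fi
    bits=$(csr_key_bits "$csr")
    if [ "${bits:-0}" -lt 2048 ]; then
        echo "key too small: ${bits:-unknown} bits"; return 1
    fi
    if ! csr_has_san "$csr" "$fqdn"; then
        echo "no subjectAltName entry for $fqdn"; return 1
    fi
    echo "ok"
}
```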

Creating Your Own Certificate

There are two ways to create your own SSL certificate:

  • If your organization is a root Certificate Authority (for example, some departments of the US government), you can create your own private key and public key for each ScienceLogic server.
  • If your security requirements allow a self-signed certificate, you can create your own private key and public key for each SL1 appliance.

Remember to create key pairs for each SL1 appliance in your SL1 system, and remember to create two key pairs for each Administration Portal server. For a list of required certificates, see the section Certificates for SL1 Servers.

If your organization is a Certificate Authority, see your organization's internal documentation on creating a certificate for Apache2.

If you want to create a self-signed certificate, perform the following:

  1. Generate a private key for the server. To do this, enter the following at the shell prompt:

openssl genrsa -des3 -out keyname.key 2048

where keyname.key is a name for the private key. For example, you might want to name the private key for an administration portal adminport.key.

NOTE: Make sure the files are not named em7.key. This is the name of the pre-existing ScienceLogic self-signed certificate file.

  2. You will be prompted to enter a passphrase for the key.
  3. Best practice is to make a backup copy of the key file and the passphrase and store both in a secure location.
  4. Create a self-signed certificate based on the private key you generated in the previous steps. To do this, enter the following at the shell prompt:

openssl req -new -x509 -nodes -sha256 -days 365 -key keyname.key -out keyname.crt

where keyname.key is the private key for the SL1 appliance and keyname.crt is the public key (certificate) for the SL1 appliance. For example, you might want to name the private key for an administration portal adminport.key and name the certificate file for that key adminport.crt.

  5. The resulting .crt file is the certificate containing the public key that matches your private key for the SL1 appliance.

Installing the Certificate on an SL1 Server

ScienceLogic does not provide support for third-party certificates. Be advised that installing a new SSL certificate can affect the operation of SSL services.

Most certificate authorities provide support and resources on installing and enabling their certificates in Nginx web servers. If you have questions, please refer to your Certificate Authority.

The following steps will stop and restart the SL1 appliance and temporarily make the Administration Portal site unavailable. Confirm with your System Administrator that you are permitted to restart the ScienceLogic Web Service.

NOTE: These instructions assume that you are familiar with the Linux shell and the "vi" editor.

To install a commercial SSL certificate on an SL1 appliance, perform the following:

  1. Purchase a certificate from a certificate authority.
  2. Copy the certificate files (*.key and all *.crt files) to a server that can access the SL1 appliance via SFTP.

NOTE: Make sure the files are not named silossl.crt and silossl.key. These are the names of the pre-existing ScienceLogic, self-signed certificate files.

  3. Use SFTP or SCP to copy the .crt file(s) and the .key file to the /etc/nginx directory on the SL1 appliance.
  4. Either go to the console of the SL1 appliance or use SSH to access the server. Open a shell session on the SL1 appliance. Log in as "em7admin".
  5. If an intermediate certificate has been used to sign the certificate file, execute the following commands to combine the server certificate and the bundle of chained certificates provided by the Certificate Authority, entering the server certificate name, bundle name, and combined certificate name where indicated:

cd /etc/nginx

cat [server certificate name].crt [bundle name].crt > [combined certificate name].crt

Use the combined .crt file name when updating the nginx configuration.

  6. For each appliance, edit the following files to configure the certificate for the Configuration Utility:
    • /etc/nginx/conf.d/em7webconfig.conf
    • /etc/nginx/conf.d/em7_sladmin.conf

Edit the following lines, removing references to silossl.crt and silossl.key and replacing them with the names of the new .key and .crt files:

ssl_certificate /etc/nginx/[name of .crt file];

ssl_certificate_key /etc/nginx/[name of .key file];

  7. In addition, for each Administration Portal, Database Server, and All-In-One Appliance, you must also edit the following files to configure the certificate for the user interface:
    • /etc/nginx/conf.d/em7ngx_web_ui.conf
    • /etc/nginx/conf.d/em7ngx_em7proxy_web_ui.conf

Edit the following lines, removing references to silossl.pem and silossl.key and replacing them with the names of the new key files:

ssl_certificate /etc/nginx/[name of .crt file];

ssl_certificate_key /etc/nginx/[name of .key file];

  8. Restart the webconfig and webserver. To do this, execute the following command. For all appliances, enter:

sudo systemctl restart nginx

  9. To test the SSL certificate, open a browser session and connect to the Administration Portal, Database Server, or All-In-One Appliance using https.
    • From the Administration Portal, go to System > Settings > Appliances.
    • In the Appliance Manager page, select the toolbox icon for each server. Notice that the URL for the Configuration Utility includes https.
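
A check to run before editing the nginx configuration, as an added example that is not part of the ScienceLogic manual: it confirms that the key can be loaded unattended, that the first certificate in the (combined) .crt file matches the private key, and that the certificate is not about to expire. The function names are illustrative.

```bash
#!/usr/bin/env bash
# Added example: checks to run in /etc/nginx before pointing the
# ssl_certificate / ssl_certificate_key lines at new files.

# SHA-256 of the public key in the FIRST certificate of a .crt file. nginx
# presents the first certificate as the server's, so in a combined file the
# server certificate must come before the CA bundle.
cert_pub_digest() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -pubout -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 of the public key derived from a private key file.
key_pub_digest() {
    openssl pkey -in "$1" -pubout -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# preinstall_check CRT KEY [MIN_DAYS] - print "ok" or the first problem found.
preinstall_check() {
    local crt=$1 key=$2 days=${3:-30}
    # A key created with -des3 is encrypted; nginx started by systemctl has
    # no terminal on which to ask for the passphrase.
    if grep -Eq 'BEGIN ENCRYPTED|Proc-Type: 4,ENCRYPTED' "$key"; then
        echo "key is passphrase-protected"; return 1
    fi
    if [ "$(cert_pub_digest "$crt")" != "$(key_pub_digest "$key")" ]; then
        echo "first certificate in $crt does not match $key"; return 1
    fi
    if ! openssl x509 -in "$crt" -noout -checkend $((days * 86400)) >/dev/null; then
        echo "certificate expires within $days days"; return 1
    fi
    echo "ok"
}
```

After editing the .conf files, running sudo nginx -t parses the configuration and loads the certificate and key without restarting the service, so a wrong path or file name is caught before sudo systemctl restart nginx.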