Installing a TLS (SSL) Certificate


This chapter describes how to acquire and install a TLS (SSL) certificate for your Skylar One system.

Use the following menu options to navigate the Skylar One user interface:

  • To view a pop-out list of menu options, click the menu icon ().
  • To view a page containing all of the menu options, click the Advanced menu icon ().

Using TLS Certificates

TLS is an acronym for Transport Layer Security, a cryptographic protocol that provides security for network communications to ensure privacy, integrity, and authenticity. It is a more secure and modern successor to the now-deprecated Secure Sockets Layer (SSL) protocol.

Both protocols encrypt data in transit and authenticate the server (and optionally the client) so that the two sides can exchange data securely. URLs that begin with https:// use TLS.

To implement TLS, a certificate resides on the web server. The certificate binds the server's public key to its identity: it is used to authenticate the website and to set up the encrypted session (the session traffic itself is protected by keys negotiated during the TLS handshake, not by the certificate directly). The certificate contains information about the certificate holder, the hostname for which the certificate was issued, the name of the Certificate Authority that issued it, its validity period, and the country in which it was issued.

There are two ways to acquire a TLS certificate:

  • You can acquire a certificate from a vendor (called a "certificate authority"), such as VeriSign or GeoTrust.
  • You can "self-sign" your own certificate. Using available tools (both open source and proprietary), you can create and sign your own TLS certificate instead of purchasing one from a certificate authority.

Skylar One includes a self-signed certificate from ScienceLogic. Self-signed certificates trigger a warning message in browsers because no trusted Certificate Authority vouches for them. For this reason, some customers prefer to purchase a TLS certificate from a certificate authority and install the certificate on one or more servers.

Certificates for ScienceLogic Servers

Each Skylar One appliance includes a self-signed certificate from ScienceLogic.

Each Skylar One appliance uses the Nginx web server and OpenSSL.

If you want to use commercial TLS certificates with Skylar One, you must acquire certificates for the following Skylar One appliances:

  • For each Administration Portal, Database Server, or All-In-One Appliance you must acquire at least one certificate for the standard user interface and the Configuration Utility.
  • For each Data Collector, you must acquire one certificate, for use with the Configuration Utility.
  • For each Message Collector, you must acquire one certificate, for use with the Configuration Utility.

Requesting a Commercial TLS Certificate

To acquire a commercial TLS certificate, you must first create a private key and then use the private key to create a Certificate Signing Request (CSR). You must then send the CSR to a Certificate Authority (CA). Some well-known CAs are VeriSign, GeoTrust, Thawte, GoDaddy, and Comodo. The CA will charge you a fee and send you a certificate for use with your private key.

To create a CSR, perform the following on each Skylar One appliance.

  1. Either go to the console of the Skylar One appliance or use SSH to access the server. Open a shell session on the Skylar One appliance. Log in as "em7admin". Then, do one of the following:

    • If you are running a Security Technical Implementation Guide (STIG) deployment of Skylar One, complete steps 2 and 3.

    • If you are running a non-STIG deployment of Skylar One, complete steps 4 and 5.

  2. To generate a private key for the server in your STIG deployment of Skylar One, enter the following at the shell prompt:

    sudo openssl genrsa -out <keyname>_unencrypted.key 4096

    where:

    • <keyname> is a name for the private key. For example, for an administration portal you might use adminport, which produces adminport_unencrypted.key here and adminport.key in the next step.

      Make sure the file is not named silossl.key, which is the private key of the pre-existing ScienceLogic self-signed certificate.

  3. Encrypt the generated key by entering the following:

    sudo openssl pkcs8 -topk8 -v2 aes256 -in <keyname>_unencrypted.key -out <keyname>.key

    Enter a passphrase for the key when prompted. This writes a PKCS#8 key encrypted with AES-256 under a PBKDF2-derived key, which FIPS mode accepts; the legacy PEM encryption that openssl genrsa -aes256 applies (used in the non-STIG procedure) derives its key with MD5 and is not FIPS-approved. Once the encrypted key exists, delete the unencrypted intermediate file (for example, sudo shred -u <keyname>_unencrypted.key) so that only the encrypted copy remains.

    After encrypting the key, proceed to step 6.

  4. To generate a private key for the server in your non-STIG deployment of Skylar One, enter the following at the shell prompt:

    sudo openssl genrsa -aes256 -out <keyname>.key 4096

    where:

    • <keyname> is a name for the private key. For example, you might want to name the private key for an administration portal adminport.key.

      Make sure the file is not named silossl.key, which is the private key of the pre-existing ScienceLogic self-signed certificate.

  5. Enter a passphrase for the key when prompted.

    A best practice is to make a backup copy of the key file and the passphrase and store both in a secure location.

  6. Remove the passphrase from the key before generating a Certificate Signing Request (CSR), so that nginx can later load the key without prompting for it. To do this, enter the following command at the shell prompt, inserting the keyname you used where indicated:

    sudo openssl rsa -in <keyname>.key -out <keyname>.key.insecure

    The .key.insecure file is an unencrypted copy of your private key. Restrict it to root (sudo chmod 600 <keyname>.key.insecure) and never copy it off the appliance.

  7. Create a Certificate Signing Request (CSR) for the private key you created in the previous steps. To do this, enter the following command at the shell prompt:

    sudo openssl req -new -sha256 -key <keyname>.key.insecure -out <keyname>.csr

    where:

    • <keyname> is the same name you used for the private key, so that the key and the CSR for a server stay together. For example, you might name the private key for an administration portal adminport.key and the CSR for that key adminport.csr.

      Make sure the keyname is not silossl. silossl.key is the private key of the pre-existing ScienceLogic self-signed certificate.

  8. Enter the subject (distinguished name) information for your request when prompted.

    • Enter a two-letter Country Name (for example, US).
    • Enter your State or Province full name (for example, Virginia).
    • Enter your Locality Name or city (for example, Reston).
    • Enter your Organization Name or company (for example, ScienceLogic).
    • Enter the Common Name, that is, the fully qualified hostname users will enter to reach the server (for example, myhost.sciencelogic.com). Browsers check the hostname against the certificate's subjectAltName extension rather than the Common Name, so when you submit the CSR make sure the CA includes this name, and any other name by which the appliance is reached, as subjectAltName entries.
    • Enter your Email Address. This is where you want communication from the Certificate Authority to be sent.
    • Press Enter to leave the optional "extra" attributes (a challenge password and an optional company name) blank.
  9. Send the .csr file you generated to a Certificate Authority. The Certificate Authority will provide details on how to send the .csr file. The Certificate Authority will then send you a .crt file. The .crt file is the signed certificate containing the public key that matches your private key for the Skylar One appliance. Some Certificate Authorities, e.g. GoDaddy, might use an intermediate certificate to sign the provided certificate. If an intermediate certificate is used, the Certificate Authority will provide a bundle of chained certificates in a second .crt file.
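The key and CSR steps above, collected into one script as an added example (this is not ScienceLogic tooling; the host names, subject values and the adminport key name are placeholders, and it assumes the OpenSSL command-line tool, 1.0.2 or later, and a POSIX shell). Unlike the interactive openssl req walk-through it drives the request from a configuration file, puts the hostname into a subjectAltName extension, and verifies the CSR locally before it goes to the CA:

```shell
#!/bin/sh
# Added example (not ScienceLogic tooling): generate a private key and a CSR
# that carries a subjectAltName, then verify the request locally before it
# goes to the CA. Host names, subject values and the key name are placeholders.
# Assumptions: OpenSSL CLI 1.0.2 or later, POSIX sh.
set -eu

# make_csr KEYNAME CN [EXTRA_HOSTNAME...]
#   Writes KEYNAME.key (4096-bit RSA, no passphrase, mode 0600), KEYNAME.cnf
#   and KEYNAME.csr. Every name users type to reach the appliance goes into
#   subjectAltName; browsers validate against SAN, not the Common Name.
make_csr() {
  keyname=$1; cn=$2; shift 2
  san="DNS:${cn}"
  for h in "$@"; do san="${san},DNS:${h}"; done

  # Subshell so the restrictive umask does not leak into the caller.
  ( umask 077 && openssl genrsa -out "${keyname}.key" 4096 2>/dev/null )

  # Non-interactive request configuration with a SAN extension section.
  cat > "${keyname}.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
C  = US
ST = Virginia
L  = Reston
O  = Example Org
CN = ${cn}

[ v3_req ]
subjectAltName = ${san}
EOF
  openssl req -new -sha256 -key "${keyname}.key" \
      -config "${keyname}.cnf" -out "${keyname}.csr"
}

# check_csr KEYNAME CN
#   Returns 0 only if the CSR's self-signature verifies, CN appears in
#   subjectAltName, and the CSR's public key is the one in KEYNAME.key.
check_csr() {
  keyname=$1; cn=$2
  openssl req -in "${keyname}.csr" -noout -verify >/dev/null 2>&1 || {
    echo "${keyname}.csr: signature does not verify" >&2; return 1; }
  openssl req -in "${keyname}.csr" -noout -text | grep -q "DNS:${cn}" || {
    echo "${keyname}.csr: ${cn} missing from subjectAltName" >&2; return 1; }
  csr_pub=$(openssl req -in "${keyname}.csr" -noout -pubkey)
  key_pub=$(openssl pkey -in "${keyname}.key" -pubout)
  [ "$csr_pub" = "$key_pub" ] || {
    echo "${keyname}.csr: public key does not match ${keyname}.key" >&2; return 1; }
  echo "${keyname}.csr verified for ${cn}"
}

# Demo: build and check a CSR for an Administration Portal in a scratch directory.
workdir=$(mktemp -d)
cd "$workdir"
make_csr adminport myhost.sciencelogic.com myhost
check_csr adminport myhost.sciencelogic.com
echo "Send ${workdir}/adminport.csr to the CA; adminport.key stays on the appliance."
```

The key is written without a passphrase because that is the form nginx needs; run it with sudo in /etc/nginx on the appliance, keep the 0600 mode, and send only the .csr file to the CA. The same check_csr comparison of public keys can later be run against the returned .crt (openssl x509 -pubkey -noout) to confirm the CA signed the request you sent.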

Creating Your Own Certificate

There are two reasons you might create your own TLS certificate:

  • If your organization is a root Certificate Authority (for example, some departments of the United States government), you can create your own private key and public key for each ScienceLogic server.
  • If your security requirements permit a self-signed certificate, you can create your own private key and public key for each Skylar One appliance.

Remember to create a key pair for each Skylar One appliance in your Skylar One system, and also remember to create two key pairs for each Administration Portal in your Skylar One system (one for the user interface and one for the Configuration Utility).

If your organization is a Certificate Authority, see your organization's internal documentation on creating a certificate for NGINX.

To create a self-signed certificate:

  1. Either go to the console of the Skylar One appliance or use SSH to open a shell session on the Skylar One appliance.

  2. Log in as an administrator (such as em7admin).

  3. Generate a private key for the server. To do this, enter the following at the shell prompt:

    sudo openssl genrsa -aes256 -out <keyname>.key 4096

    where <keyname> is a name for the private key. For example, you might want to name the private key for an Administration Portal adminport.key.

    Make sure the file is not named silossl.key. This is the private key of the pre-existing ScienceLogic self-signed certificate.

  4. Enter a passphrase for the key when prompted.

    A best practice is to make a backup copy of the key file and the passphrase and store both in a secure location.

  5. Remove the passphrase from the key before you continue, so that nginx can load the key without prompting for it. To do this, enter the following command at the shell prompt, inserting the keyname you used where indicated:

    sudo openssl rsa -in <keyname>.key -out <keyname>.key.insecure

    The .key.insecure file is an unencrypted copy of your private key. Restrict it to root (sudo chmod 600 <keyname>.key.insecure) and keep it, like the passphrase-protected original, only on the appliance.

  6. Create a self-signed certificate based on the private key you generated in the previous steps. To do this, enter the following at the shell prompt:

    sudo openssl req -new -x509 -sha256 -days 365 -key <keyname>.key.insecure -out <keyname>.crt

    where:

  • <keyname>.key.insecure is the passphrase-less private key for the Skylar One appliance created in step 5.

  • <keyname>.crt is the certificate (containing the public key) for the Skylar One appliance.

    The certificate is signed with SHA-256; browsers reject certificates signed with SHA-1. The -days value sets how long the certificate is valid, so plan to repeat this procedure before it expires.

    For example, you might want to name the private key for an Administration Portal adminport.key.insecure, and name the certificate file for that key adminport.crt. The resulting .crt file is the certificate that matches your private key for the Skylar One appliance.

    Make sure the files are not named silossl.crt and silossl.key. These are the names of the pre-existing ScienceLogic self-signed certificate files.

  7. Copy the passphrase-less private key (<keyname>.key.insecure) and the certificate (<keyname>.crt) to /etc/nginx, and make sure the key file is readable by root only (sudo chmod 600).

  8. On Collectors: add the private key and certificate file to each Collector for the Configuration Utility. To do this, replace the names of the existing .key and .crt files with the names of the new files in the following files:

    /etc/nginx/conf.d/em7ngx_web_ui.conf

    /etc/nginx/conf.d/em7ngx_em7proxy_web_ui.conf

  9. On the Administration Portal, Database Server, or All-in-One Appliance: add the private key and certificate file for the user interface. To do this, replace the names of the existing .key and .crt files with the names of the new files in the following files:

    /etc/nginx/conf.d/em7ngx_web_ui.conf

    /etc/nginx/conf.d/em7ngx_em7proxy_web_ui.conf

  10. Check the configuration, then restart the Web Configuration Utility and web server by entering the following commands:

    sudo nginx -t

    sudo systemctl restart nginx

    nginx -t fails, before anything is restarted, if a certificate or key file cannot be loaded or if the key does not match the certificate, which is far better than discovering the problem when the web server refuses to start.
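The self-signed procedure above as one script, added here as an example that is not ScienceLogic tooling (host names and subject values are placeholders; it assumes OpenSSL 1.1.1 or later for the -addext option and a POSIX shell). It signs with SHA-256 rather than SHA-1, puts the hostname into subjectAltName, and then checks the certificate the way a browser would before it is copied into /etc/nginx:

```shell
#!/bin/sh
# Added example (not ScienceLogic tooling): issue a self-signed certificate
# for a Skylar One appliance with a SHA-256 signature and a subjectAltName,
# then inspect the result before installing it. Names are placeholders.
# Assumptions: OpenSSL CLI 1.1.1 or later (for -addext), POSIX sh.
set -eu

# self_sign KEYNAME CN DAYS
#   Uses the passphrase-less key KEYNAME.key.insecure and writes KEYNAME.crt.
#   -sha256 rather than -sha1: browsers reject SHA-1 signed certificates.
#   basicConstraints=CA:FALSE marks it as an end-entity certificate.
self_sign() {
  keyname=$1; cn=$2; days=$3
  openssl req -new -x509 -sha256 -days "$days" \
      -key "${keyname}.key.insecure" \
      -subj "/C=US/ST=Virginia/L=Reston/O=Example Org/CN=${cn}" \
      -addext "subjectAltName=DNS:${cn}" \
      -addext "basicConstraints=CA:FALSE" \
      -out "${keyname}.crt"
}

# check_cert CERT KEY CN
#   Returns 0 only if CERT is not signed with SHA-1 or MD5, lists CN in
#   subjectAltName, has not expired, and carries the public key of KEY.
check_cert() {
  cert=$1; key=$2; cn=$3
  text=$(openssl x509 -in "$cert" -noout -text)
  case "$text" in
    *sha1WithRSAEncryption*|*md5WithRSAEncryption*)
      echo "$cert: weak signature algorithm" >&2; return 1 ;;
  esac
  echo "$text" | grep -q "DNS:${cn}" || {
    echo "$cert: ${cn} not in subjectAltName" >&2; return 1; }
  # -checkend 0 succeeds only while the certificate is still valid.
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || {
    echo "$cert: expired" >&2; return 1; }
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] || {
    echo "$cert: public key does not match $key" >&2; return 1; }
  echo "$cert OK for ${cn}"
}

# Demo in a scratch directory: create the passphrase-less key directly
# (the procedure above creates it by stripping the passphrase), self-sign
# for 365 days and check the result.
workdir=$(mktemp -d)
cd "$workdir"
( umask 077 && openssl genrsa -out adminport.key.insecure 4096 2>/dev/null )
self_sign adminport myhost.sciencelogic.com 365
check_cert adminport.crt adminport.key.insecure myhost.sciencelogic.com
```

check_cert is also worth running against any certificate before it is referenced from an nginx configuration file: a mismatched key or a SHA-1 signature is cheaper to find here than after the web server has been restarted.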

Installing the Certificate on a Skylar One Appliance

ScienceLogic does not provide support for third party certificates. Be advised that installing a new TLS certificate can affect the operation of TLS services.

Most certificate authorities provide support and resources on installing and enabling their certificates in Nginx web servers. If you have questions, please refer to your Certificate Authority.

The following steps restart the web server (nginx) on the Skylar One appliance and temporarily make the Administration Portal user interface and the Configuration Utility unavailable. Confirm with your System Administrator that you are permitted to restart the ScienceLogic Web Service.

These instructions assume that you are familiar with the Linux shell and the "vi" editor.

To install a commercial TLS certificate on a Skylar One appliance, perform the following:

  1. Acquire a certificate from a certificate authority.
  2. Copy the certificate files (the server .crt file and any chain bundle .crt file) to a server that can access the Skylar One appliance via SFTP. The private key does not need to be moved if you generated it on the appliance itself; if you must transfer it, use SFTP or SCP only and never send it by email or in a ticket.

    Make sure the files are not named silossl.crt and silossl.key. These are the names of the pre-existing ScienceLogic self-signed certificate files.

  3. Use SFTP or SCP to copy the .crt file(s) and, if needed, the .key file to the Skylar One appliance in the /etc/nginx directory. The key file must be readable by root only (chmod 600).
  4. Either go to the console of the Skylar One appliance or use SSH to access the server. Open a shell session on the Skylar One appliance. Log in as "em7admin".
  5. If an intermediate certificate has been used to sign the certificate file, execute the following commands to combine the server certificate and the bundle of chained certificates provided by the Certificate Authority, entering the server certificate name, bundle name, and combined certificate name where indicated:

    cd /etc/nginx

    cat <server certificate name>.crt <bundle name>.crt > <combined certificate name>.crt

    The order matters: nginx treats the first certificate in the file as the server's own certificate and sends the remaining certificates as the chain. Use the combined .crt file name when updating the nginx configuration.

  6. For each appliance, edit the following files to configure the certificate for the Configuration Utility:
  • /etc/nginx/conf.d/em7webconfig.conf
  • /etc/nginx/conf.d/em7_sladmin.conf
  • Edit the following lines, removing references to silossl.crt and silossl.key and replacing them with the names of the new .key and .crt files:

ssl_certificate /etc/nginx/<name of .crt file>;

ssl_certificate_key /etc/nginx/<name of .key file>;

  7. In addition, for each Administration Portal, Database Server, and All-In-One Appliance, you must also edit the following files to configure the certificate for the user interface:
  • /etc/nginx/conf.d/em7ngx_web_ui.conf
  • /etc/nginx/conf.d/em7ngx_em7proxy_web_ui.conf
  • Edit the following lines, removing references to silossl.pem and silossl.key and replacing them with the names of the new certificate and key files (nginx reads PEM-encoded files regardless of their extension, so the new .crt file replaces the .pem reference directly):

ssl_certificate /etc/nginx/<name of .crt file>;

ssl_certificate_key /etc/nginx/<name of .key file>;

  8. If you are using the Enterprise Key Management Service (EKMS), then for each appliance, you must also edit the following file to configure the certificate for that service:
  • /etc/nginx/conf.d/vault.conf
  • Edit the following lines, removing references to silossl.pem and silossl.key and replacing them with the names of the new certificate and key files:

ssl_certificate /etc/nginx/<name of .crt file>;

ssl_certificate_key /etc/nginx/<name of .key file>;

  9. Next, check the configuration and restart the webconfig and webserver. To do this, execute the following commands:
  • For all appliances, enter:

sudo nginx -t

sudo systemctl restart nginx

  If nginx -t reports an error (for example, a certificate or key file that cannot be loaded, or a key that does not match the certificate), fix the configuration before restarting; the running web server keeps serving the old certificate until the restart.

  10. To test the certificate, open a browser session and connect to the Administration Portal, Database Server, or All-In-One Appliance using HTTPS.
  • From the Administration Portal, go to the Appliance Manager page (System > Settings > Appliances).
  • Select the toolbox icon () for each server. Notice that the URL for the Configuration Utility includes https.