This document walks you through how to set up HTTPS for Delphix Reporting. To achieve end-to-end HTTPS support, the Delphix Reporting Engine needs to be configured in two parts:

  • Browser to Delphix Reporting

  • Delphix Reporting to Delphix Engines

Before you proceed, please note that the HTTPS connection is “all or nothing”: Delphix Reporting will not fall back to an HTTP connection if the HTTPS connection is unsuccessful.

Browser to Delphix Reporting

Delphix Reporting uses the Meteor framework as its server and front end. Meteor itself does not support HTTPS, so Nginx is needed as a middleman to accept the HTTPS requests and delegate them to Meteor. The following instructions walk you through the steps to configure Nginx.

Preparing Certificates

The HTTPS protocol dictates that you have a CA-signed certificate to establish trust between the browser and the Delphix Reporting server. After you obtain your certificate (a certificate file and its key file), please note the following:

  • The CN value of your certificate should match the domain name.

  • Delphix recommends placing your certificate and the server key under /etc/nginx/ssl/ (for example, /etc/nginx/ssl/server.crt and /etc/nginx/ssl/server.key).

  • Update the file permission on server.key as follows:
$ chmod 600 /etc/nginx/ssl/server.key

Configuring Nginx

Nginx will be installed and configured to route HTTP traffic automatically with the Delphix Reporting 1.5.0.0 installer. You will need to configure Nginx so that it forwards all HTTP traffic to HTTPS, then proxies the HTTPS traffic to the Meteor app:

  1. Copy the HTTPS config file from /opt/delphix/nginx/nginx.https.config to /etc/nginx/sites-available/

  2. Rename the HTTPS config file to delphix-reporting, replacing the current delphix-reporting file.

The complete path to the config file should be: /etc/nginx/sites-available/delphix-reporting

Modifying the HTTPS Configuration File

  1. Open the config file at /etc/nginx/sites-available/delphix-reporting.

  2. Replace <# server_name #> with your server name. Note: this field must match the CN value in your certificate. You can use openssl on CentOS to look up the CN value in your certificate:

    $ openssl x509 -noout -subject -in /etc/nginx/ssl/server.crt

  3. Replace <# certificate_path #> with the absolute path to your certificate. For example: /etc/nginx/ssl/server.crt

  4. Replace <# key_path #> with the path to the server key associated with your certificate. For example: /etc/nginx/ssl/server.key

  5. The provided configuration file uses standard ports (port 80 for HTTP and port 443 for HTTPS). If you wish to use different ports you can update the config file (/etc/nginx/sites-available/delphix-reporting):

    • Update the HTTP port in the first server block:

      ...
      # http: route all traffic to https
      server {
          listen 80 default_server;
          listen [::]:80 default_server ipv6only=on;
      ...

    • Update the HTTPS port in the second server block:

      ...
      # https: pass all requests to Meteor
      server {
          listen 443 ssl;
          server_name <# server_name #>;
      ...

  6. Run nginx -t to test your config files to make sure they are syntactically correct. If the test passes, you will see the following message:

    $ nginx -t
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful

    If there is an error with your configuration file, such as missing a semicolon, you will get the following message:

    $ nginx -t
    nginx: [emerg] directive "server_name" is not terminated by ";" in /etc/nginx/sites-enabled/delphix-reporting:20
    nginx: configuration file /etc/nginx/nginx.conf test failed
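
nginx -t only checks syntax, so the certificate requirements from Preparing Certificates and from step 2 above are worth checking in one pass before the restart. The following shell function is an added example, not part of the Delphix installer. The names preflight and preflight.sh are hypothetical, and it assumes openssl is installed.

```shell
#!/usr/bin/env bash
# Added example (not Delphix code): pre-flight checks to run before restarting Nginx.
# preflight CERT KEY SERVER_NAME -> returns 0 only if every check passes.
preflight() {
    pf_cert=$1; pf_key=$2; pf_name=$3; pf_rc=0

    # 1. The certificate file must parse as X.509.
    if ! openssl x509 -noout -in "$pf_cert" 2>/dev/null; then
        echo "FAIL: $pf_cert is not a readable certificate"; return 1
    fi

    # 2. The key must belong to the certificate: both must yield the same public key.
    pf_cpub=$(openssl x509 -noout -pubkey -in "$pf_cert" 2>/dev/null) || pf_cpub=""
    pf_kpub=$(openssl pkey -pubout -in "$pf_key" 2>/dev/null) || pf_kpub=""
    if [ -z "$pf_kpub" ] || [ "$pf_cpub" != "$pf_kpub" ]; then
        echo "FAIL: $pf_key does not match $pf_cert"; pf_rc=1
    fi

    # 3. server_name must be covered by the certificate. -checkhost tests the
    #    subjectAltName DNS entries and falls back to the CN only if there are none.
    if ! openssl x509 -noout -checkhost "$pf_name" -in "$pf_cert" 2>/dev/null |
            grep -q 'does match certificate'; then
        echo "FAIL: $pf_name is not covered by $pf_cert"; pf_rc=1
    fi

    # 4. The certificate must not expire within the next 24 hours.
    if ! openssl x509 -noout -checkend 86400 -in "$pf_cert" >/dev/null 2>&1; then
        echo "FAIL: $pf_cert is expired or expires within a day"; pf_rc=1
    fi

    # 5. The key must carry no group/other permission bits (chmod 600 or stricter).
    if [ "$(ls -ld "$pf_key" 2>/dev/null | cut -c5-10)" != "------" ]; then
        echo "FAIL: $pf_key is accessible to group or others"; pf_rc=1
    fi

    return "$pf_rc"
}

# Run as: sh preflight.sh /etc/nginx/ssl/server.crt /etc/nginx/ssl/server.key <server_name>
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```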

Restarting Nginx

To restart Nginx so that it uses the latest configuration, enter the following command:

$ service nginx restart

All HTTP traffic will now be forwarded to HTTPS.

Delphix Reporting to Delphix Engines

To enable HTTPS traffic from Delphix Engines to Delphix Reporting, you will need to:

  • Generate a TrustStore to tell Delphix Reporting which certificates to trust

  • Configure Delphix Reporting to use HTTPS connection

Using TrustStores

A TrustStore file contains a list of certificates that Delphix Reporting should trust. By default, every Delphix Engine contains a self-signed certificate. If you updated your engines with CA-signed certificates and you have a copy of these certificates, you may skip to the Copying your Certificate step.

Viewing your CA Certificate

To view your CA certificate on a 5.2.4.0 or later Delphix Engine, use the system admin CLI:

delphix.engine> cd service
delphix.engine service> cd tls
delphix.engine service tls> cd caCertificate
delphix.engine service tls caCertificate> ls
Objects
NAME                           REFERENCE            ACCEPTED     NOTAFTER
CN=CN=Delphix Engine delp...   CA_CERTIFICATE-..    true         2022-04-24T19:23:26.000Z

Operations
create
fetch
showProvidedCertificate
delphix.engine service tls caCertificate> select "CN=Delphix Engine delphix.engine CA, O=Delphix, C=US"
delphix.engine service tls caCertificate 'CN=...'> toPEM
delphix.engine service tls caCertificate 'CN=...' toPEM *> commit
   type: PemCertificate
   contents: -----BEGIN CERTIFICATE-----
   MIIDXDCCAkSgAwIBAgIEefhVnzANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJVUzEQMA4GA1UE
   ...
   aJa2s/bFLVHOFqdLTK8UCieFGVcIk63V/JVs7E+CwE8iPdI+jXhe+tZFEY04iIqN6r1CT5p5Ukqt
   VFBxDZ6CF+zx
   -----END CERTIFICATE-----

To upload a CA-signed certificate to each engine (recommended), please follow the directions in Replacing the HTTPS (HTTP Secure) Certificate.

Copying your Certificate

  1. If you already have a copy of your certificates, you can upload them onto your Delphix Reporting VM directly. Otherwise, copy and paste the certificate PEM string (beginning with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----) from above into a .crt file on your Delphix Reporting VM.

  2. Place the certificate files under a temp directory, for example, /tmp/certs. You may discard these certificate files once you have imported them into the TrustStore.

If all of your engines are signed by one CA, it is sufficient to upload only the CA certificate. Otherwise, please upload the certificate from each of your Delphix Engines.

Please contact Delphix Support if you have lost your engine certificates or are unable to use the CLI to view the CA certificate (for example, if your Delphix Engines are running versions older than 5.2.4.0).
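
Text copied from the CLI output above carries the contents: prefix and leading indentation, neither of which belongs in the .crt file. The following shell functions are an added example, not Delphix code: they clean a pasted certificate, reject it unless it is exactly one parseable certificate that stays valid for a minimum number of days, and print its SHA1 fingerprint for comparison with the one keytool shows at its trust prompt. The function names and the 30-day default are assumptions, and openssl must be installed.

```shell
#!/usr/bin/env bash
# Added example (not Delphix code): clean and vet a pasted CA certificate
# before importing it into the TrustStore.

# extract_pem FILE -> prints the PEM block(s) found in FILE, with the CLI's
# indentation, "contents:" prefix, blank lines and carriage returns removed.
extract_pem() {
    awk '
        { sub(/\r$/, ""); sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        /-----BEGIN CERTIFICATE-----/ { sub(/^.*-----BEGIN/, "-----BEGIN"); inside = 1 }
        inside && length($0) > 0 { print }
        /-----END CERTIFICATE-----/ { inside = 0 }
    ' "$1"
}

# cert_sha1 FILE -> SHA1 fingerprint as colon-separated hex, the form keytool
# prints before asking "Trust this certificate?".
cert_sha1() {
    openssl x509 -noout -fingerprint -sha1 -in "$1" | cut -d= -f2
}

# prepare_ca_cert PASTED OUT [MIN_DAYS] -> writes the cleaned certificate to OUT;
# returns non-zero unless it is exactly one parseable certificate that remains
# valid for at least MIN_DAYS (default 30, an assumed threshold).
prepare_ca_cert() {
    pc_out=$2; pc_days=${3:-30}
    extract_pem "$1" > "$pc_out"
    pc_n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$pc_out" || true)
    if [ "$pc_n" -ne 1 ]; then
        echo "FAIL: expected exactly one certificate, found $pc_n" >&2; return 1
    fi
    if ! openssl x509 -noout -in "$pc_out" 2>/dev/null; then
        echo "FAIL: pasted text is not a valid certificate" >&2; return 1
    fi
    if ! openssl x509 -noout -checkend $((pc_days * 86400)) -in "$pc_out" >/dev/null 2>&1; then
        echo "FAIL: certificate expires within $pc_days days" >&2; return 1
    fi
    openssl x509 -noout -subject -enddate -in "$pc_out"
    echo "SHA1: $(cert_sha1 "$pc_out")"
}
```

For example, prepare_ca_cert /tmp/certs/pasted.txt /tmp/certs/CA.crt writes the file that the keytool command in the next section imports; pasted.txt is a hypothetical name for the saved CLI output.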

Creating a New TrustStore

To create a new TrustStore, run the following command on the Delphix Reporting VM:

$ keytool -import -alias CA -file /tmp/certs/CA.crt -keystore /var/delphix/dlpx.truststore
Enter keystore password:  
Re-enter new password:
Owner: CN=Delphix Engine CA
Issuer: CN=Delphix Engine CA, O=Delphix, C=US
Serial number: 6d7dc112
Valid from: Fri Apr 27 13:37:53 PDT 2018 until: Sat Apr 27 13:37:53 PDT 2019
Certificate fingerprints:
   MD5:  04:D7:CF:81:DF:2D:E2:72:63:6F:D3:A8:9C:76:BD:BC
   SHA1: 1B:3F:01:B0:BB:75:FA:85:BD:B7:9A:9F:BA:97:47:29:7A:13:BE:43
...
Trust this certificate? [no]:  yes
Certificate was added to keystore


Please note the following:

  • The alias value is for distinguishing the certificate when you view the TrustStore. You can enter anything here but make sure you can link it back to the Delphix Engine that this certificate came from.

  • The -keystore option specifies the name and the path of the output TrustStore file. While you could place this file anywhere on disk, we recommend you name it dlpx.truststore and place it under /var/delphix (as shown above).

  • Please be sure to remember the keystore password. You will need it in a later step. If you lose it, Delphix Reporting WILL NOT be able to recover it.

  • Make sure to mark this certificate as trusted by entering yes when prompted (as shown above).

  • If all of your Delphix Engines are signed by one CA, it is sufficient to include only the CA certificate in the TrustStore. Otherwise, please repeat this command to import the certificates from every Delphix Engine.

Turning on HTTPS Connection via the Command Line Tool

  1. After the TrustStore is configured, run the following command as root:

    $ delphix-https-config

    This command invokes a CLI application that lets you enable the HTTPS connection.

  2. Enable HTTPS and configure the path to your TrustStore. Here's an example of how to enable HTTPS and configure the TrustStore path and password:

    > update useHttps
    Updating useHttps> true
    useHttps updated.
    
    > update trustStorePath
    Updating trustStorePath> /var/delphix/dlpx.truststore
    trustStorePath updated.
    
    > update trustStorePassword
    Updating trustStorePassword>
    Please enter your password again...
    Updating trustStorePassword>
    trustStorePassword updated.

    Make sure to enter the absolute path to the TrustStore (i.e. /var/delphix/dlpx.truststore) and the password you used to create the TrustStore file. You may also specify whether self-signed certificates are allowed.

It is important to remember your TrustStore password. For security reasons, once the trustStorePassword is set, this application will not let you update any other settings without entering your TrustStore password.

If you enable HTTPS, you must also configure trustStorePath and trustStorePassword; otherwise, the Delphix service will not work correctly.

Restarting the Delphix Collector Service

After you have updated the HTTPS configuration, please restart the Delphix Reporting Service so the new settings can take effect:

$ service delphix-collector restart

Delphix Reporting should now connect to Delphix Engines via HTTPS.