Use custom SSL certificate for https
This document describes how to configure PhenixID Server to use a custom SSL certificate for https.
System requirements
- The SSL certificate to be used, stored as a keystore file (.p12), together with the keystore password
Upload the certificate to the server
1. Follow this guide to upload the certificate as a PhenixID keystore.
2. Note the ID of this keystore, as it will be referred to later in this instruction.
Protect Configuration Manager with the uploaded certificate
HTTP Connections hold the HTTP listener configuration used by the modules that reference them. Open the Advanced tab and locate the HTTP connections.
Create an HTTP Connection to be used by Configuration Manager
The HTTP Connection object to be used should be configured similarly to this:
[ {
  "id" : "https",
  "port" : "443",
  "ssl" : "true",
  "sslKeyStore" : "9ca66f36-efe0-472d-99fd-da8e27b470c0"
} ]
Explanation of parameters:
- id: The configuration will be referenced by its id, in this case "https".
- port: The port to be used by this configuration.
- ssl: Whether SSL should be enabled or not.
- sslKeyStore: A reference to the ID of the keystore uploaded in the previous step.
Enable the configured http connection for "Configuration Manager"
Make a backup copy of boot.json before editing it, as this file has to be modified to use the newly configured http configuration.
- Remove all "ssl" parameters, e.g. "ssl":"true"
- Remove all "port" parameters, e.g. "port":"8443"
- Add the previously configured http configuration to the com.phenixidentity~phenix-prism and com.phenixidentity~auth-http modules by adding "httpConfig":"<ID_OF_HTTPConnection>"
An example of the two modified module entries is found below:
{
  "name": "com.phenixidentity~phenix-prism",
  "enabled": "true",
  "config": {
    "_auth_redirect_url": "/config/authenticate/config",
    "base_url": "/config",
    "httpConfig" : "https",
    "enable_module_deployment": "true",
    "enable_roles": "true",
    "enable_language": "false",
    "display_name": "Configuration Manager",
    "prism_modules": [
      {
        "name": "com.phenixidentity~phenix-prism-start",
        "config": {
          "display_name": "Start",
          "base_uri": "start",
          "requires_role": "sysadmin"
        }
      },
      {
        "name": "com.phenixidentity~phenix-prism-report",
        "enabled": "true",
        "config": {
          "display_name": "Reports",
          "base_uri": "report",
          "requires_role": "sysadmin"
        }
      },
      {
        "name": "com.phenixidentity~phenix-prism-guides",
        "config": {
          "display_name": "Scenarios",
          "base_uri": "scenarios",
          "requires_role": "sysadmin"
        }
      },
      {
        "name": "com.phenixidentity~phenix-prism-config",
        "enabled": "true",
        "config": {
          "display_name": "Advanced",
          "base_uri": "configuration",
          "requires_role": "sysadmin"
        }
      }
    ]
  }
},
{
  "name": "com.phenixidentity~auth-http",
  "enabled": "true",
  "config": {
    "httpConfig" : "https",
    "root_uri": "/config"
  }
}
Restart the server
- Save all modified files.
- Restart the PhenixID Server in order to read the updates from boot.json.
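Before restarting, the boot.json edits above can be checked offline. The following Python script is an added example (not PhenixID code); it assumes the HTTP connections and the module entries have been extracted from the configuration as Python lists, and flags leftover "ssl"/"port" parameters, a missing or dangling "httpConfig", and a referenced connection without SSL or a keystore.

```python
# Modules the guide says must reference the shared HTTP connection.
REQUIRED_MODULES = ("com.phenixidentity~phenix-prism", "com.phenixidentity~auth-http")

def lint_boot_config(http_connections, modules):
    """Return findings for the boot.json edits; an empty list means they look complete."""
    findings = []
    conns = {c.get("id"): c for c in http_connections}
    seen = set()
    for mod in modules:
        name = mod.get("name", "<unnamed>")
        cfg = mod.get("config", {})
        # Guide steps 1-2: per-module "ssl"/"port" settings must be gone.
        for key in ("ssl", "port"):
            if key in cfg:
                findings.append(f'{name}: remove leftover "{key}" parameter')
        if name not in REQUIRED_MODULES:
            continue
        seen.add(name)
        # Guide step 3: module must reference an SSL-enabled connection with a keystore.
        ref = cfg.get("httpConfig")
        if ref is None:
            findings.append(f'{name}: missing "httpConfig"')
        elif ref not in conns:
            findings.append(f'{name}: httpConfig "{ref}" matches no HTTP connection id')
        else:
            conn = conns[ref]
            if str(conn.get("ssl", "")).lower() != "true":
                findings.append(f'HTTP connection "{ref}": "ssl" is not "true"')
            if not conn.get("sslKeyStore"):
                findings.append(f'HTTP connection "{ref}": "sslKeyStore" is not set')
    for name in REQUIRED_MODULES:
        if name not in seen:
            findings.append(f"{name}: module not found in boot.json")
    return findings

# Constructed sample input: the HTTP connection from the guide plus two module entries,
# one edited correctly and one still carrying the old "port" and lacking "httpConfig".
SAMPLE_HTTP_CONNECTIONS = [{"id": "https", "port": "443", "ssl": "true",
                            "sslKeyStore": "9ca66f36-efe0-472d-99fd-da8e27b470c0"}]
SAMPLE_MODULES = [
    {"name": "com.phenixidentity~phenix-prism", "enabled": "true",
     "config": {"base_url": "/config", "httpConfig": "https"}},
    {"name": "com.phenixidentity~auth-http", "enabled": "true",
     "config": {"port": "8443", "root_uri": "/config"}},
]

if __name__ == "__main__":
    for finding in lint_boot_config(SAMPLE_HTTP_CONNECTIONS, SAMPLE_MODULES) or ["OK"]:
        print(finding)
```

With the constructed sample, the auth-http entry yields two findings (leftover "port", missing "httpConfig"); run the same check on the real module entries after editing boot.json.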
Protect Selfservice with the uploaded certificate
Enable custom listener for Self Service
1. Edit the scenario and go to the Advanced tab for Self Service
2. Enable "Use custom listener"
3. Set a temporary http/https port such as 62444
4. Enable "Use SSL/TLS"
5. Click save
Locate the HTTP connection object
6. Open the ADVANCED tab
7. Locate the HTTP connection object with the temporary port
8. Click the pen icon of that HTTP connection to edit the object.
Configure the HTTP connection object
9. Replace the temporary port with the one to use (443)
10. Add parameter "sslKeyStore" : "<ID of the keystore previously noted>",
11. Click Stage changes
12. Click Commit changes
13. Click Commit
Protect OTP Admin with the uploaded certificate
Follow the instructions from "Protect Selfservice with the uploaded certificate", but start with the MFA Admin scenario instead of Self Service.
Protect One Touch with the uploaded certificate
Follow the instructions from "Protect Selfservice with the uploaded certificate", but start with the One Touch scenario instead of Self Service.
Verify SSL certificate
- Open a web browser
- Browse to the PhenixID server over https
- Verify that the https certificate presented by the server is the uploaded one