Setting up SSL for OpenLM Server v5 - KB501 - OpenLM Software License Management

Setting up SSL for OpenLM Server v5 – KB501

The following document describes the setup and configuration of SSL for OpenLM Server version 5 and its related components. This document assumes that a certificate with a digital signature from a certificate authority (CA) is already present on the target machine.

Contents:

1. Setting up SSL for OpenLM Server

Option A – SSL with a certificate from the Windows store

Option B – SSL with a specific certificate file

2. Connect components to an SSL-enabled OpenLM Server

OpenLM Broker

OpenLM Agent

OpenLM Applications Manager

OpenLM Router

OpenLM Reports Scheduler

3. Enable SSL for EasyAdmin user connections

4. Upgrading from SSL-configured Server v4.x to v5

 

1. Setting up SSL for OpenLM Server

1. Open C:\Program Files (x86)\OpenLM\OpenLM Server\bin\appsettings.json in a text editor with administrator privileges.

At the end of the file, locate and edit the following:

  • “Url” variables – specify https
  • “Kestrel” node – see a) or b) below depending on whether you want to use a certificate store or a specific path to a certificate.
  • (optional) If needed, you can add extra ports to act as an alias to the main one (see 7016 and 7012). The name between the quotes (e.g. “Broker”) is purely descriptive and can hold any value.

Option A – SSL with a certificate from the Windows store

Add the “Certificates” node:

"Kestrel": {
    "Endpoints": {
      "Http": {
        "Url": "https://*:5015"
      },
      "Broker": {
        "Url": "https://*:7016"
      },
      "Agent": {
        "Url": "https://*:7012"
      }
    },
    "Certificates": {
      "Default": {
        "Subject": "SILV-PC",
        "Store": "Root",
        "Location": "LocalMachine",
        "AllowInvalid": "true"
      }
    }
  }
  • Subject – to whom the certificate has been issued. This can be found by going to Windows Run → certmgr.msc → select the certificate store where your certificate resides → double-click on it → click the Details tab → locate the Subject (see image below)
  • Store – indicates the certificate store. The “Personal” store is referred to as “My” and the “Trusted Root Certification Authorities” as “Root”. For the names of other certificate stores, consult this article.
  • Location – can be either LocalMachine or CurrentUser.
  • AllowInvalid – set to true to permit the use of invalid certificates (for example, self-signed certificates).

Locating the Subject of a certificate

 

Option B – SSL with a specific certificate file

Add the “Certificates” node:

"Kestrel": {
    "Endpoints": {
      "Http": {
        "Url": "https://*:5015"
      },
      "Broker": {
        "Url": "https://*:7016"
      },
      "Agent": {
        "Url": "https://*:7012"
      }
    },
    "Certificates": {
      "Default": {
        "Path": "C:\\Users\\borisi\\Desktop\\Cert\\OpenLM_Test.pfx",
        "Password": "ZXzx12!@"
      }
    }
  }
  • Path – the path to the certificate file. Make sure Windows paths use double backslashes (\\) instead of forward slashes; in JSON a single backslash is an escape character, so each backslash in the path must be doubled.
  • Password – the password for the private key of the certificate.

Note: make sure the curly braces { } are properly closed at all times.

2. Save the file.

3. Open the C:\Program Files (x86)\OpenLM\OpenLM Server\WebApps\EasyAdmin2\params.js file in a text editor with administrator privileges.

4. Edit the variables (SoapProxyPath, WebProxyPath, WebProxySaasPath, OpenLMServer, EasyadminRoot) so that their URLs use https. The hostname must be the exact FQDN as written on the SSL certificate (e.g. hostname.com).

5. Save the file.

6. Restart the “OpenLM Server” service.
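
The appsettings.json edits from step 1 can be checked before the service is restarted. The script below is an added example, not OpenLM code: it parses the file, confirms every Kestrel endpoint uses https, confirms the Default certificate follows Option A or Option B, and flags AllowInvalid and an inline password. It assumes the file is strict JSON without comments; the sample input is constructed.

```python
import json

# Constructed sample in the shape of the article's Option B node (placeholder values).
SAMPLE = r'''{
  "Kestrel": {
    "Endpoints": {
      "Http":   { "Url": "https://*:5015" },
      "Broker": { "Url": "http://*:7016" }
    },
    "Certificates": {
      "Default": { "Path": "C:\\certs\\example.pfx", "Password": "placeholder" }
    }
  }
}'''

def lint_kestrel(text):
    """Return (severity, message) findings for the Kestrel node of appsettings.json."""
    try:
        cfg = json.loads(text)  # also catches unbalanced curly braces
    except json.JSONDecodeError as exc:
        return [("error", f"invalid JSON at line {exc.lineno}: {exc.msg}")]
    kestrel = cfg.get("Kestrel", {}) if isinstance(cfg, dict) else {}
    findings = []
    endpoints = kestrel.get("Endpoints", {})
    if not endpoints:
        findings.append(("error", "no Kestrel endpoints defined"))
    for name, ep in endpoints.items():
        url = str(ep.get("Url", ""))
        if not url.lower().startswith("https://"):
            findings.append(("error", f"endpoint {name} is not https: {url}"))
    cert = kestrel.get("Certificates", {}).get("Default")
    if not isinstance(cert, dict):
        findings.append(("error", "Certificates.Default is missing"))
        return findings
    if "Path" in cert:  # Option B: certificate file
        if cert.get("Password"):
            findings.append(("warn", "private-key password is stored in clear text; "
                             "restrict read access to this file"))
    elif not {"Subject", "Store", "Location"} <= cert.keys():  # Option A: store
        findings.append(("error", "Default needs Path, or Subject + Store + Location"))
    if str(cert.get("AllowInvalid", "false")).lower() == "true":
        findings.append(("warn", "AllowInvalid is true: invalid certificates are permitted"))
    return findings

if __name__ == "__main__":
    for severity, message in lint_kestrel(SAMPLE):
        print(f"{severity}: {message}")
```

To check a real installation, pass the contents of appsettings.json to lint_kestrel() instead of SAMPLE.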

 

2. Connect components to an SSL-enabled OpenLM Server

Important: it is mandatory that self-signed certificates used for Server also be installed and present in the Trusted Certificate Store of the machine with the component connecting to OpenLM Server (e.g. Agent, Broker, Router etc.). On Linux, for the Java-based components (Broker, Applications Manager, Router and Reports Scheduler), a self-signed certificate must be added to the local JDK keystore. This can be done using the Java-supplied keytool utility.

Once SSL is enabled for Server, it is necessary to update the hostname/IP of all components that connect to it to use the https protocol. As with the Server configuration, make sure that the exact FQDN is used when specifying the host.

 

OpenLM Broker

1. Start the OpenLM Broker Configuration Tool (Windows Start → OpenLM → OpenLM Broker Configuration Tool)

2. Select the Server in the right panel for which you have set up an SSL connection.

3. Make sure that the “OpenLM Server” field is the fully qualified domain name as written on the SSL certificate. Check the port number and make sure that the “SSL” box is checked.

4. Click “Check Connectivity to OpenLM Server”. If you have configured SSL successfully you should see a success dialog.

5. Click “Apply” to save the new settings then click “Restart Broker”.

 

OpenLM Agent

1. Right-click on the Agent tray icon and click on “OpenLM Agent Configuration”

OpenLM Agent tray menu

2. In the OpenLM Server field enter the fully qualified domain name as issued on the SSL certificate. Check the “Use SSL” box and make sure that the Port field matches the main port set in OpenLM Server’s appsettings.json (i.e. 5015).

3. Click “Check connectivity to OpenLM Server” to make sure that a connection is established.

4. Click on “Apply” to save the settings and close the Agent configuration window.

 

OpenLM Applications Manager

The following steps describe how to configure the OpenLM Applications Manager component to connect to an SSL-enabled OpenLM Server. To configure the OpenLM Applications Manager itself to serve SSL connections (e.g. to Agents), please consult this article instead.

1. Locate the Applications Manager folder and open the openlm-app-manager.properties file in a text editor (typically located at C:\Program Files\OpenLM\OpenLM App Manager)

2. Change the following variables:

openlm.server.protocol = https

openlm.server.host = <full domain name as reflected on the SSL certificate>

openlm.server.port = <change if you’ve modified the default OpenLM Server communications port>

3. Save changes to file.

4. Open Windows Services and restart the “OpenLM App Manager” service.

 

OpenLM Router

For Windows

1. Run “OpenLM Software Router.exe” located in your OpenLM Software Router\bin folder (typically C:\Program Files\OpenLM\OpenLM Software Router\bin)

2. The Router Properties tool will open. Click on the “Startup” tab.

3. Edit the Arguments field to reflect the address of the OpenLM Server as indicated on the SSL certificate, e.g.:

-log https://windows2019dev2.openlm.com:5015/OpenLM.Server.Services/RouterAPI

4. Click “Apply” then “OK” to close the tool.

5. Open Windows Services and restart the “OpenLM Software Router” service.

 

For Linux/Unix

1. Edit the router.sh script located in the folder where you installed OpenLM Router.

2. Change the address after the -log parameter to reflect the address of the OpenLM Server as indicated on the SSL certificate:

#!/usr/bin/env bash

java -Dlog4j.configuration=file:log4j.properties -Djava.net.preferIPv4Stack=true -jar openlm-router-2.0.20.jar -log https://windows2019dev2.openlm.com:5015/OpenLM.Server.Services/RouterAPI

3. Restart the OpenLM Router service.

 

OpenLM Reports Scheduler

1. Locate the OpenLM Report Scheduler folder and open the report_scheduler.properties file in a text editor (typically located at C:\Program Files (x86)\OpenLM\OpenLM Report Scheduler)

2. Change the following variables:

openlm.protocol=https

openlm.host=<fully qualified domain name as reflected on the SSL certificate>

openlm.soap.port=<change if you’ve changed the default 5015>

3. Save the changes.

4. Open Windows Services and restart the “OpenLM Report Scheduler” service.
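
The requirement repeated throughout this section, https plus the exact FQDN written on the certificate, can be checked against a component's properties file. The script below is an added example, not OpenLM code: it reads the keys the steps above edit and compares the host with the certificate's DNS names, where a wildcard covers exactly one left-most label. It assumes the names are supplied in the dictionary format of Python's ssl.SSLSocket.getpeercert() and compares against Subject Alternative Name entries only; all sample values are constructed.

```python
# Constructed samples: the keys are the ones the article edits, the values are placeholders.
APP_MANAGER_PROPS = """\
openlm.server.protocol = https
openlm.server.host = licsrv
openlm.server.port = 5015
"""
REPORT_SCHEDULER_PROPS = "openlm.protocol=http\nopenlm.host=licsrv.example.com\n"
# Constructed certificate names, shaped like ssl.SSLSocket.getpeercert() output.
CERT = {"subjectAltName": (("DNS", "licsrv.example.com"),)}

def parse_properties(text):
    """Parse 'key = value' lines, skipping blanks and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def name_matches(host, pattern):
    """Case-insensitive match; '*.' stands for exactly one left-most label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, tail = host.partition(".")
        return bool(head) and tail == pattern[2:]
    return host == pattern

def check_component(props_text, cert, protocol_key, host_key):
    """Return a list of problems; an empty list means the settings are consistent."""
    props = parse_properties(props_text)
    problems = []
    if props.get(protocol_key, "").lower() != "https":
        problems.append(f"{protocol_key} is not https")
    host = props.get(host_key, "")
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(name_matches(host, name) for name in names):
        problems.append(f"{host_key}={host!r} is not one of the certificate names {names}")
    return problems

if __name__ == "__main__":
    # The short hostname 'licsrv' fails even though it resolves to the same machine.
    print(check_component(APP_MANAGER_PROPS, CERT,
                          "openlm.server.protocol", "openlm.server.host"))
    print(check_component(REPORT_SCHEDULER_PROPS, CERT, "openlm.protocol", "openlm.host"))
```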

 

3. Enable SSL for EasyAdmin user connections

If using EasyAdmin with IIS, you can also enable SSL communication for the EasyAdmin <-> user connection. Note that securing EasyAdmin with SSL does not depend on section 1. It can be enabled regardless of whether SSL is enabled on the OpenLM Server port (5015). The steps are provided here simply for convenience.

1. Open the IIS Manager.

2. Navigate to Sites → Default Web Site.

3. On the right panel, click on Bindings and add a default 443 https port, specifying your SSL certificate.

4. Close the window and restart the website.

5. Verify that you can open the EasyAdmin user interface through https: https://<OpenLM Server hostname>/EasyAdmin2/index.html

 

4. Upgrading from SSL-configured Server v4.x to v5

If you have previously configured SSL for OpenLM’s v4.x ports to be served via IIS, you will have to remove the IIS bindings first as they will conflict with the ports specified in appsettings.json and the Server process will fail to start. A manual change to use SSL will also be required.

1. Go to IIS Manager → Sites → Default Web Site (or the one you have configured to host EasyAdmin)

2. On the right panel, click on Bindings and remove any previously SSL configured ports (7012, 7016, 7014, etc.) except those used to serve EasyAdmin.

3. Restart the Default Web Site.

4. Proceed with the SSL configuration procedure in section 1 of this document.
