SSL configuration

What is SSL/TLS?

An SSL/TLS certificate is a digital certificate that authenticates a website's identity and enables an encrypted connection. A good summary of what an SSL/TLS certificate is can be found here:

https://www.digicert.com/what-is-an-ssl-certificate

Why do we need SSL/TLS in TrendMiner?

One of the main benefits of SSL/TLS is encryption. Whenever your users enter information in TrendMiner, that data passes through multiple touchpoints before it reaches its final destination. Without SSL/TLS, this data gets sent as plain text and malicious actors can eavesdrop or alter this data. SSL/TLS offers point-to-point protection to ensure that the data is secure during transport.

Another key benefit is authentication. A working SSL/TLS connection ensures that data is being sent to and received from the correct server, rather than a malicious “man in the middle”.

The third core benefit of SSL/TLS is data integrity. SSL/TLS connections ensure that there’s no loss or alteration of data during transport by including a message authentication code, or MAC. This ensures that the data that gets sent is received without any changes or malicious alterations.

Whether TrendMiner is running on-premises or in a SaaS environment, SSL configuration is mandatory from 2021.R3.1 onwards. More and more browsers will enforce SSL by default when connecting to websites or applications.

Terminology

| Term | Explanation |
|---|---|
| SSL | SSL (Secure Sockets Layer) is a security technology that is commonly used to secure server-to-browser transactions. |
| TLS | Transport Layer Security (TLS) encrypts data sent over the Internet to ensure that eavesdroppers and hackers are unable to see what you transmit, which is particularly useful for private and sensitive information such as passwords, credit card numbers, and personal correspondence. |
| CSR | A certificate signing request (CSR) is one of the first steps towards getting your own SSL/TLS certificate. |
| Private key | The private key is a separate file that's used in the encryption/decryption of data sent between your server and the connecting clients. |
| CA | An SSL Certificate Authority (CA) is an entity that is trusted to sign, issue, distribute and revoke digital certificates. |
| Certificate chain | A certificate chain (or chain of trust) is a list of certificates that starts from a server's certificate and terminates with the root certificate. If your server's certificate is to be trusted, its signature has to be traceable back to its root CA. |
| Intermediate certificate | An intermediate certificate is a subordinate certificate issued by the trusted root certificate authority and provided to certificate providers to give them the authority to issue end-entity (SSL) server certificates. |
| PEM | Privacy Enhanced Mail (PEM) files are a type of Public Key Infrastructure (PKI) file used for keys and certificates. |

How to enable SSL in TrendMiner?

To enable HTTPS, three things are required:

  • Private key

  • Certificate

  • Certificate chain

Typically, your IT department will be able to provide these. A (temporary) solution to create a certificate is offered in the next section, but make sure to align with your IT department first.

The web server software (Apache) only supports PEM certificates. To convert certificates to the PEM format, an online converter can be used, or on Linux systems OpenSSL can be used to convert certificates in a different format to PEM:

Convert x509 to PEM

openssl x509 -in certificate.cer -outform PEM -out certificate.pem

Convert DER to PEM

openssl x509 -inform der -in certificate.cer -out certificate.pem

Convert PFX to PEM

openssl pkcs12 -in certificate.pfx -out certificate.pem

Convert PKCS7/P7B to PEM

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem

Once these prerequisites are fulfilled, browse to the ConfigHub -> Security -> SSL menu to upload them. After uploading, HTTPS can be enabled via the "Options" menu on the top right.

Note

Enabling HTTPS will temporarily render ConfigHub unusable until the service restart has completed. A manual refresh of ConfigHub is necessary. Press F5 to try to load the interface again. Retry until this succeeds.

Note

Certificate chain: If the certificate is issued directly by the root CA, upload the root CA, otherwise upload the intermediate CA which signed the certificate.
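Before uploading, the three files can be checked locally with OpenSSL. The script below is an added example, not part of TrendMiner or its documentation: it checks that each file is PEM, that the private key belongs to the certificate, and that the chain file contains the CA that signed the certificate. The function names and file arguments are illustrative, and it assumes an unencrypted private key and an `openssl` binary on the PATH.

```shell
#!/bin/sh
# Added example (not TrendMiner tooling): pre-upload checks for the
# private key, certificate and certificate chain. File names are placeholders.

# True if the file holds a PEM block whose label matches the given regex.
has_pem_block() {  # <file> <label-regex>
    grep -Eq -e "^-----BEGIN ($2)-----" "$1"
}

# True if the private key and the certificate carry the same public key.
# "-passin pass:" makes an encrypted key fail here instead of prompting.
key_matches_cert() {  # <key.pem> <cert.pem>
    key_pub=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# True if the certificate verifies with the chain file as trust anchor.
# -partial_chain lets an intermediate CA in the file act as the anchor,
# matching the note about uploading the CA that signed the certificate.
# SSL_CERT_DIR points at an empty directory so that OpenSSL's default
# CA directory cannot satisfy the check in place of the supplied file.
chain_signs_cert() {  # <cert.pem> <chain.pem>
    empty_dir=$(mktemp -d) || return 1
    if SSL_CERT_DIR="$empty_dir" openssl verify -partial_chain \
            -CAfile "$2" "$1" >/dev/null 2>&1; then rc=0; else rc=1; fi
    rmdir "$empty_dir"
    return "$rc"
}

# Runs every check, reports each failure, returns non-zero if any failed.
preflight() {  # <key.pem> <cert.pem> <chain.pem>
    fail=0
    has_pem_block "$1" '(RSA |EC |ENCRYPTED )?PRIVATE KEY' \
        || { echo "private key: no PEM block found" >&2; fail=1; }
    has_pem_block "$2" 'CERTIFICATE' \
        || { echo "certificate: no PEM block found" >&2; fail=1; }
    has_pem_block "$3" 'CERTIFICATE' \
        || { echo "chain: no PEM block found" >&2; fail=1; }
    key_matches_cert "$1" "$2" \
        || { echo "private key does not match certificate" >&2; fail=1; }
    chain_signs_cert "$2" "$3" \
        || { echo "chain file does not verify certificate" >&2; fail=1; }
    return "$fail"
}

# Stand-alone use: sh preflight.sh key.pem certificate.pem chain.pem
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

A non-zero exit status means at least one check failed; the messages on stderr say which.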

Create a certificate with ZeroSSL

Note

Make sure to align with your IT department before creating SSL certificates yourself.

Many online services offer easy creation of validated SSL certificates. Some of them are free to use but only offer a limited number of certificates or a limited validity time. One of these services is ZeroSSL. The free tier of this service offers 3 certificates valid for 3 months. You can also opt for a paid plan; more information can be found at https://zerossl.com/.

Creating certificates with ZeroSSL is easy. If you want to use ZeroSSL, a step-by-step guide is available on their website: https://help.zerossl.com/hc/en-us/articles/360060119373-Creating-an-SSL-Certificate