SSL Configuration

SpinFire Manage 7 and ArangoDB SSL Configuration

Important Note on this Guide

This guide shows one way to get an SSL certificate ready for ArangoDB, by exporting a certificate on a Windows server and converting to PEM format. Of course you can use any mechanism you like to generate a certificate in PEM format for use with ArangoDB

SSL provides privacy, critical security and data integrity for both your websites and your users' personal information. The principal use of SSL is to keep sensitive information sent across networks and the internet encrypted so that only the intended recipient can understand it. In addition to encryption, a proper SSL certificate also provides authentication. This means you can be sure that you are sending information to the right server and not to an imposter trying to steal your information.

Requirements

Wildcard SSL certificate in .pem format
DNS entry for ArangoDB server using domain in SSL certificate (i.e. http://arangodb.mydomain.com )

ArangoDB on Linux: SSL Certificate to .pem Format via "openssl"

Export the wildcard SSL certificate from a Windows server in .pfk format.
Copy the newly exported .pfk file to the ArangoDB Linux server.
Convert the .pfk file to .pem file format using OpenSSL on the ArangoDB server.

Command as root user

CODE

		openssl pkcs12 -in /home/sslcert/yourdomain.com.pfx -put /etc/arangodb/yourdomain.pem -nodes

Ubuntu Example:

The newly created certificate in .pem format should now exist in the /etc/arangodb directory.

ArangoDB 3.x on Windows Server: SSL Certificate to .pem Format via "openssl"

Export the wildcard SSL certificate from a Windows server in .pfk format.
Copy the newly exported .pfk file to the ArangoDB Windows server.
Download and Install OpenSSL for Windows
Convert the .pfk file to .pem file format using OpenSSL on the ArangoDB server.

Download and Install OpenSSL for Windows: SSL for Windows http://gnuwin32.sourceforge.net/packages/openssl.htm

Command as administrator

CODE

		openssl pkcs12 -in C:\SW\cert\yourdomain.com.pfx -out C:\Program Files\ArangoDB3 @ROOTDIR@\etc\arangodb3\yourdomain.com.pem -nodes

Windows Example:

The newly created certificate in .pem format should now exist in the /etc/arangodb3 directory.

ArangoDB 3.x Configuration

ArangoDB 3.x Configuration

Edit arangod.conf file [ssl] section with SSL configuration details and [server] section with endpoint details
Add firewall exceptions for port 443, 8529 and https protocol

Configure arangodb to use new ssl certificate and https endpoint

ArangoDB 3.x on Linux:arangod.conf

[ssl] keyfile = /etc/arangodb/yourdomain.com.pem protocol = 5

ArangoDB 3.x on Windows: arangod.conf

[ssl] keyfile = @ROOTDIR@/etc/arangodb/yourdomain.com.pem protocol = 5

Open arangod.conf and add the ssl keyfile and protocol information under the “[ssl]” section of the file.

If the "[ssl]" entry does not exist it should be added.

Modify endpoint configuration to use SSL endpoint with DNS name.

ArangoDB 2.8.11 Configuration

- Edit arangod.conf file [server] section with SSL configuration details and endpoint details
- Add firewall exceptions for port 443, 8529 and https protocol

Configure arangodb to use new ssl certificate and https endpoint

[server] keyfile = /etc/arangodb/yourdomain.com.pem ssl-protocol = 5

Open arangod.conf and add the ssl keyfile and protocol information under the “[server]” section of the file. (applies to arangodb 2.8 and earlier only)

Modify endpoint configuration to use SSL endpoint with DNS name.

Server Firewall Exceptions

Server Configuration: Add Firewall exceptions - Ubuntu using UFW (Uncomplicated Firewall)

Allow https or port 443:

or

Allow port 8529:

Stop ArangoDB service:

Reload Firewall to include configuration changes:

Start ArangoDB service:

Server Configuration: Add Firewall exceptions - CentOS

Please consult firewall documentation for firewall zone implications - http://www.firewalld.org/documentation/zone/predefined-zones.html

Allow https or port 443:

Allow port 8529:

Reload Firewall:

Server Configuration: Add Firewall exceptions – Debian 8.x using UFW (Uncomplicated Firewall)

Allow https or port 443:

Allow port 8529:

Reload Firewall:

Test configuration by visiting the ArangoDB web interfacing using the new DNS name and https protocol (i.e. https://arangodb.mydomain.com/ ). Connection should be secure and no issues encountered when loading.

Centro 7 WebApp, PipelineHost and PipelineManager SSL Configuration

SpinFire Manage SSL Connection to ArangoDB Configuration

Edit SpinFire ManageSettings.config file for SpinFire Manage Web, PipelineHost and PipelineManager.
Modify "ArangoIP" value to use DNS name for the ArangoDB server.

Pipeline Host Configuration: SpinFire ManageSettings.config

Edit C:\Program Files\Actify\SpinFire Manage\PipelineHostService\SpinFire ManageSettings.config
Set ArrangoUseSSL value to “true” and ArangoIP to ArangoDB DNS hostname.
Restart SpinFire ManagePipelineHost service to reload the configuration file.

Pipeline Manager Configuration: SpinFire ManageSettings.config

Edit C:\Program Files\Actify\SpinFire Manage\PipelineManagerService\SpinFire ManageSettings.config
Set ArrangoUseSSL value to “true” and ArangoIP to ArangoDB DNS hostname.
Restart SpinFire ManagePipelineManager service to reload the configuration file

SpinFire Manage WebApp Configuration: SpinFire ManageSettings.config & Web.config

Edit SpinFire ManageSettings.config.
Set ArrangoUseSSL value to “true” and ArangoIP to ArangoDB DNS hostname.
**SpinFire Manage 7.4 and earlier: Edit web.config - Change httpRunTime targetFramework value from “4.5” to “4.6.1”. Not required for SpinFire Manage 7.5.

Centro IIS Configuration

SpinFire Manage IIS Configuration

SpinFire Manage IIS & SSL Binding

Binding SSL to the SpinFire Manage IIS site does not require an SSL connection to the ArangoDB from the SpinFire Manage Web App, Pipeline Host or Pipeline Manager Services as outlined in the above steps.

- Create an SSL binding in IIS
- Add HTTPS Protocol to SpinFire Manage Site and Web Application in IIS

SpinFire Manage IIS Configuration: SSL Binding

Select the SpinFire Manage site in the tree view and click Bindings... in the Actions pane.
Click Add... to add your new SSL binding to the site and select port and certificate. S
elect https in the Type drop-down list.
Select your certificate from the SSL Certificate drop-down list.
Click OK.

SpinFire Manage IIS Configuration: Enable HTTPS on site and Web Application in IIS

Select the SpinFire Manage site of parent site in the tree view.
Click Advanced Settings... in the Actions pane.
Add "https" to the "Enabled Protocols" setting separated by a comma.
Click OK.
If SpinFire Manage is installed under a parent site, confirm https is enable on the web app by selection the SpinFire Manage Web App in the tree view.
Click Advanced Settings... in the Actions pane.
Add "https" to the "Enabled Protocols" setting separated by a comma.
Click OK.
Restart IIS to apply configuration changes.

Additional SSL Configuration Information:

Additional information on configuring IIS and SSL can be found in official Microsoft Documentation here https://docs.microsoft.com/en-us/iis/manage/configuring-security/how-to-set-up-ssl-on-iis and also from your SSL Certificate Issuer.

SpinFire Manage 7 and ArangoDB SSL Configuration

Important Note on this Guide

This guide shows one way to get an SSL certificate ready for ArangoDB, by exporting a certificate on a Windows server and converting to PEM format. Of course you can use any mechanism you like to generate a certificate in PEM format for use with ArangoDB

SSL provides privacy, critical security and data integrity for both your websites and your users' personal information. The principal use of SSL is to keep sensitive information sent across networks and the internet encrypted so that only the intended recipient can understand it. In addition to encryption, a proper SSL certificate also provides authentication. This means you can be sure that you are sending information to the right server and not to an imposter trying to steal your information.

Requirements

Wildcard SSL certificate in .pem format
DNS entry for ArangoDB server using domain in SSL certificate (i.e. http://arangodb.mydomain.com )

ArangoDB on Linux: SSL Certificate to .pem Format via "openssl"

Export the wildcard SSL certificate from a Windows server in .pfk format.
Copy the newly exported .pfk file to the ArangoDB Linux server.
Convert the .pfk file to .pem file format using OpenSSL on the ArangoDB server.

Command as root user

CODE

		openssl pkcs12 -in /home/sslcert/yourdomain.com.pfx -put /etc/arangodb/yourdomain.pem -nodes

Ubuntu Example:

The newly created certificate in .pem format should now exist in the /etc/arangodb directory.

ArangoDB 3.x on Windows Server: SSL Certificate to .pem Format via "openssl"

Export the wildcard SSL certificate from a Windows server in .pfk format.
Copy the newly exported .pfk file to the ArangoDB Windows server.
Download and Install OpenSSL for Windows
Convert the .pfk file to .pem file format using OpenSSL on the ArangoDB server.

Download and Install OpenSSL for Windows: SSL for Windows http://gnuwin32.sourceforge.net/packages/openssl.htm

Command as administrator

CODE

		openssl pkcs12 -in C:\SW\cert\yourdomain.com.pfx -out C:\Program Files\ArangoDB3 @ROOTDIR@\etc\arangodb3\yourdomain.com.pem -nodes

Windows Example:

The newly created certificate in .pem format should now exist in the /etc/arangodb3 directory.

ArangoDB 3.x Configuration

ArangoDB 3.x Configuration

Edit arangod.conf file [ssl] section with SSL configuration details and [server] section with endpoint details
Add firewall exceptions for port 443, 8529 and https protocol

Configure arangodb to use new ssl certificate and https endpoint

ArangoDB 3.x on Linux:arangod.conf

[ssl] keyfile = /etc/arangodb/yourdomain.com.pem protocol = 5

ArangoDB 3.x on Windows: arangod.conf

[ssl] keyfile = @ROOTDIR@/etc/arangodb/yourdomain.com.pem protocol = 5

Open arangod.conf and add the ssl keyfile and protocol information under the “[ssl]” section of the file.

If the "[ssl]" entry does not exist it should be added.

Modify endpoint configuration to use SSL endpoint with DNS name.

ArangoDB 2.8.11 Configuration

- Edit arangod.conf file [server] section with SSL configuration details and endpoint details
- Add firewall exceptions for port 443, 8529 and https protocol

Configure arangodb to use new ssl certificate and https endpoint

[server] keyfile = /etc/arangodb/yourdomain.com.pem ssl-protocol = 5

Open arangod.conf and add the ssl keyfile and protocol information under the “[server]” section of the file. (applies to arangodb 2.8 and earlier only)

Modify endpoint configuration to use SSL endpoint with DNS name.

Server Firewall Exceptions

Server Configuration: Add Firewall exceptions - Ubuntu using UFW (Uncomplicated Firewall)

Allow https or port 443:

or

Allow port 8529:

Stop ArangoDB service:

Reload Firewall to include configuration changes:

Start ArangoDB service:

Server Configuration: Add Firewall exceptions - CentOS

Please consult firewall documentation for firewall zone implications - http://www.firewalld.org/documentation/zone/predefined-zones.html

Allow https or port 443:

Allow port 8529:

Reload Firewall:

Server Configuration: Add Firewall exceptions – Debian 8.x using UFW (Uncomplicated Firewall)

Allow https or port 443:

Allow port 8529:

Reload Firewall:

Test configuration by visiting the ArangoDB web interfacing using the new DNS name and https protocol (i.e. https://arangodb.mydomain.com/ ). Connection should be secure and no issues encountered when loading.

Centro 7 WebApp, PipelineHost and PipelineManager SSL Configuration

SpinFire Manage SSL Connection to ArangoDB Configuration

Edit SpinFire ManageSettings.config file for SpinFire Manage Web, PipelineHost and PipelineManager.
Modify "ArangoIP" value to use DNS name for the ArangoDB server.

Pipeline Host Configuration: SpinFire ManageSettings.config

Edit C:\Program Files\Actify\SpinFire Manage\PipelineHostService\SpinFire ManageSettings.config
Set ArrangoUseSSL value to “true” and ArangoIP to ArangoDB DNS hostname.
Restart SpinFire ManagePipelineHost service to reload the configuration file.

Pipeline Manager Configuration: SpinFire ManageSettings.config

Edit C:\Program Files\Actify\SpinFire Manage\PipelineManagerService\SpinFire ManageSettings.config
Set ArrangoUseSSL value to “true” and ArangoIP to ArangoDB DNS hostname.
Restart SpinFire ManagePipelineManager service to reload the configuration file

SpinFire Manage WebApp Configuration: SpinFire ManageSettings.config & Web.config

Edit SpinFire ManageSettings.config.
Set ArrangoUseSSL value to “true” and ArangoIP to ArangoDB DNS hostname.
**SpinFire Manage 7.4 and earlier: Edit web.config - Change httpRunTime targetFramework value from “4.5” to “4.6.1”. Not required for SpinFire Manage 7.5.

Centro IIS Configuration

SpinFire Manage IIS Configuration

SpinFire Manage IIS & SSL Binding

Binding SSL to the SpinFire Manage IIS site does not require an SSL connection to the ArangoDB from the SpinFire Manage Web App, Pipeline Host or Pipeline Manager Services as outlined in the above steps.

- Create an SSL binding in IIS
- Add HTTPS Protocol to SpinFire Manage Site and Web Application in IIS

SpinFire Manage IIS Configuration: SSL Binding

Select the SpinFire Manage site in the tree view and click Bindings... in the Actions pane.
Click Add... to add your new SSL binding to the site and select port and certificate. S
elect https in the Type drop-down list.
Select your certificate from the SSL Certificate drop-down list.
Click OK.

SpinFire Manage IIS Configuration: Enable HTTPS on site and Web Application in IIS

Select the SpinFire Manage site of parent site in the tree view.
Click Advanced Settings... in the Actions pane.
Add "https" to the "Enabled Protocols" setting separated by a comma.
Click OK.
If SpinFire Manage is installed under a parent site, confirm https is enable on the web app by selection the SpinFire Manage Web App in the tree view.
Click Advanced Settings... in the Actions pane.
Add "https" to the "Enabled Protocols" setting separated by a comma.
Click OK.
Restart IIS to apply configuration changes.

Additional SSL Configuration Information:

Additional information on configuring IIS and SSL can be found in official Microsoft Documentation here https://docs.microsoft.com/en-us/iis/manage/configuring-security/how-to-set-up-ssl-on-iis and also from your SSL Certificate Issuer.