3. Secure Apache httpd
The SSL protocol provides for a secure channel of communication between the user’s browser and the Open OnDemand portal. It is recommended that you secure your Apache server by adding these configurations.
Open OnDemand expects secure (https) traffic by default. If you do not add SSL to your Apache server you will have to follow FIXME-LINK-NEEDED to enable some (if not most) functionality.
This is not recommended as someone on your network could see your traffic in plain text, including passwords.
- A server name that points to the Open OnDemand server (ondemand.my_center.edu). I.e., nslookup ondemand.my_center.edu resolves to your instance.
- Signed SSL certificates with possible intermediate certificates
In this example we assume the following certificates are provided:
- Public certificate
- Private key
- Intermediate certificate
1. Edit the Open OnDemand Portal ood_portal.yml file
Edit /etc/ood/config/ood_portal.yml as such:

# /etc/ood/config/ood_portal.yml
---

# ...

servername: ondemand.my_center.edu
ssl:
  - 'SSLCertificateFile "/etc/pki/tls/certs/ondemand.my_center.edu.crt"'
  - 'SSLCertificateKeyFile "/etc/pki/tls/private/ondemand.my_center.edu.key"'
  - 'SSLCertificateChainFile "/etc/pki/tls/certs/ondemand.my_center.edu-interm.crt"'

For documentation on SSL directives please see: https://httpd.apache.org/docs/2.4/mod/mod_ssl.html
2. Update CA (Dex Users only)
Dex users may encounter issues with SSL certificates like:
remote error: tls: unknown certificate authority
If this is the case, you need to ensure that their certificate authority (CA) is in the system trust store and that your CA certificates are up to date.
First, try updating your CA certificates. This could especially happen when you have a Let’s Encrypt certificate and your machine does not know about that certificate authority.
# RHEL-family systems (yum)
sudo yum update ca-certificates
# Debian/Ubuntu systems (apt)
sudo apt update && sudo apt install --only-upgrade ca-certificates
If you’re still having issues, copy your certificate authority (examples could be
to your trust store. Replace <CA CERT location> with the actual certificate authority you’re using and run these commands to copy it to the appropriate place.
# RHEL-family systems
sudo cp <CA CERT location> /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust
# Debian/Ubuntu systems
sudo cp <CA CERT location> /usr/local/share/ca-certificates/
sudo update-ca-certificates
3. Restart the Apache service for the changes to take effect.
Restart the Apache service for the changes to take effect.
Now when you browse to your OnDemand portal at:
it should redirect you to the HTTP over SSL protocol deployment:
where, depending on your browser, a green lock of some kind should be displayed to indicate that the site is secure.