3. Secure Apache httpd

The SSL protocol provides for a secure channel of communication between the user’s browser and the Open OnDemand portal. It is recommended that you secure your Apache server by adding these configurations.

Requirements:

  • A server name that points to the Open OnDemand server (ondemand.my_center.edu); that is, nslookup ondemand.my_center.edu resolves to your instance.

  • Signed SSL certificates, with any intermediate certificates.

Note

Let’s Encrypt is a great option to obtain a free SSL certificate. You can read more about it in their Getting Started documentation.

In this example we assume the following certificates are provided:

Public certificate

/etc/pki/tls/certs/ondemand.my_center.edu.crt

Private key

/etc/pki/tls/private/ondemand.my_center.edu.key

Intermediate certificate

/etc/pki/tls/certs/ondemand.my_center.edu-interm.crt

1. Edit the Open OnDemand Portal ood_portal.yml file

Edit /etc/ood/config/ood_portal.yml as follows:

# /etc/ood/config/ood_portal.yml
---

# ...

servername: ondemand.my_center.edu
ssl:
  - 'SSLCertificateFile "/etc/pki/tls/certs/ondemand.my_center.edu.crt"'
  - 'SSLCertificateKeyFile "/etc/pki/tls/private/ondemand.my_center.edu.key"'
  - 'SSLCertificateChainFile "/etc/pki/tls/certs/ondemand.my_center.edu-interm.crt"'

Note

For documentation on SSL directives please see: https://httpd.apache.org/docs/2.4/mod/mod_ssl.html

2. Update CA (Dex Users only)

Dex users may encounter issues with SSL certificates like:

remote error: tls: unknown certificate authority

If this is the case, ensure that the certificate authority (CA) that issued your certificate is in the system trust store and that your CA certificates are up to date.

First, try updating your CA certificates. This can happen in particular when you have a Let’s Encrypt certificate and your machine does not know about that certificate authority.

sudo yum update ca-certificates

If you’re still having issues, copy your certificate authority certificate (for example, fullchain.pem) to your trust store. Replace <CA CERT location> with the path of the actual CA certificate you’re using and run these commands to copy it to the appropriate place.

sudo cp <CA CERT location> /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust

3. Restart the Apache service for the changes to take effect.

Now when you browse to your OnDemand portal at:

http://ondemand.my_center.edu

it should redirect you to the HTTP over SSL protocol deployment:

https://ondemand.my_center.edu

where, depending on your browser, a green lock of some kind should be displayed to indicate that the site is secure.
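
Before the restart in step 3, the files named in step 1 can be checked for a matching key pair, a verifiable chain and a private key that only its owner can access. The script below is an added example, not part of the Open OnDemand documentation or code. It assumes the openssl command is installed; the function names and the optional CA_BUNDLE argument are this example's own.

```bash
#!/usr/bin/env bash
# Added example: sanity-check the ssl: entries of ood_portal.yml before
# restarting Apache. Function names are this example's own.
# usage: . ./this_file && check_ood_tls /etc/ood/config/ood_portal.yml

# Print the quoted path given for DIRECTIVE in the ssl: list of CONFIG.
ood_ssl_path() {  # usage: ood_ssl_path DIRECTIVE CONFIG
  sed -n "s/^[[:space:]]*-[[:space:]]*'$1[[:space:]]\{1,\}\"\([^\"]*\)\"'.*/\1/p" "$2" |
    head -n 1
}

# Print the PEM public key held in a certificate ("cert") or private key ("key").
pubkey_of() {  # usage: pubkey_of cert|key FILE
  case $1 in
    cert) openssl x509 -in "$2" -noout -pubkey ;;
    key)  openssl pkey -in "$2" -pubout ;;
  esac 2>/dev/null
}

# Return 0 only if every check passes. CA_BUNDLE is an optional extra trust
# anchor (an assumption of this example, for certificates from a private CA).
check_ood_tls() {  # usage: check_ood_tls CONFIG [CA_BUNDLE]
  local cfg="$1" ca="${2:-}" rc=0 crt key chain cert_pub f
  crt=$(ood_ssl_path SSLCertificateFile "$cfg")
  key=$(ood_ssl_path SSLCertificateKeyFile "$cfg")
  chain=$(ood_ssl_path SSLCertificateChainFile "$cfg")
  for f in "$crt" "$key"; do
    [ -n "$f" ] && [ -r "$f" ] || { echo "FAIL: missing or unreadable: '$f'"; return 1; }
  done
  # Added hardening check: the private key must not be accessible to group or other.
  [ "$(ls -lLd "$key" | cut -c5-10)" = "------" ] ||
    { echo "FAIL: $key is accessible to group or other"; rc=1; }
  # The certificate must carry the public half of the configured private key.
  cert_pub=$(pubkey_of cert "$crt") || cert_pub=
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$(pubkey_of key "$key")" ] ||
    { echo "FAIL: $key does not match $crt"; rc=1; }
  # The certificate must chain, via the intermediate file, to a trusted root.
  openssl verify ${ca:+-CAfile "$ca"} ${chain:+-untrusted "$chain"} "$crt" >/dev/null 2>&1 ||
    { echo "FAIL: $crt does not verify against the trust store"; rc=1; }
  return "$rc"
}
```

A chain failure here on a host that should trust the issuing CA points back to step 2: openssl verify reads OpenSSL's default trust store, which is normally the one update-ca-trust maintains on that system.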