10. Add SSL Support
(Optional, but recommended)
The SSL protocol provides for a secure channel of communication between the user’s browser and the Open OnDemand portal.
Requirements:
- a server name that points to the Open OnDemand server (webdev05.hpc.osc.edu)
- signed SSL certificates with possible intermediate certificates
Note
You may use Let’s Encrypt to obtain a free SSL certificate. You can read more about it in their Getting Started documentation.
In this example the certificates are located at:
# Public certificate
/etc/pki/tls/certs/webdev05.hpc.osc.edu.crt
# Private key
/etc/pki/tls/private/webdev05.hpc.osc.edu.key
# Intermediate certificate
/etc/pki/tls/certs/webdev05.hpc.osc.edu-interm.crt
Install the necessary Apache module to use SSL:
sudo yum install httpd24-mod_ssl.x86_64
Update the Apache config with the server name and paths to the SSL certificates. This requires modifying the configuration file for the ood-portal-generator.
cd ~/ood/src/ood-portal-generator
Configuration is handled by editing the config.yml as such:
---
servername: webdev05.hpc.osc.edu
ssl:
  - 'SSLCertificateFile "/etc/pki/tls/certs/webdev05.hpc.osc.edu.crt"'
  - 'SSLCertificateKeyFile "/etc/pki/tls/private/webdev05.hpc.osc.edu.key"'
  - 'SSLCertificateChainFile "/etc/pki/tls/certs/webdev05.hpc.osc.edu-interm.crt"'
Note
For documentation on SSL directives please see: https://httpd.apache.org/docs/2.4/mod/mod_ssl.html
Re-build the Apache config:
scl enable rh-ruby22 -- rake
Copy it over to the default location:
sudo scl enable rh-ruby22 -- rake install
Restart the Apache server:
sudo service httpd24-httpd restart
Warning
If using RHEL 7 you will need to replace the above command with:
sudo systemctl restart httpd24-httpd
When you now visit the portal in your browser, any HTTP request should be redirected to HTTPS:
http://webdev05.hpc.osc.edu => https://webdev05.hpc.osc.edu
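A mismatched key, a certificate issued for a different name, or a world-readable key file is easier to catch before Apache is restarted than after. The script below is an added example, not part of the Open OnDemand documentation or the ood-portal-generator; its function names are hypothetical, and it assumes the openssl command-line tool and GNU stat are installed. It checks the certificate and private key only, not the intermediate chain.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks for the certificate and key named in config.yml.
# Function names are hypothetical; requires the openssl CLI and GNU stat.

# True when the certificate and the private key hold the same public key.
cert_matches_key() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True when the certificate is valid for the given server name.
cert_covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# True when the certificate is still valid 30 days from now.
cert_not_expiring() {
  openssl x509 -in "$1" -noout -checkend $((30 * 24 * 3600)) >/dev/null 2>&1
}

# True when the key file grants no permissions to group or other.
key_is_private() {
  local mode
  mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
  [ $(( 0$mode & 077 )) -eq 0 ]
}

# Run every check, report each failure, return non-zero if any failed.
preflight() {
  local cert=$1 key=$2 host=$3 rc=0
  cert_matches_key "$cert" "$key" || { echo "FAIL: key does not match certificate"; rc=1; }
  cert_covers_host "$cert" "$host" || { echo "FAIL: certificate does not cover $host"; rc=1; }
  cert_not_expiring "$cert" || { echo "FAIL: certificate expires within 30 days"; rc=1; }
  key_is_private "$key" || { echo "FAIL: key is accessible to group or other"; rc=1; }
  return $rc
}

# Usage: ./preflight.sh CERT KEY SERVERNAME
if [ "$#" -eq 3 ]; then
  preflight "$@"
fi
```

Run it as a user that can read the private key, passing the certificate path, the key path, and the server name from config.yml.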