Type: Sub-task
Resolution: Done
Priority: Major - P3
Affects Version/s: None
Component/s: None
Labels:
This should be a separate page, linked in the main install flow. Please make sure that it is clear that this is optional.
### Existing certificate already signed by a trusted 3rd-party CA (wildcard or exact domain)

Proceed to the "Preparing Your Certificate" section below.

### New certificate and Signing Request for a trusted 3rd-party CA

```
$ openssl req -new -out mms-ssl.csr -newkey rsa:2048 -keyout mms-ssl.key
```

* Specify a private key password when prompted.
* Complete all certificate fields. Note: the Common Name *must* be the same hostname as your mms.centralUrl. Current browsers also require that hostname in the certificate's Subject Alternative Name (SAN); most 3rd-party CAs add it for you, but check their procedure.
* Refer to your trusted 3rd-party's procedure for any content they may require in the "extra" attributes.
* Submit your new CSR to the trusted 3rd-party so they may return a signed certificate. Note that this procedure varies by provider; some trusted 3rd-parties will generate the private key, CSR, and signed certificate for you.
* Proceed to the "Preparing Your Certificate" section below.

### Self-Signed Certificate

```
$ openssl req -x509 -days 3650 -newkey rsa:2048 -keyout mms-ssl.key -out mms-ssl.crt
```

* Specify a private key password when prompted.
* Complete all certificate fields. Note: the Common Name *must* be the same hostname as your mms.centralUrl. Browsers will warn about a self-signed certificate until it is imported into their trust store.

#### Preparing Your Certificate

* If the signed certificate is not in PEM format (for example, a binary DER `.cer` file), convert it as follows:

```
$ openssl x509 -in mms-ssl.cer -inform DER -outform PEM -out mms-ssl.crt
```

* If your 3rd-party CA uses a certificate chain, concatenate the certificates together to create a unified certificate, with your own certificate first, then any intermediate certificates, then the root:

```
$ cat mms-ssl.crt [intermediate-3rdparty-ca-cert.crt] 3rdparty-root-ca-cert.crt > mms-ssl-unified.crt
```

  A self-signed certificate has no chain; use mms-ssl.crt itself as the unified certificate in the next step.

#### Creating Your Java Keystore

* Combine your private key and signed certificate (or certificate chain) into a PKCS12-formatted keystore:

```
$ openssl pkcs12 -inkey mms-ssl.key -in mms-ssl-unified.crt -export -out mms-ssl.pkcs12
```

  * Provide your private key password.
  * Specify a new password for the exported PKCS12 keystore.

* Convert the PKCS12 keystore into a Java Keystore using the JDK bundled with MMS, e.g.:

```
$ [mms-install-dir]/jdk/bin/keytool -importkeystore -srckeystore mms-ssl.pkcs12 -srcstoretype PKCS12 -destkeystore mms-keystore.jks
```

  * Specify a new password for the Java keystore. Use the same password as for the PKCS12 keystore: keytool imports the private key entry protected with the PKCS12 password, and MMS is configured with a single keystore password, so the two should match. Reusing it is safe because mms-ssl.pkcs12 can be deleted after this step.
  * Provide the PKCS12 keystore password.

#### Configuring MMS for the Java keystore

* Install the keystore where MMS can read it, owned by the MMS service user and readable by no one else:

```
$ sudo cp -a mms-keystore.jks /etc/mongodb-mms/
$ sudo chown mongodb-mms:root /etc/mongodb-mms/mms-keystore.jks
$ sudo chmod 600 /etc/mongodb-mms/mms-keystore.jks
```

* Encrypt the keystore password with credentialstool so it does not appear in clear text in mms.conf:

```
$ [mms-install-dir]/bin/credentialstool --username keystore --password
Enter Password: [keystore-password]
Generating credentials pair...
Your encrypted credentials pair:
Username: abcdef1234567890-76d41ae0a98c
Password: abcdef1234567890-2cc28e525d1f543464
```

* Edit your mms.conf to enable SSL and specify the path to your keystore and the encrypted keystore password (the Password value from the previous step):

```
$ sudo vi [mms-install-dir]/conf/mms.conf
JAVA_MMS_SSL_OPTS="${JAVA_MMS_SSL_OPTS} -Dxgen.webServerSslEnabled=true"
JAVA_MMS_SSL_OPTS="${JAVA_MMS_SSL_OPTS} -Dxgen.webServerSslKeyStorePath=/etc/mongodb-mms/mms-keystore.jks"
JAVA_MMS_SSL_OPTS="${JAVA_MMS_SSL_OPTS} -Dxgen.webServerSslKeyStoreEncryptedPassword=abcdef1234567890-2cc28e525d1f543464"
```

* Edit your conf-mms.properties file to specify the https protocol and SSL port 8443 on mms.centralUrl:

```
mms.centralUrl=https://mms.acmewidgets.com:8443
```

* Start the MMS server and visit your mms.centralUrl:

```
$ sudo /etc/init.d/mongodb-mms start
```

* Browse to https://mms.acmewidgets.com:8443
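The procedure above is interactive. The script below runs the same steps (CSR or self-signed certificate, chain assembly, PKCS12 export, keytool import) non-interactively, and adds the two checks the prose only describes: that the certificate really names the mms.centralUrl host (in the CN and in a SAN entry), and that every file fed into the chain is PEM. It is an added example, not code from this page or from MMS. Assumptions that are not on the page: passwords are read from the exported environment variables KEY_PASS, P12_PASS and JKS_PASS (so they never appear in `ps` output or shell history), MMS_INSTALL_DIR points at the MMS install (default /opt/mongodb-mms), and the function and file names are the example's own; mms.acmewidgets.com is the page's example hostname.

```shell
#!/bin/sh
# Added example, not MMS project code: build the MMS SSL keystore non-interactively.
# Assumed (not from the page): KEY_PASS, P12_PASS, JKS_PASS exported by the caller;
# MMS_INSTALL_DIR locating the bundled JDK; mms.acmewidgets.com as the server host.
set -eu

# OpenSSL config putting the host in both the CN and subjectAltName (browsers check SAN).
write_req_config() {  # $1=host  $2=config path
  cat > "$2" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ext
req_extensions = v3_ext
[dn]
CN = $1
O = Acme Widgets
[v3_ext]
subjectAltName = DNS:$1
EOF
}

# Self-signed certificate (10 years) plus passphrase-protected key in dir $2 for host $1.
make_self_signed() {
  write_req_config "$1" "$2/req.cnf"
  openssl req -x509 -days 3650 -newkey rsa:2048 -config "$2/req.cnf" \
    -keyout "$2/mms-ssl.key" -out "$2/mms-ssl.crt" -passout env:KEY_PASS 2>/dev/null
}

# CSR for a third-party CA; same config, so the CSR carries the SAN as well as the CN.
make_csr() {
  write_req_config "$1" "$2/req.cnf"
  openssl req -new -newkey rsa:2048 -config "$2/req.cnf" \
    -keyout "$2/mms-ssl.key" -out "$2/mms-ssl.csr" -passout env:KEY_PASS 2>/dev/null
}

# Succeed only if certificate $1 names host $2 in its CN or in a DNS SAN entry.
cert_matches_host() {
  pat=$(printf '%s' "$2" | sed 's/\./\\./g')
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -qiE "(CN ?= ?|DNS:)$pat(,|/| |\$)"
}

# Unified chain: leaf first, then intermediates, then root; refuse anything not PEM.
build_unified_chain() {  # $1=output file, then certificates in leaf-first order
  out=$1; shift
  : > "$out"
  for c in "$@"; do
    grep -q 'BEGIN CERTIFICATE' "$c" || {
      echo "$c is not PEM; convert it first: openssl x509 -inform DER -in $c -out $c.pem" >&2
      return 1
    }
    cat "$c" >> "$out"
  done
}

# Private key + chain into a PKCS12 keystore protected with P12_PASS.
make_pkcs12() {  # $1=dir
  openssl pkcs12 -export -name mms -inkey "$1/mms-ssl.key" -in "$1/mms-ssl-unified.crt" \
    -out "$1/mms-ssl.pkcs12" -passin env:KEY_PASS -passout env:P12_PASS
}

# PKCS12 into the JKS that MMS reads, using the JDK bundled with MMS when present.
make_jks() {  # $1=dir
  keytool="${MMS_INSTALL_DIR:-/opt/mongodb-mms}/jdk/bin/keytool"
  [ -x "$keytool" ] || keytool=keytool   # fall back to a keytool on PATH
  # -destkeypass pins the key password to the store password: MMS is given only one.
  "$keytool" -importkeystore -noprompt -srcstoretype PKCS12 \
    -srckeystore "$1/mms-ssl.pkcs12" -srcstorepass:env P12_PASS \
    -destkeystore "$1/mms-keystore.jks" -deststoretype JKS \
    -deststorepass:env JKS_PASS -destkeypass:env JKS_PASS
  rm -f "$1/mms-ssl.pkcs12"   # no longer needed once the JKS exists
}

# Whole self-signed pipeline:  sh mms-ssl.sh run /tmp/mms-ssl mms.acmewidgets.com
mms_ssl_pipeline() {  # $1=dir  $2=host
  make_self_signed "$2" "$1"
  cert_matches_host "$1/mms-ssl.crt" "$2" || { echo "CN/SAN does not match $2" >&2; return 1; }
  build_unified_chain "$1/mms-ssl-unified.crt" "$1/mms-ssl.crt"
  make_pkcs12 "$1"
  make_jks "$1"
}

if [ "${1:-}" = run ]; then mms_ssl_pipeline "$2" "$3"; fi
```

For the 3rd-party CA path, call make_csr instead of make_self_signed, submit the resulting mms-ssl.csr, then pass the returned certificate and the CA's intermediate and root certificates to build_unified_chain in that order before make_pkcs12 and make_jks. The resulting mms-keystore.jks is then copied into /etc/mongodb-mms/ and referenced from mms.conf exactly as in the procedure above.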