Configuring SSL

As part of the initial configuration script for the Plixer Scrutinizer appliance, a self-signed SSL certificate will be created and SSL support will be enabled by default.

These settings can be modified later as needed.

Installing a CA-signed SSL certificate

As long as the system is set to use the self-signed SSL certificate created during the initial configuration process, browsers will return an untrusted certificate warning, which users must override to access the web interface.

To correct this behavior, an SSL certificate that has been signed by an internal or commercial Certificate Authority (CA) will need to be installed:

  1. Forward the /etc/pki/tls/private/ca.csr file to the CA for signing and ask that they return it as Base64-encoded rather than DER-encoded.

Important

The Plixer Scrutinizer AMI comes with its own self-signed certificate. This can be replaced with a new certificate by running the scrut_util command set ssl on as described above.

  2. After receiving the CA-signed SSL certificate, stop the Apache service using the following scrut_util command:

    SCRUTINIZER> services httpd stop
    

Note

For additional details on the Plixer Scrutinizer interactive CLI utility scrut_util, including usage instructions and command information, see the Interactive CLI section of this documentation.

  3. Rename the new certificate to ca.crt and replace the previous certificate file located in /etc/pki/tls/certs.

  4. Start the Apache service again:

    SCRUTINIZER> services httpd start
    

To verify that the web interface is using the correct SSL certificate, use a browser to navigate to the login page using the FQDN specified in the CA-signed certificate. The browser should no longer return an untrusted certificate warning and the padlock icon in the address bar should be locked instead of open.
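A check that can be run on the file returned by the CA before it is renamed to ca.crt, given here as an added example that is not part of the Plixer documentation. It confirms the file is Base64 (PEM) rather than DER and that its public key matches the CSR that was sent for signing; the function names and script name are hypothetical, and the default CSR path is the one named in this page.

```shell
#!/bin/sh
# Added example: pre-install checks for a CA-returned certificate.
# Usage: sh check_cert.sh NEW_CERT [CSR]   (script name is hypothetical)

# Return 0 only if the file is a PEM (Base64) X.509 certificate.
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null &&
        openssl x509 -in "$1" -inform PEM -noout 2>/dev/null
}

# Return 0 only if the certificate and the CSR carry the same public key.
cert_matches_csr() {
    cert_key=$(openssl x509 -in "$1" -inform PEM -noout -pubkey 2>/dev/null) || return 1
    csr_key=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$cert_key" ] && [ "$cert_key" = "$csr_key" ]
}

# Print a verdict; return 0 if OK, 1 if wrong encoding, 2 if wrong key.
check_new_cert() {
    new_cert=$1
    csr=${2:-/etc/pki/tls/private/ca.csr}
    if ! is_pem_cert "$new_cert"; then
        if openssl x509 -in "$new_cert" -inform DER -noout 2>/dev/null; then
            echo "DER-encoded; convert with: openssl x509 -inform DER -in $new_cert -outform PEM -out ca.crt"
        else
            echo "not a readable X.509 certificate"
        fi
        return 1
    fi
    if ! cert_matches_csr "$new_cert" "$csr"; then
        echo "public key does not match $csr"
        return 2
    fi
    # Show the subject and expiry the browser will be asked to trust.
    openssl x509 -in "$new_cert" -noout -subject -enddate
    echo "OK to install as ca.crt"
}

if [ $# -gt 0 ]; then check_new_cert "$@"; fi
```

A certificate that fails the key-match check was issued for a different CSR and will not pair with the private key already on the appliance.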

Enabling/disabling SSL

If needed, SSL support can be disabled (and later re-enabled) using the following scrut_util interactive CLI command:

    SCRUTINIZER> set ssl [off | on]

Important

Running set ssl on at a later time will prompt the user to enter new certificate details and overwrite the previous certificate.