Ankit Shukla Principal Systems Engineer Jul 22, 2019
1. Stop the httpd service using the below command on the server where your web services (httpd) is configured:
systemctl stop httpd (RHEL 7.x) /etc/init.d/httpd stop (RHEL 6.x)
2. Change the current directory to ‘/usr/edb/pem/resources’
[root@localhost resources]# cd /usr/edb/pem/resources
You should have the following self signed certificate and its key file:
[root@localhost resources]# ls -ltrh total 12K -rw-r--r--. 1 root root 3.7K May 17 11:19 pem-server-random.sql.in -rw-rw-r--. 1 root root 3.2K May 17 11:19 server-pem.key -rw-rw-r--. 1 root root 2.2K May 17 11:19 server-pem.crt
3. Take the backup of the certificate and the key before we replace them with trusted CA certificates.
4. After taking the backup, remove the certificate and the key file from location “/usr/edb/epm/resources”:
[root@localhost resources]# rm server-pem.* rm: remove regular file 'server-pem.crt'? y rm: remove regular file 'server-pem.key'? y
5. Place your trusted CA certificate, Intermediate certificate and the key in the same location as shown below. Please change the permissions to root and chmod 664:
[root@localhost resources]# ls -ltrh total 16K -rw-r--r--. 1 root root 3.7K May 17 11:19 pem-server-random.sql.in -rw-rw-r--. 1 root root 4.0K Jul 18 12:59 GandiStandardSSLCA2.pem -rw-rw-r--. 1 root root 3.2K Jul 18 12:59 test.enterprisedb.com.key -rw-rw-r--. 1 root root 2.5K Jul 18 12:59 test.enterprisedb.com.crt
6. You can see that I have “test.enterprisedb.com.crt” certificate and “test.enterprisedb.com.key” key file and “GandiStandardSSLCA2.pem” SSL cert chain file. I have made sure to setup the hostname and DNS to test.enterprisedb.com so that the flow could work correctly. To check the network connectivity you can use “ping” utility from another server to check if pinging the hostname resolves or not.
ping test.enterprisedb.com —— (This should be done from another server in the network)
7. After placing the certificate, key and chain file, you need to modify following lines from the file “/etc/httpd/conf.d/edb-ssl-pem.conf”:
# General setup for the virtual host DocumentRoot "/usr/edb/pem/web" ServerName test.enterprisedb.com:8443 SSLEngine on SSLCertificateFile "/usr/edb/pem/resources/test.enterprisedb.com.crt" SSLCertificateKeyFile "/usr/edb/pem/resources/test.enterprisedb.com.key" SSLCertificateChainFile "/usr/edb/pem/resources/GandiStandardSSLCA2.pem"
8. You also need to modify the “/etc/httpd/conf/httpd.conf” for below parameters:
9. Please start the httpd service using the below command:
systemctl start httpd (CentOS/RHEL 7) /etc/init.d/httpd24-httpd start (CentOS/RHEL 6)
10. If the httpd service starts successfully, then please verify by opening the web client. I used the following url to verify the certificates and it was not showing as “Not Secure” in the browser address bar. I have added the below screen shot as well:
NOTE: Please make sure that the test.enterprisedb.com or whatever is the hostname of the PEM server, the server from which you are opening the web client should resolve it at the network level otherwise the browser will not be able to open the web client.