
Activate SSL for the Angelfish Webserver

Note: Starting with Angelfish v2.14, SSL has been replaced by TLS due to multiple security vulnerabilities. However, we use the term "SSL" in Angelfish documentation as a general term for the method of protecting transmitted data.

Before You Begin


Activating SSL in Angelfish is a simple process. Here's what needs to happen:

1) In agf.conf, set the "use_ssl" variable to 1 (the default value is 0).

2) Put the required certificate file(s) in /certs/ underneath the Angelfish installation directory.

3) Stop/start Angelfish via the Start Menu shortcuts (Windows) or the agfsctl utility (Linux)

 

Certificates: CA or Self-Signed?

Angelfish uses the PEM format for SSL certificates - PEM is the standard format for OpenSSL and many other SSL tools. If your organization requires trusted certificates from a Certificate Authority (CA), make sure the certificates you use are in .pem format.

Alternatively, you can create your own untrusted SSL certificate. A self-signed certificate will probably generate a "not secure" or "not trusted" message in your web browser, but this message can likely be ignored. That said, please verify your organization's SSL policy with your IT Security team before self-signing a certificate.

The instructions in this help article use OpenSSL to self-sign certificates. You can download OpenSSL here:
http://www.openssl.org/


Enable SSL on Windows


On Windows, Angelfish expects a file named server-cert.pem in the \certs\ directory that contains BOTH the key and the certificate.

If you have OpenSSL installed and want to self-sign a certificate, run the command below. If Angelfish is installed somewhere other than C:\Angelfish\, update the -out and -keyout flags with the correct location:

openssl.exe req -new -x509 -days 365 -nodes -out C:\Angelfish\certs\server-cert.pem -keyout C:\Angelfish\certs\server-cert.pem

This command will prompt you for information to be included in the certificate, e.g. Country Name, Organization Name, etc. You can answer the questions or press Enter to accept the default values.

Once the command completes, the server-cert.pem file will be created in the specified location. After you edit agf.conf (set use_ssl=1) and stop/start Angelfish via the Start Menu shortcuts, you will be able to access the Angelfish UI via https on the same TCP port. For example:

Old URL: http://angelfish.corp.local:9000
New URL: https://angelfish.corp.local:9000


Enable SSL on Linux


On Linux, Angelfish looks for two files in the /certs/ directory: server-key.pem and server-cert.pem.

If you have OpenSSL installed and want to self-sign a certificate, run the command below. If Angelfish is installed somewhere other than /usr/local/agfs/, update the -out and -keyout flags with the correct location:

openssl req -new -x509 -days 365 -nodes -out /usr/local/agfs/certs/server-cert.pem -keyout /usr/local/agfs/certs/server-key.pem

This command will prompt you for information to be included in the certificate, e.g. Country Name, Organization Name, etc. You can answer the questions or press Enter to accept the default values.

Once the command completes, the .pem files will be created in the specified location. After you edit agf.conf (set use_ssl=1) and run agfsctl --restart, you will be able to access the Angelfish UI via https on the same TCP port. For example:

Old URL: http://angelfish.corp.local:9000
New URL: https://angelfish.corp.local:9000
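
The Linux steps above as a non-interactive script, with the checks worth running before restarting Angelfish. This is an added example, not part of the original article or Angelfish's own tooling. The function names, the -subj and -newkey values and the directory passed in are assumptions; because -nodes leaves the private key unencrypted, the script restricts the key file to its owner.

```shell
#!/bin/sh
# Added example (not Angelfish tooling): create and sanity-check the two PEM
# files Angelfish reads on Linux. The directory and CN you pass are assumptions.

# Generate server-key.pem and server-cert.pem without interactive prompts.
make_agf_cert() {
    dir=$1
    cn=$2
    mkdir -p "$dir" || return 1
    # umask 077 so the unencrypted key (-nodes) is never group/world readable.
    ( umask 077
      openssl req -new -x509 -days 365 -nodes -newkey rsa:2048 \
          -subj "/CN=$cn" \
          -out "$dir/server-cert.pem" \
          -keyout "$dir/server-key.pem" ) 2>/dev/null || return 1
    chmod 644 "$dir/server-cert.pem"   # the certificate itself is public
    chmod 600 "$dir/server-key.pem"
}

# Print "ok" and return 0 only if the pair is usable: both files parse, the key
# belongs to the certificate, the certificate has not expired, and the key is
# not readable by group/other. Otherwise print the reason and return 1.
check_agf_cert() {
    cert=$1/server-cert.pem
    key=$1/server-key.pem
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
        || { echo "unreadable certificate"; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
        || { echo "unreadable private key"; return 1; }
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "key does not match certificate"; return 1; }
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "certificate expired"; return 1; }
    # Characters 5-10 of the ls -l mode string are the group and other bits.
    [ "$(ls -l "$key" | cut -c5-10)" = "------" ] \
        || { echo "key readable by group/other"; return 1; }
    echo ok
}

# SHA-256 fingerprint, to compare with the certificate details the browser
# shows on its "not trusted" page before accepting the warning.
agf_fingerprint() {
    openssl x509 -in "$1/server-cert.pem" -noout -fingerprint -sha256 | cut -d= -f2
}
```

Typical use is make_agf_cert /usr/local/agfs/certs angelfish.corp.local followed by check_agf_cert /usr/local/agfs/certs, then agfsctl --restart once the check prints ok.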