If you use Angelfish Software v2.4+, please use the new Help Center:
https://help.angelfishstats.com/helpdesk/?aa=200
Note: Starting with Angelfish v2.14, SSL has been replaced by TLS due to multiple security vulnerabilities. However, we use the term "SSL" in Angelfish documentation as a general term for the method of encrypting transmitted data.
Before You Begin
Activating SSL in Angelfish is a simple process. Here's what needs to happen:
1) In agf.conf, set the "use_ssl" variable to 1 (the default value is 0).
2) Put the required certificate file(s) in /certs/ underneath the Angelfish installation directory.
3) Stop/start Angelfish via the Start Menu shortcuts (Windows) or the agfsctl utility (Linux).
Certificates: CA or Self-Signed?
Angelfish uses the PEM format for SSL certificates - PEM is the standard format for OpenSSL and many other SSL tools. If your organization requires trusted certificates from a Certificate Authority (CA), make sure the certificates you use are in .pem format.
If you apply a self-signed certificate to Angelfish, your web browser will probably show a "not secure" or "not trusted" message. That said, the message can be ignored. Please verify your organization's SSL policy with your IT Security team before self-signing a certificate.
The instructions in this help article use OpenSSL to self-sign certificates.
Enable SSL on Windows
On Windows, Angelfish expects a single file named server-cert.pem that contains BOTH the key and the certificate. This file needs to be placed in the \certs\ directory (underneath the Angelfish installation directory).
Also on Windows, Angelfish includes a stand-alone OpenSSL binary as part of its installation. You can use this binary to set up your own self-signed key and certificate, or create a key and a Certificate Signing Request (CSR) in order to obtain a signed certificate from a Certificate Authority (CA).
The below commands assume Angelfish is installed to C:\Angelfish\. If Angelfish is installed elsewhere, please update the commands with the correct path.
The openssl.exe binary is located under the Angelfish installation directory, in \inc\ssl\bin\.
To self-sign a certificate, run the following commands from a command line:
1) Specify the location of the OpenSSL config file:
set OPENSSL_CONF=c:\angelfish\inc\ssl\config\openssl.cnf
2) Create a PEM file that contains a key and certificate:
openssl.exe req -new -x509 -days 1000 -nodes -out C:\Angelfish\certs\server-cert.pem -keyout C:\Angelfish\certs\server-cert.pem
Because openssl.exe is located in \inc\ssl\bin\ under the Angelfish installation directory, either run the command from that directory or give the full path to openssl.exe in the command.
Note: the '-days' parameter specifies the number of days until the certificate expires, and can be edited to whatever length you would like.
After entering the command, you will be prompted to enter CSR details. The only value you *need* to enter something for is:
Common Name
The FQDN (fully-qualified domain name) you want to secure with the certificate. You can enter the full hostname (e.g. www.example.com) or an IP address.
You can fill out the rest of the fields if you like (Country, State, Organization Name, etc.) or just press enter for the default value.
You are not required to enter a password or passphrase, if prompted. This optional field is for applying additional security to your key pair.
Once the binary completes, the server-cert.pem file will be created in the specified location. Once you edit agf.conf (set use_ssl=1) and stop/start Angelfish via the start menu shortcuts, you will be able to access the Angelfish UI via https on the same TCP port. For example:
Old URL: http://angelfish.corp.local:9000
New URL: https://angelfish.corp.local:9000
Enable SSL on Linux
On Linux, Angelfish looks for two files in the /certs/ directory: server-key.pem and server-cert.pem.
The below commands assume Angelfish is installed to /usr/local/agfs/. If Angelfish is installed elsewhere, please update the commands with the correct path.
Unlike Windows, the Linux version of Angelfish does not include the openssl binary. If you have OpenSSL installed and want to self-sign a certificate, run the below command. If Angelfish is installed somewhere other than /usr/local/agfs/, update the -out and -keyout flags with the correct location:
openssl req -new -x509 -days 1000 -nodes -out /usr/local/agfs/certs/server-cert.pem -keyout /usr/local/agfs/certs/server-key.pem
Note: the '-days' parameter specifies the number of days until the certificate expires, and can be edited to whatever length you would like.
This command will prompt you for information to be included in the certificate, e.g. Country Name, Organization Name, etc. You can answer the questions or press Enter to accept the default values.
Once the binary completes, the .pem files will be created in the specified location. Once you edit agf.conf (set use_ssl=1) and run agfsctl --restart, you will be able to access the Angelfish UI via https on the same TCP port. For example:
Old URL: http://angelfish.corp.local:9000
New URL: https://angelfish.corp.local:9000
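A check you can run on the generated files before restarting, added here as an example (it is not part of Angelfish or of the original article). It confirms that the key belongs to the certificate, that the certificate is not about to expire, and that the unencrypted key created by -nodes is not readable by other accounts. The names check_pair and demo, the 30-day threshold, and the temporary directory are assumptions; -subj is added to the article's command only so the demo runs without prompts.

```shell
#!/bin/sh
# Added example, not Angelfish code. check_pair CERT KEY [MIN_DAYS] prints
# "ok" or the first problem found (and then returns 1).
check_pair() {
    cert=$1; key=$2; min_days=${3:-30}   # 30-day threshold is an assumption
    [ -r "$cert" ] && [ -r "$key" ] ||
        { echo "missing or unreadable file"; return 1; }

    # The certificate must carry the public half of this private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        { echo "cannot parse certificate"; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "cannot parse private key"; return 1; }
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "key does not match certificate"; return 1; }

    # -checkend N exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) \
        >/dev/null 2>&1 ||
        { echo "certificate expires within $min_days days"; return 1; }

    # -nodes leaves the key unencrypted on disk, so only its owner (assumed
    # to be the account that runs Angelfish) should have any access to it.
    [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] ||
        { echo "private key is accessible to group or others"; return 1; }
    echo "ok"
}

# Constructed demo: the page's Linux command, pointed at a throwaway directory
# instead of /usr/local/agfs/certs/, with -subj added to skip the prompts.
demo() {
    dir=$(mktemp -d) || return 1
    openssl req -new -x509 -days 1000 -nodes -subj "/CN=angelfish.corp.local" \
        -out "$dir/server-cert.pem" -keyout "$dir/server-key.pem" \
        2>/dev/null || { rm -rf "$dir"; return 1; }
    chmod 600 "$dir/server-key.pem"
    rc=0
    check_pair "$dir/server-cert.pem" "$dir/server-key.pem" || rc=$?
    rm -rf "$dir"
    return $rc
}

demo
```

To check a real installation, call check_pair with the paths to server-cert.pem and server-key.pem in the Angelfish certs directory before running agfsctl --restart.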