
Activate SSL for the Angelfish Webserver

Note: Starting with Angelfish v2.14, SSL has been replaced by TLS due to multiple security vulnerabilities in SSL. However, we use the term "SSL" in Angelfish documentation as a general term for the method of encrypting transmitted data.

Before You Begin


Activating SSL in Angelfish is a simple process. Here's what needs to happen:

1) In agf.conf, set the "use_ssl" variable to 1 (the default value is 0).

2) Put the required certificate file(s) in /certs/ underneath the Angelfish installation directory.

3) Stop/start Angelfish via the Start Menu shortcuts (Windows) or the agfsctl utility (Linux).

 

Certificates: CA or Self-Signed?

 

Angelfish uses the PEM format for SSL certificates - PEM is the standard format for OpenSSL and many other SSL tools. If your organization requires trusted certificates from a Certificate Authority (CA), make sure the certificates you use are in .pem format.

If you apply a self-signed certificate to Angelfish, your web browser will probably show a "not secure" or "not trusted" message because the certificate was not issued by a CA the browser trusts. That said, the message can be ignored. Please verify your organization's SSL policy with your IT Security team before self-signing a certificate.

The instructions in this help article use OpenSSL to self-sign certificates.


Enable SSL on Windows


On Windows, Angelfish expects a single file named server-cert.pem that contains BOTH the key and the certificate. This file needs to be placed in the \certs\ directory (underneath the Angelfish installation directory).

Also on Windows, Angelfish includes a stand-alone OpenSSL binary as part of its installation. You can use this binary to set up your own self-signed key and certificate, or create a key and a Certificate Signing Request (CSR) in order to obtain a signed certificate from a Certificate Authority (CA).

The openssl.exe binary is located under the Angelfish installation directory, in \inc\ssl\bin\.

The commands below assume Angelfish is installed to C:\Angelfish\. If Angelfish is installed elsewhere, please update the commands with the correct path.

To self-sign a certificate, run the following commands from a command line:

1) Specify the location of the OpenSSL config file:

set OPENSSL_CONF=c:\angelfish\inc\ssl\config\openssl.cnf

2) Create a PEM file that contains a key and certificate:

openssl.exe req -new -x509 -days 1000 -nodes -out C:\Angelfish\certs\server-cert.pem -keyout C:\Angelfish\certs\server-cert.pem

Note: the '-days' parameter specifies the number of days until the certificate expires, and can be edited to whatever length you would like.

The above command will prompt you for information to be included in the certificate, e.g. Country Name, Organization Name, etc. You can answer the questions or press Enter to accept the default values.

Once the binary completes, the server-cert.pem file will be created in the specified location. After you edit agf.conf (set use_ssl=1) and stop/start Angelfish via the Start Menu shortcuts, you will be able to access the Angelfish UI via https on the same TCP port. For example:

Old URL: http://angelfish.corp.local:9000
New URL: https://angelfish.corp.local:9000


Enable SSL on Linux


On Linux, Angelfish looks for two files in the /certs/ directory: server-key.pem and server-cert.pem.

The commands below assume Angelfish is installed to /usr/local/agfs/. If Angelfish is installed elsewhere, please update the commands with the correct path.

Unlike Windows, the Linux version of Angelfish does not include the openssl binary.  If you have OpenSSL installed and want to self-sign a certificate, run the below command. If Angelfish is installed somewhere other than /usr/local/agfs/, update the -out and -keyout flags with the correct location:

openssl req -new -x509 -days 1000 -nodes -out /usr/local/agfs/certs/server-cert.pem -keyout /usr/local/agfs/certs/server-key.pem

Note: the '-days' parameter specifies the number of days until the certificate expires, and can be edited to whatever length you would like.

This command will prompt you for information to be included in the certificate, e.g. Country Name, Organization Name, etc. You can answer the questions or press Enter to accept the default values.

Once the binary completes, the .pem files will be created in the specified location. After you edit agf.conf (set use_ssl=1) and run agfsctl --restart, you will be able to access the Angelfish UI via https on the same TCP port. For example:

Old URL: http://angelfish.corp.local:9000
New URL: https://angelfish.corp.local:9000
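
Before running agfsctl --restart, the two Linux files can be checked with OpenSSL to confirm they parse, belong together and are not close to expiry. The script below is an added example, not part of Angelfish or its documentation; the function name check_agf_certs and the 30-day expiry threshold are assumptions.

```shell
#!/bin/sh
# Added example (not shipped with Angelfish): pre-restart check of the
# Linux certificate files. check_agf_certs is a hypothetical helper name;
# the default directory is the install path this article assumes.
# Usage: check_agf_certs [certs-directory]

check_agf_certs() {
    dir="${1:-/usr/local/agfs/certs}"
    cert="$dir/server-cert.pem"
    key="$dir/server-key.pem"

    # Both files must exist and parse as PEM objects of the right kind.
    openssl x509 -in "$cert" -noout 2>/dev/null ||
        { echo "FAIL: $cert is not a PEM certificate"; return 1; }
    openssl pkey -in "$key" -noout 2>/dev/null ||
        { echo "FAIL: $key is not a PEM private key"; return 1; }

    # The public key inside the certificate must be the public half of
    # server-key.pem, otherwise the TLS handshake cannot succeed.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: server-key.pem does not match server-cert.pem"; return 2; }

    # -checkend N exits non-zero if the certificate expires within N seconds.
    # 2592000 seconds = 30 days (threshold chosen for this example).
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null ||
        { echo "FAIL: certificate expires within 30 days"; return 3; }

    # -nodes writes the private key unencrypted, so flag any group/other
    # permission bits (characters 5-10 of the ls mode string).
    if [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "WARN: $key is accessible to group/other; consider chmod 600"
    fi

    echo "OK: $(openssl x509 -in "$cert" -noout -subject -enddate | tr '\n' ' ')"
    return 0
}
```

The return code identifies which check failed: 1 for an unreadable file, 2 for a key/certificate mismatch, 3 for a certificate that expires within the threshold.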

 
