Configure Sensinact with HTTPS
This procedure explains how to configure HTTPS on a Sensinact gateway using a certificate issued by Let's Encrypt.
Creating the certificate with Let's Encrypt
- Make sure that port 80 is available; if you have a service running on this port, shut it down for the duration of this procedure.
- ROOT: you must be root (or in sudoers). You will need it to install the required packages.
- SSH: the machine that will host the HTTP service must be reachable over SSH.
- OpenSSL: the openssl package should be available; if not, run sudo apt-get install openssl.
- Apache: install the Apache HTTP server with sudo apt-get install apache2. Apache is used by certbot to validate that you control the server.
- JRE: have the keytool command available; it ships with the JRE, at $JAVA_HOME/bin/keytool.
- SSL port available: the host must have port 443 or 8443 reachable from the external network (check your routing tables).
- CERTBOT: refer to the Certbot website for how to install Certbot on your particular operating system, and install it.
- Run the command sudo certbot certonly; you will be asked for the folder used by Apache, normally /var/www/html/. This generates a set of certificates in /etc/letsencrypt/live/sensinact.ddns.net/, where the last directory is your domain name; replace the value shown here with the domain name you entered during the command.
- Generate a PKCS12 keystore from the Let's Encrypt chain with the command openssl pkcs12 -export -in /etc/letsencrypt/live/sensinact.ddns.net/fullchain.pem -inkey /etc/letsencrypt/live/sensinact.ddns.net/privkey.pem -out cert_and_key.pkcs12 -name sensinact.ddns.net -CAfile /etc/letsencrypt/live/sensinact.ddns.net/chain.pem -caname root. You will be asked for a password; use the word 'password', it is only needed in the next step anyway.
- Generate a JKS keystore with the keytool command line: keytool -importkeystore -srckeystore cert_and_key.pkcs12 -srcstoretype PKCS12 -srcstorepass password -destkeystore datastore.jks -deststorepass sensiNact_team -destkeypass sensiNact_team -srcalias sensinact.ddns.net. Notice that in "-srcstorepass password" the value password comes from the previous step, so if you decide to change it there you must change it here as well.
Configuring Felix
Make sure that the following configuration is present in the config.properties file of Felix; this file is located at
org.osgi.service.http.port.secure=443
org.apache.felix.http.enable=false
org.apache.felix.https.enable=true
# the JKS keystore generated with keytool in the previous section
org.apache.felix.https.keystore=/your_datastore/keystore.jks
# the values given to -deststorepass and -destkeypass when the JKS keystore was created
org.apache.felix.https.keystore.password=key_store_password
org.apache.felix.https.keystore.key.password=key_password
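As an added check (example code, not part of sensiNact or Felix), this script reads a config.properties the way java.util.Properties does and reports settings that would leave HTTPS disabled, keep the placeholder passwords, or turn a trailing comment into part of the keystore path; the file paths and sample values are constructed.

```python
# Added example (not sensiNact project code): validate the Felix HTTPS settings.
import re

REQUIRED = {"org.apache.felix.http.enable": {"false"},   # key -> accepted values
            "org.apache.felix.https.enable": {"true"},
            "org.osgi.service.http.port.secure": {"443", "8443"}}
PASSWORD_KEYS = ("org.apache.felix.https.keystore.password",
                 "org.apache.felix.https.keystore.key.password")

def parse_properties(text):
    """java.util.Properties-style reader: '#'/'!' comment only at line start, so a later '#' stays in the value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def check_https_config(text):
    """Return the list of problems found; an empty list means the config is usable."""
    props, problems = parse_properties(text), []
    for key, allowed in REQUIRED.items():
        if props.get(key) not in allowed:
            problems.append(f"{key} must be one of {sorted(allowed)}, got {props.get(key)!r}")
    ks = props.get("org.apache.felix.https.keystore", "")
    if not ks or "#" in ks:
        problems.append(f"keystore path {ks!r} is missing or has an inline comment in it")
    for key in PASSWORD_KEYS:
        if props.get(key, "") in {"", "password", "key_store_password", "key_password"}:
            problems.append(f"{key} is empty or still a placeholder")
    return problems

# Constructed sample: the guide's settings with the comment left on the keystore line.
BAD_CONFIG = """org.osgi.service.http.port.secure=443
org.apache.felix.http.enable=false
org.apache.felix.https.enable=true
org.apache.felix.https.keystore=/you_datastore/keystore.jks #generated by keytool
org.apache.felix.https.keystore.password=key_store_password
org.apache.felix.https.keystore.key.password=key_password"""
# Constructed sample: comment on its own line, passwords as given to -deststorepass/-destkeypass.
GOOD_CONFIG = """org.osgi.service.http.port.secure=443
org.apache.felix.http.enable=false
org.apache.felix.https.enable=true
# JKS keystore produced by keytool in the previous section
org.apache.felix.https.keystore=/opt/sensinact/conf/datastore.jks
org.apache.felix.https.keystore.password=sensiNact_team
org.apache.felix.https.keystore.key.password=sensiNact_team"""
```

Run check_https_config on the text of your own config.properties; an empty list means the three flags, the keystore path and both passwords are in the shape the guide expects.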
Once all the steps above have completed successfully, you can access your server over HTTPS. Point your browser to https://your.domain.com/sensinact/providers/, for example; your browser should indicate that the connection is secure and you should see all providers that are available in sensinact.
- You can use the same keystore for both bundle validation and the SSL certificate, but it is not advised. So if you are having issues with your certificate, try a separate keystore for each.
- You can check how secure your configuration is by using ssltest.