====== HTTPS settings ======

===== Use HTTPS Only =====

  * Activate the HTTPS only checkbox to automatically redirect HTTP requests to HTTPS
  * WARNING: in this configuration, remote agents will not be able to connect unless you add the server certificate to their truststore (not needed when the certificate comes from a trusted authority)

===== Change HTTPS port =====

  * The Redpeaks HTTPS port number is set to **8443** by default
  * **If you are running on Linux**:
    * Set the new HTTPS port in the ''HTTPS redirection port'' field
    * Using port **443** is not always possible: ports below 1024 require elevated privileges
    * Example routing rule: ''iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443''
    * **Restart the Redpeaks service** from the Maintenance menu
  * **If you are running on Windows**:
    * Set the new HTTPS port in the ''HTTPS redirection port'' field
    * Run ''[REDPEAKS_HOME]\bin\pro_monitorw.exe''
    * Open the Java tab
    * Change the ''-Dhttp.port.ssl'' value to the new port number
    * **Restart the promonitor service**

{{..:..:..:userguide:administration:pasted:https1.png}}

===== Certificates =====

==== Disclaimer ====

  * The default certificate embedded with the server **will not work in Multi-instance mode**: agents will refuse the connection because the certificate is not bound to the server IP address
  * You **must** generate a self-signed certificate bound to the correct IP or hostname
  * All generated certificates are stored in ''[REDPEAKS_HOME]/certificates/.keystore''

==== Generating a certificate ====

  * The default certificate uses ''localhost'' as Common Name (CN)
  * To connect to the server over HTTPS using a hostname, you must install or generate a proper certificate

**Generating a self-signed certificate**

  * Click ''Generate a self-signed certificate''
  * Enter the hostname or IP
  * Save the certificate

**Generating a certificate manually**

  * [[..:adminconfig:createcertificat|Follow the procedure here]]

**Certificates from a trusted authority**

  * Follow the procedure below

==== Downloading and installing a self-signed certificate ====

  * To establish a secure connection with a system using a **self-signed certificate**, you must **trust** the certificate
  * Once trusted, you must connect using the **Common Name (CN)** of the certificate
  * This applies to:
    * REST API connector
    * Secure LDAP
    * Secure plugin
    * Secure primary server (agents)
    * Secure SAPControl or portal

**Import certificate from remote sites**:

  * Click ''Download and install a self-signed certificate''
  * Enter the URL as hostname:port (443 by default)
  * Enter the certificate's CN (visible in the browser certificate details)

==== Installing a certificate manually ====

  * Copy the certificate file (.cer) into ''[REDPEAKS_HOME]/certificates/''
  * Import it:

<code bash>
keytool -import -trustcacerts -keystore [REDPEAKS_HOME]/certificates/.keystore -storepass agentilKeyStore \
  -noprompt -alias yourAliasName -file [REDPEAKS_HOME]/certificates/certificate.cer
</code>

==== Import keystore into the Redpeaks keystore ====

  * Import an external PKCS12 keystore:

<code bash>
keytool -importkeystore -srckeystore yourKeyStore.p12 -srcstoretype PKCS12 -srcstorepass agentilKeyStore \
  -destkeystore [REDPEAKS_HOME]/certificates/.keystore -deststoretype JKS -deststorepass agentilKeyStore
</code>

NOTE:
  * The Redpeaks keystore (server keys) and truststore (trusted certificates) are stored in the same file ''[REDPEAKS_HOME]/certificates/.keystore''

===== Building a Full PKCS12 Certificate Bundle (P12) =====

In some cases, you have:
  * a private key file (''server.key'')
  * a server certificate (''server.crt'' or ''server.cer'')
  * one or more CA / intermediate certificates (''root.cer'', ''intermediate.cer'')

The recommended way to provide a complete chain to Redpeaks is to build a PKCS12 (''.p12'') file containing:
  * the private key
  * the server certificate
  * the intermediate and root certificates (full chain)

==== Ensure certificates are in PEM format ====

  * Open your ''.cer'' files
  * If you see ''-----BEGIN CERTIFICATE-----'', they are already in PEM format
  * If the file is binary, convert it from DER to PEM:

<code bash>
openssl x509 -inform DER -in intermediate.cer -out intermediate.crt
openssl x509 -inform DER -in root.cer -out root.crt
</code>

==== Build the chain file ====

  * Concatenate the intermediate and root certificates (in this order):

<code bash>
cat intermediate.crt root.crt > chain.pem
</code>

==== Create PKCS12 with full chain ====

  * Create a PKCS12 file containing:
    * the private key
    * the server certificate
    * the full chain

Example:

<code bash>
openssl pkcs12 -export -inkey server.key -in server.crt -certfile chain.pem -name pro_monitor -out fullcert.p12
</code>

You will be asked for an export password: use ''agentilKeyStore'' if you want to import it directly with the default Redpeaks keystore password.

==== Import P12 into Redpeaks keystore ====

  * Import the newly created ''fullcert.p12'' into the Redpeaks keystore:

<code bash>
keytool -importkeystore -srckeystore fullcert.p12 -srcstoretype PKCS12 \
  -srcstorepass agentilKeyStore -destkeystore [REDPEAKS_HOME]/certificates/.keystore -deststoretype JKS -deststorepass agentilKeyStore
</code>

  * After this, the alias used (''pro_monitor'' in the example) should contain:
    * Entry type: PrivateKeyEntry
    * Certificate chain length: 2 or 3 (server + intermediate (+ root))

===== Troubleshooting =====

  * See [[..:..:..:troubleshooting:certificates|Troubleshooting certificate issues]]
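The ''Download and install a self-signed certificate'' step described earlier has a command-line equivalent. The script below is an added example written for this page, not part of Redpeaks; it assumes ''openssl'' and ''keytool'' are on the PATH and that the keystore is the ''[REDPEAKS_HOME]/certificates/.keystore'' file with the default password shown on this page. It fetches the certificate a remote host presents, prints its CN (the name you must then use to connect) and imports it into the keystore, which is also the truststore. The ''extract_cn'' helper accepts both the current and the legacy ''openssl'' subject output formats.

```shell
#!/bin/sh
# Added example (not Redpeaks' own tooling): command-line equivalent of
# "Download and install a self-signed certificate". Assumes openssl and
# keytool on PATH and the keystore/password shown on this page.
set -e

KEYSTORE_PASS="${KEYSTORE_PASS:-agentilKeyStore}"

# Reduce an "openssl x509 -noout -subject" line to the CN value alone.
# Handles "subject=CN = host, O = Org" (OpenSSL 1.1+) and the legacy
# "subject= /C=FR/O=Org/CN=host" layout. Prints nothing when there is no CN.
extract_cn() {
  printf '%s\n' "$1" \
    | sed -n -E 's#.*[/,[:space:]]?CN ?= ?([^,/]+).*#\1#p' \
    | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//'
}

# Fetch the leaf certificate presented on host:port and store it as PEM.
# -servername sends SNI so a virtual-hosted server returns the right cert;
# "openssl x509" picks the first PEM block out of the s_client transcript.
fetch_cert() {
  host="$1"; port="$2"; out="$3"
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM -out "$out"
}

# CN of a PEM certificate file: the name agents and connectors must use.
cert_cn() {
  extract_cn "$(openssl x509 -noout -subject -in "$1")"
}

# Import a certificate into the Redpeaks keystore (also its truststore).
trust_cert() {
  redpeaks_home="$1"; certfile="$2"; alias="$3"
  keytool -import -trustcacerts -noprompt \
    -keystore "$redpeaks_home/certificates/.keystore" -storepass "$KEYSTORE_PASS" \
    -alias "$alias" -file "$certfile"
}

# 0 if the alias exists in the keystore, 1 otherwise.
is_trusted() {
  keytool -list -keystore "$1/certificates/.keystore" -storepass "$KEYSTORE_PASS" \
    -alias "$2" >/dev/null 2>&1
}

# Usage: sh trust_remote.sh REDPEAKS_HOME HOST [PORT]   (port defaults to 443)
if [ "$#" -ge 2 ]; then
  home="$1"; host="$2"; port="${3:-443}"
  tmp="$(mktemp)"
  fetch_cert "$host" "$port" "$tmp"
  cn="$(cert_cn "$tmp")"
  trust_cert "$home" "$tmp" "$host"
  rm -f "$tmp"
  is_trusted "$home" "$host"
  echo "Imported certificate for $host; connect to it using its CN: $cn"
fi
```

Run it as ''sh trust_remote.sh /opt/redpeaks monitor.example.com 8443''; the alias is the hostname you typed, while the printed CN is what the REST API connector, secure LDAP or agent configuration must use afterwards, exactly as the section above states.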
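The PKCS12 bundle procedure above (PEM check, chain file, PKCS12 export, keytool import) collected into one script, together with a check for the result the page says to expect (''PrivateKeyEntry'' with a chain length of 2 or 3). This is an added example written for this page, not Redpeaks' own tooling; it assumes ''openssl'' and ''keytool'' on the PATH and the keystore path and default password from this page, and all file names are placeholders. It generalises the two-certificate chain to any number of intermediates and inserts a missing trailing newline between concatenated certificates, a frequent reason why a plain ''cat'' produces a chain file that ''openssl'' cannot parse.

```shell
#!/bin/sh
# Added example (not Redpeaks' own tooling): the full-chain PKCS12 procedure
# as a script, plus verification of the imported alias. Assumes openssl and
# keytool on PATH; keystore path and default password are from this page.
set -e

KEYSTORE_PASS="${KEYSTORE_PASS:-agentilKeyStore}"

# 0 if the file is PEM (textual BEGIN CERTIFICATE header), 1 if not (DER).
is_pem() {
  grep -q -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Copy a PEM certificate unchanged, or convert DER to PEM with openssl.
to_pem() {
  if is_pem "$1"; then cp "$1" "$2"; else openssl x509 -inform DER -in "$1" -out "$2"; fi
}

# Concatenate certificates into a chain file in the order given: the issuer
# of the server certificate first, the root last. Any number of intermediates
# is accepted; a missing final newline is added so PEM blocks never merge.
build_chain() {
  out="$1"; shift
  : > "$out"
  for cert in "$@"; do
    tmp="$(mktemp)"
    to_pem "$cert" "$tmp"
    cat "$tmp" >> "$out"
    if [ -n "$(tail -c 1 "$tmp")" ]; then echo >> "$out"; fi
    rm -f "$tmp"
  done
}

# Number of PEM certificates in a file (0 when none, without failing).
count_certs() {
  grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Wrap private key + server certificate + chain into one PKCS12 under an alias.
make_p12() {
  key="$1"; cert="$2"; chain="$3"; alias="$4"; out="$5"
  openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$chain" \
    -name "$alias" -out "$out" -passout "pass:$KEYSTORE_PASS"
}

# Import the PKCS12 into the Redpeaks JKS keystore.
import_p12() {
  keytool -importkeystore -srckeystore "$1" -srcstoretype PKCS12 \
    -srcstorepass "$KEYSTORE_PASS" -destkeystore "$2" \
    -deststoretype JKS -deststorepass "$KEYSTORE_PASS"
}

# Parsers for the "keytool -list -v" output of one alias.
entry_type()   { printf '%s\n' "$1" | sed -n 's/^Entry type: //p'; }
chain_length() { printf '%s\n' "$1" | sed -n 's/^Certificate chain length: //p'; }

# 0 when the entry is what the page expects after a good import: a private
# key entry whose chain holds the server cert plus one or two CA certs.
entry_ok() {
  [ "$(entry_type "$1")" = "PrivateKeyEntry" ] || return 1
  case "$(chain_length "$1")" in 2|3) return 0 ;; *) return 1 ;; esac
}

# Usage: sh build_bundle.sh REDPEAKS_HOME server.key server.crt intermediate.cer root.cer
if [ "$#" -ge 4 ]; then
  home="$1"; key="$2"; cert="$3"; shift 3
  keystore="$home/certificates/.keystore"
  build_chain chain.pem "$@"
  make_p12 "$key" "$cert" chain.pem pro_monitor fullcert.p12
  import_p12 fullcert.p12 "$keystore"
  listing="$(keytool -list -v -keystore "$keystore" -storepass "$KEYSTORE_PASS" -alias pro_monitor)"
  if entry_ok "$listing"; then
    echo "pro_monitor imported: $(entry_type "$listing"), chain length $(chain_length "$listing")"
  else
    echo "unexpected keystore entry for pro_monitor: check the chain order and the key/certificate pair" >&2
    exit 1
  fi
fi
```

A ''trustedCertEntry'' or a chain length of 1 at the end means the private key was not matched with the certificate, or the chain file was empty or out of order; in that case redo the chain step before importing again.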