Planning considerations > Run the UI over HTTPS

Run the UI over HTTPS

The default way for browsers to connect to the application server's user interface is via HTTP. Typically, the URL a browser uses to connect is http://<host>:6080/ui, where <host> is the name or IP address of the computer running the server. Optionally, you can have browsers connect instead via HTTPS (HTTP over SSL). You can also allow connections via HTTP and HTTPS at the same time. The following sections explain how to configure this.

Configure HTTPS

Use this procedure to configure the server so that browsers can log on to the user interface via HTTPS.

  1. Click System management on the toolbar in the user interface to open the System management page.
  2. Click Configure UI connection to open the Configure UI connection page.
  3. If you are opening the page for the first time, the connections via HTTP option is already configured by default. You can leave the page as-is or add a configuration for connecting via HTTPS. You cannot disable connections via HTTP until you have configured HTTPS. Once HTTPS has been configured, you can return to this page and select to have browsers connect via HTTP or HTTPS or both.
  4. On the General tab, select UI connections made via HTTPS.
  5. Although port 6443 is suggested, you can change the number as your situation requires.
  6. Optionally, select the checkbox for overriding cipher suites. The following describes this feature.
  7. Override SSL and TLS cipher suites
  8. Select this checkbox to specify, using the Add and Remove buttons, the specific cipher suites supported for the embedded server. If not selected, all cipher suites are supported by default. The default is less secure than specifying only certain cipher suites.
  9. The default order in the Available column is the preferred order of use. Once ciphers are moved to the Selected column, you can arrange the order. Activator uses the ciphers in the order listed.
  10. A cipher suite is a collection of security algorithms used to make connections via Secure Sockets Layer (SSL) or Transport Layer Security (TLS). For example, an SSL or TLS protocol requires signing messages using a message digest algorithm. However, the choice of algorithm is determined by the particular cipher suite being used for the connection. Typically, you can select an MD5 or SHA digest algorithm.
  11. Of the many algorithms for encrypting data and computing the message authentication code, there are varying levels of security. Some provide the highest levels of security, but require a large amount of computation for encryption and decryption. Others are less secure, but provide rapid encryption and decryption. The length of the key used for encryption affects the level of security. The longer the key, the more secure the data.
  12. The checkbox for overriding cipher suites lets you select the level of security that suits your needs and enables communicating with others who might have different security requirements. For example, when an SSL connection is established, the client and server exchange information about the cipher suites they have in common. Then they communicate using the common cipher suite that offers the highest level of security. If they do not have a cipher suite in common, secure communication is not possible.
  13. In versions of Activator earlier than 5.9, cipher suites configuration was handled by a file named sslciphersuites.xml. As data in that file is saved in the database, the custom cipher suites configuration is retained upon upgrading and is displayed in the Selected list under the checkbox in the user interface. The sslciphersuites.xml file is no longer used.
  14. Click Save.
  15. Select the Personal certificates tab and click Add a certificate to open the certificate wizard.
  16. You can add a self-signed or a CA certificate. The certificate has a public-private key pair. The certificate is used to secure connections between browsers and the server.
  17. If you choose to add a self-signed certificate, you can accept all default values in the certificate wizard.
  18. The steps for adding a server certificate are the same as adding a certificate for a community profile. See Add a certificate for more information.
  19. After adding the certificate, the General tab displays again.
  20. Select the Personal certificates tab again. The certificate you added in step 7 is listed. You can click the certificate's name to display details.
  21. If there is more than one certificate, select the certificate you want as the default and click Save.
  22. On the General tab, check again that the UI connections made via HTTPS is selected.
  23. If you are configuring HTTPS and have selected Require client authentication, select the Trusted roots certificate tab and add a trusted root certificate.
  24. With this option, the server requires the user's browser to send a certificate back to the HTTPS server. The HTTPS server must trust the certificate returned by the browser client. If a browser user has a CA-issued certificate for authentication, you only must trust the root CA certificates. If a browser user has a self-signed certificate, the user must export the certificate and public key to a file and give you the file. You then must import the certificate file.
  25. To complete the configuration, you must do one of the following:
  26. Inform users of the URL needed to connect from a browser to the user interface. If you use the suggested port, 6443, the URL is https://<host>:6443/ui where <host> is the fully qualified domain name or IP address of the computer running the server.

Switch between HTTP and HTTPS

Once connections via HTTPS have been configured, you can return to the UI configuration page and select to allow browser connections via HTTP or HTTPS or both.

If you change the configuration, click Save. You also must do one of the following:

Related topics