Secure Connection

By default, the communication between a product and an OPSWAT Central Management server is not encrypted. If HTTPS is enabled, the server can enforce secure connections between clients and the server on SSL channels. This section describes how to enable SSL for OPSWAT Central Management.

Requirements

In order to enable HTTPS on OPSWAT Central Management server, a trusted certificate issued by a certificate authority provider or a self-signed certificate must be provided.

Please refer to the section below for information on how to install a self-signed server certificate if a trusted certificate is not provided.

Enabling HTTPS for OPSWAT Central Management

Via the management console

To enable HTTPS on the OPSWAT Central Management server via the management console:

  1. Navigate to Settings > Server Configuration > SECURITY.

  2. If you have not configured a certificate that you would like to use for secure connections on OPSWAT Central Management, you should follow the below steps to do that; otherwise you can go to step #3.

    1. Click ADD NEW CERTIFICATE.

    2. Fill in the required fields. Be aware that the specified files MUST be present on the OPSWAT Central Management server and should not be deleted afterwards; otherwise, OPSWAT Central Management will not start.

      1. Certificate Name: The display name of the certificate in the OPSWAT Central Management console.
      2. Certificate File: The file path of the certificate file.
      3. Private Key File: The file path of the private key file associated with the certificate. The private key must be PKCS8.
      4. Password File (optional): The file containing passphrases used to decrypt an encrypted private key file.
    3. Click ADD.

  3. Check Enable HTTPS.
  4. Select a certificate (added in step 2) that the server should use for secure connections.
  5. Select the TLS versions that the server should allow for inbound requests.
  6. Click SAVE.
  7. OPSWAT Central Management will automatically restart and take a few minutes to load the new Secure Connection settings.

Via the nginx's configuration file

To enable HTTPS on the OPSWAT Central Management server via the nginx configuration file:

  1. Locate the serverSettings.conf file in the OPSWAT Central Management installation folder:

    1. On Windows: C:\Program Files\OPSWAT\Central\nginx\conf\serverSettings.conf, by default.
    2. On Linux: /opt/ocm/nginx/conf/serverSettings.conf
  2. Open the serverSettings.conf file for modification.

  3. First, add ssl to the two listen lines.

    • listen 9000 ssl;
    • listen [::]:9000 ssl;
  4. Then, uncomment the code block starting from ssl_certificate to error_page by removing # at the beginning of each line.

  5. Finally, replace the placeholders with the correct file paths for the certificate files:

    1. <PATH_TO_CERT_FILE> with the file path of the certificate file, for example: "C:\OCM_Keys\your.crt"
    2. <PATH_TO_KEY_FILE> with the file path of the certificate key file, for example: "C:\OCM_Keys\your.key"
    3. (Optional) ssl_ciphers determines the cipher suites used by nginx. The default configuration uses a macro that prefers cipher suites that support forward secrecy.
  6. Restart the OPSWAT Central Management server by clicking the Restart menu on the OPSWAT Central Management tray icon.
  7. After the service is restarted, open the OPSWAT Central Management console, for example https://localhost:9000, to check whether the console can be loaded successfully.
  8. Click SAVE to save changes.
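
A pre-restart check for the edits above, as an added example (not OPSWAT's code): it reads the text of serverSettings.conf and reports listen lines without ssl, certificate lines that are still commented out or still hold the placeholder, and referenced files that do not exist. The directive name ssl_certificate_key and the reuse of the console's PKCS8 key requirement for this file are assumptions; the sample configuration is constructed.

```python
import os
import re

# PKCS#8 PEM labels; "RSA PRIVATE KEY" (PKCS#1) and "EC PRIVATE KEY" are not.
PKCS8_LABELS = {"PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}
TLS_FILES = ("ssl_certificate", "ssl_certificate_key")  # second name assumed
# Constructed sample: one listen line edited, certificate block still commented.
SAMPLE_CONF = """\
listen 9000 ssl;
listen [::]:9000;
#ssl_certificate <PATH_TO_CERT_FILE>;
#ssl_certificate_key <PATH_TO_KEY_FILE>;
"""

def active_directives(conf_text):
    """Return (name, args) for each uncommented one-line directive."""
    found = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line[:-1].split(None, 1)
        if line.endswith(";") and parts:
            found.append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
    return found

def check_https_config(conf_text):
    """List the problems that would stop or weaken the HTTPS listener."""
    problems = []
    directives = active_directives(conf_text)
    for name, args in directives:
        if name == "listen" and "ssl" not in args.split():
            problems.append(f"listen {args}: 'ssl' parameter missing")
    paths = {n: a.strip("\"'") for n, a in directives if n in TLS_FILES}
    for name in TLS_FILES:
        path = paths.get(name)
        if path is None:
            problems.append(f"{name}: commented out or absent")
        elif "<PATH_TO_" in path:
            problems.append(f"{name}: placeholder not replaced")
        elif not os.path.isfile(path):
            problems.append(f"{name}: file not found: {path}")
        elif name == "ssl_certificate_key":
            with open(path, encoding="ascii", errors="replace") as fh:
                label = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----", fh.read())
            if not label or label.group(1) not in PKCS8_LABELS:
                problems.append(f"{name}: PEM key is not PKCS#8")
    return problems

if __name__ == "__main__":
    print("\n".join(check_https_config(SAMPLE_CONF)))
```

An empty result means both listen lines carry ssl and both files are present where nginx will look for them.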

Disabling HTTPS configuration

Via the management console

To disable HTTPS on the OPSWAT Central Management server via the management console:

  1. Navigate to Settings > Server Configuration > SECURITY.
  2. Uncheck Enable HTTPS.
  3. Click SAVE.
  4. OPSWAT Central Management will automatically restart and take a few minutes to load the new Secure Connection settings.

Via the nginx's configuration file

To disable HTTPS on the OPSWAT Central Management server via the nginx's ssl.conf configuration file:

  1. Locate the serverSettings.conf file in the OPSWAT Central Management installation folder:

    1. On Windows: C:\Program Files\OPSWAT\Central\nginx\conf\serverSettings.conf, by default
    2. On Linux: /opt/ocm/nginx/conf/serverSettings.conf
  2. Open the serverSettings.conf file for modification.

  3. Remove ssl from the two listen lines.

    • listen 9000;
    • listen [::]:9000;
  4. Restart the OPSWAT Central Management server by clicking the Restart menu on the OPSWAT Central Management tray icon.

  5. After the service is restarted, open the OPSWAT Central Management console, for example http://localhost:9000, to check whether the console can be loaded successfully.

    • Please note that if HTTP Strict Transport Security is enabled, you may still be redirected to https://localhost:9000, which no longer exists.
  6. Update the $link[page,343117,auto$] to match the new settings if needed.

  7. Click SAVE to save changes.

Enable HTTP Strict Transport Security

HTTP Strict Transport Security (HSTS) enforces the use of HTTPS protocol for all incoming connections. To enable HSTS for OPSWAT Central Management, please follow the below steps:

  1. Locate the ssl.conf file in the OPSWAT Central Management installation folder:

    1. On Windows: C:\Program Files\OPSWAT\Central\nginx\conf\ssl.conf, by default.
    2. On Linux: /opt/ocm/nginx/conf, by default.
  2. Locate the configuration line add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    1. If that line exists but starts with a comment sign (#), remove the comment sign.
    2. If that line does not exist, add it to the bottom of the configuration file.
  3. Restart the OPSWAT Central Management server by clicking the Restart menu on the OPSWAT Central Management tray icon.
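
What the add_header line from step 2 commits clients to, as an added example (not OPSWAT's code): it finds the uncommented HSTS directive in ssl.conf text, parses the policy, and converts max-age into the number of days a browser keeps forcing HTTPS after its last visit, which is the behaviour behind the redirect note in the Disabling HTTPS section. The function names are illustrative and the commented-out sample is constructed.

```python
import re

# The directive exactly as the page gives it, plus a constructed commented copy.
HSTS_LINE = ('add_header Strict-Transport-Security '
             '"max-age=31536000; includeSubDomains; preload" always;')
COMMENTED_CONF = "# " + HSTS_LINE + "\n"

# Matches only an uncommented directive at the start of a line.
HSTS_RE = re.compile(
    r'^[ \t]*add_header[ \t]+Strict-Transport-Security[ \t]+'
    r'"([^"]*)"([ \t]+always)?[ \t]*;',
    re.IGNORECASE | re.MULTILINE)

def hsts_policy(conf_text):
    """Return the active HSTS policy, or None if the line is absent or commented."""
    match = HSTS_RE.search(conf_text)
    if match is None:
        return None
    policy = {"max_age": None, "include_subdomains": False,
              "preload": False, "always": match.group(2) is not None}
    for token in match.group(1).split(";"):
        name, _, value = token.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age" and value.strip().isdigit():
            policy["max_age"] = int(value.strip())
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def pinned_days(policy):
    """Whole days a browser that saw this policy keeps rewriting http:// to https://."""
    if not policy or not policy["max_age"]:
        return 0
    return policy["max_age"] // 86400

if __name__ == "__main__":
    print(hsts_policy(HSTS_LINE), pinned_days(hsts_policy(HSTS_LINE)))
    print(hsts_policy(COMMENTED_CONF))
```

A policy without the always parameter is reported with "always": False; in that case nginx omits the header on error responses.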
