Enabling User Portal Management Interfaces
- Allow incoming connections to the HTTPS port 443 so that clients can reach the User Portal management interfaces.
  You may also optionally allow incoming connections to the HTTP port 80. HTTP connections are automatically redirected to HTTPS.
- If you are running SELinux on the machine (enabled by default on Red Hat, CentOS, and Rocky Linux), you need to allow Nginx to connect to the User Portal services and to write logs. This is done by importing the policy module provided with the User Portal binaries.

  On Rocky Linux 8.4 - 8.x, install the necessary SELinux tools:

  ```shell
  # dnf --enablerepo=powertools install libsemanage-devel
  ```

  On all platforms, install the policy module:

  ```shell
  # semodule -i /opt/sshmgr-user-portal/selinux/nginx.pp
  ```

  The human-readable version of the policy module is available at /opt/sshmgr-user-portal/selinux/nginx.te
- Configure Nginx to serve the User Portal management interfaces:

  ```shell
  # /opt/sshmgr-user-portal/bin/setup-nginx
  ```

  The script configures Nginx to serve the User Portal management interfaces via HTTPS. The script also sets up self-signed server certificates.

  Note: For production environments, we strongly suggest that you use trusted certificates for authenticating the User Portal management interfaces.
- By default, the Key Manager site configuration specifies the following locations for the certificate files:
  - Server private-key file: /etc/pki/tls/private/ukmserver.key
  - Server certificate file: /etc/pki/tls/certs/ukmserver.crt
  i. The server private-key file must contain the server private key.

  ii. The server certificate file must contain the server certificate. Also, the certificate chain of the server-certificate CA must be concatenated to this file. Note that the resulting server certificate file must begin with the server certificate (certificates from the certificate chain can be in any order).

  iii. If you are using certificates issued by intermediate CAs, ensure that the Nginx web server supports longer certificate chains. To do this, specify the ssl_verify_depth setting in the Nginx configuration file /etc/nginx/sites-available/user-portal. In the Nginx configuration file, find the block that looks like this:

  ```nginx
  server {
      listen 443 ssl default_server;
      server_name _;
      # Server certificate
      ssl_certificate /etc/pki/tls/certs/ukmserver.crt;
      # Server private key
      ssl_certificate_key /etc/pki/tls/private/ukmserver.key;
      ...
  }
  ```

  Specify ssl_verify_depth with a value equal to or greater than the length of the certificate chain, for example:

  ```nginx
  server {
      listen 443 ssl default_server;
      server_name _;
      # Server certificate
      ssl_certificate /etc/pki/tls/certs/ukmserver.crt;
      # Server private key
      ssl_certificate_key /etc/pki/tls/private/ukmserver.key;
      ssl_verify_depth 5;
      ...
  }
  ```

  iv. Restart the Nginx service to reload the certificates and apply any configuration changes:

  ```shell
  # service nginx restart
  ```

  If you need additional information about configuring HTTPS servers with Nginx, please refer to the Nginx product documentation.

  v. Optional: You can display information about the server certificates using the openssl s_client command (replace keymanager.example.com with the address of the Key Manager server):

  ```shell
  # openssl s_client -showcerts -connect keymanager.example.com:443
  ```
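Steps ii and iii above impose two rules that are easy to get wrong when a bundle is assembled by hand: the server certificate file must begin with the server certificate, and ssl_verify_depth must be at least the length of the chain. The following checker is an added example written for this guide; it is not part of the User Portal tooling. It assumes PEM-formatted files and only inspects block types, order and count (it does not validate signatures, so it complements rather than replaces the openssl s_client check). The sample bundles and Nginx configuration below are constructed inputs.

```python
"""Structural pre-flight check for an Nginx certificate bundle and the
ssl_verify_depth setting, intended to run before `service nginx restart`.

Added example for this guide (not the User Portal's own code). Assumption:
files are PEM; only block labels, order and count are checked.
"""
import re

# One PEM block. The backreference forces the END label to match the BEGIN label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, body), ...] for every PEM block in file order."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def check_cert_bundle(text):
    """Return (ok, findings, cert_count) for a server certificate file.

    Guide rules: the file begins with the server certificate and the CA chain
    follows it. Extra hardening check: no private key may sit in this file,
    because /etc/pki/tls/certs is normally world-readable.
    """
    blocks = pem_blocks(text)
    findings = []
    if not blocks:
        return False, ["no PEM blocks found"], 0
    if blocks[0][0] != "CERTIFICATE":
        findings.append(
            f"first block is {blocks[0][0]!r}, expected CERTIFICATE")
    if any("PRIVATE KEY" in label for label, _ in blocks):
        findings.append("private key material found in certificate file")
    certs = [body for label, body in blocks if label == "CERTIFICATE"]
    if len(set(certs)) != len(certs):
        findings.append("duplicate certificate in chain")
    return not findings, findings, len(certs)


def verify_depth(nginx_conf):
    """Return the ssl_verify_depth value in the config, or None when unset."""
    m = re.search(r"^\s*ssl_verify_depth\s+(\d+)\s*;", nginx_conf, re.M)
    return int(m.group(1)) if m else None


def depth_sufficient(nginx_conf, cert_count):
    """True when ssl_verify_depth is set and covers a chain of cert_count certs."""
    depth = verify_depth(nginx_conf)
    return depth is not None and depth >= cert_count


# Constructed sample: server cert first, then two CA certs (bodies are dummies).
GOOD_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nAAAAserver\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nAAAAintermediate\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nAAAAroot\n-----END CERTIFICATE-----\n")

# Constructed mistake: the private key was pasted in first, server cert second.
BAD_BUNDLE = (
    "-----BEGIN PRIVATE KEY-----\nBBBBkey\n-----END PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nAAAAserver\n-----END CERTIFICATE-----\n")

# Constructed server block mirroring the guide's example, with depth set ...
NGINX_CONF = """server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate /etc/pki/tls/certs/ukmserver.crt;
    ssl_certificate_key /etc/pki/tls/private/ukmserver.key;
    ssl_verify_depth 5;
}
"""
# ... and the same block with the setting omitted.
NGINX_CONF_NO_DEPTH = NGINX_CONF.replace("    ssl_verify_depth 5;\n", "")


if __name__ == "__main__":
    for name, bundle in (("good", GOOD_BUNDLE), ("bad", BAD_BUNDLE)):
        ok, findings, count = check_cert_bundle(bundle)
        print(f"{name}: ok={ok} certs={count} findings={findings}")
        print(f"  depth sufficient: {depth_sufficient(NGINX_CONF, count)}")
```

To use it on a real host, read /etc/pki/tls/certs/ukmserver.crt and /etc/nginx/sites-available/user-portal into the two functions; a False from check_cert_bundle or depth_sufficient is the cue to fix the file before restarting Nginx.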