
Configuring SSL for use

Tony Beveridge edited this page Dec 26, 2015 · 4 revisions

Overview

To be able to activate SSL (TLS) for http, a few steps are required with the 'out of the box' implementation.

If you have your own CA, and the ability to issue trusted certificates, then only the SSL binding step is of note.

The basic steps required are:

  1. Select a quorum member machine (the 'CA' machine) on which to perform these operations (any machine will do)
  2. Open a command prompt, running as the Administrator
  3. Create a self signed CA certificate
  4. Issue a certificate for the 'CA' machine
  5. Bind the SSL certificate for the 'CA' machine to the secure quorum port
  6. Test
  7. For each machine other than the CA machine, issue a certificate, export it, transfer it to the machine in question, and import it there

2. Open a command prompt

You must run the command prompt as the Administrator, or none of the following steps will work! Also, the directory containing the makecert utility must be on your PATH; for example, C:\Program Files (x86)\Windows Kits\8.1\bin\x86.

3. Create a self signed CA certificate

During this process, you will be asked for up to 3 passwords - use the same password each time and take care to remember it.

Execute:

makecert -n "CN=softwarequorumCA" -r -sv softwarequorumCA.pvk softwarequorumCA.cer

Now, type mmc, and add the Certificates snap-in for the local machine. Navigate to the Trusted Root Certification Authorities/Certificates node. Import the softwarequorumCA.cer certificate that has just been created.

4. Issue a certificate for the 'CA' machine

Having now set up the CA, you can issue a certificate for the 'CA' machine. This is a certificate that will be used by the quorum software for SSL purposes - creating the CA certificate is an administrative 'nicety' at this stage :-)

It is important to use the correct common name (CN) when generating the certificate, as it must be the same as the name of the machine on which it will be used. Use the whoami command to determine the machine name.

Let's assume you want to create a quorum-usable certificate now, and that the machine on which you're executing is called Zephyr.

You would then execute:

makecert -sk softwarequorumCA -iv softwarequorumCA.pvk -n "CN=Zephyr" -ic softwarequorumCA.cer Zephyr.cer -sr localmachine -pe -ss My

Assuming no errors are generated, this has created a certificate associated with the host Zephyr and installed it into the local machine certificate store under the Personal folder. You can verify this in mmc.

5. Bind the SSL certificate

As the http quorum implementation uses the C# HttpListener, you must bind the certificate to the port that will be used for secure http communications. This, by default, is 8999. See the configuration reference for further details.

In mmc, under the Personal folder, open the certificate generated in step 3. Locate the thumbprint property under Details. Copy it, and remove all spaces and any hidden Unicode characters (the value copied from the Details pane often carries an invisible leading character). Let's assume the thumbprint is dbeaf20763c9398f2b60722b10f5f86e595630dd.

Then, to bind the certificate to the secure port for the quorum Windows service, execute:

netsh http add sslcert ipport=0.0.0.0:8999 certhash=dbeaf20763c9398f2b60722b10f5f86e595630dd appid={6748d5fe-63df-4f6b-8c49-41b2aa7034b0}
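Steps 2 to 5 above are typed one at a time, and the weak point in practice is the thumbprint that has to be copied out of mmc by hand. The script below is an added example, not part of this wiki or the quorum software: it runs the same makecert and netsh commands as the page, but it checks the elevation and PATH prerequisites first, reads the thumbprint straight from the LocalMachine\My store (so no stray spaces or invisible Unicode characters reach netsh), and confirms the binding afterwards with netsh http show sslcert. It assumes the PKI module cmdlet Import-Certificate is available (Windows 8 / Server 2012 or later), that the CN should be $env:COMPUTERNAME, and it reuses the page's CA name, port 8999 and appid.

```powershell
# Added example (not the wiki's own script): steps 2-5 as one elevated PowerShell run on
# the 'CA' machine. makecert will still prompt for the private key password as described.
$ErrorActionPreference = 'Stop'

$caName   = 'softwarequorumCA'
$hostName = $env:COMPUTERNAME                          # CN must equal the machine name
$port     = 8999                                       # default secure quorum port
$appId    = '{6748d5fe-63df-4f6b-8c49-41b2aa7034b0}'   # appid from the page's netsh command

# Step 2: refuse to continue unless elevated and makecert is reachable.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell session.'
}
if (-not (Get-Command makecert.exe -ErrorAction SilentlyContinue)) {
    throw 'makecert.exe is not on PATH; add the Windows Kits bin directory first.'
}

# Step 3: self-signed CA certificate, then trust it in Trusted Root Certification Authorities.
& makecert -n "CN=$caName" -r -sv "$caName.pvk" "$caName.cer"
if ($LASTEXITCODE -ne 0) { throw "makecert failed creating the CA certificate ($LASTEXITCODE)" }
Import-Certificate -FilePath "$caName.cer" -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Step 4: machine certificate signed by the CA, installed into LocalMachine\My (Personal).
& makecert -sk $caName -iv "$caName.pvk" -n "CN=$hostName" -ic "$caName.cer" "$hostName.cer" -sr localmachine -pe -ss My
if ($LASTEXITCODE -ne 0) { throw "makecert failed issuing the machine certificate ($LASTEXITCODE)" }

# Step 5: pick the newest certificate for this machine that our CA issued and that has a key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$hostName" -and $_.Issuer -eq "CN=$caName" -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for CN=$hostName issued by CN=$caName found in LocalMachine\My" }

# Keep only hex digits. The Thumbprint property is already clean; the filter exists so the
# same line also sanitises a value pasted in from mmc (spaces, invisible left-to-right mark).
$thumb = ($cert.Thumbprint -replace '[^0-9A-Fa-f]', '').ToLowerInvariant()
if ($thumb.Length -ne 40) { throw "Unexpected thumbprint length: $($thumb.Length)" }

# Replace any binding already on the port so the script can be re-run after a renewal.
$existing = & netsh http show sslcert ipport=0.0.0.0:$port
if ($existing -match 'Certificate Hash') {
    & netsh http delete sslcert ipport=0.0.0.0:$port | Out-Null
}
& netsh http add sslcert ipport=0.0.0.0:$port certhash=$thumb appid=$appId
if ($LASTEXITCODE -ne 0) { throw "netsh failed to bind the certificate ($LASTEXITCODE)" }

# Verify: the binding now listed for the port must carry the thumbprint we chose.
$binding = & netsh http show sslcert ipport=0.0.0.0:$port
if (-not ($binding -match $thumb)) { throw 'Binding not found after netsh add sslcert' }
Write-Host "Bound $($cert.Subject) ($thumb) to 0.0.0.0:$port"
```

Save it as, say, Bind-QuorumCert.ps1 (a name chosen here) and run it from an elevated PowerShell prompt in the directory where the .pvk and .cer files should be written; the final netsh http show sslcert check is the same one to run by hand whenever the service refuses to start on the secure port.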

6. Test

Testing is straightforward:

  • Install and start the Windows service
  • Go to the Control Centre and open Configuration
  • Select the Https radio button
  • Change the port to 8999
  • Save the configuration
  • Click Home
  • The machine configured thus far should show as operational within a few seconds
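Step 7 of the overview (issue a certificate for each other quorum member, export it, transfer it, import it) is only listed on this page, so here is an added example of how it can be done; it is not the project's own script. It assumes the CA files from step 3 are in the current directory on the 'CA' machine, that makecert is on PATH and the session is elevated on both machines, that the PKI module cmdlets Export-PfxCertificate, Import-PfxCertificate and Import-Certificate are available (Windows 8 / Server 2012 or later), and it uses a constructed member name, Orion, plus the page's port and appid. The script name Step7.ps1 is likewise just a name chosen here.

```powershell
# Added example (not the wiki's own script). Run with -Mode Issue on the 'CA' machine,
# copy the resulting .pfx together with softwarequorumCA.cer to the member, then run
# with -Mode Install on the member. 'Orion' is a constructed machine name.
param(
    [Parameter(Mandatory)][ValidateSet('Issue', 'Install')][string]$Mode,
    [string]$Member    = 'Orion',
    [string]$CaName    = 'softwarequorumCA',
    [string]$Port      = '8999',
    [string]$AppId     = '{6748d5fe-63df-4f6b-8c49-41b2aa7034b0}',
    [string]$PfxPath   = ".\$Member.pfx",
    [string]$CaCerPath = ".\$CaName.cer"
)
$ErrorActionPreference = 'Stop'
$pfxPassword = Read-Host -AsSecureString 'PFX password'   # protects the key pair in transit

switch ($Mode) {
    'Issue' {
        # On the CA machine: same makecert form as step 4, but the CN is the member's name.
        # -pe marks the private key exportable, which is what lets it leave as a PFX.
        & makecert -sk $CaName -iv "$CaName.pvk" -n "CN=$Member" -ic "$CaName.cer" "$Member.cer" -sr localmachine -pe -ss My
        if ($LASTEXITCODE -ne 0) { throw "makecert failed ($LASTEXITCODE)" }

        $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Subject -eq "CN=$Member" -and $_.Issuer -eq "CN=$CaName" -and $_.HasPrivateKey } |
            Sort-Object NotBefore -Descending | Select-Object -First 1
        if (-not $cert) { throw "No exportable certificate for CN=$Member found" }

        Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword | Out-Null
        # The member's key pair has no business staying in the CA machine's Personal store.
        Remove-Item $cert.PSPath -DeleteKey
        Write-Host "Copy $PfxPath and $CaCerPath to $Member, then run: .\Step7.ps1 -Mode Install -Member $Member"
    }
    'Install' {
        # On the member: trust the CA, import the key pair, bind it to the secure port.
        Import-Certificate -FilePath $CaCerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
        $cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword

        # The CN must match this machine, otherwise the quorum will not accept the certificate.
        if ($cert.Subject -ne "CN=$env:COMPUTERNAME") {
            throw "Certificate subject '$($cert.Subject)' does not match this machine ($env:COMPUTERNAME)"
        }

        $thumb = $cert.Thumbprint.ToLowerInvariant()
        & netsh http add sslcert ipport=0.0.0.0:$Port certhash=$thumb appid=$AppId
        if ($LASTEXITCODE -ne 0) { throw "netsh failed ($LASTEXITCODE)" }

        Remove-Item $PfxPath   # the key pair now lives in the store; don't leave the PFX on disk
        Write-Host "Installed $($cert.Subject) ($thumb) and bound it to 0.0.0.0:$Port"
    }
}
```

After the Install run, the member can be checked exactly as in step 6: start the service, select Https with port 8999 in the Control Centre, and confirm the machine shows as operational.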