Configure Built-in TLS in Command Line
Configuring TLS in your current Hub installation
Using the command line, you can switch between the following secure mode configurations:
- HTTP: the default HTTP mode. TLS is disabled.
- HTTPS (keystore): secure HTTPS mode. TLS is enabled. The private key and certificate data are stored in a keystore file.
- HTTPS (privateKeyAndCert): secure HTTPS mode. TLS is enabled. The private key, the certificate, and the certificate chain (optional) are stored in separate files in the PEM format.
To switch between modes, run the configure command, defining all the properties required for the configuration of your choice. See below for detailed instructions and a complete list of the properties for each configuration.

To switch to the HTTP mode:
1. Stop Hub:
   <hub_home>/bin/hub.sh stop
2. Enter the following command:
   <hub_home>/bin/hub.sh configure --listen-port=8080 --secure-mode=disable
3. Start Hub:
   <hub_home>/bin/hub.sh start
To switch to the HTTPS (keystore) mode:
1. Create a temporary folder and place the file keystore.jks, containing the server's private key and certificate, in that folder.
2. Stop Hub:
   <hub_home>/bin/hub.sh stop
3. Run the following command:
   <hub_home>/bin/hub.sh configure --listen-port=443 --secure-mode=tls --tls-server-cert-storage-type=keystore --tls-server-cert-folder=<folder with file keystore.jks> --tls-server-cert-keystore-password=<keystore password> --tls-server-cert-keystore-key-alias=<private key entry alias> --tls-server-cert-keystore-key-password=<private key entry password> --tls-redirect-from-http=<[true|false]> [--tls-redirect-from-http-listen-port=8080]
4. Start Hub:
   <hub_home>/bin/hub.sh start
To switch to the HTTPS (privateKeyAndCert) mode:
1. Create a temporary folder (let's call it <certificates_folder>) to store the files with the private key, the certificate, and the certificate chain (if any).
2. Place the private key (in the PEM format) into the file <certificates_folder>/privateKey.pem.
3. Place the server certificate (in the PEM format) associated with the private key into the file <certificates_folder>/certificate.crt.
4. If you have a certificate chain for signing the server's certificate (in the PEM format), place it into the file <certificates_folder>/certificateChain.crt.
5. Stop Hub:
   <hub_home>/bin/hub.sh stop
6. Run the following command:
   <hub_home>/bin/hub.sh configure --listen-port=443 --secure-mode=tls --tls-server-cert-storage-type=privateKeyAndCert --tls-server-cert-folder=<certificates_folder> --tls-redirect-from-http=<[true|false]> [--tls-redirect-from-http-listen-port=8080]
   If the private key is encrypted, also add the tls-server-cert-keystore-key-password property to provide the passphrase for the key.
7. Start Hub:
   <hub_home>/bin/hub.sh start
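As an added pre-flight check (example code, not part of Hub or its documentation), the following POSIX shell functions verify that the folder you pass as --tls-server-cert-folder holds the files the chosen storage type expects, and flag a PEM private key that other users can read or that is passphrase-protected and therefore needs the passphrase property. The file names are the ones the procedures above use; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not part of Hub): pre-flight checks for the folder passed as
# --tls-server-cert-folder, run before "hub.sh configure". The file names are
# the ones the configure procedures expect; the function names are hypothetical.

# key_is_encrypted <pem-file>: returns 0 when the PEM key is passphrase-protected
# (PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" header or PKCS#1 "Proc-Type: 4,ENCRYPTED").
key_is_encrypted() {
  head -n 3 "$1" | grep -q 'ENCRYPTED'
}

# key_is_private <file>: returns 0 unless group or other users have any access.
key_is_private() {
  perms=$(ls -l "$1" | cut -c5-10)   # the six group/other permission characters
  [ "$perms" = "------" ]
}

# check_cert_folder <keystore|privateKeyAndCert> <folder>
# Reports each problem on stderr; returns 0 only when the folder is usable.
check_cert_folder() {
  mode="$1"; dir="$2"; rc=0
  [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
  case "$mode" in
    keystore)
      # keystore mode: key and certificate both live in keystore.jks
      [ -f "$dir/keystore.jks" ] || { echo "missing $dir/keystore.jks" >&2; rc=1; }
      ;;
    privateKeyAndCert)
      # PEM mode: key and certificate are mandatory, the chain is optional
      for f in privateKey.pem certificate.crt; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; rc=1; }
      done
      if [ -f "$dir/privateKey.pem" ]; then
        key_is_private "$dir/privateKey.pem" ||
          { echo "privateKey.pem is readable by other users; chmod 600 it" >&2; rc=1; }
        if key_is_encrypted "$dir/privateKey.pem"; then
          echo "privateKey.pem is encrypted: pass its passphrase to configure" >&2
        fi
      fi
      ;;
    *)
      echo "unknown storage type: $mode" >&2; rc=1 ;;
  esac
  return "$rc"
}
```

Source the file and call check_cert_folder privateKeyAndCert <certificates_folder> (or check_cert_folder keystore <folder with file keystore.jks>) before running the configure command.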
Redirecting HTTP traffic
If you are going to use a secure HTTPS mode, you can optionally set up a redirect listen port: a non-secure port that receives all HTTP requests and redirects them to the secure listen port. To do so, add the parameters tls-redirect-from-http=true and tls-redirect-from-http-listen-port=<your redirect port number> to the configure command.
Configuration Parameters

HTTP

Property | Value | Description |
---|---|---|
secure-mode | disable | The default value of the property. TLS is disabled by default. |
listen-port | | The port on which Hub listens to the HTTP traffic. |

HTTPS (common properties)

Property | Value | Description |
---|---|---|
secure-mode | tls | TLS is enabled. |
tls-server-cert-storage-type | keystore or privateKeyAndCert | Defines the format (storage type) of the server certificate. See the description of each storage type below. |
tls-redirect-from-http | true or false | Set to true to enable an additional port (defined by the property tls-redirect-from-http-listen-port) that accepts unencrypted HTTP traffic and redirects it to the secure port. |
tls-redirect-from-http-listen-port | | An additional port that accepts unencrypted HTTP traffic and redirects it to the secure port defined by the property listen-port. |
tls-server-cert-folder | | The directory that contains the server certificate files to be applied to Hub. The directory should contain the file keystore.jks (keystore storage type) or the files privateKey.pem, certificate.crt and, optionally, certificateChain.crt (privateKeyAndCert storage type). |

HTTPS (keystore - additional settings)

Property | Value | Description |
---|---|---|
tls-server-cert-storage-type | keystore | Use this value if your private key/certificate data is stored in a generated keystore file. In this mode, the server's private key/certificate pair is derived from the file keystore.jks in the certificate folder. |
tls-server-cert-keystore-password | | The keystore integrity password. |
tls-server-cert-keystore-key-alias | | The alias associated with the private key/certificate entry in the keystore. |
tls-server-cert-keystore-key-password | | The password that protects the server's private key entry in the keystore. |

HTTPS (privateKeyAndCert - additional settings)

Property | Value | Description |
---|---|---|
tls-server-cert-storage-type | privateKeyAndCert | In this mode, the server's private key/certificate pair is taken from the files privateKey.pem, certificate.crt and, optionally, certificateChain.crt in the certificate folder. |
tls-server-cert-private-key-passphrase | string | If you use an encrypted private key, use this property to provide the passphrase that was used for encryption. Supported for both PKCS#8 and PKCS#1 formats. |