Configure TLS from the Command Line
The instructions on this page show you how to configure built-in TLS for an existing installation using command-line arguments.
Using the command line, you can switch between the following connection modes:
Mode | Description |
---|---|
HTTP | The default HTTP mode. TLS is disabled. HTTP mode is only suitable for test installations or when connections to Hub are routed through an SSL-terminating reverse proxy server. |
HTTPS | A secure HTTPS mode. TLS is enabled. The configuration parameters let you secure your server connections using the following file formats: |
To switch modes, stop Hub and run the configure
command. The values that you specify for each of the parameters in the command define your configuration of choice. See below for detailed instructions and a complete list of properties for each configuration.
Switching to HTTP Mode
When you run Hub with plain HTTP mode, the connections between web browsers and your server are not secured over SSL/TLS. For security purposes, strongly advise against using plain HTTP.
Hub is also unable to maintain a stable authentication state in connected services when attempting to exchange tokens over an unsecured connection. Any attempt to run Hub in a production environment using plain HTTP connections will result in an extremely frustrating experience for your users. For more information, see Cross-site Cookies.
The one case where it's safe to switch from HTTPS mode to HTTP is when you modify your server environment to use an SSL-terminating reverse proxy. In this case, you switch Hub to run in HTTP mode. Instead of using built-in TLS, you configure the reverse proxy to secure your server traffic.
To switch to HTTP mode:
Enter the following command:
<hub_home>/bin/hub.sh configure \ --listen-port=8080 \ --base-url=<new base URL> \ --secure-mode=disableIf the server base URL changes as a result of switching to HTTP mode, use the
--base-url=<new base URL>
parameter to set this value.For more information about the parameters that are used in this command, see Configuration Parameters.
Switching to HTTPS Mode
The configure
command lets you switch from HTTP to HTTPS mode. To enable secure HTTPS mode, you need to provide Hub with a private key and certificate. You can supply the private key and certificate as:
A keystore that contains private key/certificate data in JKS or PKCS #12 format.
A private key, certificate, and (optional) certificate chain as separate files in PEM format.
Before you start, copy your secure files to a location that is available to your Hub server.
The configure
command supports different properties that are specific to these file types. Follow the procedure that is applicable for the type of files that are available to you.
You can also follow these procedures if you have already configured HTTPS and simply want to apply a new certificate and private key to your Hub server.
To switch to HTTPS mode using an SSL keystore file:
Run the following command:
<hub_home>/bin/hub.sh configure \ --listen-port=443 \ --base-url=<new base URL> \ --secure-mode=tls \ --tls-server-cert-keystore-file=<path-to-keystore> \ --tls-server-cert-keystore-password=<keystore password> \ --tls-server-cert-keystore-key-alias=<private key entry alias> \ [--tls-server-cert-keystore-key-password=<private key entry password>] \ --tls-redirect-from-http=<[true|false]> \ [--tls-redirect-from-http-listen-port=8080]If the server base URL changes as a result of switching to HTTPS mode, use the
--base-url=<new base URL>
parameter to set this value.If you are switching from HTTP to HTTPS mode, you can designate a redirect listen port. This non-secure port receives all HTTP requests and redirects them to the secure listen port. To do so, use
tls-redirect-from-http=true
and specify a value for thetls-redirect-from-http-listen-port=<your redirect port number>
property.
For more information about the parameters that are used in this command, see Configuration Parameters.
To switch to the HTTPS mode using a private key and certificate:
Run the following command:
<hub_home>bin/hub.sh configure \ --listen-port=443 \ --base-url=<new base URL> \ --secure-mode=tls \ --tls-server-cert-key-file=<path-to-private-key-file> \ --tls-server-cert-file=<path-to-certificate-file> \ [--tls-server-cert-chain-file=<path-to-certificate-chain-file>] \ --tls-redirect-from-http=<[true|false]> \ [--tls-redirect-from-http-listen-port=8080]If the server base URL changes as a result of switching to HTTPS mode, use the
--base-url=<new base URL>
parameter to set this value.If the private key is encrypted, add the
tls-server-cert-private-key-passphrase
property to provide the passphrase for the key.If you want to define relative paths to the certificate files, use
tls-server-cert-key-file
,tls-server-cert-file
, andtls-server-cert-chain-file
. Set the value for the additionaltls-server-cert-folder
property with the absolute path to the directory. Relative paths are resolved against the specified absolute path.If you are switching from HTTP to HTTPS mode, you can designate a redirect listen port. This non-secure port receives all HTTP requests and redirects them to the secure listen port. To do so, use
tls-redirect-from-http=true
and specify a value for thetls-redirect-from-http-listen-port=<your redirect port number>
property.
For more information about the parameters that are used in this command, see Configuration Parameters.
Update a TLS Server Certificate
In situations where the TLS certificate that secures your Hub server is about to expire or has past its expiry date, you can update it directly from the command line.
Given that the current TLS certificate has already been configured, you only need to specify the certificate files in the command. All other parameters can be safely ignored.
To update a certificate using a private key and certificate in PEM format:
Run the following command:
<hub_home>/bin/hub.sh configure --tls-server-cert-key-file=<path-to-private-key-file> --tls-server-cert-file=<path-to-certificate-file> [--tls-server-cert-chain-file=<path-to-certificate-chain-file>]If the private key is encrypted, use the
tls-server-cert-private-key-passphrase
property to specify the passphrase for the key.
To update a certificate that is stored in JKS or PKCS #12 format:
Run the following command:
<hub_home>/bin/hub.sh configure --tls-server-cert-keystore-file=<path-to-keystore> --tls-server-cert-keystore-password=<keystore password> --tls-server-cert-keystore-key-alias=<private key entry alias> [--tls-server-cert-keystore-key-password=<private key entry password>]
Configuration Parameters
The following table provides a list of parameters that you can use to configure built-in TLS.
Property | Value | Description |
---|---|---|
secure-mode |
| The connection mode that is applied to the Hub server. This property supports the following values:
|
listen-port | The port on which Hub listens to HTTP traffic. | |
base-url | The URL that end users request to access your Hub installation. For example,
| |
tls-redirect-from-http |
| Set to true, to enable an additional port (defined by property The default value is |
tls-redirect-from-http-listen-port | Specify an additional port to accept unencrypted HTTP traffic and redirect it to a secure port defined by the property | |
tls-server-cert-folder | An (optional) absolute path to resolve relative paths defined by other command line parameters, when present. Relative paths to server certificate files that are specified in other properties are resolved against this directory. The properties that can reference relative paths are:
| |
tls-server-cert-keystore-file | The location of a keystore file in either JKS or PKCS #12 format. | |
tls-server-cert-keystore-password | Keystore integrity password | |
tls-server-cert-keystore-key-alias | The alias of the entry in the keystore that contains the server certificate and the private key. If your keystore uses the PKCS #12 format, follow these guidelines:
| |
tls-server-cert-keystore-key-password | Password that protects your server's private key entry in the keystore. | |
tls-server-cert-key-file | The location of a private key (PKCS #1 or PKCS #8) file, stored in PEM format. | |
tls-server-cert-file | The location of a certificate file, stored in PEM format. | |
tls-server-cert-chain-file | The (optional) location of a file that contains the certificate chain, stored in PEM format. | |
tls-server-cert-private-key-passphrase | string | If you use an encrypted private key, then use this property to provide the passphrase that was used for encryption. Supported for both PKCS #1 and PKCS #8 formats. |