While it is possible to generate and install a self-signed certificate on Variphy Insight, you can also install a wildcard certificate (a public key certificate which can be used with multiple subdomains of a domain) if you have created one within your organization. This is a simpler process than generating the self-signed cert. In order to install the certificate, we will need to upload it to the Variphy server with an FTP client and edit a configuration file within Insight so that it uses the Wildcard cert.
NOTE: It is recommended to take a snapshot of your VM prior to making any kind of certificate changes.
A wildcard certificate typically is in a PKCS12 format, in the form of a .PFX or .P12 file, e.g. yourcert.pfx. It will also have a Keystore password, which will be required in order to install the cert in Insight.
To Install the certificate:
1) Stop the Variphy Insight service. You may use the command sudo service variphy stop. The default username and password for the Variphy OVA will be variphyadmin / V@riphy!! (this may have been changed in your organization).
2) Using an FTP client like Filezilla or WinSCP, copy your cert file to the following location in the Variphy Insight installation path: /app/tomcat
e.g. /opt/variphy/apps/Insight/app/tomcat/yourcert.pfx
3) in the /insight/config folder, edit the https_customizations.xml file with and editor like vi or nano (alternately, you can copy the file to your desktop and edit it with a notepad or notepad++ app, just be sure to keep the original file extension when saving or copying it back)
The default file will typically look like this:
<Connector
protocol=”org.apache.coyote.http11.Http11NioProtocol”
maxThreads=”200″
minSpareThreads=”10″
enableLookups=”false”
disableUploadTimeout=”true”
asyncTimeout=”900000″
connectionTimeout=”20000″
acceptCount=”100″
SSLEnabled=”true”
scheme=”https”
secure=”true”
clientAuth=”false”
sslProtocol=”TLS”
keystoreFile=”.keystore”
port=”8443″/>
4) We will be editing the name of the keystoreFile value, as well as adding 2 additional values to this file to enable the new cert.
NOTE: please note the case given in these examples, as the values are case-sensitive.
Change the KeystoreFile value so that it reflects the name of your new cert file.
e.g. keystoreFile=”.keystore” will become keystoreFile=”yourcert.pfx”
5) Add an additional line to the https_customizations file denoting the keystore type.
e.g. keystoreType=”PKCS12″
6) Finally, Add an additional line specifying the keystore password
e.g. keystorePass=”changeit” (put actual password in quotes)
7) save changes and exit. (SHIFT+ :, followed by x! in vi commands)
The file should now look like this:
8) Next, in order to turn off non-secure access to Insight, we will disable the non-secure http access by commenting out the contents of the http_customizations.xml file, also located in \insight\config folder
Comment out the contents of the file by adding the characters to the end.
This will disable http access to the Insight application, only allowing access through the https://variphyserver:8443 address and port. Save and exit the file with SHIFT + : + x! (SHIFT key followed by a colon, then a lowercase x with an exclamation mark).
9) Start the Variphy Insight service again (sudo service variphy start). You should now only be able to access insight via the https:8443 address and should see your wildcard certificate active in the browser .
NOTE: When you upgrade the variphy software, it will back up the current directories, including the certificate, to a set of backup folders, replacing your cert with a generic self-signed one. You can recover your cert with the following steps:
1)Stop the Variphy Insight service (on linux: sudo service variphy stop)
2) Browse to the Variphy Insight install folder, you will see a set of backup folders with the date of your most recent backup. They will be in the format of config_yyyy_mm_dd and app_yyyy_mm_dd.
3)Copy the https_customization.xml file from /Insight/config_yyyy_mm_dd to /Insight/config, replacing the newer one.
4)Copy your cert file from /Insight/app_yyyy_mm_dd/tomcat/yourcert.pfx to the folder/Insight/app/tomcat/
5)Start the Variphy Insight Service (sudo variphy service start) and log back into the web interface (it may take a moment to load after the service restart). You should now be able to log in and authenticate against your wildcard cert.
If you have any questions about this process, or would like some help with installing or repairing your wildcard certificate, please contact support@variphy.com for further assistance.