How to install your own certificate on AMP -- versions 7.2.0-7.2.3 

Jun 25, 2014 04:47 PM

The following document describes installing an SSL certificate in AirWave versions 7.2.0, 7.2.1, 7.2.2, 7.2.3.

Installing a valid SSL (Secure Sockets Layer) certificate on AMP is a 3-step process:

I. Create a CSR (Certificate Signing Request) file
II. Send the CSR to a third-party Certificate Authority (CA)
III. Install the certificate you receive from the CA on your AirWave server


I. CREATE A CERTIFICATE SIGNING REQUEST (CSR)
---------------------------------------

1. Find the file openssl.cnf on your server. On most systems it's located in one of these two directories:

/usr/share/ssl/
/etc/pki/tls/

2. Edit openssl.cnf using nano, vi or the text editor of your choice.

# nano /etc/pki/tls/openssl.cnf

-OR-

# nano /usr/share/ssl/openssl.cnf

3. Go to the section named [ req_distinguished_name ]:

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = California
0.organizationName = Aruba Networks, Inc.
organizationalUnitName = AirWave Wireless
commonName = my_amp.airwave.com
emailAddress = some_user@airwave.com

4. Replace the information for Aruba/AirWave with your company's information.

5. Under the [ req_attributes ] section update the challengePassword.

[ req_attributes ]
challengePassword = A challenge password

6. Save the file.

NOTE: In the example below we create a directory named ssl-certs under /var/airwave/custom to store the new certificate request and private key. We recommend storing them here because the /var/airwave/custom directory and all of its subdirectories are included in the nightly backup file in case you need to restore your certificate at some point. This is also the directory where you should save the certificate you get back from the CA (see Step III below).

7. Create ssl-certs directory under /var/airwave/custom:

# mkdir /var/airwave/custom/ssl-certs

8. Run openssl to create a new private key and CSR in the ssl-certs directory:

# openssl req -new -nodes -keyout /var/airwave/custom/ssl-certs/newcert_private.key -out /var/airwave/custom/ssl-certs/newcert.csr


II. REQUEST A CERTIFICATE FROM A VALID CERTIFICATE AUTHORITY
------------------------------------------------------------

Any certificate authority (such as Verisign, Thawte, InstantSSL) can fulfill your request. When you're prompted for a CSR, provide the contents of the newcert.csr file you generated in step 8 above.

If the CA sends you several certificates, you probably want the one that's described as a base64-encoded X.509 certificate.

III. YOU'VE RECEIVED YOUR CERTIFICATE, HOW DO YOU INSTALL IT?
-------------------------------------------------------------

This example assumes that you've named your certificate newcert.crt. You can name it anything you want.

1. Save the certificate as /var/airwave/custom/ssl-certs/newcert.crt

2. Concatenate your certificate and private key into one file, to be used by lighttpd. Add a new line to the end of the certificate to ensure that the two files don't get jumbled together during the concatenation.

# echo -e "\n" >> /var/airwave/custom/ssl-certs/newcert.crt
# cat /var/airwave/custom/ssl-certs/newcert.crt /var/airwave/custom/ssl-certs/newcert_private.key > /var/airwave/custom/ssl-certs/lighttpd.crt

3. Modify the symbolic (soft) links in the default directories to point to your new certificate and private key files:

# ln -sf /var/airwave/custom/ssl-certs/newcert.crt /etc/httpd/conf/ssl.crt/server.crt
# ln -sf /var/airwave/custom/ssl-certs/newcert_private.key /etc/httpd/conf/ssl.key/server.key
# ln -sf /var/airwave/custom/ssl-certs/lighttpd.crt /etc/httpd/conf/ssl.pem

4. Restart the Apache and lighttpd web servers:

# ra
# service lighttpd restart

5. Wait a few moments for Apache to come back up, then log in to your server's web UI to confirm that you can access the AMP using your new certificate.
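
The following script is an added example, not part of the original article or of AirWave. It checks the combined file from step III.2 for the jumbled concatenation that step warns about, and checks that files holding the private key are not readable by group or other; run it before the restart in step 4. The function names check_pem_bundle and key_is_private are hypothetical, and the demo files are constructed placeholders.

```sh
#!/bin/sh
# Added example (not from the original article): pre-restart checks for the
# files built in step III. Function names are hypothetical.

# check_pem_bundle FILE: succeed only if every PEM marker is alone on its
# line, BEGIN/END pairs match, and FILE holds >=1 certificate and 1 key.
check_pem_bundle() {
    awk '
        { sub(/\r$/, "") }
        /-----(BEGIN|END) / {
            # Two markers fused on one line is what a missing trailing
            # newline in the certificate produces when the files are joined.
            if ($0 !~ /^-----(BEGIN|END) [A-Z0-9 ]+-----$/) {
                print "jumbled marker at line " NR; bad = 1; next
            }
            kind = $0
            sub(/^-----(BEGIN|END) /, "", kind); sub(/-----$/, "", kind)
            if ($0 ~ /^-----BEGIN/) {
                if (cur != "") { print "BEGIN inside open block, line " NR; bad = 1 }
                cur = kind
                if (kind ~ /PRIVATE KEY$/) { keys++ } else if (kind == "CERTIFICATE") { certs++ }
            } else {
                if (cur != kind) { print "unmatched END at line " NR; bad = 1 }
                cur = ""
            }
        }
        END {
            if (cur != "") { print "unterminated block: " cur; bad = 1 }
            if (certs < 1) { print "no certificate block"; bad = 1 }
            if (keys != 1) { print "expected 1 private key, found " (keys + 0); bad = 1 }
            exit bad + 0
        }' "$1"
}

# key_is_private FILE: succeed only if group and other have no access bits.
# openssl req -nodes writes the key unencrypted, and lighttpd.crt contains a
# copy of it, so both files should pass this check.
key_is_private() {
    [ "$(ls -lLd "$1" | cut -c5-10)" = "------" ]
}

# Demo on constructed placeholder files (bodies are not real key material).
demo=$(mktemp -d)
printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' placeholder '-----END CERTIFICATE-----' > "$demo/newcert.crt"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' placeholder '-----END RSA PRIVATE KEY-----' > "$demo/newcert_private.key"
cat "$demo/newcert.crt" "$demo/newcert_private.key" > "$demo/lighttpd.crt"
check_pem_bundle "$demo/lighttpd.crt" || echo "bundle is malformed: fix before restarting lighttpd"
rm -rf "$demo"
```

On the server, the real calls would be check_pem_bundle /var/airwave/custom/ssl-certs/lighttpd.crt and key_is_private on both lighttpd.crt and newcert_private.key.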


TROUBLESHOOTING
-------------------------------------------------------------

Check the SSL configuration file to make sure the paths to your certificate and private key files are correct. The default file locations should be specified. These paths will point to the symbolic links you set up in step III.3 above that in turn point to the new certificate and private key files in the /var/airwave/custom/ssl-certs/ directory.

NOTE: The ssl.conf file is overwritten during upgrades, so if you were to specify the path directly to the certificate and key files themselves, you would have to edit the ssl.conf file each time you upgraded the server.

# nano /etc/httpd/conf.d/ssl.conf

SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt

SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
