Updated: August 31, 2020 9:16am

SSL Manager

This topic explains how to install SSL certificates on a Prism server or Prism Proxy-only machine using SSL Manager. It assumes that you already have the SSL certificates and that they were issued by a valid Certificate Authority (CA). The files you receive from the CA include a .crt file, which contains the public key that corresponds to the private key file (.pem or .key) generated with the CSR. In SSL Manager, you upload both the certificate (.crt) file and the private key (.pem or .key) file. After you upload the files and restart services, Prism runs on port 443 using https instead of port 8080 using http.
SSL Chain of Authority
When a browser initiates a session with a server, the server sends the browser its SSL certificate, which includes the server's public key. The browser is able to validate the public key and know that it is talking to the real Prism server because the CA (e.g. Comodo or GoDaddy) that issued the certificate already has a root certificate in the browser's Trusted Root Store. There is a chain of authority that exists between the CA and SSL certificates issued by the CA such that browsers inherently trust certificates issued by CAs, including the certificate issued to your company. If your company issued its own certificates, or if the issuing CA is not in the Trusted Root Store of browsers, then you will have to import the CA's cert into the browser at each workstation.

Install SSL Certificates using SSL Manager
Important! If installing certificates on a Proxy-only machine (no server or DRS), shut down the Proxy first. If you don't shut down the proxy, the PrismProxy.ini file will not be updated.
1.    Make sure the certificate files are available on the local machine or network.
2.    Point your web browser to /TTK.
3.    Log in using the Prism username and password of an admin-level user.
4.    Select the server from the menu on the left.
5.    The top of the screen has a set of tabs. Click the SSL tab.
6.    In the displayed UI, enter the full path to the certificate (.crt) file and the full path to the private key (.pem or .key) file. Click the Update Prism Config button.
7.    Stop and start Apache. (Note: Do not use the "Restart" option. Instead, stop the service and then start the service.)

8.   Close the browser and relaunch the Proxy using the desktop shortcut.
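
A pre-upload check for step 6, as an added example that is not part of Prism or SSL Manager: it confirms that the .crt file and the private key are a pair and that the certificate is not about to expire. It assumes the openssl command-line tool and an unencrypted private key; the function names and file paths are hypothetical.

```shell
#!/bin/sh
# Added example: checks to run on the certificate files before entering
# their paths in SSL Manager. Requires the openssl command-line tool.

# Public key embedded in the certificate, as PEM.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Public key derived from the private key, as PEM. The empty -passin value
# makes an encrypted key fail instead of prompting for a passphrase.
key_pubkey() { openssl pkey -in "$1" -pubout -passin pass: 2>/dev/null; }

# Returns 0 if certificate and key are a pair, 1 if they are not,
# 2 if either file could not be read or parsed.
cert_matches_key() {
    c=$(cert_pubkey "$1") || return 2
    k=$(key_pubkey "$2") || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Returns 0 if the certificate is still valid N days from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Runs both checks and prints one result line.
# Usage: preflight server.crt server.key [min_days]
preflight() {
    crt=$1; key=$2; days=${3:-30}
    rc=0
    cert_matches_key "$crt" "$key" || rc=$?
    case $rc in
        0) ;;
        1) echo "FAIL: $crt and $key are not a pair"; return 1 ;;
        *) echo "FAIL: could not read $crt or $key"; return 1 ;;
    esac
    if ! cert_valid_for "$crt" "$days"; then
        echo "FAIL: $crt is expired or expires within $days days"
        return 1
    fi
    echo "OK: $crt matches $key and is valid for at least $days more days"
}

# Run the checks when the script is called with a certificate and a key.
if [ "$#" -ge 2 ]; then
    preflight "$@"
fi
```
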

Prism Component Check
SSL Manager will detect which Prism components are on the machine: Prism Server, RabbitMQ, and/or the Prism Proxy. This is especially important when the machine in question is a "Proxy only" machine.

  • If Prism Server is on the machine, the SSL Manager will modify the prism.conf file to apply the certificates.
  • If RabbitMQ is installed, the SSL Manager will modify the rabbitmq.config file.
  • If the Proxy is installed, the SSL Manager will apply the certificate file names to the PrismProxy.ini file.

Once the certificates are applied, the SSL Manager will alert the user to restart Apache or RabbitMQ as needed. If installing a certificate on a Proxy-only machine, you must restart the Proxy.

Reverting from SSL to Non-SSL
SSL Manager creates a backup of both the prism.conf and rabbitmq.config files before applying SSL changes. If there is a problem with the SSL configuration, click the Revert to Unsecured button to reapply the backed up configuration (prism_backup.conf).
 
SSL Checkboxes in Prism UI
There are a few areas of the Prism UI where HTTPS users must select a "Use SSL" checkbox.
Email Server Preferences
[Screenshot: Email server preferences with SSL checkbox]

Prism Proxy Server Selection
This screen is displayed when a user right-clicks the Proxy icon and selects "Select Server". This screen is also displayed if a problem occurs when launching the Proxy.

[Screenshot: Select server dialog]
 
SSL Flag on Controller (Image Server Considerations)
Controller records have an SSL Flag that comes into play when using a central server to serve merchandise and customer images in Prism. If the controller's SSL flag is selected, then web clients, print engines and Doc Designer can download images from the image server. If the SSL flag is not selected in the Controller record, then images can't be downloaded from the central server. The screenshot below shows the SSL Flag for the CONTROLLER table as viewed using PLSQL Developer.
[Screenshot: SSL Flag]

Guidelines for SSL Certificates
Here are some guidelines, based on the role and placement of the machine, to help you decide if an SSL certificate is needed for a machine.

| Area | Description/Notes |
| --- | --- |
| Public-facing web servers | Required |
| Store Server behind Firewall | Required if the store server has a WAN connection (e.g. to the HQ server). |
| Lanes | Not required if the individual lanes are on a LAN protected by a firewall and other security best practices. |
| PrismProxy | Depends. See the "Browser/Proxy/Store Server Considerations" note that follows. |
| Backoffice workstations | Not required if the back-office workstation is on a LAN protected by a firewall and other security best practices. |
| Image Server | Required. When using the Image Server preference (Node Preferences > Themes & Layouts), the controller needs an SSL certificate to download pictures from the appropriate server. |

Note: Some popular point-of-sale cameras require https.

Browser/Proxy/Store Server Considerations
The proxy functions both as a server (to the web client) and as a client (to the Prism server).

  • If the Prism server is secured with a certificate, the client that communicates with the server is secure, whether that client is the web browser or the proxy.  
  • If the proxy is not secured with a certificate, the connection between the web browser and proxy will be unsecure. But the connection between the proxy and the store server that has a certificate will still be secure.
  • If a user opens a web browser and connects directly to a store server that has a certificate, the connection is secure.

Example: User opens web browser and connects directly to the Prism server (no proxy)
[Diagram: Browser, proxy, server considerations]
Enable SSL on iOS Devices
When installing the Prism Launcher for iOS devices, users can select whether the server uses SSL. Click Enable SSL if you have a certificate to install.
[Screenshot: SSL prompt in iOS launcher]

Sample Enterprise setup:
[Diagram: Sample enterprise network setup]