This topic explains how to install SSL certificates on a Prism server or Prism Proxy-only machine using SSL Manager. A new version of SSL Manager was introduced in Prism 1.14.7; therefore, this topic has information about both versions.
Note: This topic is also available in PDF format: Prism SSL Manager 1.14.7 and Prism SSL Manager 1.14.6
This topic assumes that you already have the SSL certificates and that they were issued by a valid Certificate Authority (CA). The files you receive from the CA include a .crt file. The .crt file contains the public key that corresponds to the private key file (.pem or .key) generated with the certificate signing request (CSR). In SSL Manager, you will upload both the certificate file and the private key file. After uploading the files and restarting services, Prism will run on port 443 using https instead of port 8080 using http.
Before starting, copy the certificate files received from the CA to a folder where they can be accessed by SSL Manager. You will need the certificate file and the private key file that was generated as part of the certificate signing request.
Important! If installing certificates on a Proxy-only machine (no server or DRS), shut down the Proxy first. If you don't shut down the proxy, the PrismProxy.ini file will not be updated.
Prism 1.14.6 and earlier
1. On the server machine where the certificates will be installed, launch Tech Toolkit from the desktop shortcut and log in. This task requires administrator-level permissions, so use the right-click "Run As Administrator" option when launching the shortcut.
2. Select the server from the Current Connection drop-down.
3. Click the SSL Manager button.
4. Click Select Certificate. Browse to the location of the certificate (.crt) file.
5. Click Select Key File. Browse to the location of the file that contains the private key.
6. Click Update Prism Config.
7. Exit Tech Toolkit. Stop and start Apache. (Note: Do not use the "Restart" option. Instead, stop the service, and then start the service.)
8. Close the browser and relaunch the Proxy using the desktop shortcut. After uploading the files and restarting services, Prism will run on port 443 using https instead of port 8080 using http.
Note: Prism 1.14.7 introduces a web-based version of the Technician's Toolkit.
1. On the server where the certificates will be installed, point the web browser to hostname/TTK. The hostname should be the name or IP address of the Prism server.
2. Log in using the Prism username and password of an admin-level user.
3. Select the desired server from the menu on the left.
4. The top of the screen has a set of tabs. Click the SSL tab.
5. In the displayed UI, enter the full path to the certificate (.crt) file and the full path to the private key (.pem or .key) file. Click the Update Prism Config button.
6. Stop and start Apache. (Note: Do not use the "Restart" option. Instead, stop the service, and then start the service.)
7. Close the browser and relaunch the Proxy using the desktop shortcut. After uploading the files and restarting services, Prism will run on port 443 using https instead of port 8080 using http.
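Both procedures end with Prism answering on port 443 over https instead of port 8080 over http. The following check of that result is an added example, not part of the original topic or of the Prism tooling; the host name `prism.example.internal` and all function names are placeholders chosen for illustration.

```python
import socket
import ssl
import time

HOST = "prism.example.internal"  # assumption: placeholder, use your Prism server name

def port_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def fetch_validated_cert(host, port=443, timeout=5.0):
    """TLS handshake with CA-chain and hostname validation; returns the cert dict.
    Raises ssl.SSLCertVerificationError when the chain or name check fails."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def days_until_expiry(cert, now=None):
    """Whole days left before the certificate's notAfter date."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return int((expires - now) // 86400)

def assess(cert, http_8080_open, now=None, warn_days=30):
    """Turn the observations into a list of findings; an empty list means OK."""
    findings = []
    left = days_until_expiry(cert, now)
    if left < 0:
        findings.append("certificate has expired")
    elif left < warn_days:
        findings.append(f"certificate expires in {left} days")
    if http_8080_open:
        findings.append("port 8080 still accepts connections")
    return findings

if __name__ == "__main__":
    try:
        cert = fetch_validated_cert(HOST)
    except (ssl.SSLError, OSError) as exc:
        print(f"HTTPS check on {HOST}:443 failed: {exc}")
    else:
        for finding in assess(cert, port_open(HOST, 8080)) or ["no findings"]:
            print(finding)
```

A failed handshake here usually means the certificate does not chain to a CA trusted by the machine running the check, or that the name used to reach the server is not listed in the certificate.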
Prism Component Check
SSL Manager will detect which Prism components are on the machine: Prism Server, RabbitMQ, and/or the Prism Proxy. This is especially important when the machine in question is a "Proxy only" machine. If Prism Server is on the machine, the SSL Manager will modify the prism.conf file to apply the certificates.
If RabbitMQ is installed, the SSL Manager will modify the rabbitmq.config file.
If the Proxy is installed, the SSL Manager will apply the certificate file names to the PrismProxy.ini file. (Important! The Proxy must be shut down first. If the Proxy is running, the certificate information will not be written to the PrismProxy.ini file.)
Once the certificates are applied, the SSL Manager will alert the user to restart Apache or RabbitMQ as needed. If the proxy is being secured, that will also need a restart. The CA cert is only required for configuring RabbitMQ. There is a RabbitMQ checkbox; if checked, this enables the CA Cert file to be applied. If unchecked, this field is disabled. If RabbitMQ is not installed, the checkbox and CA Cert fields are disabled automatically.
Machines that have only the Proxy installed (no Prism Server, no DRS) require special consideration. You must shut down the Proxy first. If the Proxy is running, the PrismProxy.ini file will not be updated with the certificate information.
Reverting from SSL to Non-SSL
SSL Manager creates a backup of both the prism.conf and rabbitmq.config files before applying SSL changes. If there is a problem with the SSL configuration, click the Revert to Unsecured button to reapply the backed up configuration (prism_backup.conf).
Browser/Proxy/Store Server Considerations
The proxy is both a server (to the web client) and a client (to the Prism server). If the Prism server is secured with a certificate, the client that calls the server is secure, whether that client is the web browser or the proxy.
If the proxy lacks its own certificate, the connection between the web browser and the proxy will be unsecured. But the connection between the proxy and the store server that has a certificate will still be secure. If the proxy is on the LAN behind a firewall, this is enough; the proxy doesn't need a certificate of its own.
If the web browser connects directly to the store server that has a certificate, the connection is secure.
SSL Checkboxes in Prism UI
There are a few areas of the Prism UI where HTTPS users must select a "Use SSL" checkbox.
Email Server Preferences
In Email Server preferences, there is a checkbox that should be selected if using SSL for Email. If using SSL, be sure to set the Simple Mail Transfer Protocol (SMTP) Port to 587.
Prism Proxy Server Selection
This screen is displayed when a user right-clicks the Proxy icon and selects "Select Server". This screen is also displayed if a problem occurs when launching the Proxy (e.g. the Proxy cannot connect to the server).