Why isn't https the default?
We are sometimes asked if handing out the clients via plain http instead of https isn't a security problem. We don't think so - this is why:
- Regardless of whether http or https is used, anybody can download the clients or the properties files.
- Using https will prevent somebody from modifying the client or the properties file during the transfer - but since both clients and properties files are signed, tampered files will be detected anyway.
Using https instead of the default http will cause two potential problems:
- If you are using or are considering using the SSL-client, steps to avoid a port conflict must be taken. See here about avoiding this.
- It is increasingly useful to add a second port 443 (i.e. https) as an alternative to the default port 22 for the AppGate server-client communication. This is because some public Wifi hotspots block everything except ports 80 and 443. Using https to distribute the clients will deny you this possibility.
For these reasons we do not recommend that our customers use https instead of http to distribute the clients.
The procedure to change http to https is as follows:
- Generate a server key pair
- Create a server certificate and certificate signing request.
- Have a Certificate Authority (CA) sign this.
- Install the signed certificate on the AppGate server
- Reconfigure the AppGate server to use the certificate and to listen to the https port
The code extracts below will generate a CSR accepted by Thawte; you may have to use slightly different options for other CAs, so consult their documentation if needed. All the commands in the code excerpts are to be run on the AppGate server as root in /var/opt/appgate/local. You may need to create this directory.
Generate a server key pair. Do the following to generate your server key pair, choosing a 512- or 1024-bit key (Important! Use no passphrase, i.e. do not add -des3):
openssl genrsa 1024 > appgateserver.my.domain.key
Next it's necessary to generate the CSR file itself.
While generating the CSR you will be asked lots of questions. Enter appropriate answers. The CN or "YOUR name" should be appgateserver.my.domain. (Of course appgateserver.my.domain should be replaced with the appropriate info.)
Your CA should be able to provide you with more details about this process. Use the same information as for Apache-SSL. Thawte provides info for this here.
openssl req -new -key appgateserver.my.domain.key > appgateserver.my.domain.csr
The file "appgateserver.my.domain.csr" is your CSR.
- Submit the CSR to your CA, together with all other required documentation, info and payment.
- You should receive your certificate from the CA. Make sure that it is in the correct format. (Apache-OpenSSL compatible format should work. It is X509 format, base64 encoded.)
- Transfer the key file (appgateserver.my.domain.key) and the certificate (let's call it "appgateserver.my.domain.crt") to the AppGate server (place them in /var/opt/appgate/local).
- Concatenate the two files.
cat appgateserver.my.domain.crt appgateserver.my.domain.key > /var/opt/appgate/certs/appgateserver.my.domain.all
- Tell ag_httpd to use this file:
ag_cfggetset -s ag_httpd.certfile /var/opt/appgate/certs/appgateserver.my.domain.all
- Restart ag_httpd by running
You are now done! The AppGate webserver should begin listening on port 443 (SSL port) as well as port 80.
By default though, port 80 will be used by the clients. To remedy that, change the links to use "https" instead of "http", i.e. https://appgateserver.my.domain/
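The procedure above, as an added example that is not AppGate's own code: it runs the key, CSR and certfile steps non-interactively and checks that the pieces fit before ag_httpd is pointed at the combined file. It assumes openssl is on the path; WORK stands in for /var/opt/appgate/local, HOST is the page's placeholder hostname, and the CA step is replaced by a self-signature so everything runs offline.

```shell
#!/bin/sh
# Added example, not AppGate's own code: runs the page's key -> CSR -> certfile
# steps non-interactively and checks the pieces fit before ag_httpd uses them.
# WORK stands in for /var/opt/appgate/local; HOST is the page's placeholder name.
set -eu
WORK="${WORK:-$(mktemp -d)}"
HOST="appgateserver.my.domain"

gen_key_and_csr() {
    # 2048 bits rather than the page's 512/1024: public CAs reject shorter keys today.
    openssl genrsa -out "$WORK/$HOST.key" 2048 2>/dev/null || return 1
    # No -des3: ag_httpd needs an unencrypted key, so refuse a passphrase-protected one.
    if grep -q ENCRYPTED "$WORK/$HOST.key"; then return 1; fi
    # -subj answers the CSR questions; the CN must be the server's hostname.
    openssl req -new -key "$WORK/$HOST.key" -subj "/O=Example Org/CN=$HOST" \
        -out "$WORK/$HOST.csr" 2>/dev/null || return 1
    openssl req -in "$WORK/$HOST.csr" -noout -verify 2>/dev/null || return 1
    openssl req -in "$WORK/$HOST.csr" -noout -subject 2>/dev/null | grep -q "CN *= *$HOST"
}

# Stand-in for the CA: self-sign the CSR so the remaining steps can run offline.
fake_ca_sign() {
    openssl x509 -req -in "$WORK/$HOST.csr" -signkey "$WORK/$HOST.key" \
        -days 365 -out "$WORK/$HOST.crt" 2>/dev/null
}

# The check worth doing before concatenating: the certificate the CA returned must
# carry the public key belonging to the key file, or ag_httpd cannot serve TLS.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Builds the single file that ag_cfggetset -s ag_httpd.certfile points at:
# certificate first, then the key, exactly one of each, readable only by root.
build_certfile() {
    cert_matches_key "$WORK/$HOST.crt" "$WORK/$HOST.key" || return 1
    cat "$WORK/$HOST.crt" "$WORK/$HOST.key" > "$WORK/$HOST.all" || return 1
    [ "$(head -n 1 "$WORK/$HOST.all")" = "-----BEGIN CERTIFICATE-----" ] || return 1
    [ "$(grep -c 'BEGIN CERTIFICATE' "$WORK/$HOST.all")" -eq 1 ] || return 1
    [ "$(grep -c 'BEGIN .*PRIVATE KEY' "$WORK/$HOST.all")" -eq 1 ] || return 1
    chmod 600 "$WORK/$HOST.all"
}
```

On a real server, replace fake_ca_sign with the CA-issued certificate and copy the resulting .all file to the /var/opt/appgate/certs path the page uses.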