5.2 Enabling HTTPS Connections to Your Cloud Bridge Agent

In some instances, a company’s security policy for on-premises applications requires that all HTTP connections be protected by the HTTPS protocol. This section describes how to generate a self-signed HTTPS certificate and import it into a Java keystore, and how to enable the Cloud Bridge Agent (CBA) to use that keystore to secure HTTP connections to the CBA user interface and APIs. The use of a self-signed certificate should be a temporary solution, and OpenText recommends that you take steps to replace the initial, self-generated certificate with a purchased certificate from a reputable certificate authority as soon as possible.

5.2.1 Prerequisites

Before you enable HTTPS for the Cloud Bridge Agent, verify that you have taken the following steps:

  1. You have received and executed the installation script for the Cloud Bridge Agent.

  2. The Cloud Bridge Agent is up and running on the Docker or Podman host server.

  3. You have the appropriate rights to the host server file system to add and edit some files.

  4. You know the location of the Cloud Bridge Agent installation on the host server.

  5. The host server has Java 11 keytool installed. You can check your Java version using the java -version command.

5.2.2 Enabling HTTPS

The process of enabling HTTPS includes the following steps:

  1. Generate the new certificate and keystore.

  2. Enable HTTPS connections.

  3. Verify HTTPS connectivity.

Generate the New Certificate and Keystore

When you install the Cloud Bridge Agent, the agent/conf/ directory is created below the installation location <CBA_install_dir>.

From the installation location:

  1. Use the cd command to navigate to the <CBA_install_dir>/agent/conf directory.

  2. Using keytool:

    1. Generate the new certificate and Java keystore.

      keytool -genkey -keyalg RSA -alias localhost -keystore bridge.keystore -storepass changeme -validity 360 -keysize 2048
    2. Enter the appropriate information when prompted.

      When completed, a new file named bridge.keystore is created in the directory.

  3. (Optional) If you are requesting a Certificate Authority (CA) signed (paid) certificate:

    1. Using keytool, use the key pair in bridge.keystore to create a certificate signing request (CSR):

      keytool -certreq -alias localhost -keystore bridge.keystore -storepass changeme -file mycert.csr

      The CSR contains the fully qualified DNS name of the server, the public key of the key pair, and other such information that identifies the web server.

    2. Send the CSR to a well-known CA such as DigiCert. The CA uses the CSR to generate a server certificate for the web server. The server certificate contains the public key and the web server’s information included in the CSR. The CA signs the certificate with its private key and sends the signed web server certificate back to you.

    3. When you get the real certificate from the CA, import it into bridge.keystore using keytool, under the same alias (localhost) as the key pair so that keytool associates the certificate with the existing private key. When a browser accesses the web server, the web server sends the certificate signed by the private key of the CA to the browser. The browser has a copy of the CA’s public key in its truststore and uses that public key to verify the CA’s signature. The browser then trusts communication coming from this web server.

For more information about certificates, see Understanding the Components of Secure Communication.

Enable HTTPS Connections

To allow HTTPS connections to the CBA user interface and REST endpoints, you must edit the <CBA_install_dir>/agent/conf/bridge-agent.yml file. You must also update the container definition in the create.sh script file to allow connections to the HTTPS ports.

  1. Edit the bridge-agent.yml file:

    1. We recommend that you copy the bridge-agent.yml file to something like bridge-agent.yml.bak in case you need to restore the file.

    2. For both the applicationConnectors: and adminConnectors: sections in the file, remove the comment indicators (#) from the - type:, port, and keystore entries.

    3. Save the changes.

  2. Edit the create.sh file:

    1. Use the cd command to return to the <CBA_install_dir>/agent/ directory.

    2. Edit the create.sh script file:

      1. Locate the port-mapping entry -p "8080:8080" -p "8081:8081" \

      2. Duplicate this line directly below the original and, in the new line, change the ports from "8080:8080" to "8443:8443" and from "8081:8081" to "8444:8444".

        These will be the HTTPS connection ports.

  3. Stop the Cloud Bridge Agent, recreate the container with the new ports mapped, then start the Cloud Bridge Agent.

    1. From the <CBA_install_dir>/agent directory, stop the Agent:

      sh stop.sh

    2. Remove the bridge-agent container:

      sh remove.sh

    3. Recreate the container:

      sh create.sh

    4. (Conditional) If the sh create.sh command did not start the container, start the container:

      sh start.sh
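The create.sh edit in step 2 above, scripted so it can be applied and checked consistently across hosts. This is an added example, not part of the OpenText documentation or the agent's own scripts; it assumes create.sh contains the exact port-mapping line shown in the procedure, and the sample create.sh it operates on is constructed here.

```shell
#!/bin/sh
# Added example (not OpenText code). Duplicates the HTTP port-mapping line of a
# create.sh container definition with the HTTPS ports 8443 and 8444, as the
# procedure describes, then checks the result.

# Insert the HTTPS mapping directly beneath the HTTP one. Idempotent: a file
# that already maps 8443 is left as-is. A backup is written to <file>.bak first,
# matching the documentation's advice to keep a copy before editing.
add_https_ports() {
    file=$1
    if grep -q '8443:8443' "$file"; then
        return 0
    fi
    cp "$file" "$file.bak"
    awk '
        { print }
        /-p "8080:8080" -p "8081:8081"/ {
            line = $0
            sub(/8080:8080/, "8443:8443", line)
            sub(/8081:8081/, "8444:8444", line)
            print line
        }
    ' "$file.bak" > "$file"
}

# Succeed only when each HTTPS mapping appears exactly once.
check_https_ports() {
    file=$1
    [ "$(grep -c '"8443:8443"' "$file")" -eq 1 ] &&
    [ "$(grep -c '"8444:8444"' "$file")" -eq 1 ]
}

# Constructed sample of the port-mapping portion of create.sh (not the real file).
SAMPLE_CREATE_SH=$(mktemp)
cat > "$SAMPLE_CREATE_SH" <<'EOF'
docker create --name bridge-agent \
    -p "8080:8080" -p "8081:8081" \
    -v "$PWD/conf:/opt/agent/conf" \
    bridge-agent:latest
EOF

add_https_ports "$SAMPLE_CREATE_SH"
add_https_ports "$SAMPLE_CREATE_SH"   # second run must not add a second copy
check_https_ports "$SAMPLE_CREATE_SH" && echo "HTTPS port mappings present"
```

Run it from the <CBA_install_dir>/agent directory with the real create.sh path in place of the sample to apply the edit, then continue with the stop/remove/create steps.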

Verify HTTPS Connectivity

You should now be able to connect to the Cloud Bridge Agent user interface using the following URL. Until you replace the self-signed certificate with a CA-signed one, the browser shows a certificate warning for this connection.

  • https://<hostname>:8443/