Global Site
Displaying present location in the site.
July 14th, 2022
Machine translation is used partially for this article. See the Japanese version for the original article.
Introduction
In EXPRESSCLUSTER X 4.0 and later, you can select HTTPS connection as communication method of Cluster WebUI which is the management GUI.
Prior to the initial version of EXPRESSCLUSTER X 4.1 (Internal Ver. 12.10) could use OpenSSL 1.0.2, but since the update EXPRESSCLUSTER X 4.1 (Internal Ver. 12.12) can use OpenSSL 1.1.1.
This time, we will introduce the setting when using OpenSSL 1.1.1 in the Windows environment.
For details on how to set it in the Linux environment, please refer to 
here.
Contents
1. Installing OpenSSL
Install OpenSSL on all servers constituting an HA cluster.
Cluster WebUI uses OpenSSL to communicate over HTTPS.
We can use OpenSSL provided by the distribution in the Linux environment, but we need to download and install OpenSSL separately in the Windows environment.
This time, we will download and use "Win64 OpenSSL v1.1.1p Light" from the following site.
"Microsoft Visual C++ 2017 Redistributable (64-bit)" is required to install Win64 OpenSSL, so if you are asked to install it, please follow the procedure provided to install it.
When running the Win64 OpenSSL installer, leave the default setting of "C:\Program Files\OpenSSL-Win64" as the installation destination.
Also, set the copying OpenSSL DLLs to the OpenSSL binaries (/bin) directory.
2. Creating a Private Key and a Server Certificate
Create a private key and a server certificate to be used for HTTPS communication.
This time, the server certificate is created as a self-signed certificate.
2.1 Create a Folder to Store the Private Key and the Server Certificate
Create a folder to store the private key and the server certificate.
This time, we will create "C:\ssl". Run the command line below.
> mkdir C:\ssl
2.2 Create a Private Key
Use OpenSSL command to create a private key.
This time, we will create a "server.key".
> "C:\Program Files\OpenSSL-Win64\bin\openssl.exe" genrsa -out C:\ssl\server.key 2048
2.3 Create a Certificate Signing Request
Use OpenSSL command to create a certificate signing request.
This time, create the file name as "server.csr".
When run the command bellow, we will enter information such as "Country Name" interactively, so please set it according to your environment.
> "C:\Program Files\OpenSSL-Win64\bin\openssl.exe" req -new -key C:\ssl\server.key -utf8 -out C:\ssl\server.csr
2.4 Create a Server Certificate
Use OpenSSL command to create a server certificate.
This time, create the file name as "server.crt". Also, create a certificate validity period of 3650 days.
> "C:\Program Files\OpenSSL-Win64\bin\openssl.exe" x509 -req -in C:\ssl\server.csr -signkey C:\ssl\server.key -out C:\ssl\server.crt -days 3650 -extensions server
2.5 Distribute the Private Key and the Server Certificate to Servers Constituting an HA Cluster
Distribute the private key and the server certificate that we created to all servers constituting an HA cluster. At this time, store the private key and the server certificate so that they are the same path on all servers.
This time, the private key and the server certificate are stored under "C:\ssl".
- Private key: C:\ssl\server.key
- Server Certificate: C:\ssl\server.crt
3. EXPRESSCLUSTER Settings
Set information of the private key and the server certificate that we created to the EXPRESSCLUSTER.
In order to add it to the Cluster WebUI configuration, build the HA cluster once and then change the setting.
Select "Cluster Properties" in the Config mode of Cluster WebUI.
Select the "WebManager" tab of "Cluster Properties" and select "HTTPS" as the Communication Method.
Select the "Encryption" tab of "Cluster Properties" and set the path such as a certificate file.
- Certificate File: C:\ssl\server.crt
- Private Key File: C:\ssl\server.key
- SSL Library: C:\Program Files\OpenSSL-Win64\libssl-1_1-x64.dll
- Crypto Library: C:\Program Files\OpenSSL-Win64\libcrypto-1_1-x64.dll
After the setting is completed, apply the configuration file to the HA cluster.
The communication protocol to Cluster WebUI will be changed from HTTP to HTTPS in this setting change, so "Restart WebManager service" will be executed.
4. Checking the Operation
After "Restart WebManager service" is completed, we will need to connect with HTTPS because we cannot connect with HTTP. Therefore, the web browser screen that connected to change the setting of EXPRESSCLUSTER, will not be updated.
Please reconnect the URL as "https://IP address of the server:29003".
If we can display the Cluster WebUI, the setting change is completed.
- * We will display a warning about the certificate because this setting uses a self-signed certificate.
Conclusion
This time, we introduced how to set up HTTPS using OpenSSL 1.1.1, which has become available in EXPRESSCLUSTER X 4.1 (Internal Ver. 12.12) and later. If you want to encrypt the connection to Cluster WebUI, enable the HTTPS setting.
Thank you for reading the entire this article.
If you consider introducing the configuration described in this article, you can perform a validation with the trial module of EXPRESSCLUSTER. Please do not hesitate to contact us if you have any questions.