OpenAthens LA support will end on 31 March 2020

If you are comfortable with certificate warnings whilst you install and test, you can skip this section until you are ready to go live with your end users.

It is recommended that you use a certificate from a recognised certificate authority, so that your users do not get warnings in their browsers when they log in. This page assumes that you have one available.

Prerequisites

  • A certificate in the name of your runtime, e.g. idp.yourdomain.com or *.yourdomain.com
    • You will need it as two PEM files: the certificate as a .crt file and the private key as a .key file.
    • The private key must not be passphrase-protected (a protected key makes Apache prompt for the passphrase on every restart; see the note at the end of this page).
  • If using the proxy, a wildcard certificate for it, e.g. *.proxy.yourdomain.com

Where to put your certificates

Both the IdP and proxy certificates sit in the same folders which are:

CRT files sit in the /etc/pki/tls/certs folder

KEY files sit in the /etc/pki/tls/private folder

If you had initially transferred the certificate files to the /tmp folder on the runtime, you would move them as follows:

sudo mv /tmp/*.yourdomain.com.crt /etc/pki/tls/certs/
sudo mv /tmp/*.yourdomain.com.key /etc/pki/tls/private/

Check the ownership, permissions and security context

Check by listing the directory with ls -Z, which adds the SELinux security context to the listing. This is what you want to see for the permissions, ownership and context:

>cd /etc/pki/tls/certs
>ls -Z
-rw-------. root root system_u:object_r:cert_t:s0 idp.yourdomain.com.crt
...

To change the permissions if they do not appear as -rw-------:

sudo chmod 600 *.yourdomain.com.crt

To change the ownership if they do not appear as root root:

sudo chown root:root *.yourdomain.com.crt

To change the security context if it does not appear as system_u:object_r:cert_t:s0:

sudo chcon -u system_u -r object_r -t cert_t *.yourdomain.com.crt

Repeat as necessary for the /etc/pki/tls/private folder. The settings should be the same:

>cd /etc/pki/tls/private
>ls -Z
-rw-------. root root system_u:object_r:cert_t:s0 idp.yourdomain.com.key
...

sudo chmod 600 *.yourdomain.com.key
sudo chown root:root *.yourdomain.com.key
sudo chcon -u system_u -r object_r -t cert_t *.yourdomain.com.key

Update the 'vhost' configuration file(s)

You have to make a small change to the openathensla-runtime.conf.local configuration file to tell Apache where your new IdP certificate and key are.

sudo nano /etc/httpd/conf.d/openathensla-runtime.conf.local

The first section of this file gives the locations of your IdP certificate and key; edit the paths to match your file names:

#SSL stuff
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/idp.yourdomain.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/idp.yourdomain.com.key
#If your certificate is signed by an intermediate
#CA uncomment the following and place any intermediate
#certificates in the specified file.
#SSLCACertificateFile /etc/pki/tls/certs/chain.crt
...

Almost all certificates issued by public CAs are signed by an intermediate CA rather than directly by the root, so you will normally need this step. After the restart at the end of this page you can confirm that the full chain is being served by connecting with openssl s_client (with -showcerts) to port 443 of your runtime: if its verification result reports that it is unable to verify the first certificate, the intermediate is not being sent and browsers without it cached will still warn. If you have a certificate signed by an intermediary and need help installing it to the correct place, contact our service desk.

If you are using the proxy, you also need to modify the openathensla-proxy.ssl.local file in the same way so that it knows about the proxy certificate and key:

sudo nano /etc/httpd/conf.d/openathensla-proxy.ssl.local

#SSL stuff
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/proxy.yourdomain.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/proxy.yourdomain.com.key
#If your certificate is signed by an intermediate
#CA uncomment the following and place any intermediate
#certificates in the specified file.
#SSLCACertificateFile /etc/pki/tls/certs/chain.crt

Finally, restart Apache:

sudo service httpd restart

If the Apache restart asks for a certificate password, your private key is passphrase-protected. Remove the passphrase before you continue (for example by writing an unencrypted copy of the key with openssl's rsa command and swapping it in with the same 0600 root-only permissions and cert_t context as above); otherwise Apache cannot be restarted unattended and will need a manual restart every time the administration console publishes a change to the runtime(s).
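The whole procedure on this page (move the files into place, fix mode, owner and SELinux context, confirm the key carries no passphrase and actually matches the certificate, then point the vhost file at the new paths) collected into one script, as an added example that is not part of OpenAthens LA or its documentation. It assumes GNU coreutils and OpenSSL on the runtime, uses the directories and directive names shown on this page, and treats CERT_OWNER and the script name certcheck.sh as stand-ins; the proxy pair is installed the same way by calling install_pair again with the proxy file names.

```shell
#!/bin/sh
# Added example, not part of OpenAthens LA: stage a certificate/key pair for
# the runtime and check the things this page asks you to check before you
# restart Apache. The directory defaults, CERT_OWNER and the hypothetical
# script name certcheck.sh are assumptions; override them to suit your host.

CERT_DIR=${CERT_DIR:-/etc/pki/tls/certs}
KEY_DIR=${KEY_DIR:-/etc/pki/tls/private}
CERT_OWNER=${CERT_OWNER:-root:root}

# selinux_active: 0 when SELinux is enabled in this namespace; the page's
# chcon step and the context check only mean something then.
selinux_active() { [ -f /sys/fs/selinux/enforce ]; }

# check_file FILE: print one line per problem with FILE's mode, ownership or
# SELinux label and return 1; print nothing and return 0 when FILE matches
# the page's expected "-rw------- root root system_u:object_r:cert_t:s0".
check_file() {
  f=$1; rc=0
  [ -f "$f" ] || { echo "$f: missing"; return 1; }
  mode=$(stat -c '%a' "$f")
  [ "$mode" = 600 ] || { echo "$f: mode is $mode, want 600"; rc=1; }
  owner=$(stat -c '%U:%G' "$f")
  [ "$owner" = "$CERT_OWNER" ] || { echo "$f: owner is $owner, want $CERT_OWNER"; rc=1; }
  if selinux_active; then
    ctx=$(stat -c '%C' "$f" 2>/dev/null || echo '?')
    case $ctx in
      '?') ;;                                    # stat could not read a label
      *:object_r:cert_t:*) ;;
      *) echo "$f: context is $ctx, want system_u:object_r:cert_t:s0"; rc=1 ;;
    esac
  fi
  return $rc
}

# fix_file FILE: apply the chmod/chown/chcon commands from the page.
fix_file() {
  chmod 600 "$1" && chown "$CERT_OWNER" "$1" || return 1
  if selinux_active; then
    chcon -u system_u -r object_r -t cert_t "$1"
  fi
}

# key_is_encrypted KEY: 0 if the PEM key carries a passphrase (either the
# PKCS#8 "ENCRYPTED PRIVATE KEY" form or the legacy Proc-Type header).
# Apache would prompt for it on every restart, which breaks unattended publishes.
key_is_encrypted() {
  grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$1"
}

# strip_passphrase KEY OUT [PASS]: write an unencrypted copy of KEY to OUT.
# Without PASS, openssl prompts for the passphrase interactively.
strip_passphrase() {
  if [ -n "$3" ]; then openssl rsa -in "$1" -out "$2" -passin "pass:$3"
  else openssl rsa -in "$1" -out "$2"; fi
}

# key_matches_cert KEY CRT: 0 if KEY's public half is the one inside CRT.
key_matches_cert() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; return 2; }
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# set_vhost_cert CONF CRT KEY: point the SSLCertificateFile and
# SSLCertificateKeyFile directives in CONF at CRT and KEY, in place.
# (Paths containing '|' or '&' would need a different sed delimiter/escaping.)
set_vhost_cert() {
  sed -i \
    -e "s|^\([[:space:]]*SSLCertificateFile\)[[:space:]].*|\1 $2|" \
    -e "s|^\([[:space:]]*SSLCertificateKeyFile\)[[:space:]].*|\1 $3|" "$1"
}

# install_pair NAME SRC_DIR: move NAME.crt and NAME.key from SRC_DIR into
# CERT_DIR/KEY_DIR, fix their metadata and run every check above.
install_pair() {
  name=$1; src=$2
  mv "$src/$name.crt" "$CERT_DIR/" && mv "$src/$name.key" "$KEY_DIR/" || return 1
  fix_file "$CERT_DIR/$name.crt" && fix_file "$KEY_DIR/$name.key" || return 1
  check_file "$CERT_DIR/$name.crt" && check_file "$KEY_DIR/$name.key" || return 1
  if key_is_encrypted "$KEY_DIR/$name.key"; then
    echo "$name.key is passphrase-protected; run strip_passphrase first"; return 1
  fi
  key_matches_cert "$KEY_DIR/$name.key" "$CERT_DIR/$name.crt" ||
    { echo "$name.key does not match $name.crt"; return 1; }
}

# Usage on the runtime, as root, after copying the files to /tmp:
#   . ./certcheck.sh
#   install_pair idp.yourdomain.com /tmp
#   set_vhost_cert /etc/httpd/conf.d/openathensla-runtime.conf.local \
#     /etc/pki/tls/certs/idp.yourdomain.com.crt /etc/pki/tls/private/idp.yourdomain.com.key
#   httpd -t && service httpd restart
```

Run install_pair before set_vhost_cert; if it reports a passphrase, strip_passphrase writes an unencrypted copy (prompting once for the current passphrase), which you then move into place and pass through fix_file. The chown and chcon steps need root, so source the script under sudo, and run httpd -t to syntax-check the vhost files before the restart.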

Next steps: