
Using SSL with exacqVision Web Service (Linux)

Version 8.4 and Higher

Follow the instructions in Article 1002 to configure HTTPS support in the Web Service.


Version 8.2 and Lower

SSL, a security system combining authentication and encryption, is used to protect communication between a web server and client. Enabling SSL on a web server gives all clients connecting to that server two key protections:

  1. The client is able to identify the server. There is no way for a fake server to misrepresent itself to a client.
  2. The communication between the client and server is encrypted, preventing a third party from seeing what data is sent. This ensures the safety of private communication such as usernames and passwords, video data, and more.

NOTES:

  1. This article assumes that exacqVision Web Service version 3.10 or later has been installed with default settings. If you are running version 3.0 to 3.8, see the attached legacy PDF.
  2. A self-signed certificate allows you to use a web browser, but it does not work with mobile devices. Only trusted third-party certificates work with mobile devices.

To use SSL with exacqVision Web Server in Linux, complete the following steps:

  1. Stop exacqVision Web Server by typing sudo /usr/local/exacq/webservice/service.sh stop in a Terminal window.
  2. Open the Web Server Apache Configuration file by typing sudo gedit /etc/evapache/httpd.conf in a Terminal window.
    Find the following lines:

    #Include /etc/evapache/extra/httpd-ssl.conf
    #LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
    #LoadModule ssl_module modules/mod_ssl.so
  3. Delete the pound signs (#) at the beginning of each line.
  4. Save and close the file.
  5. It is recommended, but not required, that you disable the access log for SSL, as this file can grow very large. To do this, open the Apache SSL Configuration file by typing sudo gedit /etc/evapache/extra/httpd-ssl.conf in a Terminal window.
    Find the line with the following text:

    TransferLog "${SRVROOT}/logs/access.log"

    Change it to:

    #TransferLog "${SRVROOT}/logs/access.log"

    When finished, save and close the file.
  6. Open the Web Service configuration file by typing sudo gedit /etc/webservice.conf in a Terminal window.
    Add the following lines to the end of the document:

    [Broker]
    ssl_private_key = /etc/evapache/server.key
    ssl_certificate = /etc/evapache/server.crt

    When finished, save and close the file.
  7. If you were issued certificates, rename them to server.crt and server.key and save them to the /etc/evapache directory and then skip to Step 10. Otherwise, continue with the following steps.
  8. Run cd /etc/evapache in a Terminal window.
  9. To create a self-signed certificate, type sudo openssl req -new -x509 -sha256 -days 365 -nodes -out /etc/evapache/server.crt -keyout /etc/evapache/server.key and answer the questions.

    NOTE: COMMON NAME should be the IP address or FQDN that you use for access to your exacqVision Web Service.
  10. Restart exacqVision Web Server by typing sudo /usr/local/exacq/webservice/service.sh restart.

    NOTE: To connect to exacqVision Web Server using SSL, you must use HTTPS instead of HTTP.

Troubleshooting

If exacqVision Web Service does not start after configuring it for SSL, complete the following steps:

  1. Open the Apache error logs, found by default at /usr/local/exacq/webservice/evapache/logs/error_log.
  2. Look for an entry similar to the following:

    [Wed Mar 04 09:08:54.512004 2015] [ssl:emerg] [pid 19116] AH02565: Certificate and private key www.example.com:443:0 from CERTIFCATE_FILE_NAME.crt and KEYFILE_NAME.key do not match AH00016: Configuration Failed
  3. If you see this entry, complete the following steps:

    a.) Run the following commands, replacing the values in all caps with your values:

    openssl x509 -noout -modulus -in PATH_TO_CRT | openssl md5
    openssl rsa -noout -modulus -in PATH_TO_KEY | openssl md5
    openssl req -noout -modulus -in PATH_TO_CSR | openssl md5

    For example, using the certificate and key locations from this article (PATH_TO_CSR remains whatever file you submitted to the certificate authority):

    openssl x509 -noout -modulus -in /etc/evapache/server.crt | openssl md5
    openssl rsa -noout -modulus -in /etc/evapache/server.key | openssl md5
    openssl req -noout -modulus -in PATH_TO_CSR | openssl md5

    b.) Compare the result values from all of the calls. Each resulting string should be identical. If the values do not match, confer with the certificate authority that issued the certificate.
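
The certificate/key comparison from step 3, as an added shell example (not part of the original article and not exacqVision tooling). It goes beyond the RSA-only modulus check by hashing the public key extracted from each file, so it also works for EC keys, and it uses SHA-256 for the fingerprint. Function names are hypothetical, and the key pairs in selftest are throwaway values constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example: confirm that a certificate and private key belong together
# by comparing SHA-256 digests of the public key taken from each file.
# Function names are hypothetical; nothing here is exacqVision tooling.

digest() { openssl dgst -sha256 -r | cut -d' ' -f1; }

# Digest of the public key embedded in a PEM certificate.
cert_pubkey_digest() {
    local pub
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pub" | digest
}

# Digest of the public key derived from a PEM private key (RSA or EC).
key_pubkey_digest() {
    local pub
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    printf '%s\n' "$pub" | digest
}

# Returns 0 on match, 1 on mismatch, 2 if either file cannot be parsed.
check_pair() {
    local c k
    c=$(cert_pubkey_digest "$1") || { echo "cannot parse certificate: $1" >&2; return 2; }
    k=$(key_pubkey_digest "$2") || { echo "cannot parse private key: $2" >&2; return 2; }
    [ "$c" = "$k" ] && { echo "MATCH $c"; return 0; }
    echo "MISMATCH cert=$c key=$k" >&2
    return 1
}

# Self-test on throwaway key pairs constructed here (not real site keys).
selftest() {
    local d n rc=0
    d=$(mktemp -d) || return 2
    for n in a b; do
        openssl req -new -x509 -sha256 -days 1 -nodes -newkey rsa:2048 \
            -subj "/CN=$n.example.invalid" \
            -keyout "$d/$n.key" -out "$d/$n.crt" 2>/dev/null || rc=2
    done
    check_pair "$d/a.crt" "$d/a.key" >/dev/null || rc=1   # same pair: must match
    check_pair "$d/a.crt" "$d/b.key" 2>/dev/null && rc=1  # other key: must not
    rm -rf "$d"
    return "$rc"
}

# Usage: bash check_pair.sh /etc/evapache/server.crt /etc/evapache/server.key
if [ "$#" -eq 2 ]; then check_pair "$1" "$2"; fi
```

A parse failure is reported separately from a mismatch, so an unreadable or wrongly named file is not mistaken for a bad certificate.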


NOTE: Web Sockets communication will not work using SSL encryption for Web Service versions 7.2.0 – 7.2.6.

Workaround

Disable web sockets in the client configuration page of the browser Client.

Resolution

Update to exacqVision Web Service version 8.4 or later.
