
506. Secure Foretify Manager

506.1 Configure the Foretify Manager Server

By default, the server communicates using HTTP protocol with unencrypted requests and responses. To encrypt communications, you can configure the server to use HTTPS protocol.

With this configuration, users trying to connect via the old HTTP port will see an error. To remedy this, you have the option of rerouting HTTP connections to HTTPS.

To secure the Foretify Manager service:

  1. Package the certificate and private key.

  2. Configure the server.

  3. Configure additional services and clients (e.g. Dispatcher, RMT Proxy Service, Python SDK).

506.1.1 Package the certificate and private key

Before configuring the server, you must obtain an appropriate SSL certificate and private key. See OpenSSL, for example, to learn how to do this.

The Foretify Manager server requires the certificate and key files to be packaged in a PKCS12 file (a keystore file). You must either place the keystore file in the working directory where the server is invoked or specify its path in the configuration file.

To package the certificate and key:

Execute the openssl script:

Shell command: execute openssl to create a package

$ openssl pkcs12 -export -in <certificate_filename> -inkey <private_key_filename> \
    -name <alias> -out <keystore_filename>

Option   Description
-in      Name of the certificate file you have obtained.
-inkey   Name of the private key file you have obtained.
-name    Name for the certificate-key pair. (The keystore can store more than one pair.)
-out     Name of the keystore file to be created.

Shell command: execute openssl (example)

$ openssl pkcs12 -export -in my_certificate.crt -inkey my_private.key \
    -name tomcat -out keystore.p12

During the execution of the command above, you are prompted for a password twice (the second time for verification). This is not the passphrase used when the private key was generated: it is the export password that protects the p12 keystore, and it is required whenever the keystore is used. You must specify this password in the server configuration file.

For more information on this command, see openssl-pkcs12.

506.1.2 Create the configuration file

  1. Create a file called application.properties.

  2. Place it in the working directory where the server is launched.

The configuration file contains the following lines. The last line is optional.

application.properties file syntax

server.port=<port>
server.ssl.enabled=true | false
server.ssl.key-store=<path-to-file>
server.ssl.key-store-password=<password>
server.ssl.keyAlias=<alias>
server.port.http=<port>

Option name                    Description
server.port                    Port number to be used for HTTPS communications. If this server uses 8080 for HTTP communications and you want to reroute those communications to HTTPS, you must set server.port to a different port (not 8080). Setting it to 8443 is a common practice, but you can specify any port.
server.ssl.enabled             When true, HTTPS communications are enabled. If false and server.port is set to 8080, HTTP communication is enabled.
server.ssl.key-store           By default, the keystore file containing the certificate-key pair is placed in the working directory where the server is launched. If the file is elsewhere, you must specify its location with a path relative to the working directory.
server.ssl.key-store-password  Password used when the keystore file was created.
server.ssl.keyAlias            Alias used for the certificate-key pair.
server.port.http               HTTP connections to this port (usually 8080) are automatically redirected to the HTTPS port specified with server.port.

application.properties file example

server.port=8443
server.ssl.enabled=true
server.ssl.key-store=../keystores/keystore.p12
server.ssl.key-store-password=alleyCat3
server.ssl.keyAlias=tomcat
server.port.http=8080

506.2 Configure additional services & clients

After configuring the Foretify Manager server to use HTTPS, it is no longer available at its default URL. Its new URL needs to be configured in the services that communicate with the server, such as the Dispatcher and the RMT Proxy.

If a self-signed certificate was used to secure the server, that certificate also needs to be provided to the services and clients that communicate with Foretify Manager, such as the Python SDK, so that they can verify the server.

506.2.1 Connect Foretify Manager's Python SDK to a secured server

If a self-signed certificate was used to secure the server, it needs to be available to the Python code before executing client code, by setting the following environment variable in a terminal window:

Shell command: set env var for certificate
$ export REQUESTS_CA_BUNDLE=</path/to/certificate.crt>

Or, you can import it into your Python code:

Python code: set env var for certificate

import os

# Must run before the first SDK call; replace the placeholder with the path to the certificate file.
os.environ["REQUESTS_CA_BUNDLE"] = "/path/to/certificate.crt"

Then, additional parameters need to be passed to the login API, since the default 8080 port and HTTP protocol are not in use. For example:

Python code: pass https parameter
client.login("fmanager_hostname", "my_user", "my_password", 8443, "https")

After login, all the other API calls remain the same.
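As an added illustration (not SDK code; the SDK client object is only assumed to expose the login signature shown above), the helper below sets REQUESTS_CA_BUNDLE before the first request is sent and derives the extra login arguments from the server's URL. load_self_signed_bundle, login_secured and RecordingClient are hypothetical names introduced here.

```python
import os
from urllib.parse import urlsplit

def load_self_signed_bundle(path):
    """Point requests at a self-signed certificate (PEM) before any SDK call is made.

    REQUESTS_CA_BUNDLE is read when a request is sent, so setting it after the first
    call is too late. A file that is not PEM (e.g. the .p12 keystore picked by mistake)
    cannot be loaded as a CA bundle, so the file is shape-checked first.
    """
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if b"-----BEGIN CERTIFICATE-----" not in head:
        raise ValueError(f"{path} is not a PEM certificate; export the public certificate, not the keystore")
    os.environ["REQUESTS_CA_BUNDLE"] = os.path.abspath(path)
    return os.environ["REQUESTS_CA_BUNDLE"]

def login_secured(client, fmanager_url, user, password, ca_bundle=None):
    """Derive host, port and protocol from the URL and call client.login with the extra arguments."""
    url = urlsplit(fmanager_url)
    if url.scheme not in ("http", "https") or not url.hostname or url.port is None:
        raise ValueError("fmanager_url must be of the form https://host:port")
    if url.scheme == "https" and ca_bundle:
        load_self_signed_bundle(ca_bundle)   # env var is in place before login sends anything
    client.login(url.hostname, user, password, url.port, url.scheme)
    return url.hostname, url.port, url.scheme

class RecordingClient:
    """Hypothetical stand-in for the SDK client; it only records the login arguments."""
    def __init__(self):
        self.calls = []

    def login(self, *args):
        self.calls.append(args)
```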

506.2.2 Configure Dispatcher to connect with a secured Foretify Manager

The configurations of the Dispatcher and of the K8s worker pods need to be updated in order to connect securely to Foretify Manager.

If a self-signed certificate was used, it should be placed in the shared directory on the Dispatcher server.

Two configuration files need to be updated:

  • Foretify Manager's application.properties
  • Dispatcher's dispatcher.env

In Foretify Manager's application.properties, add or update the following parameters:

application.properties file syntax

dispatcher.fmanagerHost=<hostname>
dispatcher.fmanagerPort=<port_number>
dispatcher.fmanagerProtocol=<http/s>
dispatcher.sharedFolder=</path/to/shared/directory>
dispatcher.fmanagerCABundle=</path/to/certificate.crt>

Option name                  Description
dispatcher.fmanagerHost      Foretify Manager's hostname or IP, as accessible from Dispatcher and the K8s pods.
dispatcher.fmanagerPort      Foretify Manager's port number.
dispatcher.fmanagerProtocol  Foretify Manager's protocol ("http" or "https").
dispatcher.sharedFolder      Path to a shared directory on the Dispatcher server's file system.
dispatcher.fmanagerCABundle  Path to Foretify Manager's public self-signed certificate, placed under the shared directory.

application.properties file example

dispatcher.fmanagerHost=172.71.32.184
dispatcher.fmanagerPort=8443
dispatcher.fmanagerProtocol=https
dispatcher.sharedFolder=/opt/foretellix/dispatcher/shared
dispatcher.fmanagerCABundle=/opt/foretellix/dispatcher/shared/crt/ca_cert.crt

In Dispatcher's dispatcher.env, add or update the following parameters:

dispatcher.env file syntax

FMANAGER_URL=<url>
FMANAGER_CA_BUNDLE=</path/to/certificate.crt>

Option name         Description
FMANAGER_URL        Foretify Manager's URL, as accessible from Dispatcher and the K8s pods.
FMANAGER_CA_BUNDLE  Path to Foretify Manager's public self-signed certificate, placed under the shared directory.

dispatcher.env file example

FMANAGER_URL=https://172.71.32.184:8443
FMANAGER_CA_BUNDLE=/opt/foretellix/dispatcher/shared/crt/ca_cert.crt
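A consistency check for the settings from 506.1.2 and this section, added here as an example and not a Foretellix tool: it parses both files as plain key=value lines and cross-checks server.port, the dispatcher.* keys and dispatcher.env against the rules stated in the tables above. The sample inputs are constructed from the page's own example values; parse_properties and check_secure_config are names introduced here.

```python
from urllib.parse import urlsplit

def parse_properties(text):
    """Parse key=value lines as found in application.properties and dispatcher.env."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_secure_config(app_props_text, dispatcher_env_text):
    """Return a list of findings; an empty list means the two files agree with each other."""
    app, env = parse_properties(app_props_text), parse_properties(dispatcher_env_text)
    findings = []
    if app.get("server.ssl.enabled") == "true":
        for key in ("server.ssl.key-store", "server.ssl.key-store-password", "server.ssl.keyAlias"):
            if not app.get(key):
                findings.append(f"{key} is required when server.ssl.enabled=true")
        if app.get("server.port.http") and app["server.port.http"] == app.get("server.port"):
            findings.append("server.port.http must differ from server.port to redirect HTTP to HTTPS")
    proto = app.get("dispatcher.fmanagerProtocol")
    host, port = app.get("dispatcher.fmanagerHost"), app.get("dispatcher.fmanagerPort")
    if proto == "https" and port != app.get("server.port"):
        findings.append(f"dispatcher.fmanagerPort={port} does not match server.port={app.get('server.port')}")
    bundle = app.get("dispatcher.fmanagerCABundle")
    shared = app.get("dispatcher.sharedFolder", "").rstrip("/")
    # The certificate must sit under the shared directory so the K8s worker pods can read it too.
    if bundle and not (shared and bundle.startswith(shared + "/")):
        findings.append("dispatcher.fmanagerCABundle must be located under dispatcher.sharedFolder")
    if env.get("FMANAGER_CA_BUNDLE") != bundle:
        findings.append("FMANAGER_CA_BUNDLE in dispatcher.env differs from dispatcher.fmanagerCABundle")
    url = urlsplit(env.get("FMANAGER_URL", ""))
    if (url.scheme, url.hostname, url.port) != (proto, host, int(port) if port and port.isdigit() else None):
        findings.append(f"FMANAGER_URL={env.get('FMANAGER_URL')!r} disagrees with the dispatcher.* settings")
    return findings

# Constructed sample input: the values from this page's examples, concatenated into one file each.
APP_PROPS_OK = (
    "server.port=8443\nserver.ssl.enabled=true\nserver.ssl.key-store=../keystores/keystore.p12\n"
    "server.ssl.key-store-password=alleyCat3\nserver.ssl.keyAlias=tomcat\nserver.port.http=8080\n"
    "dispatcher.fmanagerHost=172.71.32.184\ndispatcher.fmanagerPort=8443\ndispatcher.fmanagerProtocol=https\n"
    "dispatcher.sharedFolder=/opt/foretellix/dispatcher/shared\n"
    "dispatcher.fmanagerCABundle=/opt/foretellix/dispatcher/shared/crt/ca_cert.crt\n"
)
DISPATCHER_ENV_OK = ("FMANAGER_URL=https://172.71.32.184:8443\n"
                     "FMANAGER_CA_BUNDLE=/opt/foretellix/dispatcher/shared/crt/ca_cert.crt\n")
```

Running check_secure_config(APP_PROPS_OK, DISPATCHER_ENV_OK) returns an empty list; changing server.port.http to 8443 or the URL scheme to http produces one finding each.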

506.2.3 Configure RMT Proxy to connect with a secured Foretify Manager

If a self-signed certificate was used to secure the server, it needs to be configured in RMT Proxy's application.properties.

  1. Create a keystore file from the certificate:

    Shell command: create a keystore file
    $ keytool -import -file <CERTIFICATE_FILENAME> -alias fmanager_cert -keystore <KEYSTORE_FILENAME>

    The program prompts for a keystore password, which you need to configure later as fmanager.sslTrustStorePassword (step 2).

    It also prompts for trust verification. Type "yes".

  2. Edit application.properties to include the keystore filename and password:

    application.properties file syntax
    fmanager.sslTrustStore=<KEYSTORE_PATH_AND_FILENAME>
    fmanager.sslTrustStorePassword=<KEYSTORE_PASSWORD>