Disabling HTTP and Running HTTPS Only
This section should not be followed until you have made sure that your HTTPS communication is working properly.
You can configure Orchestra so that it exposes only HTTPS to connecting systems.
In order to do this, a few preconditions must be met:
Some hardware cannot use HTTPS at all, so if you have any of these types of hardware connected to the Central Queue Agent, disabling HTTP is not an option:
• TP3115
• Intro8
• Cinematic
HTTP cannot strictly be disabled, since some components use it for internal communication.
However, it can be set to listen only to localhost (127.0.0.1) so no one outside of the Orchestra machine can use it.
To disable HTTP:
1. First configure HTTPS properly and ensure that it works.
2. Open the System Administration application, go to the Parameters page, and change the system parameters Central HTTP and Central HTTP Protocol.
The setting should be that of the Central HTTPS port; the default is 8443.
The protocol setting should be https.
3. Stop Orchestra.
4. Edit the server configuration file to set address 127.0.0.1 for HTTP traffic.
Wildfly:
File: app\wildfly-11.0.0.Final\standalone\configuration\standalone-full.xml
Change this line:
<socket-binding name="http" port="${jboss.http.port:8080}"/>
To this:
<socket-binding name="http" interface="unsecure" port="${jboss.http.port:8080}"/>
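To confirm the edit in step 4 took effect, the check below resolves which address the http socket binding ends up on. It is an added example, not part of the Orchestra documentation or product; the function names are hypothetical, and the sample XML is constructed on the assumption that the file defines an interface named unsecure bound to 127.0.0.1 and that the public interface is bound to 0.0.0.0.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a WildFly standalone-full.xml after the
# edit above. Not copied from an Orchestra installation; the public address
# 0.0.0.0 is an assumed value.
SAMPLE = """<server xmlns="urn:jboss:domain:5.0">
  <interfaces>
    <interface name="public"><inet-address value="${jboss.bind.address:0.0.0.0}"/></interface>
    <interface name="unsecure"><inet-address value="${jboss.bind.address.unsecure:127.0.0.1}"/></interface>
  </interfaces>
  <socket-binding-group name="standard-sockets" default-interface="public">
    <socket-binding name="http" interface="unsecure" port="${jboss.http.port:8080}"/>
    <socket-binding name="https" port="${jboss.https.port:8443}"/>
  </socket-binding-group>
</server>"""

def local(tag):
    """Strip the XML namespace so the check works across schema versions."""
    return tag.rsplit("}", 1)[-1]

def default_of(expr):
    """Return the default from '${prop:default}', or the literal value."""
    m = re.fullmatch(r"\$\{[^:}]+:([^}]*)\}", expr)
    return m.group(1) if m else expr

def binding_address(xml_text, binding="http"):
    """Return (interface name, configured address) for a socket binding."""
    root = ET.fromstring(xml_text)
    addrs = {}
    for el in root.iter():
        if local(el.tag) == "interface":
            for child in el:
                if local(child.tag) == "inet-address":
                    addrs[el.get("name")] = default_of(child.get("value"))
    for group in (g for g in root.iter() if local(g.tag) == "socket-binding-group"):
        for sb in group:
            if local(sb.tag) == "socket-binding" and sb.get("name") == binding:
                # With no interface attribute the group's default applies,
                # which is why the unedited line is reachable from outside.
                iface = sb.get("interface") or group.get("default-interface")
                return iface, addrs.get(iface)
    raise LookupError(f"no socket-binding named {binding!r}")

def http_is_loopback_only(xml_text):
    _, addr = binding_address(xml_text, "http")
    try:
        return ipaddress.ip_address(addr).is_loopback
    except (TypeError, ValueError):
        return False  # missing interface or non-IP value: treat as exposed
```

The check reads only the defaults written in the file; a system property such as jboss.bind.address.unsecure passed at startup overrides them, so also confirm after restarting Orchestra that port 8080 is listening on 127.0.0.1 only.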
Removing HTTPS warnings in browsers
If you use a self-signed certificate, you will get an HTTPS warning in the browser. To remove HTTPS warnings in your browser:
1. Go to your browser’s Settings page and locate the section where certificates are managed. Import the *.cer file that you exported in the flows above.
2. Place the certificate in Trusted Root Certification Authorities and make sure that it is located there.
3. Restart your browser for the settings to take effect.