Transport Layer Security (TLS) technology secures communication by encrypting data and providing authentication. Without TLS encryption, packets of information travel over networks in full view.
Every TLS certificate is created for a particular server in a specific domain by a Certificate Authority (CA). When an application user or data collector accesses an OMi server, TLS authenticates the server, and can also be configured to authenticate the client. Additionally, OMi establishes an encryption method and a unique key for the communication session.
OMi fully supports the TLS protocol version 1.0 or later. The TLS channel is configured on the OMi servers/clients as required.
For detailed information about how to set up TLS for database connections, see the OMi Database Guide.
Learn more
Overview of TLS and OMi
TLS provides OMi with the following:
- Server authentication. Provides authentication of the OMi server used for communication.
- Client authentication (optional). Provides authentication of the client communicating with the OMi server. The client could be an application user or a data collector.
- Encrypted channel. Encrypts the communication between the client and the server using a variety of ciphers.
- Data integrity. Helps ensure that the information sent by one side over TLS is the same information received by the other side.
TLS Termination
Secure communication via HTTPS can terminate either at the load balancer/ reverse proxy or on the OMi gateway server.
If it terminates on the OMi gateway server, the web server on the gateway server is configured to support/require TLS. Otherwise, if TLS terminates on the load balancer/reverse proxy, then only the load balancer/reverse proxy needs to be configured for secure communication.
If there is a load balancer/reverse proxy in front of a OMi gateway server, it is recommended to have TLS terminate on the load balancer/reverse proxy. For BBC channels, see the BBC recommendations and configuration instructions in Configure BBC port 383 connection on reverse proxy.
The following table addresses TLS termination in the High Availability environment:
| TLS Termination On | TLS on Load Balancer | TLS on Gateway |
Advantages/ Disadvantages |
|---|---|---|---|
| Load Balancer/Reverse Proxy | Yes | No |
This is a recommended configuration. It allows:
On each load balancer/reverse proxy, use server certificates issued to the name of the external access point (FQDN) that users/data collectors are using to access OMi. If multiple load balancers/reverse proxies share the load, each one must have these certificates imported. |
| Load Balancer/Reverse Proxy and Gateway (TLS all the way) | Yes | Yes |
This is a less ideal configuration, especially where load balancers are concerned. It requires:
In this configuration, in addition to installing certificates on the load balancer, also install server certificates on the gateway server, using a server certificate issued to the FQDN name of the gateway server. In a high availability environment with multiple gateway servers: Traffic from the same data collector will be load-balanced between different gateway servers using a round-robin mechanism. If you have a different certificate on each gateway server issued to a different name, in the worst case scenario, switching between gateway servers will require a TLS renegotiation process to run each time there is a switch between gateways server. This is very expensive in terms of CPU use and network traffic, on both the server and client sides. For this reason, TLS termination is typically done on the load balancer. |
| Gateway | No | Yes |
A secure channel for connections to the OMi server (via load balancer or direct) is mandatory in many OMi environments. OMi enables you to generate and install web servers' certificates using the configuration wizard, thereby reducing the TLS configuration and maintenance efforts to a minimum. Once the web servers are configured for TLS, you can configure the load balancer to forward requests to the gateway servers and have TLS termination on the gateways. This means:
|
Certificate Management
OMi provides the following command-line interfaces to help you manage certificates:
-
opr-cert-mgmt. The certificate management tool enables you to list, export, import, remove, and synchronize certificates in OMi. For details, see opr-cert-mgmt Command-Line Interface.
-
opr-internal-tls-config. The internal TLS troubleshooting tool allows you to disable secure internal communication, as well as to regenerate keys and certificates. For details, see opr-internal-tls-config Command-Line Interface.
-
opr-tls-config. The TLS troubleshooting tool enables you to temporarily disable or reset the TLS configuration. For details, see opr-tls-config Command-Line Interface.
Certificate Expiration
OMi monitors the expiration time of the certificates used by the web server. The OMi Server Self-Monitoring management pack contains a measurement threshold policy template that monitors the validity of the certificates and generates an event 90, 60, and 30 days before the certificate expires.
To renew the OMi-generated certificates, restart the OMi gateway server within 30 days before the certificates expire. OMi automatically issues new certificates and imports them to the OMi certificate inventory.
If you are using certificates from the CA used by your company, you must issue new certificates and upload them to OMi using the configuration wizard.
For more information, see Management Pack for OMi Server Self-Monitoring.