OmicSoft Server v12 - TLS Configuration

From Array Suite Wiki


Configure certificates

Prerequisites

  • DNS name
    • DNS must point to the OmicSoft Server machine (ex.: omicsoftserver.example.com)
    • DNS must be reachable from all machines where OmicSoft Studio/Land Explorer/Oshell and (if applicable) Analytic servers will be installed
    • DNS name must point to a static/fixed IP
    • A valid CA-signed server certificate (including the associated private key) must exist for the DNS name; the server uses it for TLS 1.2 or later

Make sure that the server is reachable using the DNS name, both from outside the server network and from the server machine itself:

ping omicsoftserver.example.com
Pinging omicsoftserver.example.com [X.XXX.XX.XX] with 32 bytes of data:
Reply from X.XXX.XX.XX: bytes=32 time=230ms TTL=37
...
Ping statistics for 3.128.81.13:
   Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
   Minimum = 230ms, Maximum = 231ms, Average = 230ms

  • TLS certificate
    • The certificate must be signed by a public certificate authority (no self-signed certificates can be used).
    • The certificate should be in .pfx (PKCS #12) format, containing the entire certificate chain and the private key.
    • You also need the intermediate CA certificate(s) in separate files, so you can import them into the Mono certificate store.

Note: On Windows, if you use the MMC / Manage Computer Certificates snap-in to generate a custom certificate request (CSR), a 'classic' cryptographic service provider such as 'Microsoft Enhanced Cryptographic Provider v1.0' (a CryptoAPI provider) must be used instead of a newer Cryptography Next Generation (CNG / CAPI2) provider such as 'Microsoft Software Key Storage Provider'. In the snap-in, when generating the custom certificate request, choose the Template '(No template) Legacy key' (instead of '(No template) CNG Key').

Certificates setup

Set up the TLS certificate for server

If you don't have all the required files, please review the Certificates Setup page.

Install the intermediate CA certificate(s)

Intermediate CA certificates can be in any of the following formats: .PEM, .CRT, .CER.

Import the intermediate CA certificates:

  • to the current user's intermediate CA store
$ certmgr -add -c -v CA IntermediateCA1.cer
  • to the machine's intermediate CA store
$ sudo /opt/mono-6.12.0/bin/certmgr -add -c -v -m CA IntermediateCA1.cer

Verify certificates installation with:

$ certmgr -list -c CA
$ sudo /opt/mono-6.12.0/bin/certmgr -list -c -m CA

Install the server certificate(s)

Import the server certificate into the machine-level (-m parameter) personal ('My') store from the PFX file, which must also contain the private key. The private key password is needed for this step:

$ sudo /opt/mono-6.12.0/bin/certmgr -add -c -v -p privatekeypassword -m My cert.pfx

Verify if the certificate was properly imported with:

$ sudo /opt/mono-6.12.0/bin/certmgr -list -c -m My

Update Omicsoft server configuration file

Extract the server certificate thumbprint (the SHA-1 fingerprint, which is what openssl x509 -fingerprint prints by default) that must be set in ArrayServer.cfg, using the PFX file:

# -clcerts -nokeys: output only the server (leaf) certificate, not the chain or the private key
$ openssl pkcs12 -in cert.pfx -clcerts -nokeys -passin pass:privatekeypassword | openssl x509 -noout -fingerprint -sha1 | cut -f2 -d'='

Set/Update the thumbprint in ArrayServer.cfg

CertificateThumbprint=B1:9A:...:6D:71
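The following script is an added example; it is not from this wiki page and not OmicSoft's code. It builds a throw-away root, intermediate and server certificate chain with openssl, packs the server certificate, its private key and the intermediate CA into a .pfx the way the "TLS certificate" prerequisites above require, checks that the bundle really carries the chain and the key and that the intermediate is a CA certificate, and then extracts the SHA-1 thumbprint for ArrayServer.cfg exactly as the command above does. The CA names, the host name omicsoftserver.example.com and the PFX password are constructed placeholders; openssl is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not from the OmicSoft wiki or the OmicSoft product: build a
# throw-away root -> intermediate -> server chain with openssl, pack the server
# certificate, its private key and the intermediate into a .pfx the way the
# page requires, then check the bundle and pull out the SHA-1 thumbprint for
# ArrayServer.cfg. The CA names, the host name omicsoftserver.example.com and
# the PFX password are constructed placeholders; openssl must be on PATH.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="${HOST:-omicsoftserver.example.com}"
PFX_PASS="${PFX_PASS:-demo-pfx-password}"

quiet() { "$@" >/dev/null 2>&1; }

# Writes root.crt, intermediate.crt, server.crt, server.key and cert.pfx to $WORK.
build_demo_chain() {
  cd "$WORK"
  # Self-signed root CA and the intermediate CA it signs (CA:TRUE, pathlen 0).
  quiet openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
      -subj "/CN=lab-root" -keyout root.key -out root.crt
  quiet openssl req -newkey rsa:2048 -nodes \
      -subj "/CN=lab-intermediate" -keyout intermediate.key -out intermediate.csr
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  quiet openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key \
      -CAcreateserial -days 30 -extfile ca.ext -out intermediate.crt
  # Server certificate: not a CA, serverAuth, SAN equal to the DNS name.
  quiet openssl req -newkey rsa:2048 -nodes \
      -subj "/CN=$HOST" -keyout server.key -out server.csr
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$HOST" > leaf.ext
  quiet openssl x509 -req -in server.csr -CA intermediate.crt -CAkey intermediate.key \
      -CAcreateserial -days 30 -extfile leaf.ext -out server.crt
  # PKCS #12 bundle: server certificate + private key, intermediate as the chain.
  quiet openssl pkcs12 -export -inkey server.key -in server.crt \
      -certfile intermediate.crt -passout "pass:$PFX_PASS" -out cert.pfx
}

# "ok" when server.crt chains to root.crt via intermediate.crt and is issued
# for $HOST; otherwise "fail".
verify_chain() {
  cd "$WORK"
  if quiet openssl verify -CAfile root.crt -untrusted intermediate.crt \
        -verify_hostname "$HOST" server.crt; then echo ok; else echo fail; fi
}

# How many certificates / private keys cert.pfx carries (expect 2 and 1).
pfx_cert_count() {
  openssl pkcs12 -in "$WORK/cert.pfx" -passin "pass:$PFX_PASS" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}
pfx_key_count() {
  openssl pkcs12 -in "$WORK/cert.pfx" -passin "pass:$PFX_PASS" -nocerts -nodes 2>/dev/null \
    | grep -c 'BEGIN.*PRIVATE KEY'
}

# SHA-1 thumbprint of the server certificate inside the bundle, colon separated
# as ArrayServer.cfg expects. -clcerts -nokeys selects the leaf even when the
# CA certificates are stored ahead of it in the file.
pfx_thumbprint() {
  openssl pkcs12 -in "$WORK/cert.pfx" -passin "pass:$PFX_PASS" -clcerts -nokeys 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha1 | cut -d= -f2
}

# SHA-1 thumbprint of a PEM certificate file, same format.
file_thumbprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2
}

# CA:TRUE for a CA certificate (what an intermediate must be), else CA:FALSE.
ca_flag() {
  openssl x509 -in "$1" -noout -text | grep -o 'CA:[A-Z]*' | head -n 1
}

build_demo_chain
echo "chain + hostname : $(verify_chain)"
echo "certs in pfx     : $(pfx_cert_count)"
echo "keys in pfx      : $(pfx_key_count)"
echo "intermediate     : $(ca_flag "$WORK/intermediate.crt")"
echo "server           : $(ca_flag "$WORK/server.crt")"
echo "CertificateThumbprint=$(pfx_thumbprint)"
```

Running the script prints the checks and a CertificateThumbprint= line in the page's own format. The same -clcerts -nokeys selection is what keeps the thumbprint command reliable when a CA-supplied .pfx stores the chain certificates ahead of the server certificate; without it, openssl x509 reads whichever certificate comes first and you would configure the thumbprint of an intermediate. Nothing here touches Mono's stores: the checks run on the files before the certmgr imports above, so a bundle missing the chain or the key is caught before the server is started.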

Start OmicSoft Server

$ cd /opt/arrayserver/
$ mono ./OmicSoftServer.exe >> ./run.log &
$ disown -h