Configuring HTTPS in Address Manager - BlueCat Integrity - 26.1.0

Before enabling Single Sign-On, you need to secure Address Manager with an SSL certificate. Obtain this certificate from the IdP then upload it to Address Manager.

1. Select the Settings tab in the sidebar.
2. Under System security, select Web access.
3. Set the following parameters:
   Note: When replication is configured between Address Manager servers, web access settings for primary and standby servers are represented on separate tabs.

   • HTTP enabled—select the checkbox to enable HTTP. Deselect the checkbox to disable HTTP.
   • HTTPS enabled—select the checkbox to enable HTTPS.
   • HTTP to HTTPS redirection enabled—select the checkbox to enable HTTP to HTTPS redirection. The HTTP enabled checkbox must be selected to select this option.
     Important: You can't disable HTTPS if HTTP is configured to redirect to HTTPS.
     Note: HTTP to HTTPS redirection

     Selecting HTTP to HTTPS redirection enabled will redirect users to HTTPS if they attempt to access Address Manager using HTTP. You must have HTTP and HTTPS enabled to use HTTP to HTTPS redirection.

     • If the Address Manager domain name is configured to resolve to an IPv6 address, HTTP to HTTPS redirection enabled will redirect the domain name in the URL to an IPv6 address, resulting in an unknown certificate warning in your browser. For more information, refer to knowledge base article 5978 on BlueCat Customer Care.
   • X509 authenticator—select an X.509 authenticator previously added to Address Manager. For more information, refer to X.509 authentication.
4. Under Server certificate settings, select Set custom certificates.
5. Complete the following:
   • Upload private key—use the upload box to select or drag and drop the private key file (<common_name>.key) associated with the server certificate on your local machine or workstation.
     Attention:

     • The private key must comply with PKCS #8 standards.
     • The private key must be in PEM format and must only contain one key. It can't contain multiple keys or certificates. You can validate the key using openssl and the following command (if there's no password, omit the --passin pass:<password> parameter):

       openssl rsa -noout -modulus -in <private key file> --passin pass:<password>

       If the beginning of the output contains Modulus=, the key is valid.

   • Password—enter an alphanumeric password to secure your private key.
   • Upload domain signed certificate—use the upload box to select or drag and drop the signed server certificate (<common_name>.crt) on your local machine or workstation.
     Attention: The certificate must be in PEM format and must only contain one certificate. It can't contain multiple certificates or keys. You can validate the certificate using openssl and the following command:

     openssl x509 -noout -modulus -in <certificate file>

     If the beginning of the output contains Modulus=, the key is valid.

   • Upload intermediate bundle certificate—use the upload box to select or drag and drop the associated CA certificate bundle (<common_name>.ca-bundle) on your local machine or workstation. The CA certificate bundle must include the root and any intermediary CA certificates required to authenticate the CA signature of the server certificate.
     Attention: The bundle must be in PEM format, and must only contain one root certificate and the chain of intermediate certificates that match the domain certificate. You can validate the bundle using openssl and the following command:

     openssl x509 -noout -modulus -in <bundle file>

     If the beginning of the output contains Modulus=, the key is valid.

6. In the Change control section, add comments if required.
7. Select Update web access settings. The Address Manager server will be temporarily unavailable as the changes are committed and the server restarts.