Introduction
This article describes how to add new SSL certificates, or update the current ones, on an STS server.
Description
The following procedure explains how to add an SSL certificate to the server and how to replace it when it expires or after the FQDN changes, so that browsers no longer raise SSL warnings when accessing the SES Console web interface. The certificate is first deployed on the gateway service, then on the frontend and ses-console services, and finally on the TRSL service (optional, only if that service is in use).
Procedure
0) Pre-requisites
- Provide the following 2 files:
- the X.509 certificate, PEM encoded (Base64 ASCII), including the certificate chain if required
- the matching RSA private key, PEM encoded (Base64 ASCII), unencrypted and WITHOUT passphrase
Both files are text files and must contain the "-----BEGIN..." and "-----END..." lines; a binary DER or PKCS#12 file has to be converted to PEM first.
Note that if your certificate relies on a chain of trust, you have to concatenate the following into a single certificate file, in this order:
1) the server certificate (encoded as described above)
2) the intermediate certificate(s) (encoded as described above)
3) the root certificate (encoded as described above)
The server certificate must come first: the private key is matched against the first certificate found in the file.
Additional notes:
- Validate the provided files using the article "How to check and validate SSL certificate files?", more specifically the "Check that your .key file matches your .crt file" paragraph.
- Check whether the same certificate is also referenced by the SSO (SAML) configuration; if it is, it has to be updated there as well.
- If this is a certificate update
Back up the previous certificates from the directories below before overwriting them:
/opt/systran/apps-node/translation-gateway/certificates/
/opt/systran/apps-node/enterprise-server/certificates/
/opt/systran/apps-node/enterprise-server/web/certificates/
/opt/systran/apps-node/translation-resource-store/certificates/
If you want to use different certificate names, then the configuration needs to be updated, as shown in this article.
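The pre-requisite checks above (PEM markers present, key unencrypted, key matching the first certificate of the chain file, certificate not about to expire) can be scripted so they are run once before any file is copied. The script below is an added example and not part of the original article or of the SYSTRAN product; the file names ses.example.com.crt / ses.example.com.key used in the comments are assumptions. It relies only on the openssl command line tool.

```shell
#!/bin/sh
# Pre-deployment checks for a PEM certificate file and its private key.
# Assumed file names (not from the article): ses.example.com.crt / ses.example.com.key
# check_cert_pair returns 0 when every check passes, 1 otherwise.

# has_pem_markers FILE : the file is text and carries the BEGIN/END armour lines
has_pem_markers() {
  grep -q -- '-----BEGIN ' "$1" && grep -q -- '-----END ' "$1"
}

# key_is_unencrypted FILE : reject "BEGIN ENCRYPTED PRIVATE KEY" (PKCS#8) and the
# legacy "Proc-Type: 4,ENCRYPTED" header of passphrase-protected RSA keys
key_is_unencrypted() {
  ! grep -q 'ENCRYPTED' "$1"
}

# key_matches_cert CRT KEY : compare the public key embedded in the FIRST certificate
# of CRT with the public key derived from KEY. openssl x509 only reads the first PEM
# block, so this also fails when an intermediate or root certificate was concatenated
# before the server certificate (wrong chain order).
key_matches_cert() {
  crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null </dev/null) || return 1
  [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# cert_still_valid CRT DAYS : fail if the first certificate expires within DAYS days
cert_still_valid() {
  openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# check_cert_pair CRT KEY : run every check, print a short report, return 0/1
check_cert_pair() {
  crt=$1; key=$2; rc=0
  has_pem_markers "$crt" || { echo "FAIL: $crt lacks -----BEGIN/-----END lines"; rc=1; }
  has_pem_markers "$key" || { echo "FAIL: $key lacks -----BEGIN/-----END lines"; rc=1; }
  key_is_unencrypted "$key" || { echo "FAIL: $key is passphrase protected"; rc=1; }
  key_matches_cert "$crt" "$key" || { echo "FAIL: $key does not match the first certificate in $crt"; rc=1; }
  cert_still_valid "$crt" 30 || { echo "FAIL: first certificate in $crt expires within 30 days"; rc=1; }
  if [ "$rc" -eq 0 ]; then
    echo "OK: $crt / $key"
    openssl x509 -in "$crt" -noout -subject -dates
    # the SAN list must contain the FQDN users type in the browser (-ext needs OpenSSL >= 1.1.1)
    openssl x509 -in "$crt" -noout -ext subjectAltName 2>/dev/null || true
    echo "certificates in chain file: $(grep -c -- '-----BEGIN CERTIFICATE-----' "$crt")"
  fi
  return "$rc"
}
```

Run it as check_cert_pair ses.example.com.crt ses.example.com.key before step 1; a non-zero exit status means the files must be fixed before they are copied to any of the certificates/ directories.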
1) Gateway SSL certificate
Copy the certificate & private key files into:
/opt/systran/apps-node/translation-gateway/certificates
If the systran user is not the owner of the files, change it using the following command:
chown systran:systran /opt/systran/apps-node/translation-gateway/certificates/*
As for every copy in this procedure, also make sure the private key is not readable by other users (for example chmod 600 on the .key file; the services run as systran, so a file owned by systran stays readable by them).
SES Gateway settings changes
You can edit (if it already exists) or create /opt/systran/apps-node/translation-gateway/config/<hostname>.yaml, where <hostname> is the output of the hostname command.
Or you can also edit the original /opt/systran/apps-node/translation-gateway/config/default.yaml file.
Make sure the indentation (spaces) is correct:
Gateway:
  InputInterfaces:
    translate-api:
      port: 8903
      https:
        port: 8904
        activate: true
        privateKey: certificates/[your certificate].key
        certificate: certificates/[your certificate].crt
Gateway service restart
Once the changes are made on SES gateway, restart the service on the server
systemctl restart systran-ses-gateway
Checks
Verify port 8904 is listening:
netstat -na | grep 8904
(or, on systems without net-tools: ss -ltn | grep 8904)
Verify the port is open and the certificate is correct:
curl -v https://localhost:8904/status
The verbose output shows the subject, issuer and expiry date of the certificate presented by the gateway. Since the certificate is issued for the FQDN and not for localhost, curl will report a verification error on the host name: use the FQDN in the URL (curl -v https://<fqdn>:8904/status) or add -k to ignore verification and only inspect the certificate details.
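Instead of reading the curl -v output by eye, the check can compare the SHA-256 fingerprint of the certificate the listener actually presents with the fingerprint of the file that was just deployed; a mismatch means the service still serves the old certificate (for example because the config change or the restart did not take effect). The script below is an added example, not code from the original article or from the SYSTRAN product; the host name ses.example.com and the port 8904 in the comments are assumptions, and only openssl is required.

```shell
#!/bin/sh
# Post-restart check: confirm the TLS listener presents the certificate that was
# just deployed. Assumed host name and port (not from the article): ses.example.com, 8904.

# cert_fingerprint FILE : SHA-256 fingerprint of the first certificate in FILE
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# served_fingerprint HOST PORT SNI : fingerprint of the leaf certificate the listener
# sends for server name SNI (pass the FQDN even when connecting to 127.0.0.1)
served_fingerprint() {
  printf '' | openssl s_client -connect "$1:$2" -servername "$3" 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# verify_served CRT HOST PORT SNI : 0 when the listener presents exactly the
# certificate stored in CRT, 1 otherwise
verify_served() {
  expected=$(cert_fingerprint "$1")
  [ -n "$expected" ] || { echo "FAIL: cannot read a certificate from $1"; return 1; }
  actual=$(served_fingerprint "$2" "$3" "$4")
  [ -n "$actual" ] || { echo "FAIL: no certificate received from $2:$3"; return 1; }
  if [ "$expected" = "$actual" ]; then
    echo "OK: $2:$3 presents $1 ($actual)"
  else
    echo "FAIL: $2:$3 presents $actual, expected $expected (old certificate still loaded?)"
    return 1
  fi
}

# Example invocation, to be run after "systemctl restart systran-ses-gateway"
# (path and FQDN are assumptions):
# verify_served /opt/systran/apps-node/translation-gateway/certificates/ses.example.com.crt \
#   127.0.0.1 8904 ses.example.com
```

The same function applies to the console and frontend listeners in steps 2 and 3 and to the TRSL listener on port 3445 in step 4; only the port and the certificate path change.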
If check on gateway has been validated, then please proceed on console.
2) SES Console settings changes
Open 2 browser sessions to the web interface. The 2nd one is a safety net, in case connectivity is lost on the first session after the change.
Go to Administration > Settings > HTTPS Settings and change the path in the HTTPS certificate and private key fields to the new file names.
Click on "Save".
Copy the certificate & private key files into:
/opt/systran/apps-node/enterprise-server/certificates
If the systran user is not the owner of the files, change it using the following command:
chown systran:systran /opt/systran/apps-node/enterprise-server/certificates/*
Note: the "certificates/" directory prefix must remain in the 2 fields above, before the filename.
3) Frontend settings changes
Copy the certificate & private key files into:
/opt/systran/apps-node/enterprise-server/web/certificates
If the systran user is not the owner of the files, change it using the following command:
chown systran:systran /opt/systran/apps-node/enterprise-server/web/certificates/*
Restart of console & frontend services
Once the changes are made, restart both services on the server:
systemctl restart systran-ses-frontend systran-ses-console
Checks
Log in again to the SES Console web interface and verify that the login succeeds.
Click on the padlock in the browser address bar and verify that the certificate now shows the new validity dates.
4) Optional: Model Studio TRSL
In case Model Studio needs to be deployed on the SPNS server, the following needs to be performed for the local TRS as well.
Copy the certificate & private key files into:
/opt/systran/apps-node/translation-resource-store/certificates
If the systran user is not the owner of the files, change it using the following command:
chown systran:systran /opt/systran/apps-node/translation-resource-store/certificates/*
SES TRSL settings changes
Edit the TRSL config file /opt/systran/apps-node/translation-resource-store/config/default.yaml as below (keep the indentation):
https:
  activate: true
  privateKey: certificates/[your certificate].key
  certificate: certificates/[your certificate].crt
TRS service restart
Restart the service on the server:
systemctl restart systran-trs-console
Checks
Verify port 3445 is listening:
netstat -na | grep 3445
(or, on systems without net-tools: ss -ltn | grep 3445)