The Brainspace application is installed with self-signed SSL certificates on all interfaces ("front side" user interface, as well as intra-server communications) to encrypt all communications. Some Brainspace customers choose to replace the default Brainspace self-signed SSL certificate with a commercial SSL certificate to have more control over the domain name and encryption level and to meet organization-specific security policy requirements.
Brainspace SSL Certificate Requirements
Important
SSL certificate validation requires that the certificate's CN (Common Name) and/or one of its SANs (Subject Alternative Names) match a resolvable host name that also matches what is specified in the Services tab in the Brainspace Admin console.
For example, consider a three-server deployment of Brainspace with the following hosts and environment:
Role | Host Name | IPv4 Address | IPv6 Address |
---|---|---|---|
Application | brains-app | 10.1.1.10 | fe80::250:56ff:feb8:cdfc |
On-Demand Analytics | brains-oda | 10.1.1.11 | fe80::250:56ff:feb8:ccfd |
Analytics | brains-ana | 10.1.1.12 | fe80::250:56ff:feb8:ced2 |
DNS Domain: | example.com |
---|---|
Application URL: | https://brains.example.com/ |
If you are ordering an SSL certificate that will be used on all three hosts, you need to include all of the following in your certificate request:
Request Field | Value |
---|---|
CommonName | brains.example.com |
subjectAltName | DNS: brains-app |
subjectAltName | DNS: brains-app.example.com |
subjectAltName | IP: 10.0.0.10 |
subjectAltName | IP: fe80::250:56ff:feb8:cdfc |
subjectAltName | DNS: brains-oda |
subjectAltName | DNS: brains-oda.example.com |
subjectAltName | IP: 10.0.0.11 |
subjectAltName | IP: fe80::250:56ff:feb8:ccfd |
subjectAltName | DNS: brains-ana |
subjectAltName | DNS: brains-ana.example.com |
subjectAltName | IP: 10.0.0.12 |
subjectAltName | IP: fe80::250:56ff:feb8:ced2 |
subjectAltName | DNS: localhost |
subjectAltName | DNS: localhost.localdomain |
subjectAltName | IP: 127.0.0.1 |
subjectAltName | IP: ::1 |
Brainspace Version SSL Configuration Changes
The location of the SSL certificates, the certificate format, and the HAProxy service name have changed between Brainspace versions. Use the following table to identify the appropriate values for your Brainspace instance.
Version | HAProxy Service Name | HAProxy Certificate File |
---|---|---|
6.0 - 6.0.x | haproxy | /etc/haproxy/brainspace_ss.pem |
6.1 - 6.1.x | haproxy | /etc/haproxy/brainspace_ss.pem |
6.2+ | brainspace-haproxy | /etc/brainspace/ssl/brainspace_ss.pem |
Note
During upgrades, the /etc/brainspace/ssl directory is archived into a file such as brainspace_ss-backup.10-16-2019_2116.tar. This file can be extracted with tar -xvf brainspace_ss-backup.10-16-2019_2116.tar; the archive contains your brainspace_ss.pem file, which can be moved back into place in /etc/brainspace/ssl. Once done, the brainspace-haproxy service needs to be restarted with service brainspace-haproxy stop && service brainspace-haproxy start.
Replacing the Brainspace User Interface (HAProxy) SSL Certificate on the Application Server
The default Brainspace user interface (UI) SSL certificate is configured in HAProxy on the Application server.
Important
Run all the following commands as the Root user.
To replace the Brainspace UI (HAProxy) SSL certificate on the Application server:
Convert the pfx file to crt (certificate only, no private key):
openssl pkcs12 -in <your_new_pfx_file>.pfx -clcerts -nokeys -out <your_cert_file>.crt
Convert the pfx to a pem file containing the private key (with -nodes the key is written unencrypted, despite the file name):
openssl pkcs12 -in <your_new_pfx_file>.pfx -out <your_encrypted_pem>_encrypted.pem -nodes
Convert the private key to an RSA private key:
openssl rsa -in <your_encrypted_pem>_encrypted.pem -out <your_new_rsa_pem_file>.pem
Write the new pem and crt files into the pem file haproxy will use:
cat <your_new_rsa_pem_file>.pem <your_cert_file>.crt > /etc/brainspace/ssl/brainspace_ss.pem
Restart haproxy:
systemctl restart brainspace-haproxy
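As an added check that is not part of the Brainspace documentation: before restarting haproxy, confirm that the private key and certificate in the combined pem belong together and that the certificate carries the SANs from the requirements table above, since a mismatch or a missing SAN is what makes the UI fail to load. The host names and IPs in the fixture are constructed for this example (the IPv4 address follows the host table, 10.1.1.10), and the checks use only standard openssl commands.

```shell
#!/bin/sh
# Added example, not part of the Brainspace documentation: sanity-check the combined
# key+certificate PEM before handing it to haproxy. Host names and IPs are constructed.
set -eu

# check_haproxy_pem PEM REQUIRED_SAN...
# Verifies that the private key in PEM belongs to the certificate in PEM and that every
# required SAN (written as DNS:name or IP:v4-address) is present in the certificate.
# Prints the first problem found; returns 0 when all checks pass, 1 otherwise.
check_haproxy_pem() {
    pem=$1; shift
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) \
        || { echo "no certificate found in $pem"; return 1; }
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null) \
        || { echo "no private key found in $pem"; return 1; }
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key in $pem does not match its certificate"; return 1
    fi
    # openssl renders SANs as "DNS:name, IP Address:10.1.1.10"; normalise to one
    # "DNS:"/"IP:" entry per line so each requirement can be matched exactly.
    # (IPv6 entries are rendered in openssl's own expanded form and are not checked here.)
    sans=$(openssl x509 -in "$pem" -noout -ext subjectAltName 2>/dev/null \
        | tail -n +2 | tr -d ' ' | tr ',' '\n' | sed 's/^IPAddress:/IP:/')
    for want in "$@"; do
        if ! printf '%s\n' "$sans" | grep -qxF "$want"; then
            echo "certificate is missing SAN $want"; return 1
        fi
    done
    return 0
}

# make_test_pem DIR: constructed fixture. A self-signed certificate for
# brains.example.com carrying part of the SAN set from the requirements table,
# combined the way the procedure above does it: private key first, then certificate.
make_test_pem() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=brains.example.com" \
        -addext "subjectAltName=DNS:brains-app,DNS:brains-app.example.com,IP:10.1.1.10,DNS:localhost,IP:127.0.0.1" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    cat "$dir/key.pem" "$dir/cert.pem" > "$dir/brainspace_ss.pem"
    echo "$dir/brainspace_ss.pem"
}

# Stand-alone run: build the fixture and check it for the names the Application server answers to.
work=$(mktemp -d)
candidate=$(make_test_pem "$work")
check_haproxy_pem "$candidate" DNS:brains-app DNS:brains-app.example.com IP:10.1.1.10 \
    && echo "$candidate passes; safe to copy to /etc/brainspace/ssl/brainspace_ss.pem"
rm -rf "$work"
```

Run the same function against the real /etc/brainspace/ssl/brainspace_ss.pem with the full SAN list from your certificate request to catch a key/certificate mix-up before the restart.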
If you have issues loading the UI, contact Brainspace Support.