From 7d8bc33c704936d523893eb004012b1a068dad54 Mon Sep 17 00:00:00 2001 From: Donna-Marie Smith Date: Tue, 24 Sep 2024 14:33:54 +0100 Subject: [PATCH] Added Multi Domain Certificate support to 2024.9 --- .../prerequisites.md | 7 ++---- .../multiple-server-with-ha/prerequisites.md | 22 +++++++------------ .../advanced/rollover-certificates.md | 10 +++------ .../prerequisites.md | 10 ++++----- .../multiple-server-with-ha/prerequisites.md | 22 +++++++------------ .../install-web-application-server.md | 3 ++- .../single-server-without-ha/prerequisites.md | 3 ++- .../prerequisites.md | 7 ++++-- .../multiple-server-with-ha/prerequisites.md | 22 ++++++++++++------- .../advanced/rollover-certificates.md | 10 ++++++--- .../prerequisites.md | 10 +++++---- .../multiple-server-with-ha/prerequisites.md | 22 ++++++++++++------- .../install-web-application-server.md | 3 +-- .../single-server-without-ha/prerequisites.md | 3 +-- 14 files changed, 77 insertions(+), 77 deletions(-) diff --git a/content/en/docs/2024.7/getting-started/on-premise/add-innovation-to-72/multiple-server-with-ha/install-web-application-server/prerequisites.md b/content/en/docs/2024.7/getting-started/on-premise/add-innovation-to-72/multiple-server-with-ha/install-web-application-server/prerequisites.md index 86643f086..89063d75b 100644 --- a/content/en/docs/2024.7/getting-started/on-premise/add-innovation-to-72/multiple-server-with-ha/install-web-application-server/prerequisites.md +++ b/content/en/docs/2024.7/getting-started/on-premise/add-innovation-to-72/multiple-server-with-ha/install-web-application-server/prerequisites.md @@ -31,11 +31,8 @@ In order to ensure that the correct certificate is used during the upgrade of {{
The Flow Debugger also requires an X.509 SSL certificate to be installed on the Web Application Server. This can use the same certificate as {{% ctx %}} Gateway, however it must have the following properties: -* Subject field must be in one of the following formats depending on whether a multi-domain or wildcard certificate is used: - * Multi-domain certificate - If using the [gobetween][] load balancer this should be specified as the FQDN of the load balancer server (e.g. `CN=load-balancer.domain.com`). If using a different load balancer this must be specified as the FQDN of one of the application servers (e.g. `CN=application-server.domain.com`) - * Wildcard certificate - wildcard format, pertaining to the domain of the Application Servers (e.g. `CN=*.domain.com`). -* Subject alternative names must include any additional host names that should be able to be used to access the API Gateway Service. Additionally if using a multi-domain certificate: - * The FQDN, NetBIOS Name and IP address of the web application server and all application servers must be added. +* Subject field must be in a wildcard format, pertaining to the domain of the Application Servers (e.g. `CN=*.domain.com`). +* Subject alternative names must include any additional host names that should be able to be used to access the API Gateway Service. * Certificate file must be in a .PFX file format, with a known password. * Certificate file must contain the full chain of certificates. * Certificate file must include the private key. diff --git a/content/en/docs/2024.7/getting-started/on-premise/add-innovation-to-72/multiple-server-with-ha/prerequisites.md b/content/en/docs/2024.7/getting-started/on-premise/add-innovation-to-72/multiple-server-with-ha/prerequisites.md index dec2805bf..c3c3fc918 100644 --- a/content/en/docs/2024.7/getting-started/on-premise/add-innovation-to-72/multiple-server-with-ha/prerequisites.md 
+++ b/content/en/docs/2024.7/getting-started/on-premise/add-innovation-to-72/multiple-server-with-ha/prerequisites.md @@ -258,10 +258,10 @@ The `Cortex.Innovation.Test.PortUsage.ps1` script is provided during installatio #### Application Servers {{% alert title="Note" %}} -For production platforms it is recommended that X.509 SSL multi-domain or wildcard certificates are obtained from a Certificate Authority and used for installation. For non-production platforms, certificates can be omitted from installation and it will create and use self-signed certificates. This may prevent 3rd parties that require valid certificate verification to access the API Gateway Service. +For production platforms it is recommended that X.509 SSL wildcard certificates are obtained from a Certificate Authority and used for installation. For non-production platforms, certificates can be omitted from installation and it will create and use self-signed certificates. This may prevent 3rd parties that require valid certificate verification to access the API Gateway Service. {{% / alert %}} -An X.509 SSL multi-domain or wildcard certificate should be used to: +An X.509 SSL wildcard certificate should be used to: * Secure communication between the load balancer and the nodes on the Application Servers. * Secure communication between the Application Services. 
@@ -271,12 +271,8 @@ An X.509 SSL multi-domain or wildcard certificate should be used to: The certificate can be obtained from a Certificate Authority, such as [Let’s Encrypt](), and must meet the following requirements: -* Subject field must be in one of the following formats depending on whether a multi-domain or wildcard certificate is used: - * Multi-domain certificate - If using the [gobetween][] load balancer this should be specified as the FQDN of the load balancer server (e.g. `CN=load-balancer.domain.com`). If using a different load balancer this must be specified as the FQDN of one of the application servers (e.g. `CN=application-server.domain.com`) - * Wildcard certificate - wildcard format, pertaining to the domain of the Application Servers (e.g. `CN=*.domain.com`). -* Subject alternative names must include any additional host names that should be able to be used to access the API Gateway Service. Additionally if using a multi-domain certificate: - * The FQDN, NetBIOS Name and IP address of all application servers must be added. - * Optionally, the FQDN, NetBIOS Name and IP address of the web application server must be added if the same certificate will be used for the [web application server][]. +* Subject field must be in a wildcard format, pertaining to the domain of the Application Servers (e.g. `CN=*.domain.com`). +* Subject alternative names must include any additional host names that should be able to be used to access the API Gateway Service. * Certificate file must be in a .PFX file format, with a known password. * Certificate file must contain the full chain of certificates. * Certificate file must include the private key. 
@@ -285,13 +281,11 @@ The certificate can be obtained from a Certificate Authority, such as [Let’s E This file should be placed in a known location on the Application Server where the installation scripts will be run. This location will be required when running the installation script. -If required, a separate X.509 SSL certificate can be obtained to be used by the load balancer to communicate with the Application Services. It must meet all of the other requirements laid out above, except the subject field can also be the FQDN of the load balancer (e.g. `CN=load-balancer.domain.com`). +If required, a separate X.509 SSL certificate can be obtained to be used by the load balancer to communicate with the Application Services. It must meet all of the other requirements laid out above, except the subject field can also be the FQDN of the load balancer (e.g. `CN=machine-name.domain.com`). #### Web Application Server -{{% ctx %}} Gateway requires an X.509 SSL certificate to be installed on the Web Application Server. This can be the same certificate as used for the application servers or a different certificate. - -The certificate must have the following properties: +{{% ctx %}} Gateway requires an X.509 SSL certificate to be installed on the Web Application Server. The certificate must have the following properties: * Enhanced Key Usage: `Server Authentication` and `Client Authentication` * Subject Alternative Names (SAN): At minimum the FQDN of the Server. It can also include NetBIOS Name, IP address, localhost, 127.0.0.1 
@@ -299,7 +293,8 @@ The certificate must have the following properties: If the user tries to navigate to an address not in the SAN list, then they will receive a certificate error. {{% alert title="Important" color="warning" %}} -Multi-domain certificates, wildcard certificates, auto-generated self-signed certificates and {{< ahref path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.Advanced.CreateSelfSignedCertificates" title="manually created self-signed certificates" >}} can be used. However, self-signed certificates are not recommended for production instances. +Certificates, wildcard certificates, auto-generated self-signed certificates and manually created self-signed certificates can be used. However, self-signed certificates are not recommended for production instances. +Details on how to create a self-signed certificate can be found at {{< ahref path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.Advanced.CreateSelfSignedCertificates" title="Create Self-Signed Certificates" >}}. {{% /alert %}} More information about importing the certificate is given during installation. @@ -350,5 +345,4 @@ Innovation has a [gobetween][] load balancer included that isn't highly availabl [Recommended Architecture]: {{< url path="Cortex.GettingStarted.OnPremise.AddInnovationTo72.MultipleServerWithHA.RecommendedArchitecture" >}} [SSL Best Practices]: {{< url path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.Advanced.SSLBestPractices" >}} [Upgrading Gateway]: {{< url path="Cortex.GettingStarted.OnPremise.AddInnovationTo72.MultipleServerWithHA.ConfigureCortexGatewayInstallationScriptNew" >}} -[web application server]: {{< ref "#web-application-server" >}} [Web Deploy]: {{< url path="MSDownload.WebDeploy" >}} 
diff --git a/content/en/docs/2024.7/getting-started/on-premise/install-innovation-only/advanced/rollover-certificates.md b/content/en/docs/2024.7/getting-started/on-premise/install-innovation-only/advanced/rollover-certificates.md index a3d4b12a9..18f6380c5 100644 --- a/content/en/docs/2024.7/getting-started/on-premise/install-innovation-only/advanced/rollover-certificates.md +++ b/content/en/docs/2024.7/getting-started/on-premise/install-innovation-only/advanced/rollover-certificates.md 
@@ -26,12 +26,8 @@ A new, valid X.509 certificate needs to be obtained to update the certificates. The certificate can be obtained from a Certificate Authority, such as [Let’s Encrypt](), and must meet the following requirements: -* Subject field must be in one of the following formats depending on whether a multi-domain or wildcard certificate is used: - * Multi-domain certificate - If using the [gobetween][] load balancer this should be specified as the FQDN of the load balancer server (e.g. `CN=load-balancer.domain.com`). If using a different load balancer this must be specified as the FQDN of one of the application servers (e.g. `CN=application-server.domain.com`) - * Wildcard certificate - wildcard format, pertaining to the domain of the Application Servers (e.g. `CN=*.domain.com`). -* Subject alternative names must include any additional host names that should be able to be used to access the API Gateway Service. Additionally if using a multi-domain certificate: - * The FQDN, NetBIOS Name and IP address of all application servers must be added. - * Optionally, the FQDN, NetBIOS Name and IP address of the web application server must be added if the same certificate is used for the web application server. +* Subject parameter must be in a wildcard format, pertaining to the domain of the Application Servers (e.g. `CN=*.domain.com`). +* Subject alternative names must include any additional host names that should be able to be used to access the API Gateway Service. * Certificate file must be in a .PFX file format, with a known password. * Certificate file must contain the full chain of certificates. * Certificate file must include the private key. 
@@ -40,7 +36,7 @@ The certificate can be obtained from a Certificate Authority, such as [Let’s E This file should be placed in a known location on the Application Server where the certificate update script will be run. This location will be required when running the update script. -If required, a separate X.509 SSL certificate can be obtained to be used by the load balancer to communicate with the Application Services. It must meet all of the other requirements laid out above, except the subject parameter can also be the FQDN of the load balancer (e.g. `CN=load-balancer.domain.com`). +If required, a separate X.509 SSL certificate can be obtained to be used by the load balancer to communicate with the Application Services. It must meet all of the other requirements laid out above, except the subject parameter can also be the FQDN of the load balancer (e.g. `CN=machine-name.domain.com`). ### Configure Update Certificates Script diff --git a/content/en/docs/2024.7/getting-started/on-premise/install-innovation-only/multiple-server-with-ha/install-web-application-server/prerequisites.md b/content/en/docs/2024.7/getting-started/on-premise/install-innovation-only/multiple-server-with-ha/install-web-application-server/prerequisites.md index 27525eb10..7cd5d82c4 100644 --- a/content/en/docs/2024.7/getting-started/on-premise/install-innovation-only/multiple-server-with-ha/install-web-application-server/prerequisites.md +++ b/content/en/docs/2024.7/getting-started/on-premise/install-innovation-only/multiple-server-with-ha/install-web-application-server/prerequisites.md @@ -44,11 +44,8 @@ If the user tries to navigate to an address not in the SAN list, then they will
For the Flow Debugger, the certificate must have the following properties: -* Subject field must be in one of the following formats depending on whether a multi-domain or wildcard certificate is used: - * Multi-domain certificate - If using the [gobetween][] load balancer this should be specified as the FQDN of the load balancer server (e.g. `CN=load-balancer.domain.com`). If using a different load balancer this must be specified as the FQDN of one of the application servers (e.g. `CN=application-server.domain.com`) - * Wildcard certificate - wildcard format, pertaining to the domain of the Application Servers (e.g. `CN=*.domain.com`). -* Subject alternative names must include any additional host names that should be able to be used to access the API Gateway Service. Additionally if using a multi-domain certificate: - * The FQDN, NetBIOS Name and IP address of the web application server and all application servers must be added. +* Subject field must be in a wildcard format, pertaining to the domain of the Application Servers (e.g. `CN=*.domain.com`). +* Subject alternative names must include any additional host names that should be able to be used to access the API Gateway Service. * Certificate file must be in a .PFX file format, with a known password. * Certificate file must contain the full chain of certificates. * Certificate file must include the private key. 
@@ -56,7 +53,8 @@ For the Flow Debugger, the certificate must have the following properties: * Enhanced Key Usage must include `Server Authentication` and `Client Authentication`. {{% alert title="Important" color="warning" %}} -Multi-domain certificates, wildcard certificates, auto-generated self-signed certificates and {{< ahref path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.Advanced.CreateSelfSignedCertificates" title="manually created self-signed certificates" >}} can be used. However, self-signed certificates are not recommended for production instances. +Certificates, wildcard certificates, auto-generated self-signed certificates and manually created self-signed certificates can be used. However, self-signed certificates are not recommended for production instances. +Details on how to create a self-signed certificate can be found at {{< ahref path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.Advanced.CreateSelfSignedCertificates" title="Create Self-Signed Certificates" >}}.
It is possible to reuse the Flow Debugger certificate for {{% ctx %}} Gateway; If doing so, you must {{< ahref path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.MultipleServerWithHA.AssignCertificateFriendlyNameNew" title="Assign a Certificate Friendly Name" >}} after the debugger has been installed and set the `ImportCertificate` parameter to `$false` in {{< ahref path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.MultipleServerWithHA.ConfigureCortexGatewayInstallationScriptNew" title="Configure CORTEX Gateway Installation Script" >}} to ensure use of the correct certificate and to prevent it from being overwritten. {{% /alert %}} diff --git a/content/en/docs/2024.7/getting-started/on-premise/install-innovation-only/multiple-server-with-ha/prerequisites.md b/content/en/docs/2024.7/getting-started/on-premise/install-innovation-only/multiple-server-with-ha/prerequisites.md index bced5c869..ae8f627e8 100644 --- a/content/en/docs/2024.7/getting-started/on-premise/install-innovation-only/multiple-server-with-ha/prerequisites.md +++ b/content/en/docs/2024.7/getting-started/on-premise/install-innovation-only/multiple-server-with-ha/prerequisites.md 
@@ -206,10 +206,10 @@ The `Cortex.Innovation.Test.PortUsage.ps1` script is provided during installatio #### Application Servers {{% alert title="Note" %}} -For production systems it is recommended that X.509 SSL multi-domain or wildcard certificates are obtained from a Certificate Authority and used for installation. For non-production systems, certificates can be omitted from installation and it will create and use self-signed certificates. This may prevent 3rd parties that require valid certificate verification to access the API Gateway Service. +For production systems it is recommended that X.509 SSL wildcard certificates are obtained from a Certificate Authority and used for installation. For non-production systems, certificates can be omitted from installation and it will create and use self-signed certificates. This may prevent 3rd parties that require valid certificate verification to access the API Gateway Service. {{% / alert %}} -An X.509 SSL multi-domain or wildcard certificate should be used to: +An X.509 SSL wildcard certificate should be used to: * Secure communication between the load balancer and the nodes on the Application Servers. * Secure communication between the Application Services. 
@@ -219,12 +219,8 @@ An X.509 SSL multi-domain or wildcard certificate should be used to: The certificate can be obtained from a Certificate Authority, such as [Let’s Encrypt](), and must meet the following requirements: -* Subject field must be in one of the following formats depending on whether a multi-domain or wildcard certificate is used: - * Multi-domain certificate - If using the [gobetween][] load balancer this should be specified as the FQDN of the load balancer server (e.g. `CN=load-balancer.domain.com`). If using a different load balancer this must be specified as the FQDN of one of the application servers (e.g. `CN=application-server.domain.com`) - * Wildcard certificate - wildcard format, pertaining to the domain of the Application Servers (e.g. `CN=*.domain.com`). -* Subject alternative names must include any additional host names that should be able to be used to access the API Gateway Service. Additionally if using a multi-domain certificate: - * The FQDN, NetBIOS Name and IP address of all application servers must be added. - * Optionally, the FQDN, NetBIOS Name and IP address of the web application server must be added if the same certificate will be used for the [web application server][]. +* Subject field must be in a wildcard format, pertaining to the domain of the Application Servers (e.g. `CN=*.domain.com`). +* Subject alternative names must include any additional host names that should be able to be used to access the API Gateway Service. * Certificate file must be in a .PFX file format, with a known password. * Certificate file must contain the full chain of certificates. * Certificate file must include the private key. 
@@ -233,13 +229,11 @@ The certificate can be obtained from a Certificate Authority, such as [Let’s E This file should be placed in a known location on the Application Server where the installation scripts will be run. This location will be required when running the installation script. -If required, a separate X.509 SSL certificate can be obtained to be used by the load balancer to communicate with the Application Services. It must meet all of the other requirements laid out above, except the subject field can also be the FQDN of the load balancer (e.g. `CN=load-balancer.domain.com`). +If required, a separate X.509 SSL certificate can be obtained to be used by the load balancer to communicate with the Application Services. It must meet all of the other requirements laid out above, except the subject field can also be the FQDN of the load balancer (e.g. `CN=machine-name.domain.com`). #### Web Application Server -{{% ctx %}} Gateway requires an X.509 SSL certificate to be installed on the Web Application Server. This can be the same certificate as used for the application servers or a different certificate. - -The certificate must have the following properties: +{{% ctx %}} Gateway requires an X.509 SSL certificate to be installed on the Web Application Server. The certificate must have the following properties: * Enhanced Key Usage: `Server Authentication` and `Client Authentication` * Subject Alternative Names (SAN): At minimum the FQDN of the Server. It can also include NetBIOS Name, IP address, localhost, 127.0.0.1 
@@ -247,7 +241,8 @@ The certificate must have the following properties: If the user tries to navigate to an address not in the SAN list, then they will receive a certificate error. {{% alert title="Important" color="warning" %}} -Multi-domain certificates, wildcard certificates, auto-generated self-signed certificates and {{< ahref path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.Advanced.CreateSelfSignedCertificates" title="manually created self-signed certificates" >}} can be used. However, self-signed certificates are not recommended for production instances. +Certificates, wildcard certificates, auto-generated self-signed certificates and manually created self-signed certificates can be used. However, self-signed certificates are not recommended for production instances. +Details on how to create a self-signed certificate can be found at {{< ahref path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.Advanced.CreateSelfSignedCertificates" title="Create Self-Signed Certificates" >}}. {{% /alert %}} More information about importing the certificate is given during installation. @@ -300,5 +295,4 @@ Innovation has a [gobetween][] load balancer included that isn't highly availabl [Port Requirements]: {{< url path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.Advanced.PortRequirements" >}} [SSL Best Practices]: {{< url path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.Advanced.SSLBestPractices" >}} [TriggersService]: {{< url path="Cortex.Guides.CortexInnovation.CoreApplication.Services.TriggersService.MainDoc" >}} -[web application server]: {{< ref "#web-application-server" >}} [Web Deploy]: {{< url path="MSDownload.WebDeploy" >}} 
diff --git a/content/en/docs/2024.7/getting-started/on-premise/install-innovation-only/single-server-without-ha/install-web-application-server.md b/content/en/docs/2024.7/getting-started/on-premise/install-innovation-only/single-server-without-ha/install-web-application-server.md index bb4ed6d5b..ce88ad527 100644 --- a/content/en/docs/2024.7/getting-started/on-premise/install-innovation-only/single-server-without-ha/install-web-application-server.md +++ b/content/en/docs/2024.7/getting-started/on-premise/install-innovation-only/single-server-without-ha/install-web-application-server.md @@ -67,7 +67,8 @@ For each folder, perform the following steps: If the user tries to navigate to an address not in the SAN list, then they will receive a certificate error. {{% alert title="Important" color="warning" %}} -Standard certificates, wildcard certificates, auto-generated self-signed certificates and {{< ahref path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.Advanced.CreateSelfSignedCertificates" title="manually created self-signed certificates" >}} can be used. However, self-signed certificates are not recommended for production instances. +Certificates, wildcard certificates, auto-generated self-signed certificates and manually created self-signed certificates can be used. However, self-signed certificates are not recommended for production instances. +Details on how to create a self-signed certificate can be found at {{< ahref path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.Advanced.CreateSelfSignedCertificates" title="Create Self-Signed Certificates" >}}.
It is possible to reuse the certificate used when {{< ahref path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.SingleServerWithoutHA.ConfigureInstallationScript" title="installing the Application Server" >}}; If doing so, you should {{< ahref path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.SingleServerWithoutHA.AssignCertificateFriendlyName" title="Assign a Certificate Friendly Name" >}} and set the `ImportCertificate` parameter to `$false` in {{< ahref path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.SingleServerWithoutHA.ConfigureCortexGatewayInstallationScript" title="Configure CORTEX Gateway Installation Script" >}} to ensure use of the correct certificate and to prevent it from being overwritten. {{% /alert %}} diff --git a/content/en/docs/2024.7/getting-started/on-premise/install-innovation-only/single-server-without-ha/prerequisites.md b/content/en/docs/2024.7/getting-started/on-premise/install-innovation-only/single-server-without-ha/prerequisites.md index 8a53074c8..0ab63379f 100644 --- a/content/en/docs/2024.7/getting-started/on-premise/install-innovation-only/single-server-without-ha/prerequisites.md +++ b/content/en/docs/2024.7/getting-started/on-premise/install-innovation-only/single-server-without-ha/prerequisites.md 
@@ -193,7 +193,8 @@ This file should be placed in a known location on the server. This location will If the user tries to navigate to an address not in the SAN list, then they will receive a certificate error. {{% alert title="Important" color="warning" %}} -Standard certificates, wildcard certificates, auto-generated self-signed certificates and {{< ahref path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.Advanced.CreateSelfSignedCertificates" title="manually created self-signed certificates" >}} can be used. However, self-signed certificates are not recommended for production instances. +Certificates, wildcard certificates, auto-generated self-signed certificates and manually created self-signed certificates can be used. However, self-signed certificates are not recommended for production instances. +Details on how to create a self-signed certificate can be found at {{< ahref path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.Advanced.CreateSelfSignedCertificates" title="Create Self-Signed Certificates" >}}.
It is possible to reuse the certificate used when {{< ahref path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.SingleServerWithoutHA.ConfigureInstallationScript" title="installing the Application Server" >}}; If doing so, you should set the `ImportCertificate` parameter to `$false` in {{< ahref path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.SingleServerWithoutHA.ConfigureCortexGatewayInstallationScript" title="Configure CORTEX Gateway Installation Script" >}} step to prevent overwriting. {{% /alert %}} diff --git a/content/en/docs/2024.9/getting-started/on-premise/add-innovation-to-72/multiple-server-with-ha/install-web-application-server/prerequisites.md b/content/en/docs/2024.9/getting-started/on-premise/add-innovation-to-72/multiple-server-with-ha/install-web-application-server/prerequisites.md index 89063d75b..86643f086 100644 --- a/content/en/docs/2024.9/getting-started/on-premise/add-innovation-to-72/multiple-server-with-ha/install-web-application-server/prerequisites.md +++ b/content/en/docs/2024.9/getting-started/on-premise/add-innovation-to-72/multiple-server-with-ha/install-web-application-server/prerequisites.md @@ -31,8 +31,11 @@ In order to ensure that the correct certificate is used during the upgrade of {{
The Flow Debugger also requires an X.509 SSL certificate to be installed on the Web Application Server. This can use the same certificate as {{% ctx %}} Gateway, however it must have the following properties: -* Subject field must be in a wildcard format, pertaining to the domain of the Application Servers (e.g. `CN=*.domain.com`). -* Subject alternative names must include any additional host names that should be able to be used to access the API Gateway Service. +* Subject field must be in one of the following formats depending on whether a multi-domain or wildcard certificate is used: + * Multi-domain certificate - If using the [gobetween][] load balancer this should be specified as the FQDN of the load balancer server (e.g. `CN=load-balancer.domain.com`). If using a different load balancer this must be specified as the FQDN of one of the application servers (e.g. `CN=application-server.domain.com`) + * Wildcard certificate - wildcard format, pertaining to the domain of the Application Servers (e.g. `CN=*.domain.com`). +* Subject alternative names must include any additional host names that should be able to be used to access the API Gateway Service. Additionally if using a multi-domain certificate: + * The FQDN, NetBIOS Name and IP address of the web application server and all application servers must be added. * Certificate file must be in a .PFX file format, with a known password. * Certificate file must contain the full chain of certificates. * Certificate file must include the private key. diff --git a/content/en/docs/2024.9/getting-started/on-premise/add-innovation-to-72/multiple-server-with-ha/prerequisites.md b/content/en/docs/2024.9/getting-started/on-premise/add-innovation-to-72/multiple-server-with-ha/prerequisites.md index c3c3fc918..dec2805bf 100644 --- a/content/en/docs/2024.9/getting-started/on-premise/add-innovation-to-72/multiple-server-with-ha/prerequisites.md 
+++ b/content/en/docs/2024.9/getting-started/on-premise/add-innovation-to-72/multiple-server-with-ha/prerequisites.md @@ -258,10 +258,10 @@ The `Cortex.Innovation.Test.PortUsage.ps1` script is provided during installatio #### Application Servers {{% alert title="Note" %}} -For production platforms it is recommended that X.509 SSL wildcard certificates are obtained from a Certificate Authority and used for installation. For non-production platforms, certificates can be omitted from installation and it will create and use self-signed certificates. This may prevent 3rd parties that require valid certificate verification to access the API Gateway Service. +For production platforms it is recommended that X.509 SSL multi-domain or wildcard certificates are obtained from a Certificate Authority and used for installation. For non-production platforms, certificates can be omitted from installation and it will create and use self-signed certificates. This may prevent 3rd parties that require valid certificate verification to access the API Gateway Service. {{% / alert %}} -An X.509 SSL wildcard certificate should be used to: +An X.509 SSL multi-domain or wildcard certificate should be used to: * Secure communication between the load balancer and the nodes on the Application Servers. * Secure communication between the Application Services. 
@@ -271,8 +271,12 @@ An X.509 SSL wildcard certificate should be used to: The certificate can be obtained from a Certificate Authority, such as [Let’s Encrypt](), and must meet the following requirements: -* Subject field must be in a wildcard format, pertaining to the domain of the Application Servers (e.g. `CN=*.domain.com`). -* Subject alternative names must include any additional host names that should be able to be used to access the API Gateway Service. +* Subject field must be in one of the following formats depending on whether a multi-domain or wildcard certificate is used: + * Multi-domain certificate - If using the [gobetween][] load balancer this should be specified as the FQDN of the load balancer server (e.g. `CN=load-balancer.domain.com`). If using a different load balancer this must be specified as the FQDN of one of the application servers (e.g. `CN=application-server.domain.com`) + * Wildcard certificate - wildcard format, pertaining to the domain of the Application Servers (e.g. `CN=*.domain.com`). +* Subject alternative names must include any additional host names that should be able to be used to access the API Gateway Service. Additionally if using a multi-domain certificate: + * The FQDN, NetBIOS Name and IP address of all application servers must be added. + * Optionally, the FQDN, NetBIOS Name and IP address of the web application server must be added if the same certificate will be used for the [web application server][]. * Certificate file must be in a .PFX file format, with a known password. * Certificate file must contain the full chain of certificates. * Certificate file must include the private key. 
@@ -281,11 +285,13 @@ The certificate can be obtained from a Certificate Authority, such as [Let’s E This file should be placed in a known location on the Application Server where the installation scripts will be run. This location will be required when running the installation script. -If required, a separate X.509 SSL certificate can be obtained to be used by the load balancer to communicate with the Application Services. It must meet all of the other requirements laid out above, except the subject field can also be the FQDN of the load balancer (e.g. `CN=machine-name.domain.com`). +If required, a separate X.509 SSL certificate can be obtained to be used by the load balancer to communicate with the Application Services. It must meet all of the other requirements laid out above, except the subject field can also be the FQDN of the load balancer (e.g. `CN=load-balancer.domain.com`). #### Web Application Server -{{% ctx %}} Gateway requires an X.509 SSL certificate to be installed on the Web Application Server. The certificate must have the following properties: +{{% ctx %}} Gateway requires an X.509 SSL certificate to be installed on the Web Application Server. This can be the same certificate as used for the application servers or a different certificate. + +The certificate must have the following properties: * Enhanced Key Usage: `Server Authentication` and `Client Authentication` * Subject Alternative Names (SAN): At minimum the FQDN of the Server. It can also include NetBIOS Name, IP address, localhost, 127.0.0.1 
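Review bot: the added sentence "This can be the same certificate as used for the application servers or a different certificate." reads better as "the same certificate as the one used for the application servers, or a different one", and since reuse is now an explicit option, the hunk should cross-reference the optional web-application-server SAN entries in the application-server requirements above and confirm that the application-server requirement list also includes the Enhanced Key Usage (`Server Authentication` and `Client Authentication`) demanded here, because a certificate obtained only against the application-server list may otherwise not be reusable for {{% ctx %}} Gateway. The same sentence is introduced in the install-innovation-only copy of prerequisites.md at @@ -229 and needs the same treatment.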
@@ -293,8 +299,7 @@ If required, a separate X.509 SSL certificate can be obtained to be used by the If the user tries to navigate to an address not in the SAN list, then they will receive a certificate error. {{% alert title="Important" color="warning" %}} -Certificates, wildcard certificates, auto-generated self-signed certificates and manually created self-signed certificates can be used. However, self-signed certificates are not recommended for production instances. -Details on how to create a self-signed certificate can be found at {{< ahref path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.Advanced.CreateSelfSignedCertificates" title="Create Self-Signed Certificates" >}}. +Multi-domain certificates, wildcard certificates, auto-generated self-signed certificates and {{< ahref path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.Advanced.CreateSelfSignedCertificates" title="manually created self-signed certificates" >}} can be used. However, self-signed certificates are not recommended for production instances. {{% /alert %}} More information about importing the certificate is given during installation. @@ -345,4 +350,5 @@ Innovation has a [gobetween][] load balancer included that isn't highly availabl [Recommended Architecture]: {{< url path="Cortex.GettingStarted.OnPremise.AddInnovationTo72.MultipleServerWithHA.RecommendedArchitecture" >}} [SSL Best Practices]: {{< url path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.Advanced.SSLBestPractices" >}} [Upgrading Gateway]: {{< url path="Cortex.GettingStarted.OnPremise.AddInnovationTo72.MultipleServerWithHA.ConfigureCortexGatewayInstallationScriptNew" >}} +[web application server]: {{< ref "#web-application-server" >}} [Web Deploy]: {{< url path="MSDownload.WebDeploy" >}} 
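Review bot: in the @@ -293 hunk, replacing "Certificates, wildcard certificates, ..." with "Multi-domain certificates, wildcard certificates, ..." drops plain single-name certificates from the list of accepted types, while the corresponding single-server hunks in this patch use "Standard certificates, wildcard certificates, ..."; the Web Application Server properties listed above require only the Enhanced Key Usage values and a SAN containing at minimum the server FQDN, which a standard certificate satisfies, so suggest "Standard certificates, multi-domain certificates, wildcard certificates, auto-generated self-signed certificates and ...". The @@ -345 hunk adding `[web application server]: {{< ref "#web-application-server" >}}` is fine and keeps the reference list in case-insensitive alphabetical order.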
diff --git a/content/en/docs/2024.9/getting-started/on-premise/install-innovation-only/advanced/rollover-certificates.md b/content/en/docs/2024.9/getting-started/on-premise/install-innovation-only/advanced/rollover-certificates.md index 18f6380c5..a3d4b12a9 100644 --- a/content/en/docs/2024.9/getting-started/on-premise/install-innovation-only/advanced/rollover-certificates.md +++ b/content/en/docs/2024.9/getting-started/on-premise/install-innovation-only/advanced/rollover-certificates.md 
@@ -26,8 +26,12 @@ A new, valid X.509 certificate needs to be obtained to update the certificates. The certificate can be obtained from a Certificate Authority, such as [Let’s Encrypt](), and must meet the following requirements: -* Subject parameter must be in a wildcard format, pertaining to the domain of the Application Servers (e.g. `CN=*.domain.com`). -* Subject alternative names must include any additional host names that should be able to be used to access the API Gateway Service. +* Subject field must be in one of the following formats depending on whether a multi-domain or wildcard certificate is used: + * Multi-domain certificate - If using the [gobetween][] load balancer this should be specified as the FQDN of the load balancer server (e.g. `CN=load-balancer.domain.com`). If using a different load balancer this must be specified as the FQDN of one of the application servers (e.g. `CN=application-server.domain.com`) + * Wildcard certificate - wildcard format, pertaining to the domain of the Application Servers (e.g. `CN=*.domain.com`). +* Subject alternative names must include any additional host names that should be able to be used to access the API Gateway Service. Additionally if using a multi-domain certificate: + * The FQDN, NetBIOS Name and IP address of all application servers must be added. + * Optionally, the FQDN, NetBIOS Name and IP address of the web application server must be added if the same certificate is used for the web application server. * Certificate file must be in a .PFX file format, with a known password. * Certificate file must contain the full chain of certificates. * Certificate file must include the private key. 
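Review bot: the first bullet is renamed from "Subject parameter" to "Subject field" here, but the following @@ -36 hunk in the same file still says "except the subject parameter can also be the FQDN of the load balancer", so the two should be aligned (suggest "subject field" in both). This hunk also introduces the reference-style link `[gobetween][]` into rollover-certificates.md without a visible `[gobetween]: ...` definition; please confirm the file already defines it, otherwise Markdown renders the literal brackets. As with the prerequisites pages, the multi-domain bullet should require the CN host name (the load balancer FQDN) to be present in the SAN list as well, since clients ignore the CN when a SAN extension is present, and "Optionally, ... must be added if ..." should be reworded as a plain conditional requirement.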
@@ -36,7 +40,7 @@ The certificate can be obtained from a Certificate Authority, such as [Let’s E This file should be placed in a known location on the Application Server where the certificate update script will be run. This location will be required when running the update script. -If required, a separate X.509 SSL certificate can be obtained to be used by the load balancer to communicate with the Application Services. It must meet all of the other requirements laid out above, except the subject parameter can also be the FQDN of the load balancer (e.g. `CN=machine-name.domain.com`). +If required, a separate X.509 SSL certificate can be obtained to be used by the load balancer to communicate with the Application Services. It must meet all of the other requirements laid out above, except the subject parameter can also be the FQDN of the load balancer (e.g. `CN=load-balancer.domain.com`). ### Configure Update Certificates Script diff --git a/content/en/docs/2024.9/getting-started/on-premise/install-innovation-only/multiple-server-with-ha/install-web-application-server/prerequisites.md b/content/en/docs/2024.9/getting-started/on-premise/install-innovation-only/multiple-server-with-ha/install-web-application-server/prerequisites.md index 7cd5d82c4..27525eb10 100644 --- a/content/en/docs/2024.9/getting-started/on-premise/install-innovation-only/multiple-server-with-ha/install-web-application-server/prerequisites.md +++ b/content/en/docs/2024.9/getting-started/on-premise/install-innovation-only/multiple-server-with-ha/install-web-application-server/prerequisites.md @@ -44,8 +44,11 @@ If the user tries to navigate to an address not in the SAN list, then they will
For the Flow Debugger, the certificate must have the following properties: -* Subject field must be in a wildcard format, pertaining to the domain of the Application Servers (e.g. `CN=*.domain.com`). -* Subject alternative names must include any additional host names that should be able to be used to access the API Gateway Service. +* Subject field must be in one of the following formats depending on whether a multi-domain or wildcard certificate is used: + * Multi-domain certificate - If using the [gobetween][] load balancer this should be specified as the FQDN of the load balancer server (e.g. `CN=load-balancer.domain.com`). If using a different load balancer this must be specified as the FQDN of one of the application servers (e.g. `CN=application-server.domain.com`) + * Wildcard certificate - wildcard format, pertaining to the domain of the Application Servers (e.g. `CN=*.domain.com`). +* Subject alternative names must include any additional host names that should be able to be used to access the API Gateway Service. Additionally if using a multi-domain certificate: + * The FQDN, NetBIOS Name and IP address of the web application server and all application servers must be added. * Certificate file must be in a .PFX file format, with a known password. * Certificate file must contain the full chain of certificates. * Certificate file must include the private key. 
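Review bot: in this @@ -44 hunk the multi-domain SAN sub-bullet requires the FQDN, NetBIOS Name and IP address of the web application server and all application servers, but not the load balancer FQDN that the same hunk tells the reader to place in the Subject CN for the gobetween case; because host-name matching uses SAN entries only when a SAN extension is present, the load balancer FQDN must be listed in the SAN as well or the Flow Debugger endpoint will fail verification when reached through the load balancer. This file also gains a `[gobetween][]` reference-style link with no `[gobetween]: ...` definition in the hunk; confirm one exists in install-web-application-server/prerequisites.md or add it. The gobetween sub-bullet is missing its terminating full stop.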
@@ -53,8 +56,7 @@ For the Flow Debugger, the certificate must have the following properties: * Enhanced Key Usage must include `Server Authentication` and `Client Authentication`. {{% alert title="Important" color="warning" %}} -Certificates, wildcard certificates, auto-generated self-signed certificates and manually created self-signed certificates can be used. However, self-signed certificates are not recommended for production instances. -Details on how to create a self-signed certificate can be found at {{< ahref path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.Advanced.CreateSelfSignedCertificates" title="Create Self-Signed Certificates" >}}. +Multi-domain certificates, wildcard certificates, auto-generated self-signed certificates and {{< ahref path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.Advanced.CreateSelfSignedCertificates" title="manually created self-signed certificates" >}} can be used. However, self-signed certificates are not recommended for production instances.
It is possible to reuse the Flow Debugger certificate for {{% ctx %}} Gateway; If doing so, you must {{< ahref path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.MultipleServerWithHA.AssignCertificateFriendlyNameNew" title="Assign a Certificate Friendly Name" >}} after the debugger has been installed and set the `ImportCertificate` parameter to `$false` in {{< ahref path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.MultipleServerWithHA.ConfigureCortexGatewayInstallationScriptNew" title="Configure CORTEX Gateway Installation Script" >}} to ensure use of the correct certificate and to prevent it from being overwritten. {{% /alert %}} diff --git a/content/en/docs/2024.9/getting-started/on-premise/install-innovation-only/multiple-server-with-ha/prerequisites.md b/content/en/docs/2024.9/getting-started/on-premise/install-innovation-only/multiple-server-with-ha/prerequisites.md index ae8f627e8..bced5c869 100644 --- a/content/en/docs/2024.9/getting-started/on-premise/install-innovation-only/multiple-server-with-ha/prerequisites.md +++ b/content/en/docs/2024.9/getting-started/on-premise/install-innovation-only/multiple-server-with-ha/prerequisites.md 
@@ -206,10 +206,10 @@ The `Cortex.Innovation.Test.PortUsage.ps1` script is provided during installatio #### Application Servers {{% alert title="Note" %}} -For production systems it is recommended that X.509 SSL wildcard certificates are obtained from a Certificate Authority and used for installation. For non-production systems, certificates can be omitted from installation and it will create and use self-signed certificates. This may prevent 3rd parties that require valid certificate verification to access the API Gateway Service. +For production systems it is recommended that X.509 SSL multi-domain or wildcard certificates are obtained from a Certificate Authority and used for installation. For non-production systems, certificates can be omitted from installation and it will create and use self-signed certificates. This may prevent 3rd parties that require valid certificate verification to access the API Gateway Service. {{% / alert %}} -An X.509 SSL wildcard certificate should be used to: +An X.509 SSL multi-domain or wildcard certificate should be used to: * Secure communication between the load balancer and the nodes on the Application Servers. * Secure communication between the Application Services. 
@@ -219,8 +219,12 @@ An X.509 SSL wildcard certificate should be used to: The certificate can be obtained from a Certificate Authority, such as [Let’s Encrypt](), and must meet the following requirements: -* Subject field must be in a wildcard format, pertaining to the domain of the Application Servers (e.g. `CN=*.domain.com`). -* Subject alternative names must include any additional host names that should be able to be used to access the API Gateway Service. +* Subject field must be in one of the following formats depending on whether a multi-domain or wildcard certificate is used: + * Multi-domain certificate - If using the [gobetween][] load balancer this should be specified as the FQDN of the load balancer server (e.g. `CN=load-balancer.domain.com`). If using a different load balancer this must be specified as the FQDN of one of the application servers (e.g. `CN=application-server.domain.com`) + * Wildcard certificate - wildcard format, pertaining to the domain of the Application Servers (e.g. `CN=*.domain.com`). +* Subject alternative names must include any additional host names that should be able to be used to access the API Gateway Service. Additionally if using a multi-domain certificate: + * The FQDN, NetBIOS Name and IP address of all application servers must be added. + * Optionally, the FQDN, NetBIOS Name and IP address of the web application server must be added if the same certificate will be used for the [web application server][]. * Certificate file must be in a .PFX file format, with a known password. * Certificate file must contain the full chain of certificates. * Certificate file must include the private key. 
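Review bot: this @@ -219 hunk in the install-innovation-only prerequisites.md duplicates the add-innovation-to-72 requirements list and carries the same gaps: the multi-domain bullet should require the CN host name (the load balancer FQDN, or the load balancer's FQDN alongside the application server used as CN) to appear in the Subject Alternative Names, since clients match SAN entries and ignore the CN once a SAN extension is present; the sub-bullet "Optionally, ... must be added if ..." should be reworded as a conditional requirement without "Optionally"; the NetBIOS-name and private IP-address SAN entries cannot be issued by a publicly trusted CA such as the Let's Encrypt link in the context line and need an internal CA; and the gobetween sub-bullet lacks its full stop.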
@@ -229,11 +233,13 @@ The certificate can be obtained from a Certificate Authority, such as [Let’s E This file should be placed in a known location on the Application Server where the installation scripts will be run. This location will be required when running the installation script. -If required, a separate X.509 SSL certificate can be obtained to be used by the load balancer to communicate with the Application Services. It must meet all of the other requirements laid out above, except the subject field can also be the FQDN of the load balancer (e.g. `CN=machine-name.domain.com`). +If required, a separate X.509 SSL certificate can be obtained to be used by the load balancer to communicate with the Application Services. It must meet all of the other requirements laid out above, except the subject field can also be the FQDN of the load balancer (e.g. `CN=load-balancer.domain.com`). #### Web Application Server -{{% ctx %}} Gateway requires an X.509 SSL certificate to be installed on the Web Application Server. The certificate must have the following properties: +{{% ctx %}} Gateway requires an X.509 SSL certificate to be installed on the Web Application Server. This can be the same certificate as used for the application servers or a different certificate. + +The certificate must have the following properties: * Enhanced Key Usage: `Server Authentication` and `Client Authentication` * Subject Alternative Names (SAN): At minimum the FQDN of the Server. It can also include NetBIOS Name, IP address, localhost, 127.0.0.1 
@@ -241,8 +247,7 @@ If required, a separate X.509 SSL certificate can be obtained to be used by the If the user tries to navigate to an address not in the SAN list, then they will receive a certificate error. {{% alert title="Important" color="warning" %}} -Certificates, wildcard certificates, auto-generated self-signed certificates and manually created self-signed certificates can be used. However, self-signed certificates are not recommended for production instances. -Details on how to create a self-signed certificate can be found at {{< ahref path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.Advanced.CreateSelfSignedCertificates" title="Create Self-Signed Certificates" >}}. +Multi-domain certificates, wildcard certificates, auto-generated self-signed certificates and {{< ahref path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.Advanced.CreateSelfSignedCertificates" title="manually created self-signed certificates" >}} can be used. However, self-signed certificates are not recommended for production instances. {{% /alert %}} More information about importing the certificate is given during installation. @@ -295,4 +300,5 @@ Innovation has a [gobetween][] load balancer included that isn't highly availabl [Port Requirements]: {{< url path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.Advanced.PortRequirements" >}} [SSL Best Practices]: {{< url path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.Advanced.SSLBestPractices" >}} [TriggersService]: {{< url path="Cortex.Guides.CortexInnovation.CoreApplication.Services.TriggersService.MainDoc" >}} +[web application server]: {{< ref "#web-application-server" >}} [Web Deploy]: {{< url path="MSDownload.WebDeploy" >}} 
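Review bot: in the @@ -241 hunk "Multi-domain certificates, wildcard certificates, ..." removes plain single-name certificates from the accepted list, which the single-server hunks in this patch retain as "Standard certificates"; the Web Application Server properties above (Enhanced Key Usage plus a SAN containing at minimum the server FQDN) are met by a standard certificate, so suggest "Standard certificates, multi-domain certificates, wildcard certificates, ..." here for consistency. The @@ -295 reference addition is correctly placed in the alphabetical list.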
diff --git a/content/en/docs/2024.9/getting-started/on-premise/install-innovation-only/single-server-without-ha/install-web-application-server.md b/content/en/docs/2024.9/getting-started/on-premise/install-innovation-only/single-server-without-ha/install-web-application-server.md index ce88ad527..bb4ed6d5b 100644 --- a/content/en/docs/2024.9/getting-started/on-premise/install-innovation-only/single-server-without-ha/install-web-application-server.md +++ b/content/en/docs/2024.9/getting-started/on-premise/install-innovation-only/single-server-without-ha/install-web-application-server.md @@ -67,8 +67,7 @@ For each folder, perform the following steps: If the user tries to navigate to an address not in the SAN list, then they will receive a certificate error. {{% alert title="Important" color="warning" %}} -Certificates, wildcard certificates, auto-generated self-signed certificates and manually created self-signed certificates can be used. However, self-signed certificates are not recommended for production instances. -Details on how to create a self-signed certificate can be found at {{< ahref path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.Advanced.CreateSelfSignedCertificates" title="Create Self-Signed Certificates" >}}. +Standard certificates, wildcard certificates, auto-generated self-signed certificates and {{< ahref path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.Advanced.CreateSelfSignedCertificates" title="manually created self-signed certificates" >}} can be used. However, self-signed certificates are not recommended for production instances.
It is possible to reuse the certificate used when {{< ahref path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.SingleServerWithoutHA.ConfigureInstallationScript" title="installing the Application Server" >}}; If doing so, you should {{< ahref path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.SingleServerWithoutHA.AssignCertificateFriendlyName" title="Assign a Certificate Friendly Name" >}} and set the `ImportCertificate` parameter to `$false` in {{< ahref path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.SingleServerWithoutHA.ConfigureCortexGatewayInstallationScript" title="Configure CORTEX Gateway Installation Script" >}} to ensure use of the correct certificate and to prevent it from being overwritten. {{% /alert %}} diff --git a/content/en/docs/2024.9/getting-started/on-premise/install-innovation-only/single-server-without-ha/prerequisites.md b/content/en/docs/2024.9/getting-started/on-premise/install-innovation-only/single-server-without-ha/prerequisites.md index 0ab63379f..8a53074c8 100644 --- a/content/en/docs/2024.9/getting-started/on-premise/install-innovation-only/single-server-without-ha/prerequisites.md +++ b/content/en/docs/2024.9/getting-started/on-premise/install-innovation-only/single-server-without-ha/prerequisites.md 
@@ -193,8 +193,7 @@ This file should be placed in a known location on the server. This location will If the user tries to navigate to an address not in the SAN list, then they will receive a certificate error. {{% alert title="Important" color="warning" %}} -Certificates, wildcard certificates, auto-generated self-signed certificates and manually created self-signed certificates can be used. However, self-signed certificates are not recommended for production instances. -Details on how to create a self-signed certificate can be found at {{< ahref path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.Advanced.CreateSelfSignedCertificates" title="Create Self-Signed Certificates" >}}. +Standard certificates, wildcard certificates, auto-generated self-signed certificates and {{< ahref path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.Advanced.CreateSelfSignedCertificates" title="manually created self-signed certificates" >}} can be used. However, self-signed certificates are not recommended for production instances.
It is possible to reuse the certificate used when {{< ahref path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.SingleServerWithoutHA.ConfigureInstallationScript" title="installing the Application Server" >}}; If doing so, you should set the `ImportCertificate` parameter to `$false` in {{< ahref path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.SingleServerWithoutHA.ConfigureCortexGatewayInstallationScript" title="Configure CORTEX Gateway Installation Script" >}} step to prevent overwriting. {{% /alert %}}