5. Setting up HTTPS

5.1. Preface

Cases shared by Intella Connect can be accessed in various ways in the browser (the addresses listed below are artificial):

• via an internal IP, e.g. http://192.168.1.104:8084
• via an external IP, e.g. http://91.100.40.80:8084
• via a domain name, e.g. http://this-is-my-domain.com:8084
• via a machine’s network name, e.g. http://my-PC:8084

The HTTPS (SSL) communication layer needs to know under which URL Intella Connect’s pages will be served. Knowing that and having a proper certificate validated by a third party vendor (called a Certification Authority) will allow Connect to make use of a secure channel for serving these pages.

---

5.2. Prerequisites for HTTPS configuration

There are a number of things that need to be done before you can use HTTPS in Intella Connect. Please make sure that all of these requirements are met.

5.2.1. Signed SSL certificate

These steps depend on whether you already have a working SSL certificate, so please follow the steps most suitable for your situation.

I’m already in possession of an SSL (PKCS12) certificate issued for my company/domain

1. Read the locating the utility program for working with keystores section of this document to learn how to make use of the keytool utility.
2. Import the existing PKCS12 file called xxx.p12 into a new keystore: > keytool -importkeystore -srckeystore xxx.p12 -srcstoretype PKCS12 -destkeystore my-site.com.keystore
3. At this point you will have a new keystore database containing your private and public keys.
4. The next step depends on whether or not the .p12 file contains required certificates:

• If the .p12 file contains all the needed certificates, please proceed with the modifying SSL settings in Intella Connect Dashboard section.
• If the .p12 file did not contain all the necessary certificates from your CA, please download them and proceed with the adding certificates to the Keystore section of this document.

I do not have a SSL certificate or I want to use a new one

1. Decide upon the Case URL scheme that you would like to use for case sharing in Connect. Your options are:

• A domain (recommended) – domain names are easier to remember and do not change that often. If your domain is already taken, you can easily choose something unique, yet easy to remember, like: www.my-connect-cases.com
• A public IP address.

2. Sign up with one of the Certification Authorities and open an account that will allow you to sign domain (or IP) certificates.
3. Remember the address for which the certificate was issued.

5.2.2. Configuring the domain

If you decided to use a domain for case sharing, then you need to configure it now. Please log in to the machine (server) where you will be running Connect and check its public IP (when in doubt, please use Google).

After that you need to log in to the management panel for your domain provider and set the DNS records so that the domain points to the current public IP of your Connect PC.

Note: for purposes of this tutorial we will be using an artificial address/domain pair: 1.2.3.4, www.my-site.com

5.2.3. Configuring the router (optional)

It might happen that the server machine is behind NAT, managed by a router. In that case you will need to set up port forwarding for at least two TCP ports: one for the Intella Connect Dashboard page and one for each shared case, as each case will get its own dedicated TCP port on the Connect PC.

5.2.4. Verifying initial setup

For the sake of this guide I will be using the following ports:

• Admin app: http://1.2.3.4:9999
• Sample case: http://1.2.3.4:8084

Start Intella Connect. Then open up a browser and navigate to the Intella Connect Dashboard address listed above. At this point you should be able to see the Intella Connect Dashboard page. After you share a case on the port mentioned above, the case should be available on the above location as well.

---

5.3. Setting up SSL certificates in Connect

On the Intella Connect Dashboard page, after clicking on the Settings menu item, one can see the following configuration panel:

Figure: SSL settings in Connect

The most important thing to notice here are the properties of the so-called Keystore. A keystore is nothing more than a secure database that holds all the certificates needed by a server (in our case - Connect). In order to proceed, we will need to create the keystore manually.

5.3.1. Locating the utility program for working with keystores

Intella Connect bundles a special utility program for working with keystores. This tool is a part of the bundled Java distribution and is called keytool.exe. It can be found in:

C:\Program Files\Vound\Intella Connect 1.7.3\jre\bin\keytool.exe

5.3.2. Creating a new keystore

First, let’s prepare a directory to work with. For the sake of this manual, I have created the folder C:\Users\Lukas\Desktop\ssl where I will be temporarily storing all the necessary files.

Note: if you have your own certificate, you do not need to generate the private/public key pair in this step (note the -genkey flag) and you can safely proceed to the adding certificates to the Keystore section.

To create a keystore, please do the following:

1. Open a command line tool by pressing *Windows + R* and typing *cmd* followed by *Enter*.
2. Use the *cd* command to go to the folder containing the keystore application.
3. Enter the following command (put everything on a single line, change folders if needed): keytool -genkey -keyalg RSA -keysize 2048 -keystore C:\Users\Lukas\Desktop\ssl\my-site.com.keystore
4. You will be asked to enter some values. Please use your best judgment to fill in the necessary fields. Listed below are the ones that are important for Connect:

• Keystore password: use a strong password, we will be using it later in the Settings panel.
• First and last name (also referred as CN – Common Name): please provide the address for which the certificate was issued to (remember: that was either a public IP or domain).
• Key password: this password is different from the keystore password. Use an equally strong password.

5. After this step you should have a new keystore ready with an unsigned certificate. The keystore is located in the folder used for temporary files, in this example C:\Users\Lukas\Desktop\ssl\my-site.com.keystore.

5.3.3. Requesting certificate signature

Note: this and the following steps apply only if you did not have your own certificate already and you have just created one in the step before.

Since now you are in possession of an unsigned certificate, you need to ask a Certification Authority (CA) to sign it. CAs accept only requests for certificate signature, so you need to create one using the keytool.

On the command line, please enter the following command:

keytool -certreq -keyalg RSA -file C:\Users\Lukas\Desktop\ssl\my-site.com.csr -keystore C:\Users\Lukas\Desktop\ssl\my-site.com.keystore

You will be asked for the master password for the keystore, which you have defined in the first step. This should produce a file called my-site.com.csr

5.3.4. Signing the certificate

You now have to supply this signature request to the Certification Authority. This process is specific to the authority signing the certificate. After the CA is done with processing your request, you should receive a set of signed (verified) certificates, which can now be added back to the keystore.

5.3.5. Adding certificates to the Keystore

You now have to add each certificate that you have received from your CA back to the keystore. Most likely you have received three files: the CA’s certificate, an intermediate certificate and the one which applies to your domain (IP). Please use keytool.exe again to add them using the commands below. Please keep in mind, that for this tutorial our CA has supplied us with three files (AddTrustExternalCARoot.crt, PositiveSSLCA2.crt and www_my-site_com.crt) which are stored in the “signed” subdirectory:

keytool -import -trustcacerts -alias AddTrustExternalCARoot -file C:\Users\Lukas\Desktop\ssl\signed\AddTrustExternalCARoot.crt -keystore C:\Users\Lukas\Desktop\ssl\my-site.com.keystore

keytool -import -trustcacerts -alias PositiveSSLCA2 -file C:\Users\Lukas\Desktop\ssl\signed\PositiveSSLCA2.crt -keystore C:\Users\Lukas\Desktop\ssl\my-site.com.keystore

keytool -import -trustcacerts -alias mykey -file C:\Users\Lukas\Desktop\ssl\signed\www_my-site_com.crt -keystore C:\Users\Lukas\Desktop\ssl\my-site.com.keystore

---

5.4. Modifying SSL settings in Intella Connect Dashboard

At this point you can come back to the Intella Connect Dashboard page and finish setting up SSL. The three mandatory fields that are listed there should be set as following:

1. Keystore password – the master password for the Keystore database.
2. Key password – the password for our signed certificate.
3. Keystore location – location of the Keystore, in this tutorial it was: C:\Users\Lukas\Desktop\ssl\my-site.com.keystore
4. Save the changes.

After that you need to restart Intella Connect to finish the process.

An appropriate warning about this should be displayed after you save the changes.

5.4.1. Verifying HTTPS

In the end you should be able to navigate to https://www.my-site.com:9999 (note the “https” in the URL) and see the Lock icon in the web browser’s address bar, which shows that you are using a secure connection.

When you share a case, it should now be available under the following URL: https://www.my-site.com:8084

5.5. Disabling HTTPS

If SSL needs to be disabled, it can be done by clicking on the Disable button. This will however not remove SSL immediatelly. Intella Connect will only change the status of SSL to be disabled. The actual removal of the SSL channel will be performed when Intella Connect is re-started. This is to prevent any active users that use SSL from receiving errors related to the disabling of the SSL layer.