Domain/SSL
The Settings > Domain/SSL pane is used to configure the domain name, SSL, and Edge Remote endpoint in Litmus Edge Manager. This pane includes the following sections:
- Domain
- SSL settings
- Edge Remote
Refer to the image and descriptions below to review the process of adding an SSL certificate to Litmus Edge Manager (LEM) or Litmus Edge (LE).
- Step 1: You will need to request an SSL certificate from your IT team.
- Step 2: Your IT team will make a request for the SSL certificate from a certificate authority (CA) (for example, DigiCert).
- Step 3: The CA will return the following to your IT team.
- The root CA certificate file
- Any required intermediate certificates
- The SSL certificate file
- Step 4: The IT team will send you the following.
- The root certificate file
- Any required intermediate certificates
- The SSL certificate file
- The private key file
- Step 5: You will apply the following in either Litmus Edge Manager (see SSL Settings section below) or Litmus Edge (see Add a Device Certificate).
- The CA chain file (root CA file and all intermediate certificates)
- The SSL certificate
- The private key file
You can use the domain name to obtain access to Litmus Edge Manager without knowing the IP address. This helps when configuring settings:
- Base domain name: The basic domain name is used by clients accessing the Litmus Edge Manager Admin Console, Litmus Edge Manager Application, and Keycloak application.
Ensure a DNS server exists to handle requests by clients using the domain name.
[1] Edit Base Domain Name: Changing the domain name can cause connection issues such as disconnecting all previously connected edge devices. It is recommended that you make DNS changes prior to configuring the rest of your settings. The domain name also causes an update to the certificates. It may be necessary to accept new certificates after reloading the current browser tab. See Browser Access Restrictions for more information.
- If the domain name is valid, a green check mark displays.
- If the domain name is invalid, a red exclamation mark displays.
[2] Copy base domain name
[3] View Domain Log: Enabling auto-scroll is helpful when running an import process.
[4] Save base domain name
There are three options when selecting an SSL setting:
- Instance Default Certificate: Allows you to use the default self-signed SSL certificate that is automatically created during deployment when you first boot up for HTTPS, and MQTT SSL.
- Let's Encrypt Webroot mode: The certificate is based on Let's Encrypt using their Webroot mode. You must enter the domain name for your web-server in the Domain section. An IP address cannot be used. This is used when the web-server is exposed to the Internet and should not be used for private networks.
- User Defined: The SSL encryption uses a self-signed certificate (.crt or .pem file) and a (.key or .pem file) that has been uploaded to Litmus Edge Manager. The same certificate must be uploaded to the connected edge device.
[5] Select SSL Setting
- Select Instance Default Certificate to ensure that the SSL certificates that are used for the server and instances are valid and trusted by the server.
- Select Let's Encrypt Webroot mode to secure publicly available content in a domain by encryption, and then click Save. It issues a certificate when ownership is proven. This selection requires that a domain name is set. This selection cannot be used with an IP address.
- Select User Defined to use an SSL certificate and key file to secure content. A .crt or .pem file and a .key or .pem file is required for this selection.
[6] (User-Defined Only) Upload SSL Certificate
[7] (User-Defined Only) Key file
[8] (User-Defined Only) Root CA Certificate: Upload a CA chain file. Creating a CA (Certificate Authority) chain file involves consolidating the necessary certificates to establish a trust hierarchy for secure communication. To do this, you'll typically need the intermediate certificates that link your SSL certificate to the root certificate, ensuring a complete chain of trust. Begin by gathering the required certificates, which often include intermediate certificates, and the root certificate. Then, execute a command to combine all required certificates into a single file. See the example below.
Example: You have the following intermediate certificates: intermediate1.pem and intermediate2.pem. You create a CA chain file by combining the intermediate certificates with the root certificate (root.pem) with the following command: cat intermediate1.pem intermediate2.pem root.pem > ca-chain.pem. The CA chain file is named ca-chain.pem.
[9] View SSL Log: Enabling auto-scroll is helpful when running an import process.
[10] Save SSL Settings
The Edge Remote endpoint is the location of the Litmus Edge Manager remote service that forms a private secured connection between this Litmus Edge Manager instance and all of its associated Litmus Edge devices. This endpoint can be used for a DNS or an IP address.
By default and in most circumstances, the Edge Remote endpoint will be identical to the Litmus Edge Manager instance's IP address/DNS.
The only exception is when the Litmus Edge Manager is deployed on Google Kubernetes Engine. In this deployment situation, the IP address of the Litmus Edge Manager and the IP address of the LEM remote service will differ. The IP address of the Litmus Edge Manager remote service will be generated by Kubernetes and should be set as the Edge Remote endpoint accordingly. If a DNS is associated with the IP address received from Kubernetes, then the DNS should likewise also be set as the Edge Remote endpoint accordingly. Setting the DNS this way prevents the need to reactivate Litmus Edge devices when the Litmus Edge Manager IP address changes.
Refer to the following actions you can take on Litmus Edge Manager Admin Console's Domain/SSL pane.
[11] Edit Edge Remote
[12] Copy Edge Remote endpoint
[13] Save Edge Remote endpoint: You can only save when the DNS/IP address is valid.