Parallels H-Sphere Documentation System Administrator Guide

 

Securing Your CP Server with SSL

 
 

Related Docs:   Securing Reseller Control Panels With SSL Installing Shared SSL Certificates Reseller Shared SSL Securing Transferred Data through SSL (User guide)

Last modified: 27 Dec 2007

 

WARNING: This documentation covers Parallels H-Sphere versions up to 3.1. For the latest up-to-date Parallels H-Sphere documentation, please proceed to the official Parallels site.

This document gives a step-by-step instruction on how to secure your CP apache server with a regular SSL certificate.

You can secure your control panel with a wildcard certificate if you install it on the same domain name. For example, if your cp domain name is cp.example.com, you can secure it by installing wildcard certificate to example.com.

We recommend that you configure your system to be accessible both by http and https, because SiteStudio doesn't fully support https protocol.

To secure your CP with regular SSL:

  1. Create or choose a directory to store SSL-related files. E.g.:
    #mkdir cert
    Make this directory available only for root:
    #chmod 700 cert
    Go to this directory:
    #cd cert
  2. Generate an SSL private key with the OpenSSL utility:
    #openssl genrsa -des3 -out server.key 1024
    When prompted for a pem phrase, enter any combination of 4 characters, e.g. 1234. A unique private key will be generated into the server.key file.
    For more, read modssl documentation.
  3. Copy this file to a secure location. You will need it later.
  4. Make the newly generated file readable only by root:
    #chmod 600 server.key
  5. To view the content of the private key file, use the command:
    #openssl rsa -noout -text -in server.key
  6. Remove pass phrase from the private key:
  7. #openssl rsa -in server.key -out server.key.unsecure
  8. Now you don't need the private key with the pass phrase any more. Overwrite it with the private key without the pass phrase:
    #cp server.key.unsecure server.key
  9. Generate an SSL certificate signing request based on the private key:
    #openssl req -new -key server.key -out server.csr
    You will have to answer many questions related to your company. Your answers are required to be included in the certificate.
    Note: Common name is the URL at which you want your control panel to be available, e.g. cp.yourdomain.com (not yourdomain.com).
  10. Check the content of the certificate request file:
    #openssl req -noout -text -in server.csr
    If you find a mistake in the data you have submitted, you can re-generate the request anew.
  11. Make sure to back up your SSL files:
    # mkdir backup
    # chmod 700 backup

    # cp ./*.* backup/
  12. Send the generated CSR file to a trusted Certificate Authority for signing. They will send you back the certificate. Save it as server.crt.
  13. To view the content of the certificate, run:
    # openssl x509 -noout -text -in server.crt
  14. Save the private key and the certificate:
    # cp -f ./server.key /hsphere/local/home/cpanel/apache/etc/ssl.key/
    # cp -f ./server.crt /hsphere/local/home/cpanel/apache/etc/ssl.crt/
  15. Important: Make sure to back up the ssl.key and ssl.crt files to a safe location. You may need them in the future.
  16. If your certificate was signed by a non-trusted certificate authority, run the following command:
    # cp -f ./ca-bundle.crt /hsphere/local/home/cpanel/apache/etc/ssl.crt/
  17. If your certificate doesn't require chain certificate, skip this item. Otherwise, do the following:
    • Store chain certificate in file:
      /hsphere/local/home/cpanel/apache/etc/ssl.crt/ca.crt
    • Create custom CP apache config template if you don't have any
    • Add line (according to Step 2 "Edit template" in the above mentioned document) :
      SSLCertificateChainFile /hsphere/local/home/cpanel/apache/etc/ssl.crt/ca.crt
      to file:
      /hsphere/local/home/cpanel/apache/etc/httpd.conf.tmpl.custom
  18. Open the file hsphere.properties:
    # vi /hsphere/local/home/cpanel/shiva/psoft_config/hsphere.properties
    and change lines:
    CP_PORT = 8080
    CP_PROTOCOL=http://
    to:
    CP_PORT = 8443
    CP_PROTOCOL=https://
  19. Restart H-Sphere.
  20. Check the log file:
    # vi /hsphere/local/home/cpanel/apache/logs/ssl_engine_log

Now your control panel must be available at both http://cp.yourdomain.com:8080 and https://cp.yourdomain.com:8443

 

Disabling HTTP access.

We don't recommend disabling HTTP access, because it is required by SiteStudio. Still, if you have chosen to disable http, do the following:

  1. Open the file ~cpanel/apache/etc/httpd.conf
  2. If you would like to exclude http access and use only secure connections, comment out the line "Listen 8080" in the block IfDefine SSL.
  3. Restart H-Sphere.

 

Switching Between IP and Domain Name

You can't have your control panel available both by domain name and IP address. You can have only one. To switch between IP and domain name control panel access:

  1. Open the /hsphere/local/home/cpanel/shiva/psoft_config/hsphere.properties file.
  2. Set the value of CP_HOST to your new CP URL/IP. Make sure not to change the value of the PATH_SITE_STUDIO property.
  3. Save and exit the file.
  4. Restart H-Sphere.

-

Check for feedback from H-Sphere owners on how to use H-Sphere with POP3 SSL, IMAP SSL, SMTP SSL and SFTP.


Related Docs:   Securing Reseller Control Panels With SSL Installing Shared SSL Certificates Reseller Shared SSL Securing Transferred Data through SSL (User guide)



© Copyright 2017. Parallels Holdings. All rights reserved.