Managing the Node API
Communicating with Aspera nodes over HTTPS
The Aspera Node API provides an HTTPS interface for encrypted communication between node machines (on Port 9092, by default). For example, if you are running the Faspex Web UI or the Shares Web UI on Machine A, you can encrypt the connection (using SSL) with your transfer server or file-storage node on Machine B. Enterprise Server nodes are preconfigured to use Aspera's default, self-signed certificate (aspera_server_cert.pem), located in the following directory:
About PEM Files: The PEM certificate format is commonly issued by Certificate Authorities. PEM certificates have extensions that include .pem, .crt, .cer, and .key, and are Base-64 encoded ASCII files containing "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" statements. Server certificates, intermediate certificates, and private keys can all be put into the PEM format.
To generate a new certificate, follow the instructions below.
In this step, you will generate an RSA Private Key and CSR using OpenSSL. In a Terminal window, enter the following command (where my_key_name.key is the name of the unique key that you are creating and my_csr_name.csr is the name of your CSR):
$ openssl req -new -nodes -keyout my_key_name.key -out my_csr_name.csr
After entering the command in the previous step, you will be prompted to input several pieces of information, which are the certificate's X.509 attributes.
Generating a 1024 bit RSA private key
....................++++++
................++++++
writing new private key to 'my_key_name.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:Your_2_letter_ISO_country_code
State or Province Name (full name) [Some-State]:Your_State_Province_or_County
Locality Name (eg, city) :Your_City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your_Company
Organizational Unit Name (eg, section) :Your_Department
Common Name (i.e., your server's hostname) :secure.yourwebsite.com
Email Address :firstname.lastname@example.org
You will also be prompted to input "extra" attributes, including an optional challenge password. Please note that manually entering a challenge password when starting the server can be problematic in some situations (for example, when starting the server from the system boot scripts). You can skip entering a challenge password by pressing Enter.
...
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password :
An optional company name :
After finalizing the attributes, the private key and CSR are saved to your root directory.
You now need to send your unsigned CSR to a Certificate Authority (CA). Once the CA has signed it, you will have a valid, signed certificate.
At this point, you may need to generate a self-signed certificate for either of the following reasons:
You can also generate a self-signed certificate through OpenSSL. To generate a temporary certificate (good for 365 days), run the following command:
$ openssl x509 -req -days 365 -in my_csr_name.csr -signkey my_key_name.key -out my_cert_name.crt
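The key, CSR and self-signed certificate steps above can be run without the interactive prompts and checked before the files are placed in the .pem file. The script below is an added example, not part of the original Aspera documentation: the function names and the -subj values are constructed, and it sets the key size to 2048 bits explicitly rather than taking the OpenSSL default shown in the sample output.

```shell
#!/bin/sh
# Added example, not from the original page. File names follow the page's
# placeholders; the subject (-subj) values are constructed sample data.
WORKDIR=$(mktemp -d)
KEY="$WORKDIR/my_key_name.key"
CSR="$WORKDIR/my_csr_name.csr"
CRT="$WORKDIR/my_cert_name.crt"
SUBJ="/C=US/ST=Some-State/L=Your_City/O=Your_Company/CN=secure.yourwebsite.com"

make_key_and_csr() {
    # -newkey rsa:2048 fixes the key size instead of relying on the installed
    # OpenSSL default (the sample output above shows 1024 bits).
    openssl req -new -nodes -newkey rsa:2048 -subj "$SUBJ" \
        -keyout "$KEY" -out "$CSR" 2>/dev/null
    chmod 600 "$KEY"   # the key is unencrypted (-nodes), so restrict access
}

self_sign() {
    openssl x509 -req -days 365 -in "$CSR" -signkey "$KEY" -out "$CRT" 2>/dev/null
}

key_bits() {
    # Prints the RSA modulus size of the private key, e.g. 2048.
    openssl rsa -in "$KEY" -noout -text 2>/dev/null |
        sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

csr_signature_ok() {
    openssl req -in "$CSR" -noout -verify 2>&1 | grep -q "verify OK"
}

key_matches_cert() {
    # The public key derived from the private key must equal the one in the cert.
    from_key=$(openssl pkey -in "$KEY" -pubout 2>/dev/null)
    from_crt=$(openssl x509 -in "$CRT" -noout -pubkey 2>/dev/null)
    [ -n "$from_key" ] && [ "$from_key" = "$from_crt" ]
}

valid_for_days() {
    # Succeeds if the certificate is still valid $1 days from now.
    openssl x509 -in "$CRT" -noout -checkend $(( $1 * 86400 )) >/dev/null
}

make_key_and_csr && self_sign || exit 1
echo "key size: $(key_bits) bits"
csr_signature_ok && echo "CSR self-signature verifies"
key_matches_cert && echo "certificate matches private key"
valid_for_days 30 || echo "certificate expires within 30 days"
```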
Case 1: If you have individual certificate files, the contents of the new .pem file should be added in the following sequence:
Case 2: If you have a bundle of certificates, the contents of the new .pem file should be added in the following sequence:
In this case (you have a certificate bundle), create a new file named aspera_server_cert.chain. This file must reside in the same installation directory as the .pem files. Place the root certificate in this file, followed by the bundle.
You must restart (not reload) the Aspera node service after generating a new certificate. To do so, run the following command(s):
# /etc/init.d/asperanoded restart