Configure Built-in TLS in Command Line - Help

Configuring TLS in your current Hub installation

Using the command line, you can switch between the following secure mode configurations:

HTTP — default HTTP mode. TLS is disabled
HTTPS(keystore) — secure HTTPS mode. TLS is enabled. The private key/certificate data is stored in a keystore file.
HTTPS(privateKeyAndCert) — secure HTTPS mode. TLS is enabled. The private key, certificate, and certificate chain(optional) are stored in separate files in the PEM format.

To switch to a desired mode, you need to stop Hub and run the configure command defining all the properties required for the configuration of your choice. See below for detailed instructions and a complete list of the properties for each configuration.

To switch to the HTTP mode:

Stop Hub: <hub_home>/bin/hub.sh stop
Enter the following command:
<hub_home>/bin/hub.sh configure --listen-port=8080 --secure-mode=disable
Start Hub: <hub_home>/bin/hub.sh start

To switch to the HTTPS (keystore) mode:

Create a temporary folder and place the file keystore.jks containing the server's private key and certificate in that folder.
Stop Hub: <hub_home>/bin/hub.sh stop
Run the following command:
<hub_home>/bin/hub.sh configure --listen-port=443 --secure-mode=tls --tls-server-cert-storage-type=keystore --tls-server-cert-folder=<folder with file keystore.jks> --tls-server-cert-keystore-password=<keystore password> --tls-server-cert-keystore-key-alias=<private key entry alias> --tls-server-cert-keystore-key-password=<private key entry password> -- tls-redirect-from-http=<[true|false]> [--tls-redirect-from-http-listen-port=8080]
Start Hub: <hub_home>/bin/hub.sh start

To switch to the HTTPS (privateKeyAndCert) mode:

Create a temporary folder (let's call it <certificates_folder>) to store the files with private key, certificate, and certificate chain (if any).
Place the private key (in the PEM format) into file <certificates_folder>/privateKey.pem.
Place the server certificate (in the PEM format) associated with the private key into the file <certificates_folder>/certificate.crt.
If you have a certificate chain for signing the server's certificate (in the PEM format), place it into the file <certificates_folder>/certificateChain.crt.
Stop Hub: <hub_home>/bin/hub.sh stop
Run the following command:
<hub_home>/bin/hub.sh configure --listen-port=443 --secure-mode=tls --tls-server-cert-storage-type=privateKeyAndCert --tls-server-cert-folder=<certificates_folder> --tls-redirect-from-http=<[true|false]> [--tls-redirect-from-http-listen-port=8080]
If the private key is encrypted, also add the tls-server-cert-keystore-key-password property to provide the passphrase for the key.
Start Hub: <hub_home>/bin/hub.sh start

Redirecting HTTP traffic

If you are going to use a secure HTTPS mode, you can optionally set up a Redirect listen port — a non-secure port that will receive all HTTP requests and redirect them to the secure listen port. To do so, add the parameters tls-redirect-from-http=true and tls-redirect-from-http-listen-port=<your redirect port number> to the configure command.

Configuration Parameters

HTTP

Property	Value	Description
secure-mode	disable	The default value of the property. TLS is disabled by default.
listen-port		The port on which Hub listens to the HTTP traffic.

HTTPS (common properties)

Property	Value	Description
secure-mode	tls	TLS is enabled
tls-server-cert-storage-type	`keystore\|privateKeyAndCert`	Defines the format (storage type) of a server certificate. See descriptions of each storage type below.
tls-redirect-from-http	`true` or `false`. The default value is `false`.	Set to true, to enable an additional port (defined by property `tls-redirect-from-http-listen-port`) to accept unencrypted HTTP traffic and redirect it to a secure port defined by the property `listen-port`.
tls-redirect-from-http-listen-port		Specify an additional port to accept unencrypted HTTP traffic and redirect it to a secure port defined by the property `listen-port` (to enable this port, set the property `tls-redirect-from-http` to `true`)
tls-server-cert-folder		Specify the directory that contains server certificate files to be applied to Hub. The directory should contain the file `keystore.jks`. If you are using the keystore format (the property `tls-server-cert-storage-type` is set to keystore in that case). The directory should contain the files `privateKey.pem`, `certificate.crt` and `certificateChain.crt` (if any) if you are using the PEM format (the property `tls-server-cert-storage-type` is set to `privateKeyAndCert` in that case).

HTTPS (keystore - additional settings)

Property	Value	Description
tls-server-cert-storage-type	keystore	Use this property if your private key/certificate data is stored in a generated keystore file. In this mode, the server's private key/certificate pair will be derived from the file `internal/cert/keystore/keystore.jks` located in the conf directory. The keystore file is saved in the JKS format.
tls-server-cert-keystore-password		Keystore integrity password
tls-server-cert-keystore-key-alias		Alias that is associated with the private key/certificate entry in the keystore.
tls-server-cert-keystore-key-password		Password that protects your server's private key entry in the keystore.

HTTPS (privateKeyAndCert - additional settings)

Property	Value	Description
tls-server-cert-storage-type	privateKeyAndCert	In this mode the server's private key/certificate pair is taken from the files `internal/cert/privateKeyAndCert/privateKey.pem`, `internal/cert/privateKeyAndCert/certificate.crt` that are located in the `conf` directory. Also, a certificate chain can be defined in the file `internal/cert/privateKeyAndCert/certificateChain.crt`. All files are assumed to be stored in the PEM format. Private key in PKCS#8 or PKCS#1 format.
tls-server-cert-private-key-passphrase	string	If you use an encrypted private key, then use this property to provide the passphrase that was used for encryption. Supported for both PKCS#8 and PKCS#1 formats.