How do I connect to QIE using ssl/tls (https) connections instead of http?

0 votes
813 views
asked Sep 28, 2015 by ben-s-7515 (11,340 points)
I would like to require the login and maintenance of QIE to use ssl/tls (https) connections instead of plain text.  How do I configure my system for this?

2 Answers

+1 vote
 
Best answer

Starting with the 3.0.45 release of QIE, users can natively secure QIE using ssl/tls (https) connections.  For this to work, the private key and public certificate will need to be added to a keystore.  Once you have a password-protected keystore, you will follow these steps to secure QIE.

1) Add the following java options to the 'QIE Service Manager' startup arguments:

-Dqie.secureConsole=true
-Dqie.consoleKeyStore={path to keystore (ex. C:\ProgramData\QIE\ssl\mykeystore.jks)}
-Dqie.consoleKeyStorePass={password}

   NOTE: When adding these options in a linux environment make sure that the options are after the -jar parameter.

2) Make sure that the jetty.port java option found in the 'QIE Service Manager' is set to a port other than 80 and 8080.  The most common ports to use would be 443 or 8443.

Once the java options have been configured, the QIE service will need to be restarted.  You can now connect to the management console using https.

answered Jan 12, 2017 by ben-s-7515 (11,340 points)
0 votes

QIE doesn't natively support TLS for login or maintenance of the channels.  However, you can do this with Apache.  The following steps will walk you through the process.

1) Download and install apache
  -- It can be found at http://httpd.apache.org/download.cgi
      (note: Apache doesn't publish a windows installer, so if you need to install on windows you can download it from http://www.apachelounge.com/download)
      (note: If running apache with windows, you will also need to download and install the 'Microsoft Visual C++ 2015 Redistributable Package' found at https://www.microsoft.com/en-us/download/confirmation.aspx?id=48145 )
  -- Follow the instructions in the 'Readme.txt' for installing the services and auto-startup of ApacheMonitor.exe.

2) Log into QIE and create a new private key.  With that private key create a self-signed certificate.
  -- Export the new key (by itself, not with the certificate)
  -- Export the self-signed certificate (by itself, not with the key)

3) Edit httpd.conf file.  Find the section with all of the 'LoadModule' lines and ensure that the following are not commented with a #

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule xml2enc_module modules/mod_xml2enc.so

4) Edit the httpd.conf file for apache.  At the bottom add:

<VirtualHost *:443>
    ServerName localhost
    SSLEngine on
    SSLCertificateFile "{path to self-signed certificate}"
    SSLCertificateKeyFile "{path to private key}"

    # Reverse proxy only: ProxyRequests must be off, otherwise Apache also acts as an open forward proxy
    ProxyRequests off
    ProxyPreserveHost on
    ProxyPass / http://localhost:8089/
    ProxyPassReverse / http://localhost:8089/
</VirtualHost>

<VirtualHost *:80>
    ServerName localhost
    RewriteEngine on
    RewriteCond %{HTTP_HOST} ^localhost
    # Redirect plain HTTP to HTTPS; the optional leading slash avoids a doubled "//" in the target URL
    RewriteRule ^/?(.*)$ https://localhost/$1 [R,L]
</VirtualHost>

5) Restart the apache services.

6) Configure QIE to listen on port 8089 instead of 80 by setting the '-Djetty.port' java option.  (It should look like -Djetty.port=8089)

7) Restart the QIE services.

8) To ensure that users cannot connect directly to port 8089, you will want to make sure that the firewall is turned on to not allow external connections to this port.

Once everything is back up and running you should be able to browse to 'https://localhost' and you will get the login screen.  Also, you will be able to browse to 'http://localhost' and get redirected to 'https://localhost'.

answered Sep 28, 2015 by ben-s-7515 (11,340 points)
edited Sep 28, 2015 by ben-s-7515
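
An added example, not part of the original answer and not QIE or Apache code: a small Python audit for a TLS reverse-proxy httpd.conf like the one in the Apache answer above. It flags ProxyRequests on (which enables forward proxying), a proxying vhost without SSLEngine on, a clear-text backend that is not on loopback, and a plain-HTTP vhost that does not redirect to https. The sample config, its certificate paths, and the function names parse_vhosts and audit are constructed for illustration.

```python
import re

# Constructed sample config (paths are placeholders); ProxyRequests on is included on purpose.
SAMPLE_CONF = """
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile "C:/certs/qie.crt"
    SSLCertificateKeyFile "C:/certs/qie.key"
    ProxyRequests on
    ProxyPass / http://localhost:8089/
</VirtualHost>
<VirtualHost *:80>
    RewriteEngine on
    RewriteRule ^/?(.*)$ https://localhost/$1 [R,L]
</VirtualHost>
"""

def parse_vhosts(conf):  # -> [(port, {directive: [args, ...]})] per <VirtualHost> block
    vhosts = []
    for addr, body in re.findall(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", conf, re.S | re.I):
        directives = {}
        for line in body.splitlines():
            parts = line.split(None, 1)
            if parts and not parts[0].startswith("#"):
                directives.setdefault(parts[0].lower(), []).append(parts[1].strip() if len(parts) > 1 else "")
        port = re.search(r":(\d+)\s*$", addr)
        vhosts.append((int(port.group(1)) if port else None, directives))
    return vhosts

def audit(conf):
    """Return findings for a TLS-terminating reverse proxy in front of a plain-HTTP backend."""
    findings = []
    for port, d in parse_vhosts(conf):
        proxied = d.get("proxypass", [])
        tls = [v.lower() for v in d.get("sslengine", [])] == ["on"]
        if any(v.lower() == "on" for v in d.get("proxyrequests", [])):
            findings.append(f":{port} ProxyRequests on turns Apache into an open forward proxy")
        if proxied and not tls:
            findings.append(f":{port} proxies to the backend without SSLEngine on")
        for target in proxied:
            m = re.search(r"http://([^:/\s]+)", target)
            if m and m.group(1).lower() not in ("localhost", "127.0.0.1"):
                findings.append(f":{port} sends clear-text HTTP to non-loopback backend {m.group(1)}")
        redirects = d.get("rewriterule", []) + d.get("redirect", [])
        if not (tls or proxied or any("https://" in r for r in redirects)):
            findings.append(f":{port} serves plain HTTP without redirecting to https")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)))
```

The audit only reads the configuration; whether the backend port (8089 in the answer) is reachable from other hosts still has to be checked at the firewall.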