Client Access

The Administration > Client Access page is used to configure the HTTPS certificate and DNS name that all clients use to connect to the system. HTTPS must be configured and maintained in order to provide a secure connection between UIP and its clients. HTTP connection attempts will be redirected to HTTPS after a certificate has been configured.

Important

Certificates issued by widely-trusted certificate authorities expire after 397 days (13 months) so they must be updated annually. UIP administrators should include this in their annual maintenance planning for the UIP system.

Users will need to reload the website in order for their web browser to start using an updated certificate.

Warning

If you are configuring HTTPS access for the first time or you are changing the system name, access to the system will be interrupted for several minutes while all of its services are reconfigured and restarted. During this time you will be redirected to a maintenance page. From there, users will be able to access the system using its new URL after all of the services have finished restarting.

HTTPS Certificate

If a certificate and its corresponding private key are uploaded to the Client Access page they can be used to enable HTTPS client connections. Only secure TLS 1.2 connections will be accepted after HTTPS has been configured.

The uploaded certificate must not be expired and the client access system name must be listed within the Subject Alternative Name (SAN) X.509 extension of the HTTPS Certificate explicitly or by wildcard.

# Display the certificate's validity period (Valid From and Valid To)
openssl x509 -noout -startdate -enddate -in certificate.pem

# Display the X.509 Subject Alternative Name of the certificate
openssl x509 -noout -ext subjectAltName -in certificate.pem

The certificate file must be a Base64 encoded PEM file. It is recommended, but not required, to upload all of the intermediate Certificate Authority (CA) certificates in the host certificate's chain of trust. Doing so will help ensure that clients will trust connections to this system. The first and last lines of the certificate file will be the following.

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

If the certificate authority provided a PFX format certificate file, the private key and public key chain can be extracted using the following OpenSSL commands.

# Extract private key from PFX (requires password used to create PFX)
# -nodes writes private.key unencrypted, so restrict access to the file
openssl pkcs12 -in sourceFile.pfx -nocerts -nodes -out private.key

# Extract certificate public key chain from PFX (requires password used to create PFX)
# -nokeys alone writes the host certificate and any CA certificates in the PFX;
# -cacerts would omit the host certificate and -chain only applies with -export
openssl pkcs12 -in sourceFile.pfx -nokeys -out certificatechain.crt

The RSA private key of the host certificate must also be provided. Only one private key should be uploaded. The first and last lines of the private key file will be the following.

-----BEGIN PRIVATE KEY-----

-----END PRIVATE KEY-----
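
The requirements in this section can be checked before uploading. The script below is an added example, not part of the UIP product or its documentation: it tests expiry, SAN coverage of the system name, and that the private key belongs to the certificate. The file names, the host name `uip.example.com` and the function names are placeholders, and the wildcard rule (one left-most label) is the conventional TLS rule, assumed here rather than taken from UIP.

```shell
# Added example: pre-upload checks for a Client Access certificate and key.
# Usage: sh check_cert.sh certificate.pem private.key uip.example.com

# san_matches NAME SAN_TEXT: succeed if NAME is covered by a DNS: entry,
# explicitly or by a wildcard standing for exactly one left-most label.
san_matches() {
    name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    list=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]' | tr ',' '\n')
    while IFS= read -r entry; do
        entry=$(printf '%s' "$entry" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case "$entry" in
            dns:*) san=${entry#dns:} ;;
            *) continue ;;                 # header line, IP entries, blanks
        esac
        [ "$san" = "$name" ] && return 0   # explicit match
        case "$san" in
            \*.*)
                suffix=${san#\*}           # "*.example.com" -> ".example.com"
                case "$name" in
                    *"$suffix")
                        label=${name%"$suffix"}
                        case "$label" in
                            ""|*.*) ;;     # zero or several labels: not covered
                            *) return 0 ;;
                        esac ;;
                esac ;;
        esac
    done <<EOF
$list
EOF
    return 1
}

# check_cert CERT KEY NAME: expiry, SAN coverage, and key/certificate pairing.
check_cert() {
    cert=$1 key=$2 host=$3
    openssl x509 -noout -checkend 0 -in "$cert" >/dev/null ||
        { echo "FAIL: certificate has expired" >&2; return 1; }
    sans=$(openssl x509 -noout -ext subjectAltName -in "$cert")
    san_matches "$host" "$sans" ||
        { echo "FAIL: $host is not in the certificate SAN" >&2; return 1; }
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert" | openssl sha256)
    key_pub=$(openssl pkey -pubout -in "$key" | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: private key does not match certificate" >&2; return 1; }
    echo "OK: $cert and $key are usable for $host"
}

if [ "$#" -eq 3 ]; then check_cert "$@"; fi
```

When the certificate file also holds intermediate CA certificates, `openssl x509` reads only the first certificate in it, so the host certificate should come first.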

System Name

The system name is what users type into their web browser to access the system. When an HTTPS Certificate is configured, the system name choices will be limited to selections that are compatible with the uploaded certificate. If the certificate contains a wildcard, a field will be displayed for specifying the wildcard portion of the name.

The chosen name must resolve back to the IP address of the host machine. The IP address of the UIP host machine should be reserved/fixed so that it does not change without notice. UIP will test to validate that its containers can resolve the specified name back to the system's configured IP address. If the application indicates that it cannot verify your chosen name, you may need to follow the System Requirements > Configure DNS Servers instructions.

Warning

If you are configuring your system on an IaaS platform or in a network environment where the external DNS name (system name) does not match the local host name, this page will check the system name by using ICMP. ICMP must be allowed through any external firewalls or proxies into the UIP instance while saving this page.