The Administration > Client Access page is used to configure the HTTPS certificate and DNS name that all clients use to connect to the system. HTTPS must be configured and maintained in order to provide a secure connection between UIP and its clients. Only secure TLS 1.2 connections will be accepted after HTTPS has been configured. HTTP connection attempts will be redirected to HTTPS after a certificate has been configured.
Certificates issued by publicly trusted certificate authorities are limited to a maximum validity of 397 days (13 months), so the certificate must be renewed and re-uploaded at least annually. UIP administrators should include this in their annual maintenance planning for the UIP system, scheduling the renewal from the certificate's actual expiry date (see the OpenSSL validity check below) rather than from the upload date, and allowing time to obtain the new certificate before the old one expires.
Browsers keep using the previously negotiated certificate for open connections, so users will need to reload the website before their browser starts using an updated certificate.
If you are configuring HTTPS access for the first time or you are changing the system name, access to the system will be interrupted for several minutes while all of its services are reconfigured and restarted. During this time you will be redirected to a maintenance page. Once all of the services have finished restarting, users can access the system at its new URL.
Uploading a certificate and its corresponding private key on the Client Access page enables HTTPS client connections.
It is recommended, but not required, to also upload the intermediate Certificate Authority (CA) certificates in the host certificate's chain of trust (the intermediates only, not the root). Without them, a client that does not already have the intermediate cached and cannot fetch it on its own will fail to build the chain and report the connection as untrusted.
The certificate(s) and private key can be uploaded as a single file or as multiple files. All uploaded files must use the Base64 encoded PEM format.
The first and last lines of the host certificate and of each CA certificate will be the following:
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
The private key of the host certificate must also be provided. Only one private key should be uploaded. The first and last lines of the private key file will be the following (the unencrypted PKCS#8 encoding):
    -----BEGIN PRIVATE KEY-----
    -----END PRIVATE KEY-----
A key file whose first line is -----BEGIN RSA PRIVATE KEY----- or -----BEGIN EC PRIVATE KEY----- is in the older traditional encoding, and one beginning -----BEGIN ENCRYPTED PRIVATE KEY----- is password protected; convert such a key to unencrypted PKCS#8 (for example with openssl pkcs8 -topk8 -nocrypt) so that it uses the markers shown above. Because the uploaded key is unencrypted, restrict the file's permissions and delete the local copy once the upload has succeeded.
If the certificate authority provided a PFX (PKCS#12) format certificate file, it can be converted into a PEM format file compatible with UIP using the following OpenSSL command. The output contains the certificate, the private key (unencrypted, because of -nodes) and any CA certificates that were packaged in the PFX, each preceded by "Bag Attributes" comment lines. On OpenSSL 3, add -legacy if an older PFX fails to open with an "unsupported" error.
    # Extract certificate, private key, and CA chain from PFX (prompts for the password used to create the PFX)
    openssl pkcs12 -in certificate.pfx -nodes -out certificate.pem
The uploaded certificate must not be expired. To check the validity dates of the certificate and plan its future replacement date, run the following OpenSSL command. If the file contains several certificates, the command reports the first one, so the host certificate should come first.
    # Display the Valid From and Valid To times between which the certificate is valid
    openssl x509 -noout -startdate -enddate -in certificate.pem
The client access system name must be listed within the Subject Alternative Name (SAN) X.509 extension of the HTTPS certificate, either explicitly or by wildcard. A name that appears only in the certificate's Common Name is not sufficient, since current browsers do not fall back to the Common Name. Run the following OpenSSL command to display the SAN extension of the certificate.
    # Display the X.509 Subject Alternative Name of the certificate
    openssl x509 -noout -ext subjectAltName -in certificate.pem
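The following shell script is an added example and is not part of the UIP documentation or product. It runs the checks described in this section against a PEM bundle before it is uploaded: PEM layout with exactly one private key in the PKCS#8 form shown above, PFX conversion, expiry, SAN coverage (including the single-label wildcard rule) and whether the private key actually belongs to the host certificate. The function names, the assumed file layout (host certificate first, then any intermediates, then the key, concatenated into one PEM file) and the names uip.example.com and *.lab.example.com are this example's assumptions; the sample certificate and key are generated locally by make_sample_bundle, are self-signed and exist only for demonstration.

```shell
#!/bin/sh
# Added example, not UIP's own tooling: pre-flight checks for a PEM bundle before
# it is uploaded on Administration > Client Access. Needs only openssl and awk.
# Assumption: one file holding the host certificate first, then any intermediate
# CA certificates, then exactly one private key, all Base64 PEM.

# Print every PEM block whose label matches the ERE in $2 ("-" reads stdin).
pem_blocks() {
  awk -v lbl="$2" '
    $0 ~ ("^-----BEGIN " lbl "-----$") { inblk = 1 }
    inblk { print }
    $0 ~ ("^-----END " lbl "-----$")   { inblk = 0 }' "$1"
}

# Number of PEM blocks with the given label (0 when none).
count_blocks() {
  pem_blocks "$1" "$2" | grep -c '^-----BEGIN '
}

# Convert a CA-supplied PFX into the bundle form, keeping only the PEM blocks
# (openssl also emits "Bag Attributes" comment lines). $2 is the PFX password.
# On OpenSSL 3, add -legacy if an old RC2-encrypted PFX fails with "unsupported".
pfx_to_pem() {
  openssl pkcs12 -in "$1" -nodes -passin "pass:$2" \
    | pem_blocks - '(CERTIFICATE|PRIVATE KEY)' > "$3"
}

# Rewrite a traditional key (BEGIN RSA/EC PRIVATE KEY) as unencrypted PKCS#8,
# the BEGIN PRIVATE KEY form this page expects. Add -passin for an encrypted key.
convert_key_to_pkcs8() {
  openssl pkcs8 -topk8 -nocrypt -in "$1" -out "$2"
}

# 0 if the host certificate (first CERTIFICATE block) expires within $2 seconds.
cert_expires_within() {
  if pem_blocks "$1" CERTIFICATE | openssl x509 -noout -checkend "$2" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# DNS names from the host certificate's SAN extension, one per line.
san_dns_names() {
  pem_blocks "$1" CERTIFICATE | openssl x509 -noout -ext subjectAltName 2>/dev/null \
    | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# 0 if system name $2 is covered by the SAN, either exactly or by a wildcard that
# replaces one label only: *.lab.example.com covers uip.lab.example.com but
# neither lab.example.com nor a.b.lab.example.com (RFC 6125 rules).
san_matches() (
  set -f                       # subshell: keep "*" in SAN entries from globbing
  name=$2
  for san in $(san_dns_names "$1"); do
    [ "$san" = "$name" ] && return 0
    case "$san" in
      \*.*) [ "${name#*.}" = "${san#\*.}" ] && [ "${name%%.*}" != "$name" ] && return 0 ;;
    esac
  done
  return 1
)

# 0 if the single private key belongs to the host certificate (same public key).
key_matches_cert() {
  cert_pub=$(pem_blocks "$1" CERTIFICATE | openssl x509 -noout -pubkey)
  key_pub=$(pem_blocks "$1" '(RSA |EC )?PRIVATE KEY' | openssl pkey -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Full report for bundle $1 and system name $2; exit 0 only when ready to upload.
preflight() {
  bundle=$1; name=$2; rc=0
  nkeys=$(count_blocks "$bundle" '(RSA |EC |ENCRYPTED )?PRIVATE KEY')
  [ "$nkeys" -eq 1 ] || { echo "FAIL: expected exactly 1 private key, found $nkeys"; rc=1; }
  [ "$(count_blocks "$bundle" 'PRIVATE KEY')" -eq "$nkeys" ] \
    || { echo "FAIL: key is not unencrypted PKCS#8 (use convert_key_to_pkcs8)"; rc=1; }
  [ "$(count_blocks "$bundle" CERTIFICATE)" -ge 1 ] || { echo "FAIL: no certificate"; rc=1; }
  cert_expires_within "$bundle" 0 && { echo "FAIL: host certificate has expired"; rc=1; }
  cert_expires_within "$bundle" $((30 * 86400)) \
    && echo "WARN: host certificate expires within 30 days; schedule the renewal"
  san_matches "$bundle" "$name" \
    || { echo "FAIL: $name not covered by SAN: $(san_dns_names "$bundle" | tr '\n' ' ')"; rc=1; }
  key_matches_cert "$bundle" || { echo "FAIL: private key does not match host certificate"; rc=1; }
  return $rc
}

# Construct a throwaway self-signed sample (demonstration only) and print its dir.
# The key is made in the traditional EC form first, then converted to PKCS#8.
make_sample_bundle() {
  dir=$(mktemp -d)
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/legacy-key.pem" 2>/dev/null
  openssl req -x509 -new -key "$dir/legacy-key.pem" -days 30 -subj "/CN=uip.example.com" \
    -addext "subjectAltName=DNS:uip.example.com,DNS:*.lab.example.com" \
    -out "$dir/cert.pem" 2>/dev/null
  convert_key_to_pkcs8 "$dir/legacy-key.pem" "$dir/key.pem"
  cat "$dir/cert.pem" "$dir/key.pem" > "$dir/bundle.pem"
  echo "$dir"
}

# sh uip_preflight.sh --demo   runs the checks against the constructed sample;
# for a real bundle: . ./uip_preflight.sh && preflight bundle.pem uip.example.com
if [ "${1:-}" = "--demo" ]; then
  d=$(make_sample_bundle)
  preflight "$d/bundle.pem" uip.example.com && echo "OK: bundle ready to upload"
  rm -rf "$d"
fi
```

The wildcard test deliberately follows the browser rule rather than a shell glob: a `*` in a SAN entry stands for exactly one label, so a certificate for *.example.com will not satisfy a system name of example.com or of a.b.example.com, and the page's Client Access form will offer only names that fit. The key/certificate comparison catches the common mistake of uploading a key from an earlier CSR together with a newer certificate, which the markers alone cannot reveal.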
The system name is what users type into their web browser to access the system. Once an HTTPS certificate is configured, the system name choices are limited to names that are compatible with the uploaded certificate's SAN entries. If the certificate contains a wildcard entry, a field is displayed for specifying the portion of the name that the wildcard stands for.
The chosen name must resolve back to the IP address of the host machine. The IP address of the UIP host machine should be reserved or fixed so that it does not change without notice; if it changes, clients resolving the system name will no longer reach the system. When the page is saved, UIP checks that its containers can resolve the specified name back to the system's configured IP address. If the application indicates that it cannot verify your chosen name, you may need to follow the System Requirements > Configure DNS Servers instructions.
If you are configuring your system on an IaaS platform or in a network environment where the external DNS name (system name) does not match the local host name, this page verifies the system name by sending ICMP echo requests (ping) to it. ICMP echo must therefore be allowed through any external firewalls or proxies in to the UIP instance while this page is being saved; it can be blocked again afterwards.