Adding a Connector With TLS
You can set up a Model Manager server to accept secure connections by adding a connector with TLS encryption enabled.
To add a new connector:
1.
2. Select when and how the connector should start listening on its port in the Start mode list. Select Automatic if the connector should start listening when the Model Manager server starts. Select Manual if the connector should only start listening when you click Start on the Connector page.
3. Select Default in the Port list if the connector should listen on the default port: 443 if TLS is enabled, 80 if TLS is disabled. Select Manual and enter the port number to listen on in the input field that appears.
4. Select All in the Listener address list to let the connector listen on all local addresses. Select Custom and enter an IP address in the input field that appears to listen only on that address.
5. Select Enabled or Disabled in the Enable TLS list to set explicitly whether TLS is enabled for the connector. Select Automatic if TLS should be enabled if, and only if, a TLS host configuration has been added.
6. Select Enabled or Disabled in the Support HTTP/2 list to set explicitly whether the HTTP/2 protocol is enabled for the connector. Select Automatic if HTTP/2 should be enabled if, and only if, TLS is enabled.
To enable TLS for the new connector, add a TLS host configuration with an associated server certificate for every hostname that should accept secure connections from clients. You can use a wildcard in the hostname if the corresponding server certificate is itself issued for that wildcard name.
Click Add TLS Host Configuration to add a new TLS host configuration for the connector.
1. Select Default in the Hostname list to accept connections regardless of the hostname used by a connecting client. The Default option can be used for at most one TLS host configuration. Select Custom and enter the name of the host associated with your certificate in the text field that appears to use a custom hostname for this TLS host configuration. You can enter either a fully qualified domain name, say modelmanager.example.com, or a wildcard domain name, say *.example.com. A wildcard matches a single label, so *.example.com covers modelmanager.example.com but neither example.com nor a.b.example.com.
If no TLS host configuration uses the Default option for the Hostname, the first configuration in the list is used for every connection whose client hostname does not match any Custom hostname, which effectively turns that first configuration into the Default option. Using Custom hostnames is therefore only useful when a connector has more than one TLS host configuration.
2. Select the TLS versions that are available when communicating with clients in the Client compatibility list. Select Modern for TLSv1.3 only, Intermediate for TLSv1.2 and TLSv1.3, or Automatic if the Model Manager server should decide.
3. Under Certificates, click Add Certificate to add a server certificate.
a. Either enter a new name, or keep the suggested name, for the certificate in the Name field. The name must be unique in the list of certificates for a TLS host configuration.
b.
c.
4. Click Save to save the new connector.
PEM Files
The PEM files location type has the following settings:
Certificate file. The path on the Model Manager server computer to the certificate file.
Chain file. The path on the Model Manager server computer to the certificate chain file (the intermediate certificates between the server certificate and a trusted root). Leave empty if the certificate does not have a chain file.
Key file. The path on the Model Manager server computer to the file containing the certificate's private key. Leave empty if the key is stored in the certificate file rather than in a separate file.
Key password. The password that protects the certificate's private key, if the key is encrypted.
PKCS#12 Keystore
The PKCS#12 Keystore location type has the following settings:
Keystore file. The path on the Model Manager server computer to the keystore file.
Keystore password. The password for the keystore file.
Key alias. The alias of the certificate to use from the keystore. Select from the list of available aliases.
Key password. The key password for the certificate.
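The following POSIX shell script is an added example and not code from the Model Manager documentation or its vendor. It checks the files a PEM Files or PKCS#12 Keystore configuration points at before you enter the paths: that the key password unlocks the key file, that the key belongs to the certificate, that the certificate chains to a trusted root through the chain file, and that its names cover the hostname you plan to use in the TLS host configuration (including the one-label wildcard rule from step 1 above). It also builds a PKCS#12 keystore with a chosen key alias and lists the aliases such a keystore offers. It needs only the openssl command line tool; the throw-away test CA, the file names, the example.com hostnames and the passwords are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the Model Manager documentation: check the files
# a "PEM Files" or "PKCS#12 Keystore" TLS host configuration points at, before
# entering their paths. Needs the openssl command line tool. The throw-away test
# CA, file names, example.com hostnames and passwords are assumptions made here.

# Create a root CA, an intermediate and a wildcard server certificate in "$1"
# (constructed test data, so everything runs offline). The server key is written
# encrypted with the password "changeit" to exercise the "Key password" setting;
# other.plain.key is an unrelated key used to show a mismatch being caught.
make_test_pki() {
  pki=$1
  mkdir -p "$pki" || return 1
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > "$pki/ca.ext"
  printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=critical,digitalSignature,keyEncipherment' \
    'extendedKeyUsage=serverAuth' 'subjectAltName=DNS:*.example.com,DNS:example.com' > "$pki/leaf.ext"
  for n in root inter server other; do
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$pki/$n.plain.key" 2>/dev/null || return 1
  done
  openssl req -new -key "$pki/root.plain.key" -subj "/CN=Example Test Root" \
    -out "$pki/root.csr" 2>/dev/null &&
  openssl x509 -req -in "$pki/root.csr" -signkey "$pki/root.plain.key" -set_serial 1 \
    -days 2 -sha256 -extfile "$pki/ca.ext" -out "$pki/root.pem" 2>/dev/null &&
  openssl req -new -key "$pki/inter.plain.key" -subj "/CN=Example Test Intermediate" \
    -out "$pki/inter.csr" 2>/dev/null &&
  openssl x509 -req -in "$pki/inter.csr" -CA "$pki/root.pem" -CAkey "$pki/root.plain.key" \
    -set_serial 2 -days 2 -sha256 -extfile "$pki/ca.ext" -out "$pki/chain.pem" 2>/dev/null &&
  openssl req -new -key "$pki/server.plain.key" -subj "/CN=*.example.com" \
    -out "$pki/server.csr" 2>/dev/null &&
  openssl x509 -req -in "$pki/server.csr" -CA "$pki/chain.pem" -CAkey "$pki/inter.plain.key" \
    -set_serial 3 -days 2 -sha256 -extfile "$pki/leaf.ext" -out "$pki/server.pem" 2>/dev/null &&
  openssl pkey -in "$pki/server.plain.key" -aes256 -passout pass:changeit \
    -out "$pki/server.key" 2>/dev/null
}

# Exit status 0 if password "$2" unlocks key file "$1" (empty "$2" for an
# unencrypted key). A wrong password fails here rather than at server start.
check_key_password() {
  openssl pkey -in "$1" -passin "pass:$2" -noout </dev/null 2>/dev/null
}

# Exit status 0 if key file "$2" (password "$3") belongs to certificate "$1":
# the public key inside the certificate must equal the one derived from the
# private key. Works for RSA and EC keys alike.
check_key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -passin "pass:$3" -pubout </dev/null 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Exit status 0 if certificate "$1" chains to root "$3" through chain file "$2"
# (may be empty) and is valid for hostname "$4". openssl applies the usual
# wildcard rule: *.example.com covers exactly one label. For a real certificate,
# drop -CAfile (or pass your CA bundle) to validate against a real trust store.
check_cert_for_host() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$3" -untrusted "$2" -verify_hostname "$4" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$3" -verify_hostname "$4" "$1" >/dev/null 2>&1
  fi
}

# Build PKCS#12 keystore "$7" from certificate "$1", chain file "$2" and key "$3"
# (password "$4") under key alias "$5" with keystore password "$6". openssl
# protects the key with the keystore password, so "Key password" equals
# "Keystore password" for a file built this way.
build_keystore() {
  openssl pkcs12 -export -in "$1" -certfile "$2" -inkey "$3" -passin "pass:$4" \
    -name "$5" -passout "pass:$6" -out "$7" </dev/null 2>/dev/null
}

# Print the key aliases (friendlyName bag attributes) stored in keystore "$1";
# these are the values a "Key alias" list can offer.
list_keystore_aliases() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys </dev/null 2>/dev/null \
    | sed -n 's/^ *friendlyName: *//p' | sort -u
}

# Stand-alone run: build the test PKI, run the checks (three of them against
# deliberately wrong input), then build a keystore and list its aliases.
demo() {
  d=$(mktemp -d) || return 1
  make_test_pki "$d" || { echo "could not build the test PKI"; rm -rf "$d"; return 1; }
  check_key_password "$d/server.key" changeit && echo "key password accepted"
  check_key_matches_cert "$d/server.pem" "$d/server.key" changeit && echo "key matches certificate"
  check_key_matches_cert "$d/server.pem" "$d/other.plain.key" "" || echo "unrelated key rejected"
  check_cert_for_host "$d/server.pem" "$d/chain.pem" "$d/root.pem" modelmanager.example.com \
    && echo "chain and hostname OK for modelmanager.example.com"
  check_cert_for_host "$d/server.pem" "" "$d/root.pem" modelmanager.example.com \
    || echo "rejected without the chain file (intermediate missing)"
  check_cert_for_host "$d/server.pem" "$d/chain.pem" "$d/root.pem" a.b.example.com \
    || echo "*.example.com does not cover a.b.example.com"
  build_keystore "$d/server.pem" "$d/chain.pem" "$d/server.key" changeit modelmanager storepw \
    "$d/keystore.p12" && echo "keystore aliases: $(list_keystore_aliases "$d/keystore.p12" storepw)"
  rm -rf "$d"
}
demo
```

Run the check functions against your real files before entering their paths: check_key_password catches a wrong Key password, check_key_matches_cert a Key file that belongs to a different certificate, and check_cert_for_host a missing Chain file or a hostname the certificate does not cover. Once the connector is saved, `openssl s_client -connect modelmanager.example.com:443 -servername modelmanager.example.com </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName` shows which certificate the connector actually presents for that hostname; repeat with a name that matches no Custom hostname to confirm that the Default (or first) TLS host configuration is the one served.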
Windows Native Certificate Store
Select the alias of the certificate to use from the Windows native certificate store in the Key alias list. The alias is typically the friendly name for the certificate, as reported by the Windows® certificate manager, or the first encountered common name of the certificate if it does not have a friendly name.
A Model Manager server can only access server certificates in the Personal > Certificates directory in the Current user certificate store. It cannot access the Local computer certificate store or the per-service Service account certificate stores.
If the Model Manager server has been installed as a Windows® service, the Current user certificate store belongs to the user account the service is configured to log on as, for example NT AUTHORITY\LocalService for LocalService when running Windows® with an English system locale. This means that importing or administering certificates must be done while running as that same service account. The tool PsExec from Sysinternals can be used to launch the Windows® certificate management tool interactively as a service account, for example:
psexec -i -u "NT AUTHORITY\LocalService" mmc certmgr.msc
macOS Native Keychain
Select the alias of the certificate to use from the macOS native keychain in the Key alias list.