SSL (AEN 4.1.1)

The Anaconda Enterprise Notebooks (AEN) Server uses nginx to proxy all incoming http(s) requests to the Server running on a local port. Also, nginx is used for SSL termination. The default setup uses http (non-SSL) since cert files are required to configure SSL and each Enterprise will have their own cert files.

SSL certs with passphrases are not currently supported.

The www.enterprise.conf file is the default nginx .conf file used for Anaconda Enterprise Notebooks. It is copied to the /etc/nginx/conf.d directory during Server install.

Note: This document is for the case where you are setting up SSL after the Gateway has been installed and registered with the Server.

Required files

To configure SSL on AEN you will need the following files

  • Server certificate and key
  • Server CA bundle
  • Gateway certificate and key
  • Gateway CA bundle
  1. Copy the Gateway certificate and key to /opt/wakari/wakari-gateway/etc/ on the Gateway as gateway.crt and gateway.key.
  2. Copy the Gateway CA bundle to /opt/wakari/wakari-server/etc/ on the Server
  3. Copy the Server certificate and key to /etc/nginx on the Server as server.crt and server.key
  4. Copy the Server CA bundle to /opt/wakari/wakari-gateway/etc/ on the Gateway

If you have a certificate that was signed by a private root CA and/or an intermediate authority then the following must be true

  • The Gateway CA bundle needs to contain the root CA, any intermediate and the certificate.
  • The Server CA bundle needs to be separate files for the root CA, any intermediate and the certificate.

Configure SSL on the Server

The www.enterprise.https.conf is a nginx configuration file for SSL configurations. It is setup to use cert files called server.crt and server.key but these value must be changed to point to signed cert files for your domain. NOTE: self-signed certs or certs signed by a private root CA require additional configuration

Perform the following steps as root:

  1. Stop Nginx: service nginx stop

  2. Move the /etc/nginx/conf.d/www.enterprise.conf file to a backup directory.

  3. Copy the /opt/wakari/wakari-server/lib/python2.7/site-packages/

    wk_server/config/www.enterprise.https.conf file to /etc/nginx/conf.d

Note: that only one of www.enterprise.conf or www.enterprise.https.conf can be in /etc/nginx/conf.d

  1. Edit the /etc/nginx/conf.d/www.enterprise.https.conf file and change the server.crt and server.key values to the names of the real cert and key files if they are different.

  2. Start nginx: service nginx start

  3. Update the WAKARI_SERVER and CDN settings in the config files to use https instead of http. The config files that need to be changed are:

    /opt/wakari/wakari-server/etc/wakari/config.json
    /opt/wakari/wakari-gateway/etc/wakari/wk-gateway-config.json
    /opt/wakari/wakari-compute/etc/wakari/config.json
    
  4. Edit /opt/wakari/wakari-server/etc/wakari/wk-server-config.json and add

    "verify_gateway_certificate": "/opt/wakari/wakari-server/etc/gateway.crt"
    
  5. Restart Anaconda Enterprise Notebooks services the Server:

    service wakari-server restart
    
  6. Browse to Anaconda Enterprise Notebooks and verify that the browser uses https.

  7. In the Admin settings, under Data Centers select the Gateway and check the https box.

    ../../../_images/ae-notebooks/4.1.1/install/https.png

Note: this step may return an error since the Gateway has not yet been configured for SSL.

Configure SSL on the Gateway

  1. Edit /opt/wakari/wakari-compute/etc/wakari/config.json to change http to https.

#. Modify the configuration file /opt/wakari/wakari-gateway/etc/wakari/wk-gateway-config.json and add:

{
    EXISTING_CONFIGURATION,
    "https": {
        "key": "/opt/wakari/wakari-gateway/etc/gateway.key",
        "cert": "/opt/wakari/wakari-gateway/etc/gateway.crt"
    }
}
  1. If you have a Server cert that was signed by a private root CA (and/or intermediate authority) add the following to the https key
"ca": ["/opt/wakari/wakari-gateway/etc/server.crt"]

Note: The ca key must contain separate values for the paths to the CA root, any intermediate and the certificate for the Server

Restart the Gateway: sudo service wakari-gateway restart

SSL on Compute Nodes

Anaconda Enterprise does not provide for SSL on the compute nodes directly. We recommend installing the Compute on the same machine as the Gateway and using http://localhost:5002 for the URL value while adding it as a resource.

You would need a Gateway for each and every Compute node.

Security Reminder

The permissions on the cert files need to set correctly to prevent them from being read by others. Only the root user needs to be able to read the cert files since nginx is run by root.

Assuming the cert files are called server.crt and server.key, use the root account to set the permissions as follows:

chmod 600 server.key
chmod 600 server.crt

Strict Transport Security Header

Strict-Transport-Security is enabled by default in the www.enterprise.https.conf file.

add_header Strict-Transport-Security max-age=31536000;

It can remain enabled if either of the following is true.

  1. The Gateway is running on a different host than the Server; or
  2. SSL has been enabled for the Gateway

It is necessary that you comment out this line if both of the following conditions are true:

  1. The Gateway is running on the same host as the Server; and
  2. SSL has not been enabled for the Gateway

Leaving it enabled when these conditions are true will cause a mismatch in protocols between the Server and Gateway and apps will fail to launch correctly.