SSL/TLS Support?

Ranjit Khera

Jan 30, 2018, 9:32:21 AM
to Archivematica Tech
Hi,

Does Archivematica support HTTPS connections?

There are two particular config options that I'm referring to:
  • Upload URL in the AtoM DIP upload config
  • and Storage Service URL in General config.
Since credentials are sent over both these connections, they really should be implemented with TLS. I've managed to modify the nginx config and enabled HTTPS, but it doesn't seem like Archivematica understands the protocol.

The confusing thing is the help text for the Storage Service URL suggests that you can use https. Is this a typo in the UI?

We're running Archivematica 1.6.1 & Storage Server 0.10.1 on RHEL 7.4.

Any advice would be appreciated.

Thanks.

Ranjit.
Unix Systems Administrator
Warwickshire County Council

Geoffrey Brimhall

Jan 31, 2018, 6:38:16 PM
to Archivematica Tech
Archivematica uses an nginx proxy via the "proxy_pass" directive, so you should be able to have nginx do SSL termination before the proxy.

Directions for this are at

Ranjit Khera

Feb 1, 2018, 4:02:27 AM
to Archivematica Tech
Hi,

Thanks for the reply, but I think you may have misunderstood my question.

I'm asking about support for Archivematica (dashboard and the microservices) connecting to HTTPS sites (AtoM and the Storage Service in this case). Specifically, a connection with a TLS certificate signed by an internal CA.

I've already managed to get the dashboard, storage service and AtoM secured with TLSv1.2 and HTTP/2.

Ranjit.

tim.hut...@usask.ca

Feb 1, 2018, 1:05:06 PM
to Archivematica Tech
Hi Ranjit,

I'm not sure about AtoM, but we did recently run into an issue using the Sword API (for Islandora/Archivematica integration) relating to https.

In case it helps, part of our workaround was to edit the nginx server block configuration:
add an extra `proxy_set_header` directive with key `X-Forwarded-Proto` and value `https`

Prior to that the application apparently wasn't recognizing the https protocol, so that API calls were returning http rather than https.

There is a more general fix in progress, but I don't know if this just affects Sword API calls or anything more general.

Tim

Ranjit Khera

Feb 1, 2018, 3:45:37 PM
to Archivematica Tech
Hi,

Thanks for the response.

I did a little more digging and it turns out the basic problem I was having was certificate validation by the Python requests module. For our test install we are using certificates signed by our internal CA, and as such the Python module is unable to verify them.

To fix this I ended up adding an environment variable (REQUESTS_CA_BUNDLE) in the /etc/sysconfig/archivematica* files to point to our CA certificate file and this has fixed it.

Ranjit
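
As an added example (not code from this thread or from the Archivematica project), the following POSIX shell script applies the fix Ranjit describes: it checks that the internal CA file is a readable PEM bundle and then sets REQUESTS_CA_BUNDLE in every /etc/sysconfig/archivematica* environment file, replacing any earlier assignment so it can be re-run safely. The default CA path and the systemd unit names in the comments are assumptions about an RHEL 7 install; change SYSCONFIG_DIR and CA_FILE to match yours.

```shell
#!/bin/sh
# Added example, not from the thread or the Archivematica project.
# Point the Archivematica Python services (which use the requests module) at an
# internal CA by exporting REQUESTS_CA_BUNDLE in /etc/sysconfig/archivematica*.
# SYSCONFIG_DIR, CA_FILE and the unit names below are assumptions; adjust them.
set -eu

SYSCONFIG_DIR=${SYSCONFIG_DIR:-/etc/sysconfig}
# Assumed location of the internal CA certificate (PEM).
CA_FILE=${CA_FILE:-/etc/pki/ca-trust/source/anchors/internal-ca.pem}

# Print the number of PEM certificates in a file (0 if missing or unreadable).
count_pem_certs() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# A bundle is usable only if it is readable and holds at least one certificate.
# requests fails closed when REQUESTS_CA_BUNDLE names a missing or empty file,
# so catch that here rather than in the microservice logs.
check_ca_bundle() {
    n=$(count_pem_certs "$1")
    [ "$n" -gt 0 ]
}

# Set REQUESTS_CA_BUNDLE=<bundle> in one environment file, dropping any earlier
# assignment so repeated runs do not pile up lines. Writes through the existing
# file (cat > file) so its owner and mode are preserved for systemd.
set_requests_ca_bundle() {
    envfile=$1 bundle=$2
    tmp=$(mktemp)
    if [ -f "$envfile" ]; then
        grep -v '^REQUESTS_CA_BUNDLE=' "$envfile" > "$tmp" || true
    fi
    printf 'REQUESTS_CA_BUNDLE=%s\n' "$bundle" >> "$tmp"
    cat "$tmp" > "$envfile"
    rm -f "$tmp"
}

# Print the value an environment file currently sets (empty if none).
get_requests_ca_bundle() {
    [ -f "$1" ] || return 0
    sed -n 's/^REQUESTS_CA_BUNDLE=//p' "$1" | tail -n 1
}

# Apply to every archivematica* environment file in a sysconfig directory.
# Prints the number of files updated; refuses to run if the bundle is unusable.
configure_archivematica_env() {
    dir=$1 bundle=$2 updated=0
    check_ca_bundle "$bundle" || {
        echo "refusing: $bundle has no readable PEM certificate" >&2
        return 1
    }
    for f in "$dir"/archivematica*; do
        [ -f "$f" ] || continue
        set_requests_ca_bundle "$f" "$bundle"
        updated=$((updated + 1))
    done
    echo "$updated"
}

# Only touch the real system when asked explicitly, e.g.
#   sudo CA_FILE=/path/to/internal-ca.pem sh ca_bundle.sh apply
# then restart the services so they pick up the new environment (unit names
# assumed): systemctl restart archivematica-dashboard archivematica-mcp-server archivematica-mcp-client
if [ "${1:-}" = "apply" ]; then
    configure_archivematica_env "$SYSCONFIG_DIR" "$CA_FILE"
fi
```

The script never weakens verification: if the bundle path is wrong it exits without editing anything, which is the behaviour you want in production as opposed to disabling certificate checks.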

Justin Simpson

Feb 2, 2018, 9:45:06 AM
to Ranjit Khera, Archivematica Tech
Perfect, thanks for the update. A workaround for a test environment would be to set the DEBUG variable in the dashboard Django settings module to true, which makes requests warn about self-signed certs but not fail. Not a good solution for a production environment, but could help in troubleshooting for people in a similar situation.
