Graphic Hub Administrator Guide

Version 3.6 | Published December 10, 2021

SSL in REST

SSL/TLS can be activated in GH REST by enabling Use SSL HTTPS connection in Web Server Configuration Settings. This encrypts connections to the REST interface using the HTTPS protocol. If the HTTPS page includes content retrieved through a regular HTTP connection, the connection is only partially encrypted. Most popular browsers block mixed content by default.

Information: The certificate, private key and password can be changed by modifying the current GH REST installation.

Once the Use SSL https connection option is enabled, the SSL/TLS versions to be supported by the server can be chosen from the option list in the Web Server Configuration panel.

SSL/TLS Configuration

To configure GH REST to support HTTPS (HTTP over SSL/TLS) connections the following information is needed:

  • Certificate, Private Key and Password.

  • Vizrt Viz GH REST SSL/TLS Configuration.

  • Verification of New SSL/TLS Configuration.

Certificate, Private Key and Password

The certificate and private key files must be of the .pem file type. Generating those files is the responsibility of the customer.

OpenSSL for Windows (Optional)

IMPORTANT! Self-signed certificates are highly discouraged for production because they are meant for testing purposes only.

Optionally, for testing purposes, OpenSSL for Windows can be used to generate a self-signed certificate and its private key file. The -x509 option used below makes openssl req output a self-signed certificate instead of a Certificate Signing Request (CSR).

  • OpenSSL for Windows can be downloaded from https://slproweb.com/products/Win32OpenSSL.html and then installed.

  • The installation of OpenSSL can be verified from the command line using:
    openssl version

  • A self-signed certificate and a private key protected by a password (which should not be forgotten) can be generated using:
    openssl req -x509 -newkey rsa:4096 -keyout server_key.pem -out server_cert.pem -days 365
    The newkey option can also be rsa:2048.

  • The certificate and private key file pair can be found in the directory where the above command was executed.
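
Before the file pair and password are entered in the installer, they can be checked against each other. The following PowerShell script is an added example, not part of the Vizrt guide: it confirms that the password decrypts the private key, that the key belongs to the certificate, and that the certificate is not about to expire. The file names are those of the command above; the environment variable name GH_KEY_PASS and the 30-day threshold are assumptions made for this example.

```powershell
# Added example: pre-flight check of the PEM pair before it is given to the installer.
# File names follow the openssl req command above.
$cert = 'server_cert.pem'
$key  = 'server_key.pem'

foreach ($f in $cert, $key) {
    if (-not (Test-Path -LiteralPath $f -PathType Leaf)) { throw "Missing file: $f" }
}

# Prompt for the key password and hand it to openssl through an environment
# variable (GH_KEY_PASS is a name chosen for this example), so it does not
# appear on the command line.
$secure = Read-Host -AsSecureString 'Private key password'
$env:GH_KEY_PASS = [System.Net.NetworkCredential]::new('', $secure).Password
try {
    # Public key as recorded in the certificate.
    $fromCert = (& openssl x509 -in $cert -noout -pubkey) -join "`n"
    if ($LASTEXITCODE -ne 0) { throw "Cannot parse certificate $cert" }

    # Public key derived from the private key; fails if the password is wrong.
    $fromKey = (& openssl pkey -in $key -passin env:GH_KEY_PASS -pubout) -join "`n"
    if ($LASTEXITCODE -ne 0) { throw "Cannot read $key (wrong password or not a PEM key)" }

    # Case-sensitive comparison, because the PEM body is base64.
    if ($fromCert -cne $fromKey) { throw 'Certificate and private key do not belong together' }

    # -checkend N exits non-zero if the certificate expires within N seconds.
    & openssl x509 -in $cert -noout -checkend (30 * 24 * 3600) | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning 'Certificate expires within 30 days' }

    # Show what the browser will be presented with.
    & openssl x509 -in $cert -noout -subject -issuer -enddate
    'PEM pair is consistent'
}
finally {
    # Do not leave the password in the session environment.
    Remove-Item Env:GH_KEY_PASS -ErrorAction SilentlyContinue
}
```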

[Screenshots: Graphic Hub REST in a browser with a self-signed certificate (left) compared to vizrt.com (right).]

[Screenshots: An invalid self-signed certificate indication (left) compared to a valid one (right).]

Vizrt Viz GH REST SSL/TLS Configuration

  1. The certificate, private key and password can be changed in GH REST by modifying the installation:

    • In modern Windows versions, Settings > Apps > Vizrt Viz GH REST > Modify can be used.

    • In older Windows versions, Control Panel > Programs and Features > Vizrt Viz GH REST > Change can be used.

  2. In the Change, repair or remove installation phase, click Change.

  3. Click Next a few times to navigate the installation wizard to the SSL Configuration phase, then enter the file paths and password in the fields.

    Important: Files with limited accessibility (unprivileged or from network shares) may cause access issues in GH REST where the installer is unable to complete or start the server.

  4. Click Next a few times and then click Change.

  5. When the installer completes, click Next, then Finish.

Verification of New SSL/TLS Configuration

  • The status of the new configuration can be tested using OpenSSL (for example, to test TLSv1.2):
    openssl s_client -connect localhost:19398 -tls1_2

  • As verification, the protocol specified in the command is displayed in the output under SSL-Session > Protocol.
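
The single-version test above can be extended to every protocol version, which also confirms that versions left unselected in Web Server Configuration are actually refused. The following PowerShell script is an added example, not part of the Vizrt guide; the list in $expected is an assumption and should be set to the versions chosen in the option list.

```powershell
# Added example: probe each protocol version against GH REST with openssl s_client
# and compare the result with the versions selected in Web Server Configuration.
$target   = 'localhost:19398'          # host:port from the command above
$expected = @('TLSv1.2', 'TLSv1.3')    # assumption: versions chosen in the option list

$flags = [ordered]@{
    'TLSv1'   = '-tls1'
    'TLSv1.1' = '-tls1_1'
    'TLSv1.2' = '-tls1_2'
    'TLSv1.3' = '-tls1_3'
}

$results = foreach ($name in $flags.Keys) {
    $flag = $flags[$name]
    # Empty stdin makes s_client exit once the handshake attempt has finished.
    $out = ('' | & openssl s_client -connect $target $flag 2>$null | Out-String)

    # A completed handshake reports the negotiated cipher;
    # a refused one reports "Cipher is (NONE)".
    $cipher   = ''
    $accepted = $out -match 'Cipher is (?!\(NONE\))(\S+)'
    if ($accepted) { $cipher = $Matches[1] }

    [pscustomobject]@{
        Protocol = $name
        Accepted = $accepted
        Cipher   = $cipher
        Expected = ($expected -contains $name)
    }
}

$results | Format-Table -AutoSize

# Any row where Accepted and Expected differ needs a second look.
$mismatch = $results | Where-Object { $_.Accepted -ne $_.Expected }
if ($mismatch) {
    Write-Warning ('Differs from configuration: ' + ($mismatch.Protocol -join ', '))
}
```

Recent OpenSSL builds may refuse TLSv1 and TLSv1.1 on the client side, so a refusal for those two versions can come from the client rather than from GH REST.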

GH Terminal

While the Graphic Hub REST interface can run with SSL/TLS encryption, Graphic Hub Terminal cannot. Because of this, the connection between them is considered mixed content and hence blocked. This may cause an Unable to connect error message.

This issue can be resolved by adding a security exemption. The steps to do this depend on the browser in use:

  • Google Chrome

    • Click the shield icon on the right of the address bar, or

    • Start Chrome from the command line using the additional flag --allow-running-insecure-content.

  • Internet Explorer

    • Scroll to the bottom of the screen and click Show all content.

  • Mozilla Firefox

    • Click the shield icon to the left of the address bar.

    • Click the arrow next to the Connection is Not Secure warning, and select Disable protection for now.

For details on how to show mixed content in other browsers, please refer to the documentation for the browser in question.