Step 1: (if not already completed) Enabling Encryption
Immediate Insight streams data to the client by opening two websocket connections to the browser, a control channel and a data channel. By default, Immediate Insight is configured for HTTP. To activate encryption (HTTPS) on websockets:
- Type set-ssl command to enable encryption on browser sessions.
- Type reload server to make changes take effect.
- Quit browser and re-login using https instead of http (https://ip-address-of-server:3201) – Chrome is the recommended browser.
Note: You will get a Certificate warning but will be able to login after ignoring it.
Step 2: Managing Certificates & Stopping Warning Messages
We recommend the best practice use of matching CA certs installed in user’s browsers to reduce the possibility of man-in-the-middle attacks and provide a smoother user experience.
During installation, a self-signed rootCA pair is generated automatically in app/config/certs.
Note: You can replace this pair with your own CA by overwriting the rootCA.key and rootCA.pem files, however this is an advanced task – most can use the self-signed certs provide.
Type “set-certs” followed by “reload server” to activate the certificate.
Next, copy app/config/certs/rootCA.pem file from the Immediate Insight server to your computer (using an SFTP or SCP client)
Load the Certificate into your Browser. Instructions for Chrome:
- Settings -> Show Advanced Settings -> HTTPS/SSL -> Manage Certificates
- Trusted Root Certification Authorities -> Import (specify rootCA.pem file)
Restart browser – next time you log into Immediate Insight you should not see cert warning.
Note: While the system has a reasonable set of security measures in place, the present release is designed to run in a secure and trusted environment. If you have a need to expose it directly to the Internet, please contact firstname.lastname@example.org to discuss additional hardening procedures.