SSL Disabling On Appliance

From Swivel Knowledgebase


Overview

This article explains how to disable SSL on a PINsafe appliance, so that pages can be accessed using http, rather than https.

NOTE: carrying this out is a security risk. Allowing users to access PINsafe without SSL encryption is inherently insecure. In particular, it is not recommended to allow http access to a production environment over the internet. This solution is only advised for pre-production testing, or if the PINsafe appliance is only accessible on the internal network. If you are implementing this change simply to avoid problems with certificate errors, the correct solution is to get a commercial SSL certificate for production use.


Prerequisites

These instructions assume you have a PINsafe appliance with Webmin. Otherwise, the instructions apply to all versions of PINsafe.

How to Guide

NOTE: this process involves restarting Tomcat, so PINsafe services will be unavailable for a short time.

Open Webmin in a web browser (https://<pinsafe_server>:10000). Replace <pinsafe_server> with the name or IP address of your PINsafe server. You will need to log in, so make sure you know the administrator password for your PINsafe appliance.

Select Servers from the top menu, then PINsafe.

Select Edit Tomcat Config File.

Assuming you want to disable SSL only for the applications on port 8443 (proxy, changepin, reset), locate the line that starts as follows:

<Connector address="0.0.0.0" port="8443" scheme="https"

Delete everything from scheme up to, but not including, the end marker: />. The line should now look like this:

<Connector address="0.0.0.0" port="8443" />

If you also want to disable SSL for the pinsafe application (not recommended), then locate the line starting

<Connector address="0.0.0.0" port="8080" scheme="https"

and carry out the same procedure.

Click the Save button to return to the menu.

Finally, restart Tomcat to implement the changes. Most versions of PINsafe have the option to restart Tomcat on the Webmin page you just returned to. However, this is not available on all versions, in which case you will have to restart Tomcat from the CMI menu on the appliance console.
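
To check afterwards which connectors are left serving plain http (for example, before a test appliance is moved toward production), the following added example, which is not part of the original article or of PINsafe, parses a Tomcat config and lists the HTTP connectors that lack scheme="https". The sample config is constructed, and the attributes shown after scheme on the 8080 line are assumptions, since the article does not show them.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Tomcat config after the edit described above.
# Attributes following scheme= on the 8080 line are illustrative assumptions.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector address="0.0.0.0" port="8443" />
    <Connector address="0.0.0.0" port="8080" scheme="https" secure="true"
               keystoreFile="conf/example.keystore" />
    <Connector address="127.0.0.1" port="8009" protocol="AJP/1.3" />
  </Service>
</Server>"""

ALL_INTERFACES = {"", "0.0.0.0", "::"}


def audit_connectors(server_xml):
    """Return one finding per HTTP <Connector> in a Tomcat config string."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue  # AJP connectors do not serve browsers directly
        address = conn.get("address", "")  # unset means all interfaces
        findings.append({
            "port": int(conn.get("port")),
            "address": address or "(all)",
            # The article's marker for SSL is scheme="https"; Tomcat's
            # default scheme when the attribute is absent is http.
            "tls": conn.get("scheme", "http").lower() == "https",
            "all_interfaces": address in ALL_INTERFACES,
        })
    return findings


def plaintext_ports(server_xml, exposed_only=False):
    """Ports answering plain http; optionally only those on all interfaces."""
    return sorted(
        f["port"] for f in audit_connectors(server_xml)
        if not f["tls"] and (f["all_interfaces"] or not exposed_only)
    )


if __name__ == "__main__":
    for f in audit_connectors(SAMPLE_SERVER_XML):
        state = "https" if f["tls"] else "PLAIN HTTP"
        print(f"port {f['port']} on {f['address']}: {state}")
```

Run it against a copy of the appliance's Tomcat config file by passing the file contents to audit_connectors in place of the sample string.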

Known Issues

Note that if you enable http in order to display a TURing image without certificate errors, and the image is embedded into a page that is using https, you may get warnings about mixing secure and non-secure elements on a web page. Read the warning carefully before choosing which button to click, as the response for Internet Explorer (IE) in particular has changed. In older versions of IE (6 or earlier), you selected "Yes" to allow mixed content. In newer versions, you select "No" to allow mixed content: "Yes" means show only secure content.