Can't connect to manager using TLS on port 1943

sjaak
sjaak Member Posts: 106 ✭✭✭

Hi,
I've installed a Solace broker on an EC2 instance for test & training purposes. Works OK, we are able to manage the broker thru 8080, connect from Boomi using 55555 etc etc. Now, the next step is to use TLS for all connections. With Solace Cloud, that's easy. But how to set this up using your own EC2 instance? I had a look at the documentation. There's no listener active when I run a netstat -an|grep LISTEN on port 1943. We need that in order to install a certificate (PEM) right?

Tagged:

Comments

  • arih
    arih Member, Employee Posts: 125 Solace Employee

    Hi @sjaak ,

    The secured ports will be down by default, and we actually need to setup the server certificate first before we can enable the secured ports. Setting up a server certificate can be done via CLI first and load the cert into the broker as per the document since we don't have 1943 up just yet :)

    Have a look here and see if that helps: https://docs.solace.com/Configuring-and-Managing/Managing-TLS-SSL-Service.htm

    Thanks,
    Ari

  • sjaak
    sjaak Member Posts: 106 ✭✭✭
    edited October 2020 #3

    Chicken-egg problem :smile: Thank you, I'll have a look.

  • CloudGod
    CloudGod Member Posts: 24 ✭✭

    @sjaak said:
    Hi,
    I've installed a Solace broker on an EC2 instance for test & training purposes. Works OK, we are able to manage the broker thru 8080, connect from Boomi using 55555 etc etc. Now, the next step is to use TLS for all connections. With Solace Cloud, that's easy. But how to set this up using your own EC2 instance? I had a look at the documentation. There's no listener active when I run a netstat -an|grep LISTEN on port 1943. We need that in order to install a certificate (PEM) right?

    Hi sjaak,
    Regarding the PEM, you need to place both the certificate and the private key inside the **same ** PEM file.
    There's a good explanation on this here
    Basically, just copy and paste the information, including the separators into a single file. I suggest you follow the order:

    ----BEGIN RSA PRIVATE KEY-----
    (Your Private Key: your_domain_name.key)
    -----END RSA PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    (Your Primary SSL certificate: your_domain_name.crt)
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    (Your Intermediate certificate: CA.crt)
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    (Your Root certificate: TrustedRoot.crt)
    -----END CERTIFICATE-----
    

    Also, depending on your private key, you may need to convert it.
    I had issues with using private keys that start with

    -----BEGIN PRIVATE KEY-----
    

    So I converted them to RSA

    -----BEGIN RSA PRIVATE KEY-----
    

    Using the command:

    openssl rsa -in <yourfile>.key -out <yourfile>-rsa.key
    

    If you have any issues, try it as well.
    Cheers
    Jose

  • sjaak
    sjaak Member Posts: 106 ✭✭✭

    Always fun to converts certs with openssl. I'm familiar with that. Thanks for the tips Jose :)

  • sjaak
    sjaak Member Posts: 106 ✭✭✭

    Hi @arih and @CloudGod,
    it works. Thanks for the hints and tips :smile:

  • CloudGod
    CloudGod Member Posts: 24 ✭✭

    Hi sjaak,
    Glad I could help

    Cheers
    Jose