(5.4+) Using the HSTS installer

HTTP Strict Transport Security (HSTS) forces all web traffic to your IVG/VIS installation to use HTTPS (TLS). Once enabled, Tomcat adds a Strict-Transport-Security header to every HTTPS response; a browser that has seen the header refuses to talk plain HTTP to that host for as long as the header's max-age lasts. This removes the plain-HTTP connections that could otherwise expose sensitive data unintentionally.

Use the steps in this article to enable HSTS for IVG/VIS version 5.4.1 and higher.

Run the HSTS installer

Remove the existing /etc/VirtualHold/.keystore file.

Check whether /etc/VirtualHold/.keystore already exists with the command below:

ls -l /etc/VirtualHold/.keystore

If it exists, delete it:

rm -f /etc/VirtualHold/.keystore

Copy the IVG HSTS installer binary file to the server(s).

Copy ivg-configure-tomcat-hsts to the IVG server and make it executable:

chmod a+x ivg-configure-tomcat-hsts

Copy the IVG configuration file to the server(s).

Copy install_ivg.cfg into the same directory as the HSTS installer ivg-configure-tomcat-hsts.

Copy SSL certificates to the server(s).

Create a directory called certs in the same directory that holds the HSTS installer and the IVG configuration file:

mkdir certs

Copy the files below into the certs directory, using these exact destination names:

  • Private key file: server.key
  • Server certificate file: server.pem
  • CA certificates file: ca.pem

Rename the files if necessary; the installer looks for these names and fails if any of them is missing. Because server.key is the private key for the server certificate, keep it readable only by its owner.

Run the HSTS installer.

Now run the HSTS installer with the command below. The configuration file install_ivg.cfg, the installer ivg-configure-tomcat-hsts and the certs directory must all be present in the current directory before you run it.

./ivg-configure-tomcat-hsts
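The procedure above, as an added pre-flight script that is not part of the IVG/VIS product: it checks every precondition the steps name (no stale keystore, executable installer, configuration file present, certs directory with exactly the three required names) and, using openssl, that server.key really is the private key for server.pem and that ca.pem verifies server.pem, so a misnamed, mismatched or wrong-CA file is caught before the installer fails. It is meant to run from the directory that holds the installer; the function names and the --run flag are this example's own.

```shell
#!/bin/sh
# Pre-flight checks for the HSTS installer procedure above.
# Added example, not part of IVG/VIS. Run it from the directory that holds
# ivg-configure-tomcat-hsts, install_ivg.cfg and certs/. The function names
# and the --run flag are this example's own.
set -u

KEYSTORE=/etc/VirtualHold/.keystore   # stale keystore the procedure says to remove
INSTALLER=./ivg-configure-tomcat-hsts
CONFIG=./install_ivg.cfg

# check_cert_names DIR: the installer requires exactly these file names.
# Reports every missing one; returns 1 if any is missing.
check_cert_names() {
    dir=$1
    missing=0
    for name in server.key server.pem ca.pem; do
        if [ ! -f "$dir/$name" ]; then
            echo "missing: $dir/$name (rename your file to this exact name)" >&2
            missing=1
        fi
    done
    return "$missing"
}

# check_key_matches_cert DIR: server.key must be the private key for server.pem.
# Compares the public key derived from each side; works for RSA and EC keys.
check_key_matches_cert() {
    dir=$1
    keypub=$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null) || return 1
    certpub=$(openssl x509 -in "$dir/server.pem" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$keypub" ] && [ "$keypub" = "$certpub" ]
}

# check_chain DIR: ca.pem (root plus any intermediates it contains) must
# verify server.pem; a wrong CA file would otherwise only show up at TLS time.
check_chain() {
    dir=$1
    openssl verify -CAfile "$dir/ca.pem" "$dir/server.pem" >/dev/null 2>&1
}

# preflight DIR: run every check; returns 0 only when it is safe to run the installer.
preflight() {
    dir=$1
    status=0
    if [ -e "$KEYSTORE" ]; then
        echo "stale $KEYSTORE present; remove it first: rm -f $KEYSTORE" >&2
        status=1
    fi
    if [ ! -x "$INSTALLER" ]; then
        echo "$INSTALLER missing or not executable (chmod a+x)" >&2
        status=1
    fi
    if [ ! -f "$CONFIG" ]; then
        echo "$CONFIG missing; copy it next to the installer" >&2
        status=1
    fi
    if [ ! -d "$dir" ]; then
        echo "$dir is not a directory; mkdir certs and copy the three files into it" >&2
        return 1
    fi
    if check_cert_names "$dir"; then
        check_key_matches_cert "$dir" || { echo "server.key is not the private key for server.pem" >&2; status=1; }
        check_chain "$dir" || { echo "ca.pem does not verify server.pem" >&2; status=1; }
        # the private key should not be readable by other users on the box
        if [ -n "$(find "$dir/server.key" -perm -o+r 2>/dev/null)" ]; then
            echo "warning: $dir/server.key is world-readable; restrict it (chmod 600)" >&2
        fi
    else
        status=1
    fi
    return "$status"
}

# Usage: ./preflight.sh --run   (runs the installer only when every check passes)
if [ "${1:-}" = "--run" ]; then
    preflight certs && exec "$INSTALLER"
fi
```

The openssl checks compare SubjectPublicKeyInfo blocks rather than RSA moduli, so they behave the same for EC certificates; the chain check uses the same ca.pem the installer is given, which is what the deployed Tomcat will serve to clients.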

Update media server configuration

The final step is to edit /etc/VirtualHold/toolkit.properties and change the external.mediaserver.1 value to an HTTPS URL, as shown below.

Starting value:

external.mediaserver.1=http://localhost:8080/voices/

Updated value (change the starting value to this):

external.mediaserver.1=https://<<serverip_address OR server FQDN Name>>:9443/voices/

Overall, three changes must be made to the media server value:

  • Protocol: https
  • Server: replace localhost with the server IP address or FQDN that the SSL certificate was issued for, so that the name in the URL matches the certificate presented on port 9443.
  • Port: 9443

Example

As an example, the updated value would appear as shown below:

external.mediaserver.1=https://10.100.61.117:9443/voices/
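The configuration change above, as an added example that is not part of IVG/VIS: a function that rewrites the external.mediaserver.1 line in place, keeps a backup, refuses localhost (the name must match the certificate) and any value that is not a plain host name or IP address, and a second function that, once the installer has run, confirms port 9443 serves HTTPS with a chain that validates against ca.pem and returns the Strict-Transport-Security header. It assumes, as the page's final value shows, that the installer put Tomcat's HTTPS connector on port 9443; the function names are this example's own.

```shell
#!/bin/sh
# Update and verify the media server URL in toolkit.properties.
# Added example, not part of IVG/VIS. Assumes, as the page's final value
# shows, that the installer put Tomcat's HTTPS connector on port 9443 and
# that HOST is the IP or FQDN the certificate was issued for. The function
# names are this example's own.
set -u

PROPS=/etc/VirtualHold/toolkit.properties

# mediaserver_value FILE: print the current external.mediaserver.1 value.
mediaserver_value() {
    sed -n 's/^external\.mediaserver\.1=//p' "$1"
}

# set_mediaserver FILE HOST: rewrite external.mediaserver.1 to
# https://HOST:9443/voices/, keeping a .bak copy. Rejects localhost (the page's
# point is that the name must match the certificate) and anything that is not
# a plain host name or IPv4 address, so no sed metacharacters reach the pattern.
set_mediaserver() {
    file=$1
    host=$2
    case "$host" in
        ""|localhost|*[!A-Za-z0-9.-]*)
            echo "host must be the IP or FQDN the certificate was issued for, not '$host'" >&2
            return 1 ;;
    esac
    grep -q '^external\.mediaserver\.1=' "$file" || {
        echo "no external.mediaserver.1 line in $file" >&2
        return 1
    }
    cp -p "$file" "$file.bak"
    cp -p "$file" "$file.tmp"   # keeps the original file mode on the rewritten copy
    # '|' as the sed delimiter because the URL contains slashes
    sed "s|^external\.mediaserver\.1=.*|external.mediaserver.1=https://$host:9443/voices/|" \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    mediaserver_value "$file"
}

# check_hsts HOST CAFILE: after the installer has run, confirm that port 9443
# serves HTTPS with a chain that validates against CAFILE (use certs/ca.pem)
# and that the response carries the Strict-Transport-Security header.
check_hsts() {
    curl -sSI --cacert "$2" "https://$1:9443/voices/" \
        | grep -i '^strict-transport-security:'
}

# Usage: set_mediaserver /etc/VirtualHold/toolkit.properties 10.100.61.117
#        check_hsts 10.100.61.117 certs/ca.pem
```

check_hsts validates the certificate against the same ca.pem given to the installer, so it fails both when the chain is wrong and when the URL host does not match the certificate, which is exactly the mistake the localhost-to-FQDN change guards against.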