SSL / Secure Socket Layer for ProTop

How to configure ProTop to communicate over SSL.

Requirements:
  • Hashed certificate file from the server you want to communicate with via SSL in $PROTOP/certs
  • $PROTOP/bin/localenv containing the line:  export USESSL=y
  • $PROTOP/etc/[custid].pf containing the line: -certstorepath [PROTOPDIR]/certs

Configuration Steps

On any operating system, use OpenSSL to obtain the certificate file, hash it, and copy it to $PROTOP/certs (openssl may need to be installed):

  1. Obtain the certificate file:
    $ openssl s_client -showcerts -connect demo.wss.com:443 < /dev/null | sed -n -e '/-.BEGIN/,/-.END/ p' > bundle.crt
  2. Generate the hash for the bundle:
    $ openssl x509 -hash -in bundle.crt -noout
    433abd26
  3. Copy the bundle to $PROTOP/certs using the hash number:
    $ cp bundle.crt $PROTOP/certs/433abd26.0
    NOTE: You may need to split the bundle into separate certificate files then hash and copy each individually. Simply open bundle.crt and put each section bounded by BEGIN and END into its own file and repeat steps 2 & 3.
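
Steps 2 and 3 together with the NOTE above, as one script. `openssl x509` reads only the first certificate in a file, so a bundle holding several certificates yields a single hash unless it is split first. This is an added example, not ProTop's own tooling; the function names `split_bundle` and `install_certs` and the `cert-N.pem` file names are assumptions. It also prints each certificate's subject, issuer and SHA-256 fingerprint so they can be compared with values obtained from a trusted source.

```sh
#!/bin/sh
# Added example (not ProTop tooling). Function and file names are illustrative.

# split_bundle BUNDLE OUTDIR
# Writes each BEGIN/END CERTIFICATE section to OUTDIR/cert-N.pem and prints N.
split_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside                        { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
        END                           { print n + 0 }
    ' "$bundle"
}

# install_certs SRCDIR CERTSDIR
# Copies every SRCDIR/cert-N.pem to CERTSDIR/<subject-hash>.0 (steps 2 and 3).
install_certs() {
    srcdir=$1; certsdir=$2; rc=0
    mkdir -p "$certsdir" || return 1
    for pem in "$srcdir"/cert-*.pem; do
        [ -f "$pem" ] || continue
        h=$(openssl x509 -hash -noout -in "$pem") || { rc=1; continue; }
        # Show what is about to be trusted; compare the fingerprint with one
        # obtained from a trusted source before relying on the file.
        openssl x509 -noout -subject -issuer -fingerprint -sha256 -in "$pem"
        dest="$certsdir/$h.0"
        # Never silently replace a different certificate that has the same hash.
        if [ -e "$dest" ] && ! cmp -s "$pem" "$dest"; then
            echo "refusing to overwrite $dest (different content)" >&2
            rc=1; continue
        fi
        cp "$pem" "$dest" || rc=1
    done
    return $rc
}

# Usage (paths are examples):
#   split_bundle bundle.crt ./split && install_certs ./split "$PROTOP/certs"
```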

UNIX and Linux

  1. Add to $PROTOP/bin/localenv (copy bin/localenv.x to bin/localenv if not present):

    export USESSL=y

  2. Add to $PROTOP/etc/[custId].pf:

    -certstorepath [PROTOPDIR]/certs

  3. Restart ProTop

Windows

  1. Add to %PROTOP%\bin\localenv.bat (copy bin\localenv.batx to bin\localenv.bat if not present):

    set USESSL=y

  2. Add to %PROTOP%\etc\[custid].pf:

    -certstorepath [drive]:[PROTOPDIR]\certs

  3. Restart ProTop

Troubleshooting

Set the ProTop debug level to 5 using pt3agent.[resrc].dbg in ProTop’s tmp directory and restart ProTop:

cd [PROTOPDIR]/tmp
echo 5 > pt3agent.proddb.dbg

Check the pt3agent.[resrc].log file in ProTop’s log directory for error messages.

Common problem:

Can’t find issuer certificate:

2020/08/06 22:50:28.790-04:00 0 Secure Socket Layer (SSL) failure. error code -54: unable to get local issuer certificate: for xxxxxxxx.0 in <path>/certs (9318)
2020/08/06 22:50:28.791-04:00 9407 Connection failure for host <dashboard> port 443 transport TCP. (9407)
2020/08/06 22:50:28.791-04:00 newSocket: Connection to HTTP server: <dashboard> port 443 is unavailable.

Solution:

  1. Ensure the certificate file exists in [path]/certs and has the required permissions.
  2. Make sure -certstorepath [path to certificate] is valid in [PROTOPDIR]/etc/[custid].pf or [etc]/friendlyName.pf.
  3. If the portal uses more than one certificate, you may need to place all of the portal’s certificates individually in ProTop’s certs directory. Save each BEGIN...END section of the bundle.crt above into its own file, then hash each and save it to your certs directory.
  4. Potential workaround: Place copies of the portal certificates in your $DLC/certs directory.