[KB7437] ESET Endpoint Encryption Server Apache Web Server Configuration

Issue

ESET Endpoint Encryption (EEE) Client and EEE Server are separate products from ESET Full Disk Encryption (EFDE).

The article below applies only to the EEE Client or EEE Server and not EFDE.

Visit What's new in ESET Full Disk Encryption to view EFDE content.

Details



If you have installed the ESET Endpoint Encryption Server using the All in one package from the ESET website, you can enable SSL/HTTPS settings in the Control Panel.


Solution

SSL Details

To enable SSL, follow the instructions below:

  1. Log in to ESET Endpoint Encryption server.
  2. Access the ESET Endpoint Encryption Server Control Panel.

  3. Select Global Settings.

  4. Click Apache Server SSL Configuration.

  5. Select the Enable SSL Server support check box.

  6. Type in your selected port (the default HTTPS port is 443).

Figure 1-1

Certificate Options: Upload Certificate

If you have already purchased your SSL certificate:
  1. Select the Certificate Options tab and click Upload certificate.

Figure 2-1

  2. Click Browse and upload server.key to the Private Key field and server.crt to the Certificate field.

Figure 2-2

Certificate Options: Create new certificate

If you do not already have a certificate file, you can create a self-generated certificate for test purposes:

  1. Select the Certificate Options tab and click Create new certificate.

Figure 2-3

  2. Type the appropriate details into the form.

Figure 2-4

Redirect Options

If you want to force HTTPS usage:

  1. Click the Redirect Options tab.

  2. Select the Force HTTPS usage check box.

Figure 3-1

Manual Configuration

If you have installed the EEE Server stand-alone package and manually configured Apache, follow the instructions below: 

Certificates

If you have already purchased your SSL certificate, simply copy the supplied server.key and server.crt files into the folder Program Files\DESlock+ HTTP\conf\

Self Signed Certificates 

If you do not already have a certificate file, you can create a self-generated certificate for test purposes with the openssl tool by following the steps below:

  1. Open an elevated command prompt.

  2. Navigate to Program Files\DESlock+ HTTP\bin (Program Files (x86) on 64-bit platforms).

  3. Type or copy/paste the command openssl req -config ..\conf\openssl.cnf -new -out server.csr.

  4. You will be required to type and verify a passphrase. All other requests can be left at their defaults by pressing the Enter key on your keyboard, except Common Name, which must match the name of the webserver address hosting the certificate.

  5. Type in the command openssl rsa -in privkey.pem -out server.key.

  6. Type in the passphrase that you specified previously. If successful, the command should return the text writing RSA key.

  7. Type in the command del .rnd.

  8. Type in the command openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365. Note: this sets the certificate to last 365 days.

  9. Type in the command move server.key ..\conf\.

  10. Type in the command move server.crt ..\conf\.

Applying the certificate

With either a purchased or a test certificate, perform the following steps:

  1. As a security measure, be sure to change the file permissions on the certificate files so that they are read-only and only administrator users can access them.

  2. Open the file Program Files\DESlock+ HTTP\conf\httpd.conf (Program Files (x86) on 64-bit platforms).

  3. Find the line #LoadModule ssl_module modules/mod_ssl.so and remove the # symbol from the line.

  4. Find the line #Include conf/extra/httpd-ssl.conf and remove the # symbol from the line.

  5. At the end of the httpd.conf file, add these lines (this will redirect attempts to access using http to the https address instead):

LoadModule rewrite_module modules/mod_rewrite.so
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^/dlpes(|/.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=302,L]

  6. Save the updated httpd.conf file.

On 64-bit operating systems the following modification is required:

  1. You need to update the SSL configuration with the short path to the logs folder. You can find the short path filenames using the DIR /X command. The example below is of a default Windows 7 x64 system using the ES preinstall.

  2. Open \Program Files (x86)\DESlock+ HTTP\conf\extra\httpd-ssl.conf in Notepad.

  3. Find the SSLSessionCache value and change it as shown below, commenting out the existing SSLSessionCache line and adding the line with the new short path, then save the change:

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First the mechanism
#   to use and second the expiring timeout (in seconds).
#SSLSessionCache         "dbm:C:/Program Files (x86)/DESlock+ HTTP/logs/ssl_scache"
#SSLSessionCache        "shmcb:C:/Program Files (x86)/DESlock+ HTTP/logs/ssl_scache(512000)"
SSLSessionCache        "shmcb:C:/Progra~2/DESloc~1/logs/ssl_scache(512000)"
SSLSessionCacheTimeout  300

On all operating systems:

  • Restart the DESlockHTTP service within the services control panel.
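
An offline check that the manual steps above were applied, added here as an example (it is not ESET's code or part of the original article): it reads the text of httpd.conf and httpd-ssl.conf and lists each step that is missing. The function names and both sample configurations are constructed for illustration.

```python
import re

# Constructed sample: httpd.conf with one step missed (Include still commented).
SAMPLE_HTTPD_CONF = """\
LoadModule ssl_module modules/mod_ssl.so
#Include conf/extra/httpd-ssl.conf
LoadModule rewrite_module modules/mod_rewrite.so
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^/dlpes(|/.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=302,L]
"""

# Constructed sample: httpd-ssl.conf on 64-bit Windows before the short-path change.
SAMPLE_SSL_CONF = """\
#SSLSessionCache         "dbm:C:/Program Files (x86)/DESlock+ HTTP/logs/ssl_scache"
SSLSessionCache        "shmcb:C:/Program Files (x86)/DESlock+ HTTP/logs/ssl_scache(512000)"
SSLSessionCacheTimeout  300
"""

def active_directives(text):
    """Return (lower-cased name, arguments) for each line that is not a comment."""
    found = []
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            found.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return found

def audit(httpd_conf, ssl_conf):
    """Return the steps from the article that the two config texts do not reflect."""
    main, ssl = active_directives(httpd_conf), active_directives(ssl_conf)
    def has(name, pattern):
        return any(n == name and re.search(pattern, a, re.I) for n, a in main)
    findings = []
    if not has("loadmodule", r"^ssl_module\s"):
        findings.append("mod_ssl is not loaded")
    if not has("include", r"httpd-ssl\.conf"):
        findings.append("httpd-ssl.conf is not included")
    if not (has("loadmodule", r"^rewrite_module\s") and has("rewriteengine", r"^on$")
            and has("rewritecond", r"^%\{HTTPS\}\s+off$")
            and has("rewriterule", r"\shttps://")):
        findings.append("HTTP to HTTPS redirect is incomplete")
    caches = [a for n, a in ssl if n == "sslsessioncache"]
    if len(caches) != 1:
        findings.append("expected exactly one active SSLSessionCache line")
    elif "(x86)" in caches[0]:
        findings.append("SSLSessionCache still uses the long (x86) path")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_HTTPD_CONF, SAMPLE_SSL_CONF):
        print("FAIL:", finding)
```

To check a real installation, pass the contents of the two files from the conf folder to audit(); an empty list means every step was found.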

Open port 443 when accessing the server from an external machine

If accessing the server from external machines you will need to open port 443 on firewalls for external connections.