Setting Up HTTPS for CoreHub Web UI and Secure Web Socket Connections

This guide explains how to enable and configure HTTPS with TLS encryption for secure connections to the Gluesync CoreHub web interface and secure web socket connections between nodes.

Overview

By default, Gluesync CoreHub runs with TLS encryption disabled. To ensure secure communications, you should enable HTTPS by:

  1. Generating the required SSL certificates

  2. Configuring CoreHub to use TLS encryption

  3. Customizing the security configuration file

Generating SSL Certificates

While the trial kit comes with self-signed certificates, you may want to generate your own. Here’s how to create them:

#!/bin/bash
# Create a directory for certificates
mkdir certs
cd certs

# Generate root CA key (you'll be prompted for a password)
openssl genrsa -des3 -out rootCA.key 4096

# Generate root certificate
openssl req -x509 -new -nodes \
  -key rootCA.key \
  -sha256 \
  -days 1825 \
  -out rootCA.crt \
  -subj "/C=IT/ST=Italy/O=YourOrganization/L=YourCity/OU=YourUnit/CN=gluesync.com"

# Generate Gluesync key
openssl genrsa -out gluesync.com.key 2048

# Generate Certificate Signing Request (CSR)
openssl req -new -sha256 \
  -key gluesync.com.key \
  -subj "/C=IT/ST=Italy/O=YourOrganization/L=YourCity/OU=YourUnit/CN=gluesync.com" \
  -out gluesync.com.csr

# Generate Gluesync certificate
openssl x509 -req \
  -in gluesync.com.csr \
  -CA rootCA.crt \
  -CAkey rootCA.key \
  -CAcreateserial \
  -out gluesync.com.crt \
  -days 1825 \
  -sha256

# Create PKCS12 keystore
openssl pkcs12 -export \
  -name gluesync \
  -in gluesync.com.crt \
  -inkey gluesync.com.key \
  -out gluesync.com.p12

# Convert to Java KeyStore (JKS)
keytool -importkeystore \
  -destkeystore gluesync.com.jks \
  -srckeystore gluesync.com.p12 \
  -srcstoretype pkcs12 \
  -alias gluesync

Remember to replace the certificate subject information (/C=IT/ST=Italy/O=YourOrganization/…) with your organization's details. Note the passwords you type at the openssl pkcs12 -export and keytool prompts: they are the values CoreHub later reads from security-config.json as certificatePassword and certificateKeyPassword. Also be aware that the server certificate produced above carries only a CN and no subjectAltName; current browsers ignore the CN and match the hostname against the SAN only, so expect a hostname warning in the browser unless you add a SAN entry when signing.

Enabling TLS in CoreHub

To enable TLS encryption, modify the CoreHub service definition in your docker-compose file or Kubernetes manifest:

gluesync-core-hub:
  image: molo17/gluesync-core-hub:LATEST
  environment:
    - type=corehub
    - ssl_enabled=true # Enable TLS
    - LOG_CONFIG_FILE=/opt/gluesync/data/logback.xml
  volumes:
    - ./gluesync.com.jks:/opt/gluesync/data/gluesync.com.jks
    # ... other volume mappings ...

The ssl_enabled environment variable set to true turns on TLS encryption, and the JKS keystore is mounted into the container at the path that security-config.json points to. The default HTTPS port is 1717.
Repeat this step for every CoreHub node and agent in your deployment.

Important Configuration Notes

  1. Set ssl_enabled=true in the environment variables

  2. Ensure the JKS file (gluesync.com.jks) is mounted correctly in the container

  3. The default HTTPS port is 1717

Customizing the Security Configuration File

So that every node opens the same keystore with the same credentials, you need to customize the security configuration file. This file should include the following settings (the passwords must match those chosen when the PKCS12 file and the JKS were created):

{
  "ssl": {
    "sslCertificatePath": "/opt/gluesync/data/gluesync.com.jks",
    "certificateAlias": "gluesync",
    "certificatePassword": "gluesync",
    "certificateKeyPassword": "gluesync"
  }
}

Make sure to mount this configuration file on each node. This setup not only secures the communication between the client (browser) and the CoreHub UI but also secures the communication between each node by enabling WSS (WebSocket Secure).

This file should be named security-config.json and placed in the /opt/gluesync/data directory, just like the following example:

volumes:
  - ./security-config.json:/opt/gluesync/data/security-config.json

Verifying the Configuration

After enabling TLS:

  1. Restart the CoreHub service

  2. Access the web UI using https:// instead of http://

  3. If using self-signed certificates, you may need to accept the security warning in your browser

Troubleshooting

  • If you can’t connect after enabling TLS, verify that:

    • The JKS file is properly mounted

    • The ssl_enabled environment variable is set to true

    • The correct port is exposed in your docker-compose configuration
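The checks in the Verifying and Troubleshooting sections can be scripted. The following script is an added example, not part of the Gluesync documentation: it assumes the file names and alias used in this guide, needs openssl on the path (and keytool from a JDK for the keystore check), and reports each check separately so a failing step points at the misconfigured piece.

```bash
#!/bin/bash
# verify-tls-setup.sh (added example, not part of the Gluesync docs)
# Sanity-checks the artifacts produced by the certificate script in this
# guide before they are mounted into CoreHub, then probes the live endpoint.

# 1. The leaf certificate must chain to rootCA.crt and name the host CoreHub
#    is reached at (matched on CN or a SAN DNS entry; browsers need the SAN).
verify_chain() {
  local ca="$1" cert="$2" host="$3"
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
  openssl x509 -in "$cert" -noout -text | grep -Eq "(CN ?= ?|DNS:)${host}(,|$)"
}

# 2. The private key and certificate must belong together: compare the public
#    key derived from each (an encrypted key prompts for its password).
key_matches_cert() {
  local key="$1" cert="$2"
  [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)" ]
}

# 3. The certificate must still be valid 30 days from now (2592000 seconds).
not_expiring_soon() {
  openssl x509 -in "$1" -noout -checkend 2592000 >/dev/null 2>&1
}

# 4. The JKS must contain the alias and open with the password that
#    security-config.json names as certificatePassword (requires keytool).
keystore_has_alias() {
  local jks="$1" alias="$2" storepass="$3"
  keytool -list -keystore "$jks" -storepass "$storepass" -alias "$alias" >/dev/null 2>&1
}

# 5. Client view: connect to the HTTPS port (1717 by default) and require the
#    presented chain to verify against rootCA.crt.
probe_endpoint() {
  local host="$1" port="${2:-1717}" ca="$3"
  echo | openssl s_client -connect "${host}:${port}" -servername "$host" \
    -CAfile "$ca" 2>/dev/null | grep -q "Verify return code: 0 (ok)"
}

main() {
  local ca=certs/rootCA.crt cert=certs/gluesync.com.crt key=certs/gluesync.com.key
  local host="${1:-gluesync.com}" pass="${2:-gluesync}"
  verify_chain "$ca" "$cert" "$host" && echo "chain ok" || echo "chain FAILED"
  key_matches_cert "$key" "$cert" && echo "key/cert ok" || echo "key/cert MISMATCH"
  not_expiring_soon "$cert" && echo "validity ok" || echo "expires within 30 days"
  keystore_has_alias certs/gluesync.com.jks gluesync "$pass" && echo "keystore ok" || echo "keystore FAILED"
  probe_endpoint "$host" 1717 "$ca" && echo "endpoint ok" || echo "endpoint FAILED"
}
[ $# -gt 0 ] && main "$@"
```

Run it as ./verify-tls-setup.sh gluesync.com <keystore-password> from the directory containing certs/ after the CoreHub container is up.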