How to Set up HTTPS for Timeline
Below is a general sequence of steps necessary for setting up HTTPS for Timeline.
Basic steps
- Obtain an SSL certificate.
- Extract the certificate and keys from a .pfx file.
Currently, Timeline does not accept .pfx files. You must extract the .cert and .key files from the .pfx file, so that the certificate and the key files are available separately.
For more information see "How to extract .cert and .key files from .pfx".
- Set up HTTPS.
You can enable SSL and configure HTTPS at one of the following stages:
- During the Timeline installation process.
For more information see "How to set up HTTPS during Timeline installation".
- After the Timeline installation is completed.
For more information see "How to switch from HTTP to HTTPS without reinstalling Timeline".
How to extract .cert and .key files from .pfx
Prerequisites. Ensure OpenSSL is installed on the server that contains the SSL certificate.
Important. Name your private key and certificate files server.key and server.cert respectively. Timeline accepts only files with these names.
- Start OpenSSL from the OpenSSL\bin folder.
- Open the command prompt and go to the folder that contains your .pfx file.
- Run the following command to extract the private key:
openssl pkcs12 -in [yourfile.pfx] -nocerts -out [keyfile-encrypted.key]
You will be prompted to type the import password. Type the password that you used to protect your keypair when you created the .pfx file. You will then be prompted to provide a new password to protect the .key file that you are creating. Store the password for your key file in a secure place to avoid misuse.
- Run the following command to extract the certificate:
openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [certificate.cert]
- Run the following command to decrypt the private key:
openssl rsa -in [keyfile-encrypted.key] -out [keyfile-decrypted.key]
- Type the password that you created to protect the private key file in the previous step.
- The .cert file and the decrypted and encrypted .key files are available in the folder where you started OpenSSL.
- Rename your .cert and .key files to server.cert and server.key, as Timeline only accepts files with these names.
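Added example (not part of the ABBYY documentation): a PowerShell check to run after the extraction steps above, confirming that server.key belongs to server.cert, that the certificate is not about to expire, and which accounts can read the key file. It assumes openssl.exe is on PATH; the function name and the 30-day threshold are illustrative.

```powershell
# Added example, not ABBYY code. Assumes openssl.exe is on PATH.
function Test-TimelineKeyPair {
    param(
        [string]$CertPath = '.\server.cert',
        [string]$KeyPath  = '.\server.key',
        [int]$MinDaysValid = 30              # assumed renewal threshold
    )

    # An encrypted PEM key carries one of these markers; a decrypted one does not.
    $keyText   = Get-Content -Raw -Path $KeyPath
    $encrypted = $keyText -match 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED'

    # Public key embedded in the certificate, as PEM text.
    $certPub = (& openssl x509 -in $CertPath -noout -pubkey) -join "`n"
    if ($LASTEXITCODE -ne 0) { throw "openssl could not read $CertPath" }

    # Public key derived from the private key. Skipped for an encrypted key,
    # because openssl would stop and prompt for the password.
    $pairOk = $null
    if (-not $encrypted) {
        $keyPub = (& openssl pkey -in $KeyPath -pubout) -join "`n"
        if ($LASTEXITCODE -ne 0) { throw "openssl could not read $KeyPath" }
        $pairOk = ($certPub -ceq $keyPub)
    }

    # -checkend N exits with 0 when the certificate is still valid N seconds from now.
    & openssl x509 -in $CertPath -noout -checkend ($MinDaysValid * 86400) | Out-Null
    $validLongEnough = ($LASTEXITCODE -eq 0)

    # Accounts with an Allow entry on the key file.
    $readers = (Get-Acl -Path $KeyPath).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

    [pscustomobject]@{
        Subject         = (& openssl x509 -in $CertPath -noout -subject)
        KeyIsEncrypted  = $encrypted
        KeyMatchesCert  = $pairOk            # $null when the key is encrypted
        ValidLongEnough = $validLongEnough
        KeyFileReaders  = $readers
    }
}

Test-TimelineKeyPair
```

The decrypted key is not password-protected, so KeyFileReaders should list only the accounts that need it. Once server.key is in place, delete the intermediate key files left in the working folder.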
How to set up HTTPS during Timeline installation
- Run the ABBYY-Timeline-5.3.*-installer.exe file and follow the on-screen instructions in the Installation Wizard. For more information see 'Installing Timeline'.
- Enable SSL between the remote PostgreSQL instance and application in the Database Connection step.
If your remote PostgreSQL is configured with SSL support:
- Choose Use SSL for the database connection.
- Provide a path to your database SSL certificate.
If your PostgreSQL is configured with SSL support and a CA root certificate file is used, choose Use CA Root certificate file and provide the full path to your root certificate.
- Enable SSL between application and client in the Timeline Base URL and Ports Configuration step:
- Specify TCP/IP port for the Timeline website. For example, 443.
- Choose Use HTTPS.
- Provide paths to the server.cert, server.key, and password (if present) files.
- Set up a network connection for Timeline. For more information see 'Network Connection Settings'.
- In Windows Firewall, open the rules for inbound Timeline connections.
- Add the TCP/IP port specified during the installation process to the exception list. For example, port 443.
- Check whether HTTPS is functioning properly.
Open a browser on any computer and enter {TimelineUrl}:{port} in the address bar, where:
- {TimelineUrl} is the Base URL you specified during the Timeline installation or the public IP address or the full name of the computer where Timeline is installed.
- {port} is the custom port assigned to the Timeline website during the installation process. If you are using the default port (80 or 443), you do not need to add it to {TimelineUrl}. By default, TCP/IP port 80 or 443 is used.
Example: https://mytimeline:30443
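Added example (not part of the ABBYY documentation): a PowerShell version of the check above that goes beyond opening the page in a browser by reporting the negotiated protocol, any trust or name-mismatch errors, and whether the certificate being served is the server.cert you installed. It assumes openssl.exe is on PATH; the function name is illustrative, and the host, port and file path are placeholders based on the example URL above.

```powershell
# Added example, not ABBYY code. Assumes openssl.exe is on PATH.
function Test-TimelineHttps {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [string]$InstalledCert = '.\server.cert'   # placeholder path
    )

    $state  = @{ Errors = [System.Net.Security.SslPolicyErrors]::None }
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Record validation errors instead of failing the handshake, so that
        # a wrong or untrusted certificate can still be reported. No data is sent.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($s, $certificate, $chain, $policyErrors)
            $state.Errors = $policyErrors
            $true
        }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $served = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)

        # SHA-1 fingerprint of the file on disk, normalised to the .Thumbprint form.
        $fp = (& openssl x509 -in $InstalledCert -noout -fingerprint -sha1) -join ''
        if ($LASTEXITCODE -ne 0) { throw "openssl could not read $InstalledCert" }
        $installedThumb = ($fp -split '=')[-1].Replace(':', '').Trim().ToUpper()

        [pscustomobject]@{
            Subject         = $served.Subject
            NotAfter        = $served.NotAfter
            Protocol        = $ssl.SslProtocol
            PolicyErrors    = $state.Errors    # None = trusted chain and matching name
            IsInstalledCert = ($served.Thumbprint -eq $installedThumb)
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

Test-TimelineHttps -HostName 'mytimeline' -Port 30443
```

A PolicyErrors value other than None means browsers will warn users even though the port answers. IsInstalledCert being False usually means the service is still serving an older certificate or something else is listening on that port.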
How to switch from HTTP to HTTPS without reinstalling Timeline
If you did not configure HTTPS when installing Timeline, you can do it later without reinstalling Timeline. To do this:
- Go to the computer on which Timeline is installed.
Note: To perform all activities below, you must be a system administrator of the computer.
- Stop the timelinepi service using the Services snap-in, or open Command Prompt as administrator and use:
sc stop timelinepi
- Open the Timeline installation folder and copy the server.cert and server.key files to the ssl subfolder.
- By default, the Timeline website uses TCP/IP port 443 when using HTTPS.
You can reassign port numbers. For more information see "Set a Different Website Base URL and Port Number for Timeline".
Then you need to make changes to the appropriate Windows Firewall rules or to the settings of any other firewall that you are using.
- Make sure the HTTPS protocol is specified in the BASE_URL variable in the TimelinePI.xml configuration file. If you use a custom port, update BASE_URL with the port number.
Example: BASE_URL=https://mytimeline.com:30443
- Start the timelinepi service using the Services snap-in, or run Command Prompt as administrator and use:
sc start timelinepi
- Perform a health check.
22.09.2023 8:59:47