M Web Server/Enabling TLS

Here's how to turn on TLS on GT.M/YDB. There is precious little documentation on doing it.

1. As root, go to the install dir of GTM/YDB, then plugin, then gtmcrypt: cd $gtm_dist/plugin/gtmcrypt

2. Extract source.tar: tar x < source.tar

3. You will need to compile some files. Before doing that, make sure the openssl-dev, libconfig-dev, and gpgme-dev libraries are installed.

You may need more, but that's what I figured out right now.

4. Log in to the root account (to allow installing of libraries).

5. Define the gtm_dist environment variable, then call a simple make:

    gtm_dist=../.. make

6. Define the gtm_dist environment variable, then call make install to enable installation of libraries:

    gtm_dist=../.. make install

Log out of root and go back to your application directory. Create a certs directory there:

    mkdir certs

7. Create your certificate with a key that has a password. I know from previous interaction with the GT.M developers that they don't allow passwordless keys for business reasons. Here is how I did it; but you may already have a certificate. I moved all the files into the certs directory after this.

    openssl genrsa -aes128 -passout pass:monkey1234 -out ./mycert.key 2048
    openssl req -new -key ./mycert.key -passin pass:monkey1234 -subj '/C=US/ST=Washington/L=Seattle/CN=www.smh101.com' -out ./mycert.csr
    openssl req -x509 -days 365 -sha256 -in ./mycert.csr -key ./mycert.key -passin pass:monkey1234 -out ./mycert.pem
    mv mycert.* certs/

8. Create a file called gtmcrypt_config.libconfig (the name doesn't matter) with the following contents. Note the section called dev. This section can be called anything. It lets you put a pair of cert/key for each environment you need to configure.

    tls: {
      dev: {
        format: "PEM";
        cert: "/home/sam/workspace/db/foia201712/certs/mycert.pem";
        key: "/home/sam/workspace/db/foia201712/certs/mycert.key";
      }
    }

9. In the file that sets up your GT.M environment, set the environment variable gtmcrypt_config to the path to your config file:

    export gtmcrypt_config="$vista_home/gtmcrypt_config.libconfig"

10. Find out the masked (obfuscated) value of your key password using the maskpass utility. For example, for me it's:

    $gtm_dist/plugin/gtmcrypt/maskpass <<< 'monkey1234' | cut -d ":" -f2 | tr -d ' '
    7064420FDCAEE313B222

11. In your environment file, set gtmtls_passwd_{section name} to that masked value. For me (Sam Habiel), it's:

    export gtmtls_passwd_dev="7064420FDCAEE313B222"

12. Start the M Web server with the config name ("dev") like this: D JOB^VPRJREQ(9081,"dev")

At this point, if you go to your browser and type the address https://localhost:9081, you should be able to see the web pages via TLS.
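A preflight check for the result of steps 7 to 11, worth running before starting the server in step 12. This is an added example, not part of the original page or of GT.M/YDB: it confirms that a section's cert and key paths resolve, that the key is passphrase-protected and not accessible to group or other, and that gtmtls_passwd_{section name} is set to something that looks like maskpass output. The function names and the hex-only test (based on the sample value in step 10) are assumptions of this example.

```shell
#!/bin/sh
# Added example: preflight check for one section of a gtmcrypt_config file.
# Handles only the simple layout shown above (one "name: { ... }" block per
# section, quoted cert/key values); it is not a full libconfig parser.

tls_field() {  # usage: tls_field <config> <section> <field>
    tr '\n' ' ' < "$1" |
        sed -n "s/.*[[:space:]{]$2[[:space:]]*:[[:space:]]*{\([^}]*\)}.*/\1/p" |
        sed -n "s/.*$3[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

check_tls_section() {  # usage: check_tls_section <config> <section>
    cfg=$1; sec=$2; rc=0
    case $sec in
        ''|*[!A-Za-z0-9_]*) echo "FAIL bad section name: '$sec'"; return 1 ;;
    esac
    cert=$(tls_field "$cfg" "$sec" cert)
    key=$(tls_field "$cfg" "$sec" key)
    [ -r "$cert" ] || { echo "FAIL cert not readable: '$cert'"; rc=1; }
    [ -r "$key" ] || { echo "FAIL key not readable: '$key'"; return 1; }
    # The key must be passphrase-protected: traditional or PKCS#8 encrypted PEM.
    grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$key" ||
        { echo "FAIL key has no passphrase: $key"; rc=1; }
    # Characters 5-10 of the ls mode string are the group/other permission bits.
    case $(ls -ld "$key" | cut -c5-10) in
        ------) ;;
        *) echo "FAIL key accessible to group/other: $key"; rc=1 ;;
    esac
    # gtmtls_passwd_<section> must hold maskpass output, assumed here to be
    # hex only (as in the sample value above), not the plaintext passphrase.
    eval "pw=\${gtmtls_passwd_$sec:-}"
    case $pw in
        '') echo "FAIL gtmtls_passwd_$sec is not set"; rc=1 ;;
        *[!0-9A-Fa-f]*) echo "FAIL gtmtls_passwd_$sec is not maskpass output"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK section '$sec'"
    return "$rc"
}

# Run as: sh check_tls.sh "$gtmcrypt_config" dev
if [ "$#" -eq 2 ]; then check_tls_section "$1" "$2"; fi
```

The same function can be called once per section when the config file holds a cert/key pair for several environments.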