Configure GEE Server 5.1.0 for SSL/HTTPS
Data transmission between Google Earth EC and GEE Server occurs on unencrypted HTTP by default. However, you may have strict requirements that secure HTTP (HTTPS) be used for all data communications. This article provides the steps to configure a GEE Server release 5.1.0 for use with HTTPS.
We also include the steps required to generate a self-signed SSL certificate for your server but we recommend you obtain a third-party certificate from a CA (Certificate Authority). Third-party certificates generally are trusted and do not lead to any issues with warning messages or exceptions. However, you may want to set up your own self-signed certificates to get up and running quickly.
- Generate self-signed SSL certificate and key
- Apply third-party/CA-verified certificates and keys
- Setting up SSL/HTTPS
- Set your virtual host as a SSL server
- Google Earth Enterprise Server 5.1.0
- A third-party or self-signed SSL certificate. Instructions for generating the latter are provided in the following setup procedure.
Generate self-signed SSL certificate and key
A self-signed server certificate is generated for demonstration purposes in the following steps. If you are using CA-verified server certificates and keys, see the following section, Apply third-party/CA-verified certificates and keys.
To generate a self-signed SSL certificate and key:
Change directory to the default certificate folder:
The default SSL certificate and key files generated in the following steps and used in this example virtual host are
Your certificate location and names may be different, but make sure that they match the entries in the httpd-ssl.conf file, as shown in Set your virtual host as a SSL server.
Generate the server key:
openssl genrsa -out server.key 1024
It is recommended that you do not use the -des3 option, which adds password protection when a key is created. While this adds an extra layer of security, it also requires manual input of the password should your system accidentally power down and restart, for example. Instead, generate the server key without a password or strip out the password with
openssl rsa -in server.key -out myservername_nopasswd.key
and use that instead.
Generate the server certificate based on the server key:
openssl req -new -x509 -days 365 -key server.key -out server.crt
Include as much information in the certificate as desired, or accept the defaults; the fields are Country, State, City, Company Name, Department, Server Name, and Administrator email address.
Test the server certificate and verify all information is correct:
openssl x509 -noout -text -in server.crt
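The text dump above shows the certificate fields but not whether the certificate belongs to the key. The following added example (not part of the GEE documentation) goes a little further: it checks that the pair matches, that the key meets a minimum size, that the certificate is not about to expire, and, because the key is stored without a passphrase, that only its owner can read it. The function names and the default thresholds (2048 bits, 30 days) are assumptions of this example.

```bash
# Added example, not part of the GEE documentation. Checks a key/certificate
# pair such as the server.key and server.crt generated above.

# RSA key size in bits, parsed from the "Private-Key: (N bit...)" line.
key_bits() {
  openssl rsa -in "$1" -passin pass: -noout -text 2>/dev/null |
    sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# check_pair KEY CERT [MIN_BITS] [MIN_DAYS_LEFT]
# Returns 0 if every check passes, otherwise a code naming the first failure:
#   1 key and certificate do not match   2 key shorter than MIN_BITS
#   3 certificate expires too soon       4 key readable by group or others
check_pair() {
  local key=$1 crt=$2 min_bits=${3:-2048} min_days=${4:-30} kmod cmod bits

  # The certificate must carry the public half of this private key.
  kmod=$(openssl rsa -in "$key" -passin pass: -noout -modulus 2>/dev/null)
  cmod=$(openssl x509 -in "$crt" -noout -modulus 2>/dev/null)
  [ -n "$kmod" ] && [ "$kmod" = "$cmod" ] || { echo "key/cert mismatch"; return 1; }

  bits=$(key_bits "$key")
  [ "${bits:-0}" -ge "$min_bits" ] || { echo "weak key: ${bits:-?} bits"; return 2; }

  # -checkend exits non-zero if the certificate expires within N seconds.
  openssl x509 -in "$crt" -noout -checkend $((min_days * 86400)) >/dev/null ||
    { echo "certificate expires within $min_days days"; return 3; }

  # A key stored without a passphrase is protected only by file permissions.
  [ "$(ls -ld -- "$key" | cut -c5-10)" = "------" ] ||
    { echo "key is readable by group or others"; return 4; }

  echo "ok: $bits-bit key matches certificate"
}

# Usage: ./check_pair.sh server.key server.crt
if [ "$#" -ge 2 ]; then check_pair "$@"; fi
```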
Apply third-party/CA-verified certificates and keys
If you are using third-party/CA-verified certificates and keys, we recommend renaming them to use the default names for the virtual host configuration:
- Change your third-party server certificate file name to
- Change your third-party/CA verified key file name to
Optionally, if you choose not to use the default certificate and
key names, you will need to modify the entries in
/opt/google/gehttpd/conf/extra/httpd-ssl.conf with the custom
names accordingly, listed under
# Server Certificate and
# Server Private Key respectively.
Setting up SSL/HTTPS
In this example procedure, you perform the following steps:
- Add a virtual host
- Set up the Apache server configuration to serve virtual hosts over HTTPS.
- Restart GEE Server
The virtual host name “secure” is reserved for GEE Server use.
To add a virtual host for HTTPS serving:
Register your new virtual host using the geserveradmin command. See Manage virtual hosts.
geserveradmin --addvh <Virtual Host Name> --ssl
The --ssl option registers the newly created virtual host by creating a configuration file with the naming convention: _host.location_ssl located in the path
For example, to create a location-based virtual host with a configuration file that specifies SSL:
# /opt/google/bin$ ./geserveradmin --addvh test_ssl --ssl
Registering Virtual Host: test_ssl ...
Virtual Host registration successful.
Location-based Virtual Host created: /conf.d/virtual_servers/test_ssl_host.location_ssl
The newly created virtual host configuration file in this example, /opt/google/gehttpd/conf.d/virtual_servers/test_ssl_host.location_ssl, includes the <Location> directives for SSL, in this case,
<Location "/test_ssl_host/*">
SetHandler fdb-handler
SSLRequireSSL
SSLVerifyClient none
</Location>
Use of the SSLRequireSSL directive prevents all HTTP requests that do not use SSL, thereby protecting your data from all but HTTPS requests. See Apache HTTP Server Version 2.2 Documentation for more information.
Use of the SSLVerifyClient directive specifies the level of certificate verification required for the client. See Apache HTTP Server Version 2.2 Documentation for SSLVerifyClient for more information.
Set your virtual host as a SSL server
All commands must be executed as the root user unless otherwise specified.
To set your virtual host as a SSL server:
Edit the Apache HTTP server configuration file, /opt/google/gehttpd/conf/gehttpd.conf, as follows:
- Uncomment and change ServerName MyServerName, where MyServerName is the real address users would enter in the network.
- Check that Include conf/extra/httpd-ssl.conf appears and uncomment it. Note that this httpd-ssl.conf configuration is commented out by default as it should only be loaded if you serve a virtual host over HTTPS.
- Save and close the
- Uncomment and change
Edit the Apache server configuration file, /opt/google/gehttpd/conf/extra/httpd-ssl.conf, which provides SSL support. It contains the configuration directives to instruct the server how to serve pages over an HTTPS connection. For detailed information about these directives see Apache 2.2 documentation.
ServerName www.example.com is uncommented and matches the name defined in the /opt/google/gehttpd/conf/gehttpd.conf file, that is, the alias or real address users would enter in the network.
Check that the SSL virtual hosts configuration file location is already included in the <VirtualHost _default_:443> list of directives:
Save and close the
Restart the Google Earth Enterprise Server software:
Publish a database to the SSL/HTTPS virtual host.
Test the connections with Google Earth Enterprise Client for HTTP and HTTPS-based virtual servers.
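Before testing with a client, the settings this procedure depends on can be checked directly in the configuration files. The following added example (not part of the GEE documentation) verifies that the httpd-ssl.conf Include is active, that ServerName agrees between gehttpd.conf and httpd-ssl.conf, and that every *_host.location_ssl file carries SSLRequireSSL. The function names and the sample tree are constructed for this example; the file paths are the ones named on this page.

```bash
# Added example, not part of the GEE documentation. Audits the settings the
# procedure above depends on; ROOT defaults to /opt/google/gehttpd.

# First uncommented ServerName in an Apache config file, port stripped.
server_name() {
  awk '$1 == "ServerName" { sub(/:[0-9]+$/, "", $2); print $2; exit }' "$1"
}

# audit_gee_ssl [ROOT]: prints one line per finding, returns the finding count.
audit_gee_ssl() {
  local root=${1:-/opt/google/gehttpd} n=0 f main ssl
  main=$root/conf/gehttpd.conf
  ssl=$root/conf/extra/httpd-ssl.conf

  # httpd-ssl.conf is commented out by default and must be active for HTTPS.
  grep -Eq '^[[:space:]]*Include[[:space:]]+conf/extra/httpd-ssl\.conf' "$main" ||
    { echo "gehttpd.conf: Include conf/extra/httpd-ssl.conf not active"; n=$((n + 1)); }

  # ServerName must be set and must match in both files.
  if [ -z "$(server_name "$main")" ] ||
     [ "$(server_name "$main")" != "$(server_name "$ssl")" ]; then
    echo "ServerName unset or different in gehttpd.conf and httpd-ssl.conf"
    n=$((n + 1))
  fi

  # Each SSL virtual host location file must reject non-SSL requests.
  for f in "$root"/conf.d/virtual_servers/*_host.location_ssl; do
    [ -e "$f" ] || continue
    grep -Eq '^[[:space:]]*SSLRequireSSL([[:space:]]|$)' "$f" ||
      { echo "$f: SSLRequireSSL missing"; n=$((n + 1)); }
  done
  return "$n"
}

# Constructed sample tree (not real GEE files) with three deliberate findings.
make_sample_tree() {
  mkdir -p "$1/conf/extra" "$1/conf.d/virtual_servers"
  printf '%s\n' 'ServerName gee.example.test' \
    '#Include conf/extra/httpd-ssl.conf' > "$1/conf/gehttpd.conf"
  printf '%s\n' '<VirtualHost _default_:443>' '  ServerName www.example.com:443' \
    '</VirtualHost>' > "$1/conf/extra/httpd-ssl.conf"
  printf '%s\n' '<Location "/test_ssl_host/*">' '  SetHandler fdb-handler' \
    '  SSLVerifyClient none' '</Location>' \
    > "$1/conf.d/virtual_servers/test_ssl_host.location_ssl"
}
```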