Configure GEE Server 5.1.0 for SSL/HTTPS

Data transmission between Google Earth EC and GEE Server occurs on unencrypted HTTP by default. However, you may have strict requirements that secure HTTP (HTTPS) be used for all data communications. This article provides the steps to configure a GEE Server release 5.1.0 for use with HTTPS.

We also include the steps required to generate a self-signed SSL certificate for your server but we recommend you obtain a third-party certificate from a CA (Certificate Authority). Third-party certificates generally are trusted and do not lead to any issues with warning messages or exceptions. However, you may want to set up your own self-signed certificates to get up and running quickly.

Requirements

  • Google Earth Enterprise Server 5.1.0
  • A third-party or self-signed SSL certificate. Instructions for generating the latter are provided in the following setup procedure.

Generate self-signed SSL certificate and key

A self-signed server certificate is generated for demonstration purposes in the following steps. If you are using CA-verified server certificates and keys, see the following section, Apply third-party/CA-verified certificates and keys.

To generate a self-signed SSL certificate and key:

  1. Change directory to the default certificate folder:

    cd /opt/google/gehttpd/conf

    The default SSL certificate and key files generated in the following steps and used in this example virtual host are /opt/google/gehttpd/conf/server.crt and /opt/google/gehttpd/conf/server.key respectively.

    Tip

    Your certificate location and names may be different but make sure that they match the entries in the httpd-ssl.conf file, as shown in Set your virtual host as a SSL server.

  2. Generate the server key:

    openssl genrsa -out server.key 1024

    Tip

    It is recommended that you do not use the -des3 option, which adds password protection when a key is created. While this adds an extra layer of security, it also requires manual input of the password should your system accidentally power down and restart, for example. Instead, generate the server key without a password or strip out the password with openssl rsa -in server.key -out myservername_nopasswd.key and use that instead.

  3. Generate the server certificate based on the server key:

    openssl req -new -x509 -days 365 -key server.key -out server.crt

    Tip

    Include as much information in the certificate as desired or accept the defaults, that is, Country, State, City, Company Name, Department, Server Name, and Administrator email address.

  4. Test the server certificate and verify all information is correct:

    openssl x509 -noout -text -in server.crt

Apply third-party/CA-verified certificates and keys

If you are using third-party/CA-verified certificates and keys, we recommend renaming them to use the default names for the virtual host configuration:

  1. Rename your third-party server certificate file to match the SSLCertificateFile entry: /opt/google/gehttpd/conf/server.crt
  2. Rename your third-party/CA-verified key file to match the SSLCertificateKeyFile entry: /opt/google/gehttpd/conf/server.key

Optionally, if you choose not to use the default certificate and key names, you will need to modify the entries in /opt/google/gehttpd/conf/extra/httpd-ssl.conf with the custom names accordingly, listed under # Server Certificate and # Server Private Key respectively.
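The following check can be run on either the self-signed pair or a renamed third-party pair before Apache loads it. It is an added example, not part of the original GEE documentation, and the function name and messages are illustrative. It confirms that the certificate belongs to the key, that the key is not passphrase-protected, that the certificate has not expired, and that the unencrypted key is readable only by its owner; it also warns on RSA keys shorter than 2048 bits, which includes the 1024-bit demonstration key generated above.

```sh
#!/bin/sh
# Added example: pre-flight checks on a certificate/key pair before Apache loads it.
# Usage: sh check_pair.sh /opt/google/gehttpd/conf/server.crt /opt/google/gehttpd/conf/server.key

# check_cert_pair CERT KEY: prints findings, returns 0 if none is a FAIL.
check_cert_pair() {
    cert=$1; key=$2; rc=0
    if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
        echo "FAIL: cannot read $cert or $key"; return 1
    fi

    # An encrypted key makes an unattended restart stop at the passphrase prompt.
    if grep -q ENCRYPTED "$key"; then
        echo "FAIL: $key is passphrase-protected"; return 1
    fi

    # The certificate must contain the public half of this private key.
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null)
    key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $cert was not issued for $key"; rc=1
    fi

    # Key length as recorded in the certificate; below 2048 bits is weak for RSA.
    text=$(openssl x509 -noout -text -in "$cert" 2>/dev/null)
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit.*/\1/p')
    if printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption' &&
        [ "${bits:-0}" -lt 2048 ]; then
        echo "WARN: ${bits:-unknown}-bit RSA key; use at least 2048 bits"
    fi

    # -checkend 0 exits non-zero once the notAfter date has passed.
    if ! openssl x509 -noout -checkend 0 -in "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert has expired"; rc=1
    fi

    # With no passphrase, file permissions are the key's only protection.
    perms=$(ls -lL "$key" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: $key is accessible to group/other ($perms); run chmod 600"; rc=1
    fi
    return $rc
}

# Run the check when the script is given the two paths.
if [ "$#" -eq 2 ]; then check_cert_pair "$1" "$2"; fi
```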

Setting up SSL/HTTPS

In this example procedure, you perform the following steps:

  • Add an SSL virtual host.
  • Set up the Apache server configuration to serve virtual hosts over HTTPS.
  • Restart GEE Server

Note

The virtual host name “secure” is reserved for GEE Server use.

To add a virtual host for HTTPS serving:

  1. Register your new virtual host using the geserveradmin command. See Manage virtual hosts.

    geserveradmin --addvh <Virtual Host Name> --ssl

    The --ssl option registers the newly created virtual host by creating a configuration file with the naming convention _host.location_ssl, located in the path <Apache path>/conf.d/virtual_servers/.

    For example, to create a location-based virtual host with a configuration file that specifies SSL:

    # /opt/google/bin$ ./geserveradmin --addvh test_ssl --ssl
    Registering Virtual Host: test_ssl ...
    Virtual Host registration successful.
    Location-based Virtual Host created:
    
    /conf.d/virtual_servers/test_ssl_host.location_ssl
    
  2. The newly created virtual host configuration file in this example, /opt/google/gehttpd/conf.d/virtual_servers/test_ssl_host.location_ssl, includes the <Location> directives for SSL, in this case, test_ssl.

    <Location "/test_ssl_host/*">
       SetHandler fdb-handler
       SSLRequireSSL
       SSLVerifyClient none
    </Location>
    

    Tip

    Use of the SSLRequireSSL directive prevents all HTTP requests that do not use SSL, thereby protecting your data from all but HTTPS requests. See Apache HTTP Server Version 2.2 Documentation for more information.

    Tip

    Use of the SSLVerifyClient directive specifies the level of certificate verification required for the client. See Apache HTTP Server Version 2.2 Documentation for SSLVerifyClient for more information.

Set your virtual host as a SSL server

Tip

All commands must be executed as the root user unless otherwise specified.

To set your virtual host as a SSL server:

  1. Edit the Apache HTTP server configuration file, /opt/google/gehttpd/conf/gehttpd.conf, as follows:

    1. Uncomment and change ServerName www.example.com to ServerName MyServerName, where MyServerName is the real address users would enter in the network.
    2. Check that Include conf/extra/httpd-ssl.conf appears and uncomment it. Note that this Include for the httpd-ssl.conf configuration is commented out by default as it should only be loaded if you serve a virtual host over HTTPS.
    3. Save and close the /opt/google/gehttpd/conf/gehttpd.conf file.
  2. Edit the Apache server configuration file that provides SSL support, /opt/google/gehttpd/conf/extra/httpd-ssl.conf. It contains the configuration directives that instruct the server how to serve pages over an HTTPS connection. For detailed information about these directives, see the Apache 2.2 documentation.

    1. Ensure the ServerName www.example.com is uncommented and matches the name defined in the /opt/google/gehttpd/conf/gehttpd.conf file, that is, the alias or real address users would enter in the network.

    2. Check that the SSL virtual hosts configuration file location is already included in the <VirtualHost _default_:443> list of directives:

      <VirtualHost _default_:443>

      Include conf.d/virtual_servers/*.location_ssl

    3. Save and close the /opt/google/gehttpd/conf/extra/httpd-ssl.conf file.

  3. Restart the Google Earth Enterprise Server software:

    /etc/init.d/geserver restart

  4. Publish a database to the SSL/HTTPS virtual host.

  5. Test the connections with Google Earth Enterprise Client for HTTP and HTTPS-based virtual servers.
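
The edits in steps 1 and 2 can be checked before the restart in step 3. The script below is an added example, not part of the original GEE documentation; its function names and messages are illustrative, and it assumes the directory layout under /opt/google/gehttpd described on this page. It verifies that the SSL include is uncommented, that ServerName agrees in both files, that the *.location_ssl files are included, and that each of them carries SSLRequireSSL.

```sh
#!/bin/sh
# Added example: lint the GEE Apache tree before running geserver restart.
# Usage: sh check_gee_ssl.sh /opt/google/gehttpd

# first_value FILE NAME: value of the first uncommented NAME directive in FILE.
first_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" |
        head -n 1
}

# has_line FILE REGEX: true when an uncommented line starts with REGEX.
has_line() { grep -Eq "^[[:space:]]*$2" "$1" 2>/dev/null; }

# check_gee_ssl_conf ROOT: prints findings, returns 0 when every check passes.
check_gee_ssl_conf() {
    root=$1; rc=0
    main=$root/conf/gehttpd.conf
    ssl=$root/conf/extra/httpd-ssl.conf

    # Step 1.2: the SSL include is commented out by default.
    has_line "$main" 'Include[[:space:]]+conf/extra/httpd-ssl\.conf' ||
        { echo "FAIL: httpd-ssl.conf is not included from $main"; rc=1; }

    # Steps 1.1 and 2.1: both files must name the same server
    # (assumption: a :port suffix on either value is ignored).
    name_main=$(first_value "$main" ServerName 2>/dev/null)
    name_ssl=$(first_value "$ssl" ServerName 2>/dev/null)
    if [ -z "$name_main" ] || [ "${name_main%:*}" != "${name_ssl%:*}" ]; then
        echo "FAIL: ServerName differs: '$name_main' vs '$name_ssl'"; rc=1
    fi

    # Step 2.2: the SSL virtual host must pull in the *.location_ssl files.
    has_line "$ssl" 'Include[[:space:]]+conf\.d/virtual_servers/\*\.location_ssl' ||
        { echo "FAIL: $ssl does not include *.location_ssl"; rc=1; }

    # Every SSL location must refuse requests that do not use SSL.
    found=0
    for f in "$root"/conf.d/virtual_servers/*.location_ssl; do
        [ -e "$f" ] || continue
        found=1
        has_line "$f" 'SSLRequireSSL' ||
            { echo "FAIL: $f has no SSLRequireSSL"; rc=1; }
    done
    [ "$found" -eq 1 ] || { echo "FAIL: no *.location_ssl file registered"; rc=1; }
    return $rc
}

# Run the lint when the script is given the Apache root directory.
if [ "$#" -eq 1 ]; then check_gee_ssl_conf "$1"; fi
```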