Enable HTTPS

MATLAB® Production Server™ uses HTTPS to establish secure connections between server instances and clients. HTTPS provides certificate-based authentication for the client to validate the connection to the server. Optionally, you can configure HTTPS such that the server can provide certificate-based authentication of the client. For more information on configuring client authentication, see Configure Client Authentication. HTTPS also provides an encrypted data path between the clients and server instances.

Acquire and Copy SSL Certificate and Key

To set up HTTPS on a server instance, you must save an SSL certificate and the corresponding private key to the <instance_root>/x509/ folder of your server instance. The SSL certificate and private key must be in PEM format.

To generate a self-signed SSL certificate, you can use the following openssl command:

openssl req -x509 -nodes -newkey rsa:4096 -keyout private_key.pem -out cert_chain.pem -days 365

The command generates a self-signed certificate cert_chain.pem with a private key private_key.pem. The certificate is valid for 365 days. Because of the -nodes option, the private key is written unencrypted. For more information, see OpenSSL.

Self-signed SSL certificates are suitable for use in testing environments as they offer encryption but do not offer authentication. SSL certificates signed by a certificate authority (CA) are suitable for production environments.

Edit Configuration File

To configure HTTPS, specify the https, x509-cert-chain, and x509-private-key properties in the main_config configuration file of the server instance.

When you set the https property on the server, you must set both the x509-cert-chain and x509-private-key properties; otherwise, the server fails to start. For more information about the server configuration file, see Server Configuration Properties.

The following configuration excerpt configures a server instance to accept secure connections on port port, using the certificate stored in ./x509/cert_chain.pem and the unencrypted private key stored in ./x509/private_key.pem.

...
--https port
--x509-cert-chain ./x509/cert_chain.pem
--x509-private-key ./x509/private_key.pem
...

In production settings that require greater security than that provided by an unencrypted private key, use an encrypted private key. You specify the passphrase for decrypting the private key in a file with owner-read-only access, and use the x509-passphrase property to tell the server instance about it.

...
--https port
--x509-cert-chain ./x509/cert_chain.pem
--x509-private-key ./x509/private_key.pem
--x509-passphrase ./x509/key_passphrase
...

You must set either the http property, the https property or both properties for the server to start. To ensure that clients communicate with the server using only HTTPS and not HTTP, you must disable the http property. If both the https and http properties are enabled, clients can communicate with the server using both HTTPS and HTTP. It is recommended that you enable the https property unless HTTP support is required.
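The rules above can be checked before a restart with a small audit script; this is an added example, not MathWorks code. It assumes main_config uses the `--name value` lines shown in the excerpts with `#` starting a comment, and that relative paths resolve against the instance root; the function names are hypothetical.

```python
import os
import stat

def parse_main_config(text):
    """Collect '--name value' properties; '#' comments are an assumed syntax."""
    props = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("--"):
            name, _, value = line[2:].partition(" ")
            props[name] = value.strip()
    return props

def key_is_encrypted(pem_text):
    """True for PKCS#8 'ENCRYPTED PRIVATE KEY' or legacy 'Proc-Type: 4,ENCRYPTED' PEM."""
    return any(l.startswith(("-----BEGIN ENCRYPTED", "Proc-Type: 4,ENCRYPTED"))
               for l in pem_text.splitlines())

def audit_https(config_text, instance_root):
    """Return a list of findings for the HTTPS settings described on this page."""
    props = parse_main_config(config_text)
    findings = []
    if "http" not in props and "https" not in props:
        return ["neither http nor https is set: server does not start"]
    if "http" in props:
        findings.append("http is enabled: clients can connect without TLS")
    if "https" not in props:
        return findings + ["https is not set"]
    missing = [p for p in ("x509-cert-chain", "x509-private-key") if p not in props]
    if missing:
        return findings + ["https set without %s: server fails to start" % ", ".join(missing)]
    # Assumption: relative paths resolve against the instance root.
    key_path = os.path.join(instance_root, props["x509-private-key"])
    with open(key_path, encoding="ascii", errors="replace") as fh:
        encrypted = key_is_encrypted(fh.read())
    if not encrypted:
        findings.append("private key is stored unencrypted")
    elif "x509-passphrase" not in props:
        findings.append("encrypted private key but x509-passphrase is not set")
    if "x509-passphrase" in props:
        pass_path = os.path.join(instance_root, props["x509-passphrase"])
        mode = stat.S_IMODE(os.stat(pass_path).st_mode)
        if mode & 0o377:  # any permission bit beyond owner-read
            findings.append("passphrase file mode %o is not owner-read-only" % mode)
    return findings
```

An empty list means the HTTPS-only configuration with an encrypted key and an owner-read-only passphrase file is in place.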