====== Runbook: TLS setup ======

**Duration:** ~15 minutes \\
**Role:** Security-Admin \\
**Prerequisite:** Certificate (PFX or PEM+KEY)

Enable HTTPS for the Data Gateway.

----

===== Workflow =====

<code mermaid>
flowchart TD
    A[Start] --> B{Certificate available?}
    B -->|No| C[Obtain certificate]
    B -->|Yes| D[Adjust appsettings.json]
    C --> D
    D --> E[Restart gateway]
    E --> F[Test HTTPS]
    F --> G{Successful?}
    G -->|Yes| H[Disable HTTP]
    G -->|No| I[Check logs]
    H --> J[Done]
    style J fill:#e8f5e9
    style I fill:#ffebee
</code>

----

===== 1. Obtain a certificate =====

**Option A: Let's Encrypt (free)**

<code bash>
# Install certbot
sudo apt install certbot

# Request a certificate (standalone mode binds port 80 itself during the challenge,
# so nothing else may be listening there at that moment)
sudo certbot certonly --standalone -d gateway.example.com

# Result:
# /etc/letsencrypt/live/gateway.example.com/fullchain.pem
# /etc/letsencrypt/live/gateway.example.com/privkey.pem
</code>

**Option B: Self-signed (for testing only!)**

<code bash>
# Create a self-signed certificate; the subjectAltName is required, because
# browsers ignore the CN and otherwise report NET::ERR_CERT_COMMON_NAME_INVALID
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes \
  -subj "/CN=gateway.example.com" \
  -addext "subjectAltName=DNS:gateway.example.com"

# Convert to PFX
openssl pkcs12 -export -out gateway.pfx -inkey key.pem -in cert.pem -passout pass:changeit
</code>

**Option C: Internal CA**

-> See [[..:..:..:pqcrypt:szenarien:operator:tagesgeschaeft:zertifikat-ausstellen|PQ Crypto: Issue certificate]]

----

===== 2. Place the certificate =====

<code cmd>
REM Windows
mkdir %GATEWAY_ROOT%\certs
copy gateway.pfx %GATEWAY_ROOT%\certs\
</code>

<code bash>
# Linux: only the service account may read the private key
sudo mkdir -p /opt/data-gateway/certs
sudo cp cert.pem key.pem /opt/data-gateway/certs/
sudo chmod 600 /opt/data-gateway/certs/*
sudo chown datagateway:datagateway /opt/data-gateway/certs/*
</code>

----

===== 3. Configure appsettings.json =====

**With a PFX file:**

<code json>
{
  "Kestrel": {
    "Endpoints": {
      "Https": {
        "Url": "https://0.0.0.0:443",
        "Certificate": {
          "Path": "certs/gateway.pfx",
          "Password": "changeit"
        }
      }
    }
  }
}
</code>

The PFX password does not have to live in the file: ASP.NET Core's configuration also reads it from the environment variable ''Kestrel__Endpoints__Https__Certificate__Password'', which keeps the secret out of version control.

**With PEM files:**

<code json>
{
  "Kestrel": {
    "Endpoints": {
      "Https": {
        "Url": "https://0.0.0.0:443",
        "Certificate": {
          "Path": "certs/cert.pem",
          "KeyPath": "certs/key.pem"
        }
      }
    }
  }
}
</code>

**Enforce the TLS version:**

<code json>
{
  "Kestrel": {
    "Endpoints": {
      "Https": {
        "Url": "https://0.0.0.0:443",
        "Certificate": {
          "Path": "certs/gateway.pfx",
          "Password": "changeit"
        },
        "SslProtocols": ["Tls12", "Tls13"]
      }
    }
  }
}
</code>

----

===== 4. Restart the gateway =====

<code powershell>
# Windows
Restart-Service -Name "DataGateway"
</code>

<code bash>
# Linux
sudo systemctl restart data-gateway

# Docker
docker restart gateway
</code>

----

===== 5. Test HTTPS =====

<code bash>
# Simple test (-k skips certificate verification, so it only proves the listener is up)
curl -k https://localhost/health

# With certificate verification
curl https://gateway.example.com/health

# Show TLS details
curl -v https://gateway.example.com/health 2>&1 | grep -E "SSL|TLS|subject|expire"

# OpenSSL test (shows the presented chain, negotiated protocol and verify result)
openssl s_client -connect gateway.example.com:443 -servername gateway.example.com
</code>

----

===== 6. Disable HTTP (optional) =====

Allow HTTPS only by defining no ''Http'' endpoint at all:

<code json>
{
  "Kestrel": {
    "Endpoints": {
      "Https": {
        "Url": "https://0.0.0.0:443",
        "Certificate": {
          "Path": "certs/gateway.pfx",
          "Password": "changeit"
        }
      }
    }
  }
}
</code>

Or redirect HTTP -> HTTPS:

<code csharp>
// Program.cs
app.UseHttpsRedirection();
</code>

----
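Before walking through the checklist in section 7 by hand, the configuration written in sections 3 and 6 can be audited automatically. The following Python script is an added example, not part of this runbook or of the Data Gateway product; the two embedded appsettings.json samples are constructed, and the item numbers in the findings refer to section 7.

```python
import json
import os
import stat
from pathlib import Path

# Only these protocol names satisfy checklist item 5 (TLS 1.2+).
ALLOWED_PROTOCOLS = {"Tls12", "Tls13"}

# Constructed sample: plaintext HTTP still enabled and TLS 1.1 allowed.
WEAK_CONFIG = """{ "Kestrel": { "Endpoints": {
  "Http":  { "Url": "http://0.0.0.0:80" },
  "Https": { "Url": "https://0.0.0.0:443",
             "Certificate": { "Path": "certs/gateway.pfx", "Password": "changeit" },
             "SslProtocols": ["Tls11", "Tls12"] } } } }"""

# Constructed sample following sections 3 and 6 of this runbook.
HARDENED_CONFIG = """{ "Kestrel": { "Endpoints": {
  "Https": { "Url": "https://0.0.0.0:443",
             "Certificate": { "Path": "certs/cert.pem", "KeyPath": "certs/key.pem" },
             "SslProtocols": ["Tls12", "Tls13"] } } } }"""


def audit_kestrel(config_text, root=None):
    """Return checklist findings for an appsettings.json text; [] means clean.
    If root (the gateway directory) is given, the certificate files are also
    checked for existence and 0600-style permissions (items 1 and 3)."""
    findings = []
    endpoints = json.loads(config_text).get("Kestrel", {}).get("Endpoints", {})
    https = endpoints.get("Https", {})
    if not https.get("Url", "").startswith("https://"):
        return ["no HTTPS endpoint configured (item 4)"]
    for name, ep in endpoints.items():            # item 6: no plaintext listener
        if ep.get("Url", "").startswith("http://"):
            findings.append(f"plaintext HTTP endpoint '{name}' still enabled (item 6)")
    weak = set(https.get("SslProtocols", [])) - ALLOWED_PROTOCOLS
    if weak:                                      # item 5: TLS 1.2+ only
        findings.append(f"weak TLS versions enabled: {sorted(weak)} (item 5)")
    cert = https.get("Certificate", {})
    if "Path" not in cert:
        findings.append("HTTPS endpoint has no certificate path (item 1)")
    if root is not None:
        for key in ("Path", "KeyPath"):
            if key not in cert:
                continue
            path = Path(root) / cert[key]
            if not path.is_file():
                findings.append(f"certificate file missing: {path} (item 1)")
            elif os.name != "nt" and path.stat().st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append(f"{path} readable by group/others, expected chmod 600 (item 3)")
    return findings
```

Run it against the real file with ''audit_kestrel(open("appsettings.json").read(), root="/opt/data-gateway")''; an empty result means items 1, 3, 4, 5 and 6 pass at the configuration level, while items 2 and 7 still need the curl and firewall checks above.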
===== 7. Checklist =====

| # | Check | Yes/No |
|---|-----------|---|
| 1 | Certificate valid (not expired) | - |
| 2 | Certificate issued for the correct hostname | - |
| 3 | Private key protected (chmod 600) | - |
| 4 | HTTPS reachable | - |
| 5 | TLS 1.2+ active | - |
| 6 | HTTP disabled or redirected | - |
| 7 | Firewall port 443 open | - |

----

===== Troubleshooting =====

| Problem | Cause | Solution |
|---------|---------|--------|
| ''Unable to configure HTTPS'' | Wrong path | Check the certificate path |
| ''Password incorrect'' | Wrong PFX password | Check the password |
| ''Certificate expired'' | Certificate has expired | New certificate |
| ''SSL_ERROR_RX_RECORD_TOO_LONG'' | HTTP instead of HTTPS | Check port/protocol |
| ''NET::ERR_CERT_COMMON_NAME_INVALID'' | CN/SAN wrong | Certificate with the correct name in the SAN |

----

===== Online SSL test =====

For publicly reachable servers:

  * **SSL Labs:** [[https://www.ssllabs.com/ssltest/|ssllabs.com/ssltest]]
  * **Qualys:** the target is grade A+

----

===== Related runbooks =====

  * [[.:zertifikat-erneuern|Renew certificate]] - renewal process
  * [[.:firewall-regeln|Firewall rules]] - open port 443
  * [[..:monitoring:alerting|Alerting]] - certificate monitoring

----

<< [[.:start|<- Security]] | [[.:zertifikat-erneuern|-> Renew certificate]] >>

----

//Wolfgang van der Stille @ EMSR DATA d.o.o. - Data Gateway Professional//

{{tag>operator runbook tls https zertifikat ssl}}