Welcome to Headwind MDM Q&A, where you can ask questions and receive answers from other members of the community.


We need to set up Headwind MDM on the LAN without Internet connection through HTTPS. How should we do that?
by (34.4k points)

1 Answer


Headwind MDM can work without Internet connection, see details here: https://qa.h-mdm.com/2583/

However, HTTPS setup is complicated. Here are the detailed instructions on how to set up HTTPS on the LAN.

1. Prerequisites

HTTPS requires a domain name and a certificate. Check for the following prerequisites:

1.1. In your LAN, you have a DNS server where you can set up a domain for the Headwind MDM server

1.2. The domain for Headwind MDM server can be used as a "real" domain on the Internet and is owned by you

1.3. You are able to generate a long-term SSL certificate (1-5 years is the appropriate validity period)

2. SSL certificate generation

Prior to installing the Headwind MDM server part on the LAN, you need to generate an SSL certificate.

2.1. Create a cloud-based virtual machine (for example, the simplest DigitalOcean Droplet instance or a free-tier AWS instance) running Ubuntu Linux 20.04 LTS and having an IPv4 address.

2.2. Sign in to the domain registrar account. Open the DNS settings of your domain, and add the "A" record for the domain:

@ A your-server-ip-address

@ means the domain itself, without any subdomains.

If you would like to use a subdomain of your domain, for example, mdm.your-domain.com, then use the subdomain prefix instead of @:

mdm A your-server-ip-address

2.3. Sign in to your virtual machine as root using SSH.

2.4. Generate a CSR (Certificate Signing Request) for your domain. As a recommended option, create a subdirectory for all your certificate files.

# mkdir ssl

# cd ssl

# openssl genrsa -out your-domain.com.key 2048

# openssl req -new -sha256 -key your-domain.com.key -out your-domain.com.csr

The last command will ask you for your company data. Enter the requested data.

IMPORTANT! When the command asks for "Common Name", enter your domain name, otherwise the SSL certificate authority will fail to create the certificate!

Notice: your-domain.com.key and your-domain.com.csr are text files, so they can have any name. For clarity, however, we recommend using your domain name as part of the file name: replace your-domain.com with your domain name.

To view your CSR file, use the command:

# cat your-domain.com.csr

2.5. Sign in to your SSL certificate authority account and generate a certificate.

You will be prompted to enter the CSR. Copy the text displayed at the previous step (including -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST-----) and paste it into the appropriate field.

If the certificate generation wizard asks you for the server type, select "Other" (the default option); this should generate a certificate in the X.509 (PEM) format.

3. Validate the domain ownership

After you submit the CSR to the SSL certificate authority, it will prompt you to confirm the domain ownership. The easiest way is to confirm the domain ownership through DNS (CNAME): you add a special DNS record in your domain registrar account, and the certificate authority checks that it exists.

3.1. Select "DNS" or "CNAME" domain validation (or authentication option).

3.2. Submit the domain validation form, and the certificate authority should give you instructions on how to set up an authentication DNS record.

3.3. Sign in to the domain registrar account and follow the instructions to create an authentication DNS record.

IMPORTANT! Only a prefix (without a domain) should be entered in the "Host" field of the DNS record (or a full domain name followed by a dot).

_1dba4203e89225dcd60aad5c082a53c1.your-domain.com - WRONG!

_1dba4203e89225dcd60aad5c082a53c1.your-domain.com. - RIGHT

_1dba4203e89225dcd60aad5c082a53c1 - RIGHT

3.4. Wait until the DNS record is saved (usually 15-30 minutes). Complete the domain validation as per the SSL certificate authority instructions.

4. Get the certificate

4.1. Open the domain list in your SSL certificate authority dashboard. After the domain validation is completed, you will be able to download the certificate. 

Notice: Do not click "Renew" unless you know what you're doing!

The certificate files are usually downloaded in a ZIP file containing both the domain certificate and the bundle of higher level certificates.

4.2. Unzip the file and look into its contents. Use the "Plain text", "CER" or "CRT" files; these files are stored in the X.509 plain text format, which is easy to copy to remote access terminals.

What you need is the your-domain.com.crt (or .cer, or .pem) file, and the CA_bundle (or CA_chain) file.

4.3. Copy the private key, the certificate, and the CA bundle files to the target Headwind MDM host on the LAN (for instance, into the ~/ssl folder).

For further processing, we will use the following file names:

Private key: your-domain.com.key

Certificate: your-domain.com.crt

CA bundle: your-domain.com.ca-bundle

Notice: when you're connected to the private network, the Internet may not be available, so we recommend copying all files to your local computer prior to connecting to the private network.

At this step, you can remove the DNS records and destroy the virtual machine. 

5. Local DNS setup

Update the configuration of the DNS server in your private network so the domain your-domain.com is resolved to the IP address of the server where Headwind should be installed.

Further steps should be done when you're connected to your private network where Headwind MDM should be installed.

6. Generate a JKS file for Tomcat

6.1. Sign in to your Headwind MDM server as root through SSH.

6.2. Install packages required for Headwind MDM (but not Headwind MDM itself):

# apt install -y aapt tomcat9 postgresql vim unzip

6.3. Run the commands:

# cd ~/ssl # We presume ~/ssl is the place where certificate files are copied at the previous step

# openssl pkcs12 -export -out your-domain.com.p12 -inkey your-domain.com.key -in your-domain.com.crt -certfile your-domain.com.ca-bundle

[ the command will ask for a password; you can use any one, for example, 123456; this is safe because the key file will never be published ]

# keytool -importkeystore -destkeystore your-domain.com.jks -srckeystore your-domain.com.p12 -srcstoretype PKCS12

[ use the password entered at the previous step, and another (or the same) password for the JKS file ]

7. Set up Headwind MDM

7.1. Copy the Headwind MDM (and Headwind Remote) installation files to the server.

7.2. Create the Headwind MDM database

# su postgres

# psql

# CREATE USER hmdm WITH PASSWORD 'topsecret';

# CREATE DATABASE hmdm WITH OWNER=hmdm;

# \q

# exit

7.3. Run the Headwind MDM installer

# unzip hmdm-5.04-install-ubuntu.zip

# cd hmdm-install

# ./hmdm_install.sh

Follow the installation prompts. 

IMPORTANT! When the installer asks:

Setup HTTPS via LetsEncrypt [Y/n]?

Answer "N" (NO)

8. Set up Tomcat

At this step, you need to adjust the Tomcat configuration to use the JKS file generated at previous steps. 

8.1. Copy the JKS file to the subdirectory accessible to Tomcat (notice: Tomcat works in a "sandbox" and has no access to files outside /var/lib/tomcat9 even if you grant access to the tomcat user).

# mkdir /var/lib/tomcat9/ssl

# cp ~/ssl/your-domain.com.jks /var/lib/tomcat9/ssl/your-domain.com.jks

# chown -R tomcat:tomcat /var/lib/tomcat9/ssl

8.2. Edit the Tomcat server configuration /var/lib/tomcat9/conf/server.xml

Find the commented block:

    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
    -->

Uncomment it and update it so that it looks like:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="/var/lib/tomcat9/ssl/your-domain.com.jks"
                         certificateKeystorePassword="your-jks-password"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

(your-jks-password is the password entered for the last command at step 6.3)

8.3. Restart Tomcat with the command

# service tomcat9 restart

You can check that everything is OK by running the command:

# journalctl -f -u tomcat9.service

If the certificate is set up successfully, you will see a message like this:

INFO: Starting ProtocolHandler ["https-openssl-nio-8443"]

Jan 29, 2022 6:17:46 PM org.apache.catalina.startup.Catalina start

INFO: Server startup in [28234] milliseconds

That's all! Headwind MDM should now be accessible on your LAN via HTTPS.

by (34.4k points)
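As an added example (not code from Headwind MDM or from the answer's author), a POSIX shell pre-flight check for the three files gathered at step 4.3, meant to run before building the PKCS12/JKS at step 6.3. It assumes only the openssl CLI is installed and confirms that the private key matches the certificate, that the CA bundle verifies it, that it is issued for your domain, and that it is not about to expire.

```shell
#!/bin/sh
# Added pre-flight check for the key, certificate and CA bundle copied at step 4.3.
# Example code, not part of Headwind MDM; requires only the openssl CLI.
# Usage: check_cert_files <domain> <key-file> <crt-file> <ca-bundle-file>
# Returns 0 if every check passes, 1 (with a reason on stdout) at the first failure.
check_cert_files() {
  domain="$1"; key="$2"; crt="$3"; bundle="$4"
  for f in "$key" "$crt" "$bundle"; do
    [ -r "$f" ] || { echo "FAIL: missing or unreadable file: $f"; return 1; }
  done

  # 1. The private key must belong to the certificate: the public key derived
  #    from each side must be the same SubjectPublicKeyInfo PEM.
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null || true)
  if [ -z "$key_pub" ] || [ "$key_pub" != "$crt_pub" ]; then
    echo "FAIL: $key does not match $crt"; return 1
  fi

  # 2. The CA bundle must chain up to the leaf certificate; otherwise Tomcat
  #    would serve an incomplete chain that clients reject.
  if ! openssl verify -CAfile "$bundle" "$crt" >/dev/null 2>&1; then
    echo "FAIL: $crt cannot be verified with $bundle"; return 1
  fi

  # 3. The certificate must be issued for the Headwind MDM domain (the Common
  #    Name entered at step 2.4, or a Subject Alternative Name).
  if ! openssl x509 -in "$crt" -noout -checkhost "$domain" 2>/dev/null \
       | grep -q "does match"; then
    echo "FAIL: $crt is not issued for $domain"; return 1
  fi

  # 4. The certificate must stay valid for at least 30 more days (2592000 s),
  #    so the JKS is not built from a certificate that is about to expire.
  if ! openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null 2>&1; then
    echo "FAIL: $crt expires within 30 days"; return 1
  fi

  echo "OK: $crt is valid for $domain and matches $key"
  return 0
}

# Stand-alone run, e.g. from ~/ssl:
#   sh check_cert_files.sh your-domain.com your-domain.com.key \
#      your-domain.com.crt your-domain.com.ca-bundle
if [ $# -eq 4 ]; then
  check_cert_files "$@"
fi
```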