
Security scan on OPMS has flagged unmanaged/self-signed certificates


Article ID: 240259


Updated On:


CA App Synthetic Monitor


Our security office has detected an unmanaged self-signed certificate tied back to a new OPMS server that we deployed.

We need to replace the certificate with a properly signed certificate or otherwise negate the risk.


On the OPMS, the API is available on port 443 so that it can be used by a shared tunnel client running on a different OPMS.

The certificate is signed by a self-signed CA which is trusted by every OPMS on the network. This is OK because the OPMS is not accessed on this port from anywhere except another OPMS. Thus the security issue is a false positive.



Release : SAAS



Instead of replacing the certificate, the OPMS can be configured not to listen on port 443. This is achieved by commenting out that SSL endpoint in the nginx listener configuration.

Edit the file /etc/nginx/sites-enabled/smartpop.conf and comment out the whole section beginning with

server {
 listen       *:443 ssl;

through to the end of the file.

Then run 'monit restart nginx'.
This will stop the OPMS listening on port 443.

Additional Information

If taking a backup of the smartpop.conf file, do not leave it in the same folder, as the nginx process will read all files in that folder and process the content.
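
The edit and the backup caution above can be scripted as shown here. This is an added example, not part of the original article or the product; the function name disable_443_listener and the backup directory are assumptions. It only rewrites the file, so 'nginx -t' and 'monit restart nginx' are still run by hand afterwards.

```shell
#!/bin/sh
# Added example (not vendor code): comment out the 443 server block to end of file.
# Usage on the OPMS, with an assumed backup location outside sites-enabled:
#   disable_443_listener /etc/nginx/sites-enabled/smartpop.conf /root/nginx-backup
#   nginx -t && monit restart nginx

disable_443_listener() {
    conf=$1
    backup_dir=$2

    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    conf_dir=$(cd "$(dirname "$conf")" && pwd -P) || return 1
    mkdir -p "$backup_dir" || return 1
    bk_dir=$(cd "$backup_dir" && pwd -P) || return 1
    # nginx processes every file in the config folder, so the backup must live elsewhere.
    if [ "$conf_dir" = "$bk_dir" ]; then
        echo "refusing to place the backup next to $conf" >&2
        return 1
    fi

    # Line number of the "server {" whose next non-blank line is "listen *:443 ssl;".
    start=$(awk '
        /^[[:space:]]*server[[:space:]]*[{][[:space:]]*$/ { cand = NR; next }
        cand && /^[[:space:]]*$/ { next }
        cand && /^[[:space:]]*listen[[:space:]]+\*:443[[:space:]]+ssl;/ { print cand; exit }
        { cand = 0 }
    ' "$conf")
    if [ -z "$start" ]; then
        echo "no active 443 ssl server block in $conf" >&2
        return 2
    fi

    cp -p "$conf" "$bk_dir/$(basename "$conf").bak" || return 1
    tmp=$(mktemp) || return 1
    # Prefix "#" on every not-yet-commented line from the block start to end of file.
    awk -v s="$start" 'NR >= s && !/^[[:space:]]*#/ { print "#" $0; next } { print }' \
        "$conf" > "$tmp" || return 1
    # Write back in place so ownership and permissions of the original are kept.
    cat "$tmp" > "$conf" && rm -f "$tmp"
}
```

A return code of 2 means no uncommented 443 block was found, which is the expected result on a second run.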