If a custom domain is used for an applicant portal, it should be secured with an SSL certificate and forced to be served over HTTPS. This page describes the information required to get support for creating an SSL certificate for an applicant portal, if a new certificate is required.

Certificate

This section explains how to obtain an SSL certificate for an eRecruiter application. If the certificate should be used for multiple eRecruiter applications under the same top-level domain (e.g. erecruiter.net), a wildcard certificate can be used (e.g. *.erecruiter.net).

Certificate Request

The first step in getting started with the SSL certificate is to provide the following information to eRecruiter support, so that a certificate signing request (CSR) can be generated:

eRecruiter support will use this information to create a new CSR for the provided domain name (wildcard certificates are possible). The CSR will be transmitted to the technical contact person at the company owning the domain name.

Certificate

The technical contact person for the company owning the domain name will use the CSR from the previous step to get a certificate from the certificate authority of choice (e.g. Verisign, RapidSSL, Geotrust, ATRUST, ...) and forward the new certificate to eRecruiter support. The following restrictions apply to the certificate:

Installation

The following section explains how to install the certificate for the eRecruiter applications.

SaaS / Hosting

On-Premise - IIS Installation

The certificate can be installed directly into IIS. For this, the certificate needs to be installed as a server certificate through the IIS management console. After the installation, the IIS site binding needs to be configured to support SSL (a binding on port 443 with the installed certificate). It is also recommended to configure the IIS cipher suites; this can be done through the Windows registry or by using the free IISCrypto tool (select "Best practise").

On-Premise - Reverse Proxy Installation

If a reverse proxy is used (Apache, nginx and HAProxy are officially supported), the certificate can be installed on the reverse proxy for SSL termination, and the proxy can then communicate with the eRecruiter applications over standard HTTP. This is only acceptable if the network between the proxy and the eRecruiter applications is trusted. The certificate should be installed in the way recommended for the proxy software (see the proxy vendor's documentation), and the proxy must set the following HTTP headers for the eRecruiter application to work properly.

| HTTP Header | Description | Example |
| --- | --- | --- |
| X-Forwarded-For | The external IP address for the client calling the eRecruiter application | %CLIENT_IP% |
| X-Forwarded-Host | The host name that was used by the client calling the eRecruiter application (e.g. vhost name) | app.erecruiter.net |
| X-Forwarded-Port | The port that was used by the client calling the eRecruiter application. | 443 |
| X-Forwarded-Proto | The protocol that was used by the client calling the eRecruiter application. | https |

The following example demonstrates the usage of the headers in a reverse proxy scenario with SSL termination:
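
An nginx configuration for this scenario, added here as an illustration and not eRecruiter's own example. The choice of nginx, the backend address 10.0.0.10, the certificate paths and the protocol list are assumptions; the host name and header values follow the table above.

```nginx
# Added example: SSL termination on an nginx reverse proxy in front of an
# eRecruiter application. Backend address and file paths are assumed values.

# Plain HTTP listener: only redirects, so the portal is always reached via HTTPS.
server {
    listen 80;
    server_name app.erecruiter.net;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name app.erecruiter.net;

    # Certificate issued by the CA from the CSR, plus its private key (assumed paths).
    ssl_certificate     /etc/nginx/ssl/app.erecruiter.net.crt;
    ssl_certificate_key /etc/nginx/ssl/app.erecruiter.net.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Backend is reached over plain HTTP; acceptable only on a trusted network.
        proxy_pass http://10.0.0.10:80;
        proxy_set_header Host $host;

        # Overwrite X-Forwarded-For with the address nginx actually saw.
        # $proxy_add_x_forwarded_for would append to whatever value the client
        # sent, letting a client supply its own "external IP" to the application.
        proxy_set_header X-Forwarded-For   $remote_addr;

        # Host name, port and protocol as used by the client (443 / https here).
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-Port  $server_port;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Because `proxy_set_header` replaces any header of the same name sent by the client, the application only sees values set by the proxy, provided the application is not reachable directly from outside the trusted network.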

To validate the configuration, the diagnostics page attached to this page (HttpDiag.aspx) can be used. It needs to be placed in the root folder of the eRecruiter application to be tested. The diagnostics page must be removed after validation, as it may pose a security risk.