SSL

Owned by Bernhard Wolkerstorfer (Unlicensed)
Last updated: Jun 19, 2019 by Philip Albrecht
3 min read

If a custom domain for an applicant portal is used, it should be secured by an SSL certificate and forced to be called through HTTPS. This pages describes the information that is required in order to get support for creating an SSL certificate for an applicant portal, if a new certificate is required.

Certificate

This section explains how to a SSL certificate for an eRecruiter application. If the certificate should be used for multiple eRecruiter applications under the same top-level domain (i.e. erecruiter.net) a wildcard certficate can be used (i.e. *.erecruiter.net).

Certificate Request

The first in getting started with the SSL certificate is to provide the following information to the eRecruiter support, so that a certificate signing request (CSR) can be generated:

  • domain name that should be secured
  • company legal address including country, state/province
  • company full name
  • company's organizational unit's e-mail address which is responsible for security or IT
  • company's organizational unit name which is responsible for security or IT

The eRecruiter support will use this information to create a new CSR for the provided domain name (wildcard certificates are possible) which will be transmitted to the technical contact person at the company owning the domain name.

Certificate

The technical contact person for the company owning the domain name will use the CSR from the previous step to get a certificate from the certificate authority of choice (ex. Verisign, RapidSSL, Geotrust, ATRUST,...) and forward the new certificate to the eRecruiter support. The following restriction apply to the certificate:

  • certificate signing algorithm must be SHA2 with a SHA2 certificate chain
  • certificate is required to support certificate transparency
  • certificate need to be issues in DER, PEM or PKCS12 format

Installation

The following section explains how to install the certificate for the eRecruiter applications.

SaaS / Hosting

  • The eRecruiter support will use the transmitted certificate and the generated private key to install an secure the applicant portal. The private key should be transferred in a secure manner. It is recommended to add a password to the private key to transmit it through e-mail. The password should be transmitted through a different channel, we recommend text message (SMS) or through a phone call with the eRecruiter support.
  • The applicant portal will also be configured to force SSL connection and forward any plain HTTP request to the HTTPS endpoint.

On-Premise - IIS Installation

The certificate can be installed directly into the IIS service. There for the certificate needs to be installed as server certificate through the IIS management console. After the installation the IIS site binding needs to be configured to support SSL (binding on port 443 with the certificate installed). It is also recommended to configure the IIS cipher suites this can be done through the Windows registry or by using the free IISCrypto tool (select "Best practise").

On-Premise - Reverse Proxy Installation

If a reverse proxy is used (officially supported Apache, nginx or HAproxy) the certificate can be installed on the reverse proxy for SSL termination - only if the network between the proxy and the eRecruiter applications is trusted - and the communication can be done through standard HTTP. The installation of the certificate should be done using the recommended way for the proxy software (see proxy vendor documentation) and the proxy must set the following HTTP headers to allow the eRecruiter application to work properly.

HTTP HeaderDescriptionExample
X-Forwarded-ForThe external IP address for the client calling the eRecruiter application%CLIENT_IP%
X-Forwarded-HostThe host name that was used by the client calling the eRecruiter application (e.g. vhost name)app.erecruiter.net
X-Forwarded-PortThe port that was used by the client calling the eRecruiter application.443
X-Forwarded-ProtoThe protocol that was used by the client calling the eRecruiter application.https

The following example demonstrates the usage of the headers in a reverse proxy scenario with SSL termination:

  • Reverse proxy configuration
    • Host: app.erecruiter.net
    • Port: 443
    • Protocol: HTTPS
  • Application server configuration
    • Host: internal.mynetwork.com
    • Port: 80
    • Protocol: HTTP
  • HTTP Headers set by the reverse proxy when forwarding the request to the application server (example: forwarding the request from https://app.erecruiter.net to http://internal.mynetwork.com):
    • X-Forwarded-For: 134.134.134.124
    • X-Forwarded-Host: app.erecruiter.net
    • X-Forwarded-Port: 443
    • X-Forwarded-Proto: https

To validate the configuration the diagnostics page attached to this page (HttpDiag.aspx) can be used. It needs to be placed in the root folder of the eRecruiter application to test. The diagnostics page must be removed after validation as it may poses a security risk.