This section explains how to install purchased SSL/TLS certificates into Clarity LIMS v5 and later.
Clarity LIMS can work with Named or WildCard certificates.
Typically, the process to install the certificates into Clarity LIMS is as follows:
Request a certificate from your IT organization, or purchase a certificate from a third-party SSL/TLS vendor.
Install the certificate using the script installCertificates.sh provided with Clarity LIMS. This script prompts for the required inputs and helps you to configure Clarity LIMS to use your SSL/TLS certificate.
Some IT organizations have preexisting certificates issued by an internal organization, typically referred to as an 'internal CA.' These internal CA certificates are not fully compatible with Java, and prevent the automation worker—and all integrations—from properly communicating with the Clarity LIMS server. Internal CA certificates are therefore not supported in Clarity LIMS.
Obtaining the Certificate
You will need your organization or the third-party SSL/TLS vendor to provide you with the following:
An Apache 2.4-compatible SSL/TLS Certificate
The Certificate private key
The corresponding certificate chain, properly prepared for Apache 2.4. This component may not be required, depending on the organization that signs your certificate.
Your IT organization might provide you with a WildCard certificate. Clarity LIMS can use WildCard certificates, as long as the Apache 2.4-compatible certificate, private key, and certificate chain files are provided.
If purchasing from a third-party vendor, make sure that the vendor provides you with an Apache 2.4-compatible bundle that includes the components listed above. To purchase from a vendor, refer to their documentation.
Private key password considerations
By default, a private key has a password associated with it. On startup, Apache requests a passphrase to access the private key. You can use either of the following methods to resolve this issue:
Method 1 — Place a passphrase file on the system and reference it in your clarity.conf file.
Create a passphrase file in a directory that has read, write, and execute permissions for only the root or apache user.
Edit the clarity.conf file. The clarity.conf file is in the /etc/httpd/conf.d directory.
Add the following line to your clarity.conf file, before the section:
Method 2: Removing passphrase from an OpenSSL key
Removing the passphrase from an OpenSSL key is a security risk. Only remove the passphrase if you know that this risk is acceptable.
Remove the password from an OpenSSL key using the following command:
Copy
Install SSL/TLS Certificates for Use with Clarity LIMS
Assumptions and Prerequisites
You have installed BaseSpace Clarity LIMS and run the 40_install_proxy.sh script.
You have OpenSSL (installed by default on the Clarity LIMS Linux server when you install Clarity LIMS). OpenSSL is used by the installCertificates.sh script.
You have the files listed in the following table (obtained from the process described previously) available on the Clarity LIMS server. In the example shown below, these files are located at /tmp/certs.
File description
Example file name (used in examples below)
Install the signed SSL/TLS Certificates
On the Clarity LIMS server, as the root user, run the installCertificates.sh script:
[root@doclarity04 ~]# cd /opt/gls/clarity/config/
[root@doclarity04 config]# bash installCertificates.sh
Java KeyTool detected
  This script will prompt you to supply the required SSL Certificates for your ClarityLIMS server.
  These files include:
  - A private key file and signed Certificate file for use by apache.
  - Optionally, depending on the organization that signs your Certificate, you may receive a 'Chain' file.
Enter the full path to the SSL Private Key for your server:/tmp/certs/private.key
Enter the full path to the Apache Certificate for your server - This is the Certificate signed by the SSL Vendor or Certificate Authority:/tmp/certs/customer_domain.crt
Enter the full path to the SSL Vendor Chain file:/tmp/certs/intermediate.crt
INFO: Testing Apache
Syntax OK
Apache Proxy is readyÂ
Pre-installation Requirements
Before installing Clarity LIMS, you must purchase hardware and software that meet the minimum requirements (see Technical Overview). Following those purchases there are several components that you must organize, install, or configure.
The following sections discuss these components, and how to install and configure them. These sections apply to on-premise customers only. Before completing the steps described, make sure that the server has the minimum requirements. See Technical Requirements for details.
Before the Illumina support team can install Clarity LIMS, the items listed above must be set up and configured as described in this document. Confirm the completion of this work with the support team.
Purchase SSL / TLS Certificate(s)
All instances of Clarity LIMS must have a purchased SSL / TLS certificate installed.
Certificate Authorities will no longer issue SSL / TLS certificates for internal server names. As a result, to obtain a certificate you must have a valid, public DNS entry for your server.
Before installing or upgrading Clarity LIMS, do the following:
Purchase an SSL / TLS certificate.
Save the certificate files on the server on which the Clarity LIMS server is installed.
Provide the Illumina Support team with the private key and password for the SSL / TLS certificate.
For instructions on obtaining a certificate, see .
Check SELinux Mode
Security-Enhanced Linux (SELinux) is not supported for use with Clarity LIMS. Make sure that SELinux is set to either permissive or disabled mode.
For instructions, see the following sections of the Red Hat documentation:
5.4.1.2 Permissive Mode
5.4.2 Disabling SELinux
You can find additional documentation on users at /opt/gls/clarity/documentation/users/
Set Up Root Access Server
Clarity LIMS is installed using industry standard RPM packaging. The Illumina support team requires root credentials to the server during the installation process.
The following sections discuss the system user accounts that the support team sets up during the installation process. It is important that you do not change these system users.
The production server must be configured in US locale.
Server-based User Accounts
During initial installation, the RPMs create the following server-based user accounts in a common group named claritylims.
glsjboss: This user account is used for setting up and starting the Tomcat application server.
Setting User Account Password
During the installation process, no default passwords are created for the glsjboss, glsai, and glsftp user accounts.
Passwords must be set for these accounts.
Allow SSH Password-based Authentication
To enable SSH Password Authentication, add the following configuration to the /etc/ssh/sshd_config file:
Install and Configure the Database
After installing a supported database, Clarity LIMS requires certain changes to the default database configuration.
Additional tablespace names and user profiles may be needed, depending on the configuration of your system.
For more information or for assistance with your database configuration, contact the Illumina Support team.
Configure PostgreSQL Database for Use with Clarity LIMS
On your database server, create a Clarity LIMS user. The Clarity LIMS user must have either full rights and permissions, or the ones defined by this command:
CREATE ROLE clarity WITH NOSUPERUSER CREATEDB NOCREATEROLE LOGIN
NOTE: The Clarity LIMS user must use only the public schema. Clarity LIMS does not support other schemas.
Set Up Database Maintenance Tasks
To achieve optimum performance, we recommend you perform the following database maintenance tasks, using the appropriate tools and commands.
PostgreSQL: Routinely vacuum the database.
For instructions, refer to the PostgreSQL documentation.
IPv4 Support
Clarity LIMS supports only IPv4.
NOTE: Clarity LIMS will not work with IPv6.
Confirm Hostname Resolution
To access the Clarity LIMS server via DNS, make sure that the following apply:
The server local host file /etc/hosts does not contain an entry for that hostname bound to its loopback address.
Any hostname entries correspond to their entries in DNS.
The command hostname -f must return the fully-qualified domain name of the server.
For client systems:
Users should use the fully-qualified domain name (FQDN) when logging on to the system. Using the FQDN ensures persistence of the session ID.
Set the TimeZone (TZ) Environment Variable
Clarity LIMS requires the environment variable TZ be set on the Clarity LIMS server to your correct timezone. If the value is not configured, a default of GMT is configured by Clarity LIMS in the file /etc/profile.d/clarity.sh.
This file might update on upgrade. Any changes must be manually applied across upgrades.
Configure TCP/IP Settings
To allow proper system communication, the following ports on the Clarity LIMS server must be accessible by the LIMS clients:
TCP/IP Port 22 (SFTP) for file transfers between the client and server
TCP/IP Port 443 (HTTPS) for Apache proxy
TCP/IP Port 80 (HTTP) used to forward any unknown unsecured requests over SSL / TLS and port 443
The following ports are required on the local Clarity LIMS server:
TCP/IP Port 4369 for Epmd for RabbitMQ
TCP/IP Port 5432 for PostgreSQL database communications *
TCP/IP Port 9009 for Tomcat
The database ports are configurable and might be different in your organization.
Configure automation worker TCP/IP settings
Computers running an automation worker must be able to reach the Clarity LIMS server via the following ports:
TCP/IP Port 22 (SFTP) for file transfers between the client and server
TCP/IP Port 443 (HTTPS) for Apache proxy
TCP/IP Port 80 (HTTPS) used to forward any unknown, unsecured requests over SSL / TLS and port 443
Configure VPN Access for Hosted Systems
To facilitate instrument integrations, a site-to-site IPSEC VPN connection can be set up between your facility and the hosted instance.
There are two ports that must be opened: 4500/udp and 500/udp.
If a VPN is required, you must provide more detailed setup information to the Illumina Support team. Upon request, the Illumina Support team will provide the additional form required to do this.
Save any Apache Proxy Configuration
Clarity LIMS uses an Apache proxy and the Clarity LIMS installation process installs and configures it automatically. If the server already has an Apache proxy installed and configured, the installation process overwrites the current configuration. If that configuration is important, you must back it up before running the Clarity LIMS installation process. Any settings that are important to your organization must be reconfigured manually after an install or upgrade of Clarity LIMS.
Install and Configure HashiCorp Vault
In Clarity LIMS v6.0.0 and later, you can choose to install and configure a HashiCorp Vault to store Clarity LIMS-related passwords and secrets safely.
For more information, refer to .
glsai: This user account is used for setting up and starting the automation worker service.
glsftp: This user account is configured to allow SFTP access and to redirect the home directory to the data storage area. The glsftp user account is used by BaseSpace Clarity LIMS clients to import and export files from the LIMS file server.
NOTE: Do not create these user accounts manually.
During initial installation of the elastic search subsystem, the RPM creates the following server-based user account in the elasticsearch group.
elasticsearch: This user account is used for setting up and starting the elastic search subsystem used by the LIMS search mechanism.
NOTE: Do not create these user accounts manually.
During initial installation of the RabbitMQ subsystem, the RPM creates the following server-based user account in the rabbitmq group.
rabbitmq: This user account is used for setting up and starting the RabbitMQ subsystem used by the search indexing mechanism.
NOTE: Do not create these user accounts manually.
During execution of the Clarity LIMS installation script, you are prompted for the password of the glsftp user. Use the same password you set at the operating system level for this user.
NOTE: You can find additional documentation on users at /opt/gls/clarity/documentation/users/
Create one database named ClarityDB and another named ClarityTenantLookup. Make sure that both databases are set up to receive remote connections from the Clarity LIMS application server.
Restart PostgreSQL
Confirm the completion of these items with the Illumina Support team, and provide the following information:
The database user name and password for both databases.
The following steps use the HashiCorp Vault user interface (UI) to guide you through the configuration of your HashiCorp Vault instance.
These configurations are mandatory for on premise Clarity LIMS deployments. For hosted deployments, this configuration is completed by Illumina.
Detailed information and instructions for HashiCorp Vault are available on the HashiCorp website: www.hashicorp.com.
Pre-requisites
You are planning to install Clarity LIMS v6.0.0 and newer.
You have installed the latest version of either HashiCorp Vault Open Source or Enterprise.
You have read the Getting Started tutorials for Vault on the HashiCorp website and/or possess a basic knowledge of HashiCorp Vault.
Configuration
Enable a new KV Secret Engine
To enable a new KV Secret Engine, refer to the Versioned Key/Value Secrets Engine tutorial provided on the HashiCorp Vault website.
Configuring Secret Engine
The following table lists the secrets required for Clarity LIMS. To use the paths shown in the table, replace $host with your fully qualified domain name (FQDN).
Path
Purpose
When configuration is complete, these secrets are listed in the Vault user interface.
Authentication Methods
AppRole
AppRole is the recommended authentication method to use with the Clarity LIMS Secret Utility tool.
To enable the AppRole authentication method, refer to the AppRole Pull Authentication tutorial provided on the HashiCorp Vault website.
When AppRole is enabled, create an AppRole with the appropriate Access Control List (ACL) policy (see the following section).
Make a note of the Role ID and Secret ID. You need these IDs when configuring Secret Utility.
Secret Utility does not manage your Role ID and Secret ID for you (eg, renewing, revoking, and so on). It accepts the Role ID and Secret ID as-is, and attempts to authenticate with Vault.
Token
Alternatively, the Clarity LIMS Secret Utility tool also works with the token authentication method.
To learn more about tokens, see the Tokens documentation on the HashiCorp Vault website.
Secret Utility does not manage your tokens for you (eg, renewing, revoking, and so on). It accepts the token as-is, and attempts to authenticate with Vault.
Authentication ACL Policies
After enabling the AppRole authentication method, create ACL policies to access the Secret Engine.
IMPORTANT: Replace "claritylims" with your Secret Engine path.
ACL Policies
You might need to update or create additional ACL policies for your System Administrator to rotate the credentials, when required.
To create the ACL policy, refer to the Vault Policies tutorial provided on the HashiCorp Vault website.
Verification
SSH into the Clarity LIMS instance.
After installing Clarity LIMS and configuring Secret Utility using the instructions provided in , run the command to read an existing password/secret from HashiCorp Vault.
You have system administrator permissions to perform the necessary operations to your HashiCorp Vault instance.
You have allowed the necessary port 443 from the Clarity LIMS instance to your HashiCorp Vault instance.
You have access to all the passwords required to be configured in your HashiCorp Vault instance.
Password for the apiuser user account that is used by Automation Worker to authenticate with Clarity LIMS API.
If you have configured a different user account, create it under $host/integration/apiusers/$username
global/platform.clientId
[Optional] Required for Clarity LIMS Platform Auth integration.
$host/clarity/app.ftp.password
Password for GLSFTP user on the Clarity LIMS instance.
$host/clarity/app.rabbitmq.password
Password for RabbitMQ admin on the Clarity LIMS instance.
$host/clarity/db.clarity.password
Password for the configured Clarity LIMS database user
$host/clarity/db.lablink.password
Password for the configured LabLink database user.
$host/clarity/db.tenant.password
Password for the configured Tenant Lookup DB database user.
$host/clarity/app.ldap.managerPass
[Optional] Password for the User DN configured for Clarity LIMS LDAP integration.