Establishing Trust Between the Server and Worker
https: connections between the server and worker.
https: connections, you must configure the server and worker to use SSL.
When configuring SSL, you can install a certificate provided by a certificate authority, or a self-signed certificate you create. You can also allow Insight to automatically generate and use a self-signed certificate. (For information about how to create a self-signed certificate, see the Xpress Insight documentation.)
You must also establish trust between the server and worker by sharing their public certificates.
Configuring SSL
- (Optional) If you have previously run docker compose up to start the Insight containers with SSL enabled, you must remove any previously generated self-signed certificates before installing new certificates.
In Docker Desktop, open the public-certificates volume and delete the following files.
- insight-cacerts-server
- insight-cacerts-worker
- insight-keystore-server-ssl
- insight-keystore-worker-ssl
- In the root directory for the configuration you are using, edit the .env file.
- Change the values of the following variables as indicated:
SERVER_PORT=8443
ENABLE_SSL=true
SERVER_PROTOCOL=https
- Change the default SSL password by editing the ssl_keystore_password.txt file.
Note that if you change the SSL keystore password after auto-generating certificates, you must delete the old certificates so Insight will generate new ones.
docker compose up, Insight will automatically generate self-signed certificates.
If you want to install certificates from a certificate authority, or use a self-signed certificate you have created, continue with these steps:
- Edit the override.properties files to set the required application properties for both the server and worker.
In server-config/override.properties:
server.ssl.key-alias=insight-server-https
server.ssl.key-store=config/insight-keystore-server-ssl
In worker-config/override.properties:
server.ssl.key-alias=insight-worker-https
server.ssl.key-store=config/insight-keystore-worker-ssl
- Rename and copy your keystore files as follows:
- Rename the server keystore to insight-keystore-server-ssl and copy to server-config.
- Rename the worker keystore to insight-keystore-worker-ssl and copy to worker-config.
- Make sure your certificates are stored in the keystore under the aliases insight-worker-https and insight-server-https.
You can use a different alias, but if you do, you must also override the default name by adding the server.ssl.key-alias property to override.properties. Each keystore file should contain only one certificate.
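The Configuring SSL steps above can be checked before running docker compose up. The following is an added example, not part of the FICO documentation; the function names are hypothetical, and it assumes server-config and worker-config are the directories the containers see as config/.

```bash
#!/usr/bin/env bash
# Added example, not FICO code. Function names are hypothetical; the file names,
# variables and property keys are the ones this page tells you to set.

# prop FILE KEY: print the value of KEY from a KEY=VALUE file (last match wins).
prop() {
  awk -F= -v k="$2" '{ key = $1; gsub(/[ \t]/, "", key) }
    key == k { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); v = $0 }
    END { print v }' "$1"
}

# check_env FILE: all three .env values must be switched together; a half-edited
# file (for example ENABLE_SSL=true with SERVER_PROTOCOL=http) fails here.
check_env() {
  local rc=0 want key got
  for want in SERVER_PORT=8443 ENABLE_SSL=true SERVER_PROTOCOL=https; do
    key=${want%%=*}; got=$(prop "$1" "$key")
    [ "$got" = "${want#*=}" ] || { echo "FAIL $1: want $want, got '$got'" >&2; rc=1; }
  done
  return "$rc"
}

# check_keystore DIR: override.properties must name an alias and a keystore, and
# the renamed keystore must be in DIR. Assumption: DIR is what the container
# sees as config/, so only the file name of server.ssl.key-store is compared.
# Prints the configured alias on success.
check_keystore() {
  local dir=$1 key_alias store
  key_alias=$(prop "$dir/override.properties" server.ssl.key-alias)
  store=$(prop "$dir/override.properties" server.ssl.key-store)
  [ -n "$key_alias" ] && [ -n "$store" ] ||
    { echo "FAIL $dir: key-alias or key-store not set" >&2; return 1; }
  [ -s "$dir/${store##*/}" ] ||
    { echo "FAIL $dir: ${store##*/} missing or empty" >&2; return 1; }
  printf '%s\n' "$key_alias"
}

# check_listing ALIAS: reads `keytool -list` output on stdin and passes only if
# the keystore holds exactly one entry and it is stored under ALIAS.
check_listing() {
  awk -F', ' -v a="$1" '/Entry,/ { n++; if ($1 == a) hit = 1 }
    END { exit !(n == 1 && hit) }'
}

# From the configuration root: ./preflight.sh run
if [ "${1:-}" = run ]; then
  check_env .env && check_keystore server-config && check_keystore worker-config
fi
```

To check the rule that each keystore holds only one certificate, pipe the output of keytool -list -keystore server-config/insight-keystore-server-ssl into check_listing insight-server-https, and do the same for the worker keystore and alias.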
Establishing Trust Between the Server and Worker
- Use the docker ps command to find the container IDs of the Insight server and worker.
- Use the following command to open a Bash shell inside the server container:
docker exec -it server_container_id bash
- Run the following commands:
cd server
java -Djavax.net.ssl.trustStore=insight-cacerts -jar webapp.jar --trust-ssl worker:8443
Note: If you encounter a Permission Denied error, reopen the Bash prompt using the root user:
docker exec -u root -it container_id bash
- Exit Bash.
- Use the following command to open a Bash shell inside the worker container:
docker exec -it worker_container_id bash
- Run the following commands:
java -Djavax.net.ssl.trustStore=insight-cacerts -jar webapp.jar --trust-ssl server:8443
- Exit Bash.
- Open ssl_keystore_password.txt and verify that the password is set to changeit.
This password is used for public certificate keystores and cannot be changed. By default, it is also used as the password for the private certificates in the insight-keystore-ssl keystores. For improved security, you should change the passwords for these keystores and add the new password to override.properties:
server.ssl.key-store-password=encrypted_keystore_password
Tip: For more information about how to encrypt the password, see Encrypting Sensitive Application Properties.
docker compose up. You should see the message Using provided SSL keystore in the server and worker logs.
© 2001-2025 Fair Isaac Corporation. All rights reserved. This documentation is the property of Fair Isaac Corporation (“FICO”). Receipt or possession of this documentation does not convey rights to disclose, reproduce, make derivative works, use, or allow others to use it except solely for internal evaluation purposes to determine whether to purchase a license to the software described in this documentation, or as otherwise set forth in a written software license agreement between you and FICO (or a FICO affiliate). Use of this documentation and the software described in it must conform strictly to the foregoing permitted uses, and no other use is permitted.