MATLAB® Production Server™ uses HTTPS to establish secure connections between server instances and clients. HTTPS provides certificate-based authentication for the client to validate the connection to the server. Optionally, you can configure HTTPS such that the server can provide certificate-based authentication of the client. For more information on configuring client authentication, see Configure Client Authentication. HTTPS also provides an encrypted data path between the clients and server instances.
To set up HTTPS on a server instance, you must save an SSL certificate and the
corresponding private key to the
folder of your server instance. The SSL certificate and private key must be in PEM
To generate a self-signed SSL certificate, you can use the following
openssl req -x509 -nodes -newkey rsa:4096 -keyout private_key.pem -out cert_chain.pem -days 365
cert_chain.pem with a private key
private_key.pem. The certificate is valid for 365 days. For more information, see OpenSSL.
Self-signed SSL certificates are suitable for use in testing environments as they offer encryption but do not offer authentication. SSL certificates signed by a certificate authority (CA) are suitable for production environments.
To configure HTTPS, specify the following properties in the
main_config configuration file of the server instance:
When you set the
https property on the server, you must set
properties; otherwise, the server fails to start. For more information about the
server configuration file, see Configure Server.
The following configuration excerpt configures a server instance to accept secure
connections on port port, using the certificate stored in
./x509/cert_chain.pem and the unencrypted private key stored
... --https port --x509-cert-chain ./x509/cert_chain.pem --x509-private-key ./x509/private_key.pem ...
In production settings that require greater security than that provided by an
unencrypted private key, use an encrypted private key. You specify the passphrase
for decrypting the private key in a file with owner-read-only access, and use the
x509-passphrase property to tell
the server instance about it.
... --https port --x509-cert-chain ./x509/cert_chain.pem --x509-private-key ./x509/private_key.pem --x509-passphrase ./x509/key_passphrase ...
You must set either the
http property, the
https property or both properties for the server to start. To
ensure that clients communicate with the server using only HTTPS and not HTTP, you
must disable the
http property. If both the
http properties are enabled,
clients can communicate with the server using both HTTPS and HTTP. It is recommended
that you enable the
https property unless HTTP support is
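A pre-flight check for the settings described above, as an added example that is not MathWorks code: it reads main_config text and reports plain HTTP left enabled, an unencrypted private key, and a passphrase file that is not owner-read-only. It assumes that `#` starts a comment line in main_config and that relative paths resolve against the server instance folder passed as `base_dir`; the function names are hypothetical.

```python
import os
import stat

def parse_options(config_text):
    """Return {name: value} for --name [value] options (assumed main_config syntax)."""
    lines = [l for l in config_text.splitlines() if not l.lstrip().startswith("#")]
    tokens = " ".join(lines).split()
    opts = {}
    for i, tok in enumerate(tokens):
        if tok.startswith("--"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            opts[tok[2:]] = "" if nxt.startswith("--") else nxt
    return opts

def key_is_encrypted(pem_text):
    # PKCS#8 encrypted keys are labelled "ENCRYPTED PRIVATE KEY"; traditional
    # OpenSSL PEM keys carry a "Proc-Type: 4,ENCRYPTED" header instead.
    return ("BEGIN ENCRYPTED PRIVATE KEY" in pem_text
            or "Proc-Type: 4,ENCRYPTED" in pem_text)

def audit(config_text, base_dir="."):
    """Return a list of findings about the HTTPS settings described on this page."""
    opts, findings = parse_options(config_text), []
    if "https" not in opts:
        return ["https is not set: connections are not encrypted"]
    if "http" in opts:
        findings.append("http is also set: clients can still use plain HTTP")
    key, pw = opts.get("x509-private-key"), opts.get("x509-passphrase")
    if key:
        key_path = os.path.join(base_dir, key)
        if not os.path.isfile(key_path):
            findings.append(f"private key {key} not found")
        else:
            with open(key_path, encoding="ascii", errors="replace") as fh:
                encrypted = key_is_encrypted(fh.read())
            if not encrypted:
                findings.append("private key is unencrypted")
            elif not pw:
                findings.append("encrypted private key but x509-passphrase is not set")
    if pw:
        pw_path = os.path.join(base_dir, pw)
        if not os.path.isfile(pw_path):
            findings.append(f"passphrase file {pw} not found")
        elif stat.S_IMODE(os.stat(pw_path).st_mode) != 0o400:
            findings.append("passphrase file is not owner-read-only (expected mode 0400)")
    return findings

if __name__ == "__main__":
    print(audit("--http 9910\n--https 9920\n"))  # constructed sample, placeholder ports
```

An empty list from `audit` means none of these three conditions were found; it does not validate the certificate chain itself.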