SSL

If a custom domain is used for an applicant portal, it should be secured by an SSL certificate and all requests should be forced to HTTPS. This page describes the information required to get support for creating an SSL certificate for an applicant portal, if a new certificate is required.

Certificate

This section explains how to order an SSL certificate for an eRecruiter application. If the certificate should be used for multiple eRecruiter applications under the same top-level domain (e.g. erecruiter.net), a wildcard certificate can be used (e.g. *.erecruiter.net).

Certificate Request

The first step in getting started with the SSL certificate is to provide the following information to the eRecruiter support, so that a certificate signing request (CSR) can be generated:
  1. company legal address, including
    1. C = country
    2. ST = state/province
    3. L = location address (street name, number, postal code)
  2. O = company's full name
  3. OU = name of the company's organizational unit responsible for security or IT
  4. CN = domain name that should be secured
  5. e = e-mail address of the company's organizational unit responsible for security or IT
The eRecruiter support will use this information to create a new CSR for the provided domain name (wildcard certificates are possible), which will be transmitted to the technical contact person at the company owning the domain name.
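The following script is an added example (not eRecruiter's own tooling) of how the fields above become a CSR with the openssl command-line tool. It assumes openssl 1.1.1 or newer on the PATH, maps the page's "e" field to OpenSSL's emailAddress attribute, adds the CN as a subjectAltName (which CAs require today), and includes a helper that passphrase-protects the generated key for the transfer described under SaaS / Hosting below. All sample company values are constructed.

```python
"""Build the CSR subject from the fields listed above and generate key and CSR
with the openssl CLI (added example; assumes openssl 1.1.1+ on PATH)."""
import subprocess

# Subject attributes in the order listed above. The page's "e" field is passed to
# OpenSSL as the emailAddress attribute (assumption).
SUBJECT_ATTRS = [("C", "C"), ("ST", "ST"), ("L", "L"), ("O", "O"),
                 ("OU", "OU"), ("CN", "CN"), ("e", "emailAddress")]


def build_subject(fields):
    """Return an OpenSSL -subj string such as /C=AT/ST=.../CN=*.erecruiter.net/emailAddress=..."""
    missing = [key for key, _ in SUBJECT_ATTRS if not fields.get(key)]
    if missing:
        raise ValueError(f"missing subject fields: {', '.join(missing)}")
    if len(fields["C"]) != 2 or not fields["C"].isalpha():
        raise ValueError("C must be a two-letter ISO 3166 country code")
    parts = []
    for key, attr in SUBJECT_ATTRS:
        # Escape the characters that -subj treats as separators.
        value = fields[key].replace("\\", "\\\\").replace("/", "\\/").replace("+", "\\+")
        parts.append(f"{attr}={value}")
    return "/" + "/".join(parts)


def generate_csr(fields, key_path, csr_path, key_bits=2048):
    """Create a new RSA key and CSR; the CN is also added as a SAN (wildcards are allowed)."""
    subprocess.run(
        ["openssl", "req", "-new", "-newkey", f"rsa:{key_bits}", "-nodes",
         "-keyout", key_path, "-out", csr_path, "-subj", build_subject(fields),
         "-addext", f"subjectAltName=DNS:{fields['CN']}"],
        check=True, capture_output=True)
    # Read the subject back so it can be confirmed with the domain owner before submission.
    shown = subprocess.run(["openssl", "req", "-noout", "-subject", "-in", csr_path],
                           check=True, capture_output=True, text=True).stdout
    return shown.strip()


def protect_private_key(key_path, protected_path, passphrase):
    """Re-encrypt the key with a passphrase for transfer. The passphrase is fed via stdin so it
    does not appear in the process list; send it by SMS or phone, never in the same e-mail."""
    subprocess.run(
        ["openssl", "pkcs8", "-topk8", "-v2", "aes-256-cbc", "-in", key_path,
         "-out", protected_path, "-passout", "stdin"],
        input=passphrase + "\n", text=True, check=True, capture_output=True)


if __name__ == "__main__":
    # Constructed sample values, not real company data.
    sample = {"C": "AT", "ST": "Vienna", "L": "Vienna, Example Street 1, 1010",
              "O": "Example GmbH", "OU": "IT Security", "CN": "*.erecruiter.net",
              "e": "security@example.com"}
    print(generate_csr(sample, "portal.key", "portal.csr"))
    protect_private_key("portal.key", "portal.key.enc", "choose-a-strong-passphrase")
```

The unencrypted portal.key never leaves the machine that generated it; only portal.csr goes to the CA and only portal.key.enc travels by e-mail.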

Certificate

The technical contact person for the company owning the domain name will use the CSR from the previous step to get a certificate from the certificate authority of choice (e.g. Verisign, RapidSSL, GeoTrust, A-Trust, ...) and forward the new certificate to the eRecruiter support. The following restrictions apply to the certificate:
  1. the certificate signing algorithm must be SHA2, with a SHA2 certificate chain
  2. the certificate is required to support certificate transparency
  3. the certificate needs to be issued in DER, PEM or PKCS12 format
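The checker below is an added example (not part of this page or of eRecruiter) that tests a received certificate against the three restrictions with a minimal DER reader and no third-party libraries: it accepts PEM or DER, recognises a PKCS#12 bundle and asks for the certificate to be exported first, classifies the signature algorithm OID as SHA-2 or legacy, and looks for the embedded SCT extension (RFC 6962 OID 1.3.6.1.4.1.11129.2.4.2). The SCT check is a heuristic, since SCTs can also be delivered through the TLS extension or OCSP stapling. The sample certificates built by build_sample_cert are constructed, unsigned structures for exercising the checker only; run check_certificate over every certificate in the chain to cover the "SHA2 chain" requirement.

```python
"""Check a certificate against the restrictions above: SHA-2 signature, embedded SCTs,
PEM/DER format (added example with a minimal DER reader)."""
import base64
import re

# Signature-algorithm OIDs this checker recognises (constructed lookup table).
SHA2_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}
LEGACY_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
# DER encoding of OID 1.3.6.1.4.1.11129.2.4.2 (RFC 6962 embedded SCT list extension).
SCT_EXTENSION_OID_DER = bytes.fromhex("060a2b06010401d679020402")
SHA256_RSA_OID_DER = bytes.fromhex("06092a864886f70d01010b")
SHA1_RSA_OID_DER = bytes.fromhex("06092a864886f70d010105")


def _read_tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    return tag, data[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode DER OID content bytes to dotted notation."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for byte in value[1:]:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def to_der(raw):
    """Accept a PEM or DER certificate and return its DER bytes."""
    match = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", raw, re.S)
    if match:
        return base64.b64decode(b"".join(match.group(1).split()))
    if raw[:1] == b"\x30":  # DER SEQUENCE
        return raw
    raise ValueError("not a PEM or DER encoded certificate")


def check_certificate(raw):
    """Return findings for one certificate; call it for every certificate in the chain."""
    _, cert, _ = _read_tlv(to_der(raw), 0)
    tbs_tag, tbs, pos = _read_tlv(cert, 0)
    if tbs_tag == 0x02:  # PKCS#12 also starts with SEQUENCE, but its first element is an INTEGER version
        raise ValueError("PKCS#12 bundle: export the certificate (e.g. to PEM) before checking")
    _, sig_alg, _ = _read_tlv(cert, pos)      # signatureAlgorithm follows tbsCertificate
    _, oid_bytes, _ = _read_tlv(sig_alg, 0)   # AlgorithmIdentifier starts with the OID
    oid = _decode_oid(oid_bytes)
    name = SHA2_SIGNATURE_OIDS.get(oid) or LEGACY_SIGNATURE_OIDS.get(oid, oid)
    problems = []
    if oid not in SHA2_SIGNATURE_OIDS:
        problems.append(f"signature algorithm {name} is not SHA-2")
    # Heuristic: the SCT extension OID must appear inside tbsCertificate.
    has_sct = SCT_EXTENSION_OID_DER in tbs
    if not has_sct:
        problems.append("no embedded SCT extension (certificate transparency)")
    return {"signature_algorithm": name, "sha2": oid in SHA2_SIGNATURE_OIDS,
            "has_sct_extension": has_sct, "problems": problems}


def der_encode(tag, body):
    """Encode one DER TLV (used below to build constructed sample certificates)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    length = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body


def build_sample_cert(sig_oid_der, with_sct):
    """Constructed, unsigned, structurally minimal certificate for exercising the checker."""
    tbs_body = der_encode(0x02, b"\x01")  # version-like INTEGER, enough for the parser
    if with_sct:
        ext = der_encode(0x30, SCT_EXTENSION_OID_DER + der_encode(0x04, b"\x00"))
        tbs_body += der_encode(0xA3, der_encode(0x30, ext))  # [3] Extensions
    sig_alg = der_encode(0x30, sig_oid_der + b"\x05\x00")    # AlgorithmIdentifier with NULL params
    signature = der_encode(0x03, b"\x00" * 9)                # empty BIT STRING placeholder
    return der_encode(0x30, der_encode(0x30, tbs_body) + sig_alg + signature)


def to_pem(der):
    """Wrap DER bytes in PEM armour."""
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    print(check_certificate(build_sample_cert(SHA256_RSA_OID_DER, True)))
    print(check_certificate(to_pem(build_sample_cert(SHA1_RSA_OID_DER, False))))
```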

Installation

The following section explains how to install the certificate for the eRecruiter applications.

SaaS / Hosting

  1. The eRecruiter support will use the transmitted certificate and the generated private key to install and secure the applicant portal. The private key should be transferred in a secure manner: it is recommended to protect the private key with a password before transmitting it by e-mail, and to transmit the password through a different channel; we recommend a text message (SMS) or a phone call with the eRecruiter support.
  2. The applicant portal will also be configured to force SSL connections and redirect any plain HTTP request to the HTTPS endpoint.

On-Premise - IIS Installation

The certificate can be installed directly into the IIS service. For this, the certificate needs to be installed as a server certificate through the IIS management console. After the installation, the IIS site binding needs to be configured to support SSL (binding on port 443 with the installed certificate). It is also recommended to configure the IIS cipher suites; this can be done through the Windows registry or by using the free IISCrypto tool (select "Best Practices").

On-Premise - Reverse Proxy Installation

If a reverse proxy is used (officially supported: Apache, nginx or HAProxy), the certificate can be installed on the reverse proxy for SSL termination, but only if the network between the proxy and the eRecruiter applications is trusted, since the communication between them is then done through plain HTTP. The certificate should be installed in the way recommended for the proxy software (see the proxy vendor's documentation), and the proxy must set the following HTTP headers for the eRecruiter application to work properly.

HTTP Header         Description                                                                              Example
X-Forwarded-For     The external IP address of the client calling the eRecruiter application                  %CLIENT_IP%
X-Forwarded-Host    The host name used by the client calling the eRecruiter application (e.g. vhost name)     app.erecruiter.net
X-Forwarded-Port    The port used by the client calling the eRecruiter application                            443
X-Forwarded-Proto   The protocol used by the client calling the eRecruiter application                        https
The following example demonstrates the usage of the headers in a reverse proxy scenario with SSL termination:
  1. Reverse proxy configuration
    1. Host: app.erecruiter.net
    2. Port: 443
    3. Protocol: HTTPS
  2. Application server configuration
    1. Host: internal.mynetwork.com
    2. Port: 80
    3. Protocol: HTTP
  3. HTTP Headers set by the reverse proxy when forwarding the request to the application server (example: forwarding the request from https://app.erecruiter.net/ to http://internal.mynetwork.com/):
    1. X-Forwarded-For: 134.134.134.124
    2. X-Forwarded-Host: app.erecruiter.net
    3. X-Forwarded-Port: 443
    4. X-Forwarded-Proto: https
To validate the configuration, the diagnostics page attached to this page (HttpDiag.aspx) can be used. It needs to be placed in the root folder of the eRecruiter application under test. The diagnostics page must be removed after validation, as it may pose a security risk.
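The application-side handling of these headers, as an added example that is not eRecruiter code: the X-Forwarded-* values are honoured only when the TCP peer is the trusted reverse proxy (anyone reaching the application server directly can type those headers themselves), the forwarded host is checked against an allow-list before it is used in a redirect, only the last X-Forwarded-For entry (the one appended by the trusted hop) is taken as the client address, and a plain-HTTP request is mapped to its HTTPS redirect target as described under SaaS / Hosting. The proxy address 10.0.0.5 and the allow-list are constructed values; the header sample repeats the scenario above.

```python
"""Trust X-Forwarded-* only from the reverse proxy, then derive the end user's view of the
request and the HTTPS redirect target (added example; addresses are constructed)."""
import ipaddress

TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}   # the SSL-terminating proxy (constructed)
ALLOWED_HOSTS = {"app.erecruiter.net"}                  # public host names served by the portal


def _header(headers, name):
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def resolve_request(peer_ip, headers, scheme="http", host="internal.mynetwork.com", port=80):
    """Return scheme/host/port/client IP as seen by the end user.

    peer_ip is the TCP peer of the application server; scheme, host and port are what the
    application server itself observed (plain HTTP on port 80 in the scenario above)."""
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_PROXIES:
        # Anyone else could have written these headers themselves: ignore them.
        return {"scheme": scheme, "host": host, "port": port,
                "client_ip": str(peer), "trusted_proxy": False}
    fwd_host = _header(headers, "X-Forwarded-Host") or host
    if fwd_host not in ALLOWED_HOSTS:
        raise ValueError(f"unexpected forwarded host {fwd_host!r}")
    fwd_scheme = (_header(headers, "X-Forwarded-Proto") or scheme).lower()
    if fwd_scheme not in ("http", "https"):
        raise ValueError(f"unexpected forwarded protocol {fwd_scheme!r}")
    fwd_port = int(_header(headers, "X-Forwarded-Port") or port)
    client_ip = str(peer)
    xff = _header(headers, "X-Forwarded-For")
    if xff:
        # With one trusted hop, only the last entry was appended by our proxy; earlier
        # entries may have been supplied by the client and are not trustworthy.
        client_ip = str(ipaddress.ip_address(xff.split(",")[-1].strip()))
    return {"scheme": fwd_scheme, "host": fwd_host, "port": fwd_port,
            "client_ip": client_ip, "trusted_proxy": True}


def https_redirect_target(request, path="/"):
    """Return the URL to redirect a plain-HTTP request to, or None when it is already HTTPS."""
    if request["scheme"] == "https":
        return None
    return f"https://{request['host']}{path}"


if __name__ == "__main__":
    # Constructed sample matching the forwarding example above.
    sample_headers = {"X-Forwarded-For": "134.134.134.124", "X-Forwarded-Host": "app.erecruiter.net",
                      "X-Forwarded-Port": "443", "X-Forwarded-Proto": "https"}
    print(resolve_request("10.0.0.5", sample_headers))
    print(https_redirect_target(resolve_request("10.0.0.5", {"X-Forwarded-Host": "app.erecruiter.net"}), "/jobs"))
```

If more than one proxy hop sits in front of the application, extend TRUSTED_PROXIES and walk the X-Forwarded-For list from the right, skipping every trusted address, instead of taking only the last entry.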
