Enabling HTTPS for NXLog Manager
To operate with HTTPS enabled, NXLog Manager requires either a certificate issued by a certificate authority (CA) or a self-signed certificate. A self-signed certificate and private key are generated during the installation of NXLog Manager. The self-signed certificate can be used for testing and for encrypting the initial setup; for production systems, however, it should be replaced with a certificate issued by a certificate authority.
After the installation, the key and certificate are stored under the following path:
Version of Manager | Path | Private Key | Certificate |
---|---|---|---|
5.x | | | |
In case the private key is password-protected, the password can be set by specifying the ServerKeyPassword property in the <NXLogManager_HOME>/conf/jetty-config.xml file.
Since Jetty 9 supports hashed passwords, they can be generated by using Jetty's password utility. For example, enter the following command to generate a secured version of the password newpass for user myuser:
> java -cp <NXLogManager_HOME>/lib/jetty-util-xxx.jar org.eclipse.jetty.util.security.Password myuser newpass
where -xxx signifies the version of Jetty installed in NXLog Manager. The following output will be generated:
newpass
OBF:1xmi1vu91vv91xfj1vu11vv11xms
MD5:e6053eb8d35e02ae40beeeacef203c1a
CRYPT:myBmXhAi5GjtE
The first line is the plain text password. Copy the secured version of your choice together with its prefix and paste it into the <NXLogManager_HOME>/etc/start.ini file under the jetty.sslContext.keyStorePassword property.
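The OBF: form above is reversible obfuscation rather than a hash: Jetty has to recover the plaintext to open the key store, so the value only hides the password from a casual glance and start.ini still needs permissions that restrict it to the service account. The following Python port of Jetty's Password.obfuscate/deobfuscate is an added example (not Jetty's or NXLog's code) that reproduces the page's newpass output; it assumes UTF-8 passwords, as Jetty does.

```python
"""Python port of Jetty's org.eclipse.jetty.util.security.Password OBF coding.

Added example, not Jetty or NXLog code. OBF: is reversible obfuscation,
not a hash: deobfuscate() recovers the plaintext from the stored value.
"""

OBF_PREFIX = "OBF:"
_B36 = "0123456789abcdefghijklmnopqrstuvwxyz"


def _to_base36(n: int) -> str:
    digits = []
    while True:
        n, r = divmod(n, 36)
        digits.append(_B36[r])
        if n == 0:
            return "".join(reversed(digits))


def obfuscate(password: str) -> str:
    """Return Jetty's OBF: form of password (UTF-8 bytes, as Jetty uses)."""
    b = password.encode("utf-8")
    out = [OBF_PREFIX]
    for i, b1 in enumerate(b):
        b2 = b[len(b) - 1 - i]           # byte mirrored from the other end
        if b1 >= 128 or b2 >= 128:
            # Non-ASCII pair: 'U' + base-36 of (b1 << 8 | b2), padded to 4 digits
            out.append("U" + _to_base36(b1 * 256 + b2).rjust(4, "0"))
        else:
            i1 = 127 + b1 + b2           # sum and difference, both kept >= 0
            i2 = 127 + b1 - b2
            out.append(_to_base36(i1 * 256 + i2).rjust(4, "0"))
    return "".join(out)


def deobfuscate(obf: str) -> str:
    """Invert obfuscate(); accepts the value with or without the OBF: prefix."""
    s = obf[len(OBF_PREFIX):] if obf.startswith(OBF_PREFIX) else obf
    raw = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "U":
            raw.append(int(s[i + 1:i + 5], 36) >> 8)   # high byte is b1
            i += 5
        else:
            i1, i2 = divmod(int(s[i:i + 4], 36), 256)
            raw.append((i1 + i2 - 254) // 2)           # equals b1 exactly
            i += 4
    return raw.decode("utf-8")


if __name__ == "__main__":
    print(obfuscate("newpass"))                              # OBF:1xmi1vu91vv91xfj1vu11vv11xms
    print(deobfuscate("OBF:1xmi1vu91vv91xfj1vu11vv11xms"))   # newpass
```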
Configuring ports
Beginning with version 5.5, NXLog Manager is shipped with SSL enabled on the default port 9443. The port can be customized in the <NXLogManager_HOME>/conf/jetty-config.xml file.
To enable SSL in versions prior to 5.5, uncomment the three sections in <NXLogManager_HOME>/conf/jetty-config.xml which look as follows:
<New id="sslContextFactory" class="com.nxsec.log4ensics.web.common.server.util.ssl.SslContextFactory">
  <Set name="ServerCertificate"><Property name="jetty.home" default=".." />/conf/jetty9-cert.pem</Set>
  <Set name="ServerKey"><Property name="jetty.home" default=".." />/conf/jetty9-key.pem</Set>
  <Set name="ServerKeyPassword"></Set>
  <Set name="EndpointIdentificationAlgorithm"></Set>
  <Set name="NeedClientAuth"><Property name="jetty.ssl.needClientAuth" default="false"/></Set>
  <Set name="WantClientAuth"><Property name="jetty.ssl.wantClientAuth" default="false"/></Set>
  <Set name="ExcludeCipherSuites">
    <Array type="String">
      <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
      <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
      <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
      <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
      <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
      <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
      <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
      <Item>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
      <Item>SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA</Item>
      <Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA256</Item>
      <Item>TLS_DHE_DSS_WITH_AES_256_CBC_SHA256</Item>
      <Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</Item>
      <Item>TLS_DHE_DSS_WITH_AES_256_CBC_SHA</Item>
      <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</Item>
      <Item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA256</Item>
      <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
      <Item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</Item>
    </Array>
  </Set>
</New>
<New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
  <Arg><Ref refid="httpConfig"/></Arg>
  <Call name="addCustomizer">
    <Arg><New class="org.eclipse.jetty.server.SecureRequestCustomizer"/></Arg>
  </Call>
</New>
<Call name="addConnector">
  <Arg>
    <New id="sslConnector" class="org.eclipse.jetty.server.ServerConnector">
      <Arg name="server"><Ref refid="Server" /></Arg>
      <Arg name="factories">
        <Array type="org.eclipse.jetty.server.ConnectionFactory">
          <!-- uncomment to support proxy protocol
          <Item>
            <New class="org.eclipse.jetty.server.ProxyConnectionFactory"/>
          </Item>-->
          <Item>
            <New class="org.eclipse.jetty.server.SslConnectionFactory">
              <Arg name="next">http/1.1</Arg>
              <Arg name="sslContextFactory"><Ref refid="sslContextFactory"/></Arg>
            </New>
          </Item>
          <Item>
            <New class="org.eclipse.jetty.server.HttpConnectionFactory">
              <Arg name="config"><Ref refid="sslHttpConfig" /></Arg>
            </New>
          </Item>
        </Array>
      </Arg>
      <Set name="host"><Property name="jetty.host" /></Set>
      <Set name="port"><Property name="jetty.https.port" default="9443" /></Set>
      <Set name="idleTimeout"><Property name="ssl.timeout" default="30000"/></Set>
    </New>
  </Arg>
</Call>
<Call class="java.lang.System" name="setProperty">
  <Arg>org.apache.jasper.compiler.disablejsr199</Arg>
  <Arg>true</Arg>
</Call>
<!-- Fix for java.lang.IllegalStateException: Form too large 207624>200000 -->
<Call name="setAttribute">
  <Arg>org.eclipse.jetty.server.Request.maxFormContentSize</Arg>
  <Arg><Property name="jetty.maxFormContentSize" default="1000000"/></Arg>
</Call>
Disabling older SSL/TLS versions
For security reasons, older and/or unused versions of SSL/TLS can be disabled by adding an exclusion for those protocols in the Jetty configuration.
Follow these steps to disable older SSL/TLS protocols:
- Open the <NXLogManager_HOME>/conf/jetty-config.xml file with a text editor.
- Under the sslContextFactory section, add an ExcludeProtocols property as follows:
  <Set name="ExcludeProtocols">
    <Array type="java.lang.String">
      <Item>SSLv3</Item>
      <Item>TLSv1</Item>
      <Item>TLSv1.1</Item>
    </Array>
  </Set>
  The example below shows the complete sslContextFactory section after adding the list of excluded protocols.
  jetty-config.xml
  <New id="sslContextFactory" class="com.nxsec.log4ensics.dbmanager.common.server.util.ssl.SslContextFactory">
    <Set name="ServerCertificate"><Property name="jetty.home" default=".." />/conf/jetty9-cert.pem</Set>
    <Set name="ServerKey"><Property name="jetty.home" default=".." />/conf/jetty9-key.pem</Set>
    <Set name="ServerKeyPassword"></Set>
    <Set name="EndpointIdentificationAlgorithm"></Set>
    <Set name="NeedClientAuth"><Property name="jetty.ssl.needClientAuth" default="false"/></Set>
    <Set name="WantClientAuth"><Property name="jetty.ssl.wantClientAuth" default="false"/></Set>
    <Set name="ExcludeProtocols">
      <Array type="java.lang.String">
        <Item>SSLv3</Item>
        <Item>TLSv1</Item>
        <Item>TLSv1.1</Item>
      </Array>
    </Set>
    <Set name="ExcludeCipherSuites">
      <Array type="String">
        <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
        <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
        <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
        <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
        <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
        <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
        <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
        <Item>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
        <Item>SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA</Item>
        <Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA256</Item>
        <Item>TLS_DHE_DSS_WITH_AES_256_CBC_SHA256</Item>
        <Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</Item>
        <Item>TLS_DHE_DSS_WITH_AES_256_CBC_SHA</Item>
        <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</Item>
        <Item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA256</Item>
        <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
        <Item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</Item>
      </Array>
    </Set>
  </New>
- Restart the NXLog Manager service to apply the changes.
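A quick way to confirm that the edit above actually covers all three legacy protocols before restarting is to read the ExcludeProtocols list back out of jetty-config.xml. The following Python script is an added, hypothetical helper (not part of NXLog Manager) that parses the Jetty XML configuration format shown on this page and reports which of SSLv3, TLSv1 and TLSv1.1 are still not excluded; the embedded configuration is a constructed sample in which TLSv1.1 was left out.

```python
"""Audit which legacy protocols an NXLog Manager jetty-config.xml still allows.

Hypothetical helper, not part of NXLog Manager: it reads the Jetty XML format
used on the page (<New id="sslContextFactory"> containing
<Set name="ExcludeProtocols"><Array><Item>...</Item>) and reports which of
the protocols the procedure excludes are missing from the list.
"""
import xml.etree.ElementTree as ET

# Protocols the page's procedure excludes; all three should be present.
LEGACY_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1")

# Constructed sample: an sslContextFactory section where the administrator
# added ExcludeProtocols but forgot TLSv1.1 (cipher list shortened).
SAMPLE_CONFIG = """<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <New id="sslContextFactory" class="com.nxsec.log4ensics.web.common.server.util.ssl.SslContextFactory">
    <Set name="ServerCertificate"><Property name="jetty.home" default=".." />/conf/jetty9-cert.pem</Set>
    <Set name="ServerKey"><Property name="jetty.home" default=".." />/conf/jetty9-key.pem</Set>
    <Set name="ServerKeyPassword"></Set>
    <Set name="ExcludeProtocols">
      <Array type="java.lang.String">
        <Item>SSLv3</Item>
        <Item>TLSv1</Item>
      </Array>
    </Set>
    <Set name="ExcludeCipherSuites">
      <Array type="String">
        <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
        <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
      </Array>
    </Set>
  </New>
</Configure>"""


def excluded_items(config_xml: str, setting: str) -> list:
    """Return the <Item> values under <Set name=setting> of sslContextFactory."""
    root = ET.fromstring(config_xml)
    factory = root.find(".//New[@id='sslContextFactory']")
    if factory is None:
        raise ValueError("no sslContextFactory section found")
    items = factory.findall(f"./Set[@name='{setting}']/Array/Item")
    return [(item.text or "").strip() for item in items]


def missing_protocol_exclusions(config_xml: str) -> list:
    """Legacy protocols from the page's list that the config does not exclude."""
    excluded = set(excluded_items(config_xml, "ExcludeProtocols"))
    return [p for p in LEGACY_PROTOCOLS if p not in excluded]


if __name__ == "__main__":
    missing = missing_protocol_exclusions(SAMPLE_CONFIG)
    print("still allowed:", missing or "none")  # sample -> ['TLSv1.1']
```

Point the script at the real file by reading <NXLogManager_HOME>/conf/jetty-config.xml into a string and passing it to missing_protocol_exclusions(); an empty list means the list is complete.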