Enabling HTTPS for NXLog Manager
Starting with version 5.5, NXLog Manager is shipped with enabled HTTPS. To operate with it, NXLog Manager requires either a certificate issued by a certificate authority (CA) or a self-signed certificate. A self-signed certificate and private key are generated during the installation of NXLog Manager. A self-signed certificate can be used for testing and providing encryption for the initial setup; however, for production systems, it should be replaced with a certificate issued by a certificate authority.
After the installation, the key and certificate are stored under the following paths:
Version of Manager | Path | Private Key | Certificate
---|---|---|---
5.x | | |
6.x | | |
In case the private key is password-protected, the following properties are available to set the password:
- For versions 5.x, it can be set under the ServerKeyPassword property of the <NXLogManager_HOME>/conf/jetty-config.xml file.
- For versions 6.x, the password can be specified under the jetty.sslContext.keyStorePassword property of the <NXLogManager_HOME>/etc/start.ini file.
Since Jetty 9 supports hashed passwords, they can be generated by using Jetty's password utility. For example, enter the following command to generate a secured version of the password newpass for user myuser:
> java -cp <NXLogManager_HOME>/lib/jetty-util-xxx.jar org.eclipse.jetty.util.security.Password myuser newpass
where xxx signifies the version of Jetty installed in NXLog Manager. The following output will be generated:
newpass
OBF:1xmi1vu91vv91xfj1vu11vv11xms
MD5:e6053eb8d35e02ae40beeeacef203c1a
CRYPT:myBmXhAi5GjtE
The first line is the plain text password. Copy the secured version of your choice with the prefix and paste it in the <NXLogManager_HOME>/etc/start.ini file under the jetty.sslContext.keyStorePassword property. For a keystore password Jetty has to recover the original value in order to open the keystore, so the OBF form is the one that applies there. Note that OBF is reversible obfuscation rather than a hash: it stops the password from being read at a glance, but anyone who can read start.ini can recover it, so the file permissions on start.ini still matter.
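To make the OBF form concrete, the following is an added example (it is not NXLog's or Jetty's own code) that reimplements the OBF: encoding of Jetty's org.eclipse.jetty.util.security.Password in Python, reproduces the value shown above for newpass, and shows by the round trip that the encoding is reversible without any key. The password_form helper is an assumption added here for checking what kind of value is sitting in start.ini.

```python
import string

OBF_PREFIX = "OBF:"
_BASE36 = string.digits + string.ascii_lowercase

def _to_base36(n: int) -> str:
    digits = ""
    while n:
        n, r = divmod(n, 36)
        digits = _BASE36[r] + digits
    return digits or "0"

def obfuscate(password: str) -> str:
    """Reimplementation of Jetty's Password.obfuscate(): each byte is paired
    with its mirror byte and the pair is encoded as four base-36 characters."""
    raw = password.encode("utf-8")
    chunks = []
    for i, b1 in enumerate(raw):
        b2 = raw[len(raw) - (i + 1)]
        if b1 >= 128 or b2 >= 128:
            # non-ASCII bytes use a 'U' marker followed by base36(b1*256 + b2)
            chunks.append("U" + _to_base36(b1 * 256 + b2).rjust(4, "0"))
        else:
            i1 = 127 + b1 + b2
            i2 = 127 + b1 - b2
            chunks.append(_to_base36(i1 * 256 + i2).rjust(4, "0"))
    return OBF_PREFIX + "".join(chunks)

def deobfuscate(value: str) -> str:
    """Inverse of obfuscate(): no key is involved, so anyone who can read
    start.ini can recover the password exactly as Jetty itself does."""
    s = value[len(OBF_PREFIX):] if value.startswith(OBF_PREFIX) else value
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "U":
            i += 1
            out.append(int(s[i:i + 4], 36) >> 8)
        else:
            i1, i2 = divmod(int(s[i:i + 4], 36), 256)
            out.append((i1 + i2 - 254) // 2)  # (2*b1)/2 recovers the byte
        i += 4
    return out.decode("utf-8")

def password_form(value: str) -> str:
    """Classify a keyStorePassword value as plain, OBF, MD5 or CRYPT (assumed helper)."""
    for prefix in ("OBF", "MD5", "CRYPT"):
        if value.startswith(prefix + ":"):
            return prefix
    return "plain"
```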
Configuring ports
Starting with version 5.5, NXLog Manager is shipped with SSL enabled via the default port 9443.
For versions 6.x, the port can be customized in the <NXLogManager_HOME>/etc/start.ini file by editing the jetty.ssl.port parameter.
For versions 5.x, the port can be customized in the <NXLogManager_HOME>/conf/jetty-config.xml file.
To enable SSL in versions 5.x prior to 5.5, uncomment three sections in <NXLogManager_HOME>/conf/jetty-config.xml which appear as follows:
<New id="sslContextFactory" class="com.nxsec.log4ensics.web.common.server.util.ssl.SslContextFactory">
  <Set name="ServerCertificate"><Property name="jetty.home" default=".." />/conf/jetty9-cert.pem</Set>
  <Set name="ServerKey"><Property name="jetty.home" default=".." />/conf/jetty9-key.pem</Set>
  <Set name="ServerKeyPassword"></Set>
  <Set name="EndpointIdentificationAlgorithm"></Set>
  <Set name="NeedClientAuth"><Property name="jetty.ssl.needClientAuth" default="false"/></Set>
  <Set name="WantClientAuth"><Property name="jetty.ssl.wantClientAuth" default="false"/></Set>
  <Set name="ExcludeCipherSuites">
    <Array type="String">
      <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
      <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
      <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
      <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
      <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
      <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
      <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
      <Item>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
      <Item>SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA</Item>
      <Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA256</Item>
      <Item>TLS_DHE_DSS_WITH_AES_256_CBC_SHA256</Item>
      <Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</Item>
      <Item>TLS_DHE_DSS_WITH_AES_256_CBC_SHA</Item>
      <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</Item>
      <Item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA256</Item>
      <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
      <Item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</Item>
    </Array>
  </Set>
</New>
<New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
  <Arg><Ref refid="httpConfig"/></Arg>
  <Call name="addCustomizer">
    <Arg><New class="org.eclipse.jetty.server.SecureRequestCustomizer"/></Arg>
  </Call>
</New>
<Call name="addConnector">
  <Arg>
    <New id="sslConnector" class="org.eclipse.jetty.server.ServerConnector">
      <Arg name="server"><Ref refid="Server" /></Arg>
      <Arg name="factories">
        <Array type="org.eclipse.jetty.server.ConnectionFactory">
          <!-- uncomment to support proxy protocol
          <Item>
            <New class="org.eclipse.jetty.server.ProxyConnectionFactory"/>
          </Item>-->
          <Item>
            <New class="org.eclipse.jetty.server.SslConnectionFactory">
              <Arg name="next">http/1.1</Arg>
              <Arg name="sslContextFactory"><Ref refid="sslContextFactory"/></Arg>
            </New>
          </Item>
          <Item>
            <New class="org.eclipse.jetty.server.HttpConnectionFactory">
              <Arg name="config"><Ref refid="sslHttpConfig" /></Arg>
            </New>
          </Item>
        </Array>
      </Arg>
      <Set name="host"><Property name="jetty.host" /></Set>
      <Set name="port"><Property name="jetty.https.port" default="9443" /></Set>
      <Set name="idleTimeout"><Property name="ssl.timeout" default="30000"/></Set>
    </New>
  </Arg>
</Call>
<Call class="java.lang.System" name="setProperty">
  <Arg>org.apache.jasper.compiler.disablejsr199</Arg>
  <Arg>true</Arg>
</Call>
<!-- Fix for java.lang.IllegalStateException: Form too large 207624>200000 -->
<Call name="setAttribute">
  <Arg>org.eclipse.jetty.server.Request.maxFormContentSize</Arg>
  <Arg><Property name="jetty.maxFormContentSize" default="1000000"/></Arg>
</Call>
Disabling older SSL/TLS versions
For security reasons, older and/or unused versions of SSL/TLS can be disabled by adding an exclusion for those protocols in the Jetty configuration.
Follow these steps to disable older SSL/TLS protocols in versions 6.x:
- Create a new file <NXLogManager_HOME>/etc/tweak-ssl.xml.
- Open tweak-ssl.xml with a text editor and add the following content:
tweak-ssl.xml
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">
<!-- Tweak SslContextFactory Includes / Excludes -->
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <!-- Eliminate Insecure Protocols -->
  <Call name="addExcludeProtocols">
    <Arg>
      <Array type="java.lang.String">
        <Item>SSLv3</Item>
        <Item>TLSv1</Item>
        <Item>TLSv1.1</Item>
      </Array>
    </Arg>
  </Call>
</Configure>
- Open the <NXLogManager_HOME>/etc/start.ini file with a text editor and add the path of the above file under the --module=https section as follows:
start.ini
--module=https
etc/tweak-ssl.xml
- Restart the NXLog Manager service to apply the changes.
Follow these steps to disable older SSL/TLS protocols in versions 5.x:
- Open the <NXLogManager_HOME>/conf/jetty-config.xml file with a text editor.
- Under the sslContextFactory section, add an ExcludeProtocols property as follows:
<Set name="ExcludeProtocols">
  <Array type="java.lang.String">
    <Item>SSLv3</Item>
    <Item>TLSv1</Item>
    <Item>TLSv1.1</Item>
  </Array>
</Set>
The example below shows the complete sslContextFactory section after adding the list of excluded protocols.
jetty-config.xml
<New id="sslContextFactory" class="com.nxsec.log4ensics.dbmanager.common.server.util.ssl.SslContextFactory">
  <Set name="ServerCertificate"><Property name="jetty.home" default=".." />/conf/jetty9-cert.pem</Set>
  <Set name="ServerKey"><Property name="jetty.home" default=".." />/conf/jetty9-key.pem</Set>
  <Set name="ServerKeyPassword"></Set>
  <Set name="EndpointIdentificationAlgorithm"></Set>
  <Set name="NeedClientAuth"><Property name="jetty.ssl.needClientAuth" default="false"/></Set>
  <Set name="WantClientAuth"><Property name="jetty.ssl.wantClientAuth" default="false"/></Set>
  <Set name="ExcludeProtocols">
    <Array type="java.lang.String">
      <Item>SSLv3</Item>
      <Item>TLSv1</Item>
      <Item>TLSv1.1</Item>
    </Array>
  </Set>
  <Set name="ExcludeCipherSuites">
    <Array type="String">
      <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
      <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
      <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
      <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
      <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
      <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
      <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
      <Item>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
      <Item>SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA</Item>
      <Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA256</Item>
      <Item>TLS_DHE_DSS_WITH_AES_256_CBC_SHA256</Item>
      <Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</Item>
      <Item>TLS_DHE_DSS_WITH_AES_256_CBC_SHA</Item>
      <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</Item>
      <Item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA256</Item>
      <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
      <Item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</Item>
    </Array>
  </Set>
</New>
- Restart the NXLog Manager service to apply the changes.
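After the restart it is worth confirming that the exclusion actually took effect. The following is an added example (not NXLog's or Jetty's code) that reads the ExcludeProtocols list out of either configuration style shown above (the 5.x <Set name="ExcludeProtocols"> form and the 6.x <Call name="addExcludeProtocols"> form), reports any of SSLv3/TLSv1/TLSv1.1 that is still permitted, and offers a handshake probe against the HTTPS port. The sample XML is constructed here with TLSv1.1 deliberately omitted; host localhost and port 9443 in the probe are assumptions.

```python
import socket
import ssl
import xml.etree.ElementTree as ET

# Protocols the tweak-ssl.xml / jetty-config.xml examples above exclude.
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample in the 6.x tweak-ssl.xml style; TLSv1.1 is deliberately
# missing so that the audit has something to report.
SAMPLE_TWEAK_SSL = """<Configure id="sslContextFactory"
    class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Call name="addExcludeProtocols"><Arg><Array type="java.lang.String">
    <Item>SSLv3</Item><Item>TLSv1</Item>
  </Array></Arg></Call>
</Configure>"""

def excluded(xml_text: str, name: str) -> set:
    """Collect <Item> values under <Set name="NAME"> (5.x jetty-config.xml)
    or <Call name="addNAME"> (6.x tweak-ssl.xml)."""
    found = set()
    for node in ET.fromstring(xml_text).iter():
        if node.tag in ("Set", "Call") and node.get("name") in (name, "add" + name):
            found.update(item.text.strip() for item in node.iter("Item") if item.text)
    return found

def legacy_still_allowed(xml_text: str) -> list:
    """Legacy protocols the configuration fails to exclude (empty list is good)."""
    return sorted(LEGACY_PROTOCOLS - excluded(xml_text, "ExcludeProtocols"))

def server_accepts(host: str, port: int, version: ssl.TLSVersion) -> bool:
    """Attempt a handshake pinned to one TLS version. Certificate validation is
    off because the target may still present the self-signed install certificate.
    False means the handshake failed; a modern OpenSSL build may itself refuse
    TLSv1/1.1, so confirm a False result against the server log."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False

if __name__ == "__main__":
    print("legacy protocols not excluded:", legacy_still_allowed(SAMPLE_TWEAK_SSL))
    for v in (ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2):  # assumed target below
        print(v.name, "accepted by localhost:9443 ->", server_accepts("localhost", 9443, v))
```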