NXLog Documentation

Enabling HTTPS for NXLog Manager

To operate with HTTPS enabled, NXLog Manager requires either a certificate issued by a certificate authority (CA) or a self-signed certificate. A self-signed certificate and private key are generated during the installation of NXLog Manager. The self-signed certificate can be used for testing and providing encryption for the initial setup; however, for production systems, it should be replaced with the certificate issued by a certificate authority.

After the installation, the key and certificate are stored under the following path:

Table 1. Path for Certificate and Private Key

Version of Manager   Path                        Private Key      Certificate
5.x                  <NXLogManager_HOME>/conf/   jetty9-key.pem   jetty9-cert.pem

In case the private key is password-protected, the password can be set by specifying the ServerKeyPassword property in the <NXLogManager_HOME>/conf/jetty-config.xml file.

Since Jetty9 supports hashed passwords, they can be generated by using Jetty’s password utility. For example, enter the following command to generate a secured version of the password newpass for user myuser:

> java -cp <NXLogManager_HOME>/lib/jetty-util-xxx.jar org.eclipse.jetty.util.security.Password myuser newpass

where xxx is the version of the Jetty library installed with NXLog Manager. The following output will be generated:

newpass
OBF:1xmi1vu91vv91xfj1vu11vv11xms
MD5:e6053eb8d35e02ae40beeeacef203c1a
CRYPT:myBmXhAi5GjtE

The first line is a plain text password. Copy the secured version of your choice with the prefix and paste it in the <NXLogManager_HOME>/etc/start.ini file under the jetty.sslContext.keyStorePassword property.

Using custom certificates on NXLog Manager version 5.7+

In some instances, you may need to use custom certificates with NXLog Manager version 5.7+. You can accomplish this by importing the certificates into the keystore. Follow the steps below to complete this process:

  1. Open a terminal and change to the jetty-base directory:

    $ cd /opt/nxlog-manager/bin/jetty-base/etc
  2. Remove the current keystore.p12 file to prepare for the new one:

    $ rm keystore.p12
  3. Use the following command to create a new keystore.p12 file, where server.pem and server.key are the certificate and private key to be imported into the keystore. Set the password to jetty9:

    $ openssl pkcs12 -export -in /path/to/server.pem -inkey /path/to/server.key -out keystore.p12 -name nxlog-manager
  4. Run the command below to import the new keystore.p12 into the keystore.jks file. If prompted, select "yes" to replace existing entries. Use jetty9 as the password:

    $ keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype jks -srcalias nxlog-manager -destalias nxlog-manager
    ...
    Importing keystore keystore.p12 to keystore.jks...
    Enter destination keystore password: jetty9
    Enter source keystore password: jetty9
    Existing entry alias nxlog-manager exists, overwrite? [no]: yes

The certificates should now be successfully imported into the keystore.

Configuring ports

Beginning with version 5.5, NXLog Manager is shipped with SSL enabled via the default port 9443. The port can be customized in the <NXLogManager_HOME>/conf/jetty-config.xml file.

To enable SSL in versions prior to 5.5, uncomment three sections in <NXLogManager_HOME>/conf/jetty-config.xml which look as follows:

jetty-config.xml
    <New id="sslContextFactory" class="com.nxsec.log4ensics.web.common.server.util.ssl.SslContextFactory">
        <Set name="ServerCertificate"><Property name="jetty.home" default=".." />/conf/jetty9-cert.pem</Set>
        <Set name="ServerKey"><Property name="jetty.home" default=".." />/conf/jetty9-key.pem</Set>
        <Set name="ServerKeyPassword"></Set>
        <Set name="EndpointIdentificationAlgorithm"></Set>
        <Set name="NeedClientAuth"><Property name="jetty.ssl.needClientAuth" default="false"/></Set>
        <Set name="WantClientAuth"><Property name="jetty.ssl.wantClientAuth" default="false"/></Set>
        <Set name="ExcludeCipherSuites">
            <Array type="String">
                <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
                <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
                <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
                <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
                <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
                <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
                <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
                <Item>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
                <Item>SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA</Item>
                <Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA256</Item>
                <Item>TLS_DHE_DSS_WITH_AES_256_CBC_SHA256</Item>
                <Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</Item>
                <Item>TLS_DHE_DSS_WITH_AES_256_CBC_SHA</Item>
                <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</Item>
                <Item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA256</Item>
                <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
                <Item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</Item>
            </Array>
        </Set>
    </New>
jetty-config.xml
    <New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
        <Arg><Ref refid="httpConfig"/></Arg>
        <Call name="addCustomizer">
            <Arg><New class="org.eclipse.jetty.server.SecureRequestCustomizer"/></Arg>
        </Call>
    </New>
jetty-config.xml
    <Call  name="addConnector">
        <Arg>
            <New id="sslConnector" class="org.eclipse.jetty.server.ServerConnector">
                <Arg name="server"><Ref refid="Server" /></Arg>
                <Arg name="factories">
                    <Array type="org.eclipse.jetty.server.ConnectionFactory">

                        <!-- uncomment to support proxy protocol
                        <Item>
                            <New class="org.eclipse.jetty.server.ProxyConnectionFactory"/>
                        </Item>-->

                        <Item>
                            <New class="org.eclipse.jetty.server.SslConnectionFactory">
                                <Arg name="next">http/1.1</Arg>
                                <Arg name="sslContextFactory"><Ref refid="sslContextFactory"/></Arg>
                            </New>
                        </Item>
                        <Item>
                            <New class="org.eclipse.jetty.server.HttpConnectionFactory">
                                <Arg name="config"><Ref refid="sslHttpConfig" /></Arg>
                            </New>
                        </Item>
                    </Array>
                </Arg>

                <Set name="host"><Property name="jetty.host" /></Set>
                <Set name="port"><Property name="jetty.https.port" default="9443" /></Set>
                <Set name="idleTimeout"><Property name="ssl.timeout" default="30000"/></Set>
            </New>
        </Arg>
    </Call>


    <Call class="java.lang.System"  name="setProperty">
        <Arg>org.apache.jasper.compiler.disablejsr199</Arg>
        <Arg>true</Arg>
    </Call>

    <!-- Fix for java.lang.IllegalStateException: Form too large 207624>200000 -->
    <Call name="setAttribute">
      <Arg>org.eclipse.jetty.server.Request.maxFormContentSize</Arg>
      <Arg><Property name="jetty.maxFormContentSize" default="1000000"/></Arg>
    </Call>

Disabling older SSL/TLS versions

For security reasons, older and/or unused versions of SSL/TLS can be disabled by adding an exclusion for those protocols in the Jetty configuration.

Follow these steps to disable older SSL/TLS protocols:

  1. Open the <NXLogManager_HOME>/conf/jetty-config.xml file with a text editor.

  2. Under the sslContextFactory section, add an ExcludeProtocols property as follows:

        <Set name="ExcludeProtocols">
            <Array type="java.lang.String">
                <Item>SSLv3</Item>
                <Item>TLSv1</Item>
                <Item>TLSv1.1</Item>
            </Array>
        </Set>

    The example below shows the complete sslContextFactory section after adding the list of excluded protocols.

    jetty-config.xml
    <New id="sslContextFactory" class="com.nxsec.log4ensics.dbmanager.common.server.util.ssl.SslContextFactory">
        <Set name="ServerCertificate"><Property name="jetty.home" default=".." />/conf/jetty9-cert.pem</Set>
        <Set name="ServerKey"><Property name="jetty.home" default=".." />/conf/jetty9-key.pem</Set>
        <Set name="ServerKeyPassword"></Set>
        <Set name="EndpointIdentificationAlgorithm"></Set>
        <Set name="NeedClientAuth"><Property name="jetty.ssl.needClientAuth" default="false"/></Set>
        <Set name="WantClientAuth"><Property name="jetty.ssl.wantClientAuth" default="false"/></Set>
        <Set name="ExcludeProtocols">
            <Array type="java.lang.String">
                <Item>SSLv3</Item>
                <Item>TLSv1</Item>
                <Item>TLSv1.1</Item>
            </Array>
        </Set>
        <Set name="ExcludeCipherSuites">
            <Array type="String">
                <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
                <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
                <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
                <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
                <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
                <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
                <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
                <Item>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
                <Item>SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA</Item>
                <Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA256</Item>
                <Item>TLS_DHE_DSS_WITH_AES_256_CBC_SHA256</Item>
                <Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</Item>
                <Item>TLS_DHE_DSS_WITH_AES_256_CBC_SHA</Item>
                <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</Item>
                <Item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA256</Item>
                <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
                <Item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</Item>
            </Array>
        </Set>
    </New>
  3. Restart the NXLog Manager service to apply the changes.
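The following Python script is an added example (not part of NXLog Manager) that audits the sslContextFactory section for the three legacy protocols listed in step 2 and adds the ExcludeProtocols setting when it is missing, so the check can be repeated after upgrades or config restores. It runs against a constructed, minimal jetty-config.xml embedded in the script; point it at the real file by reading <NXLogManager_HOME>/conf/jetty-config.xml instead.

```python
import xml.etree.ElementTree as ET

# Constructed minimal jetty-config.xml: the sslContextFactory section before
# ExcludeProtocols has been added (the real file contains further elements).
SAMPLE_CONFIG = """<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <New id="sslContextFactory" class="com.nxsec.log4ensics.web.common.server.util.ssl.SslContextFactory">
    <Set name="ServerCertificate"><Property name="jetty.home" default=".."/>/conf/jetty9-cert.pem</Set>
    <Set name="ServerKey"><Property name="jetty.home" default=".."/>/conf/jetty9-key.pem</Set>
    <Set name="ExcludeCipherSuites">
      <Array type="String"><Item>SSL_RSA_WITH_DES_CBC_SHA</Item></Array>
    </Set>
  </New>
</Configure>
"""

LEGACY_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1")


def _ssl_context_factory(root):
    node = root.find(".//New[@id='sslContextFactory']")
    if node is None:
        raise ValueError("no <New id='sslContextFactory'> element in jetty-config.xml")
    return node


def excluded_protocols(xml_text):
    """Protocol names currently listed under <Set name="ExcludeProtocols">."""
    factory = _ssl_context_factory(ET.fromstring(xml_text))
    items = factory.findall("./Set[@name='ExcludeProtocols']/Array/Item")
    return {item.text.strip() for item in items if item.text}


def missing_legacy_exclusions(xml_text):
    """Legacy protocols the config does NOT yet exclude (empty set means compliant)."""
    return set(LEGACY_PROTOCOLS) - excluded_protocols(xml_text)


def add_excluded_protocols(xml_text, protocols=LEGACY_PROTOCOLS):
    """Return the config with the protocols excluded; idempotent, other settings untouched."""
    root = ET.fromstring(xml_text)
    factory = _ssl_context_factory(root)
    setting = factory.find("./Set[@name='ExcludeProtocols']")
    if setting is None:
        setting = ET.SubElement(factory, "Set", name="ExcludeProtocols")
    array = setting.find("Array")
    if array is None:
        array = ET.SubElement(setting, "Array", type="java.lang.String")
    present = {i.text.strip() for i in array.findall("Item") if i.text}
    for proto in protocols:
        if proto not in present:
            ET.SubElement(array, "Item").text = proto
    return ET.tostring(root, encoding="unicode")
```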