Enabling HTTPS for NXLog Manager

Starting with version 5.5, NXLog Manager is shipped with enabled HTTPS. To operate with it, NXLog Manager requires either a certificate issued by a certificate authority (CA) or a self-signed certificate. A self-signed certificate and private key are generated during the installation of NXLog Manager. A self-signed certificate can be used for testing and providing encryption for the initial setup; however, for production systems, it should be replaced with a certificate issued by a certificate authority.

After the installation, the key and certificate are stored under the following paths:

Table 1. Paths for Certificate and Private Key

Version of Manager   Path                        Private Key        Certificate
5.x                  <NXLogManager_HOME>/conf/   jetty9-key.pem     jetty9-cert.pem
6.x                  <NXLogManager_HOME>/etc/    keystore.p12 (a single PKCS#12 store holding both the key and the certificate)

If the private key is password-protected, the following properties are available to set the password:

  • for versions 5.x, it can be set under the ServerKeyPassword property of the <NXLogManager_HOME>/conf/jetty-config.xml file.

  • for versions 6.x, the password can be specified under the jetty.sslContext.keyStorePassword property of the <NXLogManager_HOME>/etc/start.ini file.

Jetty 9 supports obfuscated and hashed passwords, which can be generated with Jetty’s password utility. For example, enter the following command to generate a secured version of the password newpass for user myuser:

> java -cp <NXLogManager_HOME>/lib/jetty-util-xxx.jar org.eclipse.jetty.util.security.Password myuser newpass

where xxx stands for the version of Jetty installed with NXLog Manager. The following output will be generated:

newpass
OBF:1xmi1vu91vv91xfj1vu11vv11xms
MD5:e6053eb8d35e02ae40beeeacef203c1a
CRYPT:myBmXhAi5GjtE

The first line is the plain text password. Copy the secured version of your choice, including its prefix, and paste it into the <NXLogManager_HOME>/etc/start.ini file under the jetty.sslContext.keyStorePassword property.
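The OBF: form above is reversible obfuscation, not encryption: Jetty's Password class decodes it at startup to obtain the real keystore password (the MD5: and CRYPT: forms are one-way hashes that Jetty cannot reverse, so they serve realm files rather than keystore unlocking). The following added example, which is not part of the NXLog documentation or of Jetty itself, re-implements the published OBF algorithm in Python and reproduces the sample output for newpass, so an administrator can see exactly what protection the value in start.ini does and does not provide: it hides the password from a casual glance, and nothing more, so file permissions on start.ini remain the real control.

```python
import string

_B36 = string.digits + string.ascii_lowercase


def _to_base36(n: int) -> str:
    """Lower-case base-36 encoding, matching Java's Integer.toString(n, 36)."""
    if n == 0:
        return "0"
    out = []
    while n:
        n, r = divmod(n, 36)
        out.append(_B36[r])
    return "".join(reversed(out))


def jetty_obfuscate(password: str) -> str:
    """Produce the OBF: form of a password the way Jetty's Password utility does.

    Each output chunk mixes byte i with its mirror byte from the end of the
    string. No key is involved, so anyone holding the string can undo it.
    """
    b = password.encode("utf-8")
    n = len(b)
    chunks = ["OBF:"]
    for i in range(n):
        b1, b2 = b[i], b[n - 1 - i]
        if b1 >= 0x80 or b2 >= 0x80:
            # Non-ASCII byte (a negative Java byte): escaped with a 'U' prefix.
            chunks.append("U" + _to_base36(b1 * 256 + b2).rjust(4, "0"))
        else:
            i1 = 127 + b1 + b2  # sum term
            i2 = 127 + b1 - b2  # difference term
            chunks.append(_to_base36(i1 * 256 + i2).rjust(4, "0"))
    return "".join(chunks)


def jetty_deobfuscate(obf: str) -> str:
    """Recover the plain text from an OBF: string (the inverse of jetty_obfuscate)."""
    s = obf[4:] if obf.startswith("OBF:") else obf
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "U":
            i0 = int(s[i + 1:i + 5], 36)
            out.append((i0 >> 8) & 0xFF)
            i += 5
        else:
            i0 = int(s[i:i + 4], 36)
            i1, i2 = divmod(i0, 256)
            out.append((i1 + i2 - 254) // 2)  # solves for b1 from the two terms
            i += 4
    return out.decode("utf-8")


if __name__ == "__main__":
    # Sample value taken from the documentation output above, not a real credential.
    print(jetty_obfuscate("newpass"))  # OBF:1xmi1vu91vv91xfj1vu11vv11xms
    print(jetty_deobfuscate("OBF:1xmi1vu91vv91xfj1vu11vv11xms"))  # newpass
```

Because the value is recoverable by anyone who can read the file, treat start.ini (and jetty-config.xml on 5.x) as a secret: restrict it to the service account, keep it out of version control, and rotate the keystore password if the file is ever exposed.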

Configuring ports

Starting with version 5.5, NXLog Manager is shipped with SSL enabled on the default port 9443.

For versions 6.x, the port can be customized in the <NXLogManager_HOME>/etc/start.ini file by editing the jetty.ssl.port parameter.

For versions 5.x, the port can be customized in the <NXLogManager_HOME>/conf/jetty-config.xml file.

To enable SSL in versions 5.x prior to 5.5, uncomment three sections in <NXLogManager_HOME>/conf/jetty-config.xml which appear as follows:

jetty-config.xml
    <New id="sslContextFactory" class="com.nxsec.log4ensics.web.common.server.util.ssl.SslContextFactory">
        <Set name="ServerCertificate"><Property name="jetty.home" default=".." />/conf/jetty9-cert.pem</Set>
        <Set name="ServerKey"><Property name="jetty.home" default=".." />/conf/jetty9-key.pem</Set>
        <Set name="ServerKeyPassword"></Set>
        <Set name="EndpointIdentificationAlgorithm"></Set>
        <Set name="NeedClientAuth"><Property name="jetty.ssl.needClientAuth" default="false"/></Set>
        <Set name="WantClientAuth"><Property name="jetty.ssl.wantClientAuth" default="false"/></Set>
        <Set name="ExcludeCipherSuites">
            <Array type="String">
                <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
                <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
                <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
                <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
                <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
                <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
                <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
                <Item>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
                <Item>SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA</Item>
                <Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA256</Item>
                <Item>TLS_DHE_DSS_WITH_AES_256_CBC_SHA256</Item>
                <Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</Item>
                <Item>TLS_DHE_DSS_WITH_AES_256_CBC_SHA</Item>
                <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</Item>
                <Item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA256</Item>
                <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
                <Item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</Item>
            </Array>
        </Set>
    </New>
jetty-config.xml
    <New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
        <Arg><Ref refid="httpConfig"/></Arg>
        <Call name="addCustomizer">
            <Arg><New class="org.eclipse.jetty.server.SecureRequestCustomizer"/></Arg>
        </Call>
    </New>
jetty-config.xml
    <Call  name="addConnector">
        <Arg>
            <New id="sslConnector" class="org.eclipse.jetty.server.ServerConnector">
                <Arg name="server"><Ref refid="Server" /></Arg>
                <Arg name="factories">
                    <Array type="org.eclipse.jetty.server.ConnectionFactory">

                        <!-- uncomment to support proxy protocol
                        <Item>
                            <New class="org.eclipse.jetty.server.ProxyConnectionFactory"/>
                        </Item>-->

                        <Item>
                            <New class="org.eclipse.jetty.server.SslConnectionFactory">
                                <Arg name="next">http/1.1</Arg>
                                <Arg name="sslContextFactory"><Ref refid="sslContextFactory"/></Arg>
                            </New>
                        </Item>
                        <Item>
                            <New class="org.eclipse.jetty.server.HttpConnectionFactory">
                                <Arg name="config"><Ref refid="sslHttpConfig" /></Arg>
                            </New>
                        </Item>
                    </Array>
                </Arg>

                <Set name="host"><Property name="jetty.host" /></Set>
                <Set name="port"><Property name="jetty.https.port" default="9443" /></Set>
                <Set name="idleTimeout"><Property name="ssl.timeout" default="30000"/></Set>
            </New>
        </Arg>
    </Call>


    <Call class="java.lang.System"  name="setProperty">
        <Arg>org.apache.jasper.compiler.disablejsr199</Arg>
        <Arg>true</Arg>
    </Call>

    <!-- Fix for java.lang.IllegalStateException: Form too large 207624>200000 -->
    <Call name="setAttribute">
      <Arg>org.eclipse.jetty.server.Request.maxFormContentSize</Arg>
      <Arg><Property name="jetty.maxFormContentSize" default="1000000"/></Arg>
    </Call>

Disabling older SSL/TLS versions

For security reasons, older and/or unused versions of SSL/TLS can be disabled by adding an exclusion for those protocols in the Jetty configuration.

Follow these steps to disable older SSL/TLS protocols in versions 6.x:

  1. Create a new file <NXLogManager_HOME>/etc/tweak-ssl.xml.

  2. Open tweak-ssl.xml with a text editor and add the following content:

    tweak-ssl.xml
    <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">
    <!-- Tweak SslContextFactory Includes / Excludes -->
    <Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
        <!-- Eliminate Insecure Protocols -->
        <Call name="addExcludeProtocols">
            <Arg>
                <Array type="java.lang.String">
                    <Item>SSLv3</Item>
                    <Item>TLSv1</Item>
                    <Item>TLSv1.1</Item>
                </Array>
            </Arg>
        </Call>
    </Configure>
  3. Open the <NXLogManager_HOME>/etc/start.ini file with a text editor and add the path of the above file under the --module=https section as follows:

    start.ini
    --module=https
    etc/tweak-ssl.xml
  4. Restart the NXLog Manager service to apply the changes.

Follow these steps to disable older SSL/TLS protocols in versions 5.x:

  1. Open the <NXLogManager_HOME>/conf/jetty-config.xml file with a text editor.

  2. Under the sslContextFactory section, add an ExcludeProtocols property as follows:

        <Set name="ExcludeProtocols">
            <Array type="java.lang.String">
                <Item>SSLv3</Item>
                <Item>TLSv1</Item>
                <Item>TLSv1.1</Item>
            </Array>
        </Set>

    The example below shows the complete sslContextFactory section after adding the list of excluded protocols.

    jetty-config.xml
    <New id="sslContextFactory" class="com.nxsec.log4ensics.dbmanager.common.server.util.ssl.SslContextFactory">
        <Set name="ServerCertificate"><Property name="jetty.home" default=".." />/conf/jetty9-cert.pem</Set>
        <Set name="ServerKey"><Property name="jetty.home" default=".." />/conf/jetty9-key.pem</Set>
        <Set name="ServerKeyPassword"></Set>
        <Set name="EndpointIdentificationAlgorithm"></Set>
        <Set name="NeedClientAuth"><Property name="jetty.ssl.needClientAuth" default="false"/></Set>
        <Set name="WantClientAuth"><Property name="jetty.ssl.wantClientAuth" default="false"/></Set>
        <Set name="ExcludeProtocols">
            <Array type="java.lang.String">
                <Item>SSLv3</Item>
                <Item>TLSv1</Item>
                <Item>TLSv1.1</Item>
            </Array>
        </Set>
        <Set name="ExcludeCipherSuites">
            <Array type="String">
                <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
                <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
                <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
                <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
                <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
                <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
                <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
                <Item>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
                <Item>SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA</Item>
                <Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA256</Item>
                <Item>TLS_DHE_DSS_WITH_AES_256_CBC_SHA256</Item>
                <Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</Item>
                <Item>TLS_DHE_DSS_WITH_AES_256_CBC_SHA</Item>
                <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</Item>
                <Item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA256</Item>
                <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
                <Item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</Item>
            </Array>
        </Set>
    </New>
  3. Restart the NXLog Manager service to apply the changes.
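Both procedures above end with a restart, and the only evidence that the exclusion took effect is the configuration itself until the service is back up. The following added example is not part of the NXLog documentation; it is a small audit script that parses either form of the Jetty XML shown on this page (the 6.x tweak-ssl.xml with <Call name="addExcludeProtocols"> and the 5.x jetty-config.xml with <Set name="ExcludeProtocols">) and reports which of SSLv3, TLSv1 and TLSv1.1 a given file still leaves enabled. The three XML snippets embedded in the script are constructed test inputs modelled on the listings above.

```python
import xml.etree.ElementTree as ET

# Legacy protocol versions this page tells you to exclude.
REQUIRED_EXCLUSIONS = {"SSLv3", "TLSv1", "TLSv1.1"}


def excluded_protocols(xml_text: str) -> set:
    """Collect protocol names excluded in a Jetty XML configuration.

    Recognises the 6.x form, <Call name="addExcludeProtocols">, and the
    5.x form, <Set name="ExcludeProtocols">; the DOCTYPE with the external
    Jetty DTD is accepted and ignored by ElementTree.
    """
    root = ET.fromstring(xml_text)
    found = set()
    for node in root.iter():
        if node.tag in ("Call", "Set") and node.get("name") in (
            "addExcludeProtocols",
            "ExcludeProtocols",
        ):
            for item in node.iter("Item"):
                if item.text:
                    found.add(item.text.strip())
    return found


def missing_exclusions(xml_text: str) -> set:
    """Return the legacy protocols a configuration still leaves enabled."""
    return REQUIRED_EXCLUSIONS - excluded_protocols(xml_text)


# Constructed sample: a 6.x tweak-ssl.xml matching the listing above.
TWEAK_SSL_OK = """<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
    <Call name="addExcludeProtocols">
        <Arg><Array type="java.lang.String">
            <Item>SSLv3</Item><Item>TLSv1</Item><Item>TLSv1.1</Item>
        </Array></Arg>
    </Call>
</Configure>"""

# Constructed sample: the same file with TLSv1.1 left out by mistake.
TWEAK_SSL_WEAK = """<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
    <Call name="addExcludeProtocols">
        <Arg><Array type="java.lang.String">
            <Item>SSLv3</Item><Item>TLSv1</Item>
        </Array></Arg>
    </Call>
</Configure>"""

# Constructed sample: the 5.x sslContextFactory section (cipher list shortened).
JETTY_CONFIG_5X = """<New id="sslContextFactory" class="com.nxsec.log4ensics.web.common.server.util.ssl.SslContextFactory">
    <Set name="ServerKeyPassword"></Set>
    <Set name="ExcludeProtocols">
        <Array type="java.lang.String">
            <Item>SSLv3</Item><Item>TLSv1</Item><Item>TLSv1.1</Item>
        </Array>
    </Set>
    <Set name="ExcludeCipherSuites">
        <Array type="String"><Item>SSL_RSA_WITH_DES_CBC_SHA</Item></Array>
    </Set>
</New>"""


if __name__ == "__main__":
    for name, text in (("tweak-ssl.xml", TWEAK_SSL_OK),
                       ("tweak-ssl.xml (weak)", TWEAK_SSL_WEAK),
                       ("jetty-config.xml", JETTY_CONFIG_5X)):
        gap = missing_exclusions(text)
        print(f"{name}: {'OK' if not gap else 'still enabled: ' + ', '.join(sorted(gap))}")
```

Point the script at the real file with `missing_exclusions(open(path).read())` before restarting. After the restart, confirm on the wire as well: `openssl s_client -connect <host>:9443 -tls1_1` must fail to complete the handshake, while a plain `openssl s_client -connect <host>:9443` should report TLSv1.2 or later. A file that parses but names a protocol in the wrong element (for example a typo in the Call name) is the failure mode the config check catches; a file that Jetty never loads because the path was not added to start.ini is the one only the live check catches.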