Web Server Configuration
About Web Server Configuration
Cryptshare uses a Jetty web server to render its web pages. It is delivered, installed and configured as part of the Cryptshare software. Reconfiguring the web server is not required in most cases. However, if circumstances demand it, this can be done by modifying the respective configuration files. These files can be found in the subfolder "resources/WEB-INF" of the installation directory. Apart from the changes you may want to make to ports and SSL settings, we suggest leaving these files unchanged.
Web Server Configuration Files
File | Area | Description |
---|---|---|
ui-config.xml | User Interface | Port and SSL configuration for the user interface on Windows servers. |
ai-config.xml | Admin Interface | Port and SSL configuration for the administration interface. |
Web Application Configuration Files
These files do not exist in the "resources/WEB-INF" directory by default, but can be created when needed to override the default settings.
File | Area | Description |
---|---|---|
ui-web.xml | User Interface | Application and security configuration for the user interface. |
ai-web.xml | Admin Interface | Application and security configuration for the administration interface. |
ws-web.xml | Web Service Interface | Application and security configuration for the WSDL interface. |
Port Configuration (before version 3.12.0.0)
Every \*-config.xml file contains the port configuration for the corresponding area of the Cryptshare application. There is always one setting each for the HTTP port and the HTTPS port.
HTTP Port Configuration
- Open the XML configuration file for the area of the Cryptshare application whose ports you want to change.
- Search for the "ServerConnector" section.
- Change the content of the XML tag whose "name" attribute has the value "port" to the port number you want to use.
- Restart the Cryptshare service.
HTTPS Port Configuration
- Open the XML configuration file for the area of the Cryptshare application whose ports you want to change.
- Search for the "HttpConfiguration" section with the id "httpConfig".
- Change the value of the property "jetty.secure.port" to the port number you want to use.
- Search for the "HttpConfiguration" section with the id "tlsHttpConfig".
- Change the value of the property "jetty.tls.port" to the port number you want to use.
- Search for the "host" section.
- Change the value of the property "jetty.tls.port" there to the same port number.
- Restart the Cryptshare service.
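Because the HTTPS port has to be changed in several places, the most common mistake is editing only some of them. The following script is an added example (not part of the Cryptshare documentation or product) that parses a \*-config.xml in the layout of a standard Jetty XML file and reports when the "jetty.secure.port" and "jetty.tls.port" values disagree or a connector port is invalid. The element layout of the sample file, the connector ids and the port values are assumptions constructed for the example; the real Cryptshare file may be laid out differently.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a standard Jetty XML file (an assumption
# about the real *-config.xml layout). The HTTPS port was changed to 443 in
# both HttpConfiguration blocks, but the TLS connector still carries 8443.
SAMPLE_CONFIG = """<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "resources/WEB-INF/configure.dtd">
<Configure id="Cryptshare" class="org.eclipse.jetty.server.Server">
  <New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <Set name="secureScheme">https</Set>
    <Set name="securePort"><Property name="jetty.secure.port" default="443"/></Set>
  </New>
  <New id="tlsHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <Set name="securePort"><Property name="jetty.tls.port" default="443"/></Set>
  </New>
  <Call name="addConnector">
    <Arg>
      <New id="httpConnector" class="org.eclipse.jetty.server.ServerConnector">
        <Set name="port">80</Set>
      </New>
    </Arg>
  </Call>
  <Call name="addConnector">
    <Arg>
      <New id="tlsConnector" class="org.eclipse.jetty.server.ServerConnector">
        <Set name="host">0.0.0.0</Set>
        <Set name="port"><Property name="jetty.tls.port" default="8443"/></Set>
      </New>
    </Arg>
  </Call>
</Configure>
"""

# The two property names the page tells the administrator to edit.
SECURE_PORT_PROPERTIES = ("jetty.secure.port", "jetty.tls.port")


def property_defaults(root, name):
    """All 'default' values of <Property name="..."/> elements with that name, in file order."""
    return [int(p.get("default")) for p in root.iter("Property")
            if p.get("name") == name and p.get("default")]


def connector_ports(root):
    """Map each ServerConnector id to the port it listens on (literal text or Property default)."""
    ports = {}
    for new in root.iter("New"):
        if not new.get("class", "").endswith(".ServerConnector"):
            continue
        for setter in new.findall("Set"):
            if setter.get("name") != "port":
                continue
            prop = setter.find("Property")
            text = prop.get("default") if prop is not None else (setter.text or "")
            ports[new.get("id")] = int(text.strip())
    return ports


def audit_ports(xml_text):
    """Return the ports found in a *-config.xml together with a list of consistency issues."""
    root = ET.fromstring(xml_text)  # expat does not fetch the external DTD
    connectors = connector_ports(root)
    secure = {name: property_defaults(root, name) for name in SECURE_PORT_PROPERTIES}
    issues = []
    https_values = sorted({v for values in secure.values() for v in values})
    if len(https_values) > 1:
        issues.append(f"HTTPS port differs between settings: {https_values}")
    for cid, port in connectors.items():
        if not 1 <= port <= 65535:
            issues.append(f"{cid}: port {port} is outside 1-65535")
    if len(set(connectors.values())) < len(connectors):
        issues.append("two connectors are configured with the same port")
    return {"connectors": connectors, "secure": secure, "issues": issues}


if __name__ == "__main__":
    report = audit_ports(SAMPLE_CONFIG)
    print("connectors:", report["connectors"])
    print("secure port settings:", report["secure"])
    for issue in report["issues"]:
        print("ISSUE:", issue)
```

Run it against the real file with `audit_ports(open("resources/WEB-INF/ui-config.xml").read())` after editing and before restarting the service; an empty `issues` list means every HTTPS port setting agrees.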
Port Configuration (version 3.12.0.0 or higher)
Beginning with version 3.12.0.0, it is possible to adapt the ports without editing the XML configuration files. The desired port numbers can be specified instead via the file "launcher.ini", which is located in the installation directory. For more information, see the section about the system startup settings.
TLS Configuration
SSL Configuration
Each of the \*-config.xml files contains the SSL settings for the corresponding area of the Cryptshare application. The following settings can be modified:
- Password for 'TrustStore'
- Password for the Cryptshare 'Keystore'
- Password for the SSL certificate in use
- Accepted SSL protocols
- Denied SSL protocols
- Excluded SSL Cipher Suites
Changing SSL Passwords
Cryptshare uses a Java TrustStore as well as a Keystore to hold the web site certificates for all parts of the application. The passwords for these stores are set in the following files:
- ui-config.xml
- ai-config.xml
Managing SSL Certificates
Detailed information on managing SSL certificates can be found in the chapter on Setting up an SSL Certificate. We suggest using the Windows tool "KeyStore Explorer" for managing Java Keystores: http://keystore-explorer.sourceforge.net/downloads.php The tool is freeware and can be used for all administrative tasks concerning SSL certificates for Java.
Managing Active Protocols and Cipher Suites
The Cryptshare web server has been pre-configured not to use any protocols or cipher suites known to be insecure. However, this can prevent older browsers from establishing an SSL connection with the Cryptshare server. In this case it is recommended to use another browser or an up-to-date browser version. If this is not possible or not desired, you can activate the required protocol or cipher suite by changing the setting in the corresponding configuration file (see section SSL Configuration above).
Configure Default Settings for TLS
It is possible to configure the default TLS settings of the Cryptshare server. To do so, edit the configuration files of the Jetty web server (ui-config.xml / ai-config.xml). The files are located in the subdirectory 'resources/WEB-INF' of the installation directory. This is the relevant part of the configuration files:

ui-config.xml/ai-config.xml

```xml
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "resources/WEB-INF/configure.dtd">
<Configure id="Cryptshare" class="org.eclipse.jetty.server.Server">
  <New id="sslContextFactory" class="com.cryptshare.server.CSSSLContextFactory">
    <Set name="KeyStorePath">lib/security/keystore</Set>
    <Set name="KeyStorePassword">CA0AZhuFM4NogQh</Set>
    <Set name="KeyManagerPassword">CA0AZhuFM4NogQh</Set>
    <Set name="TrustStorePath">
      <SystemProperty name="java.home" default="."/>/lib/security/cacerts
    </Set>
    <Set name="TrustStorePassword">changeit</Set>
    <Set name="protocol">TLSv1.2</Set>
    <Set name="renegotiationAllowed">false</Set>
    <Set name="includeProtocols">
      <Array type="java.lang.String">
        <Item>TLSv1.2</Item>
        <Item>TLSv1.3</Item>
      </Array>
    </Set>
    <Set name="excludeProtocols">
      <Array type="java.lang.String">
        <Item>TLSv1</Item>
        <Item>SSLv3</Item>
        <Item>SSLv2Hello</Item>
        <Item>TLSv1.1</Item>
      </Array>
    </Set>
```
The "includeProtocols" section lists all protocols that are available for establishing a secure connection to the server. The "excludeProtocols" section lists all protocols that are not available for establishing a secure connection to the server.
Reactivating TLS 1.0 and TLS 1.1
If it is necessary to reactivate TLS 1.0 and/or TLS 1.1, the Jetty web server configuration files have to be updated as shown below:

ui-config.xml/ai-config.xml

```xml
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "resources/WEB-INF/configure.dtd">
<Configure id="Cryptshare" class="org.eclipse.jetty.server.Server">
  <New id="sslContextFactory" class="com.cryptshare.server.CSSSLContextFactory">
    <Set name="KeyStorePath">lib/security/keystore</Set>
    <Set name="KeyStorePassword">CA0AZhuFM4NogQh</Set>
    <Set name="KeyManagerPassword">CA0AZhuFM4NogQh</Set>
    <Set name="TrustStorePath">
      <SystemProperty name="java.home" default="."/>/lib/security/cacerts
    </Set>
    <Set name="TrustStorePassword">changeit</Set>
    <Set name="protocol">TLSv1.2</Set>
    <Set name="renegotiationAllowed">false</Set>
    <Set name="includeProtocols">
      <Array type="java.lang.String">
        <Item>TLSv1</Item>
        <Item>TLSv1.1</Item>
        <Item>TLSv1.2</Item>
        <Item>TLSv1.3</Item>
      </Array>
    </Set>
    <Set name="excludeProtocols">
      <Array type="java.lang.String">
        <Item>SSLv3</Item>
        <Item>SSLv2Hello</Item>
      </Array>
    </Set>
```
The TLS versions which should be enabled must be added to the "includeProtocols" section and removed from the "excludeProtocols" section.
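The two configurations above differ only in which protocol names sit in "includeProtocols" and "excludeProtocols", and a protocol only becomes usable once it has been added to the first list and removed from the second. The following script is an added example (not part of the Cryptshare documentation or product) that reads the sslContextFactory section of a \*-config.xml and reports any legacy protocol that has been enabled, any protocol listed in both arrays, and whether renegotiation is still disabled. The XML samples are constructed for the example from the excerpts above with the keystore settings left out; the builder function `ssl_context_snippet` is part of the example and not a Cryptshare API.

```python
import xml.etree.ElementTree as ET

# Protocol names that the default configuration shown on the page excludes.
LEGACY_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}


def ssl_context_snippet(include, exclude):
    """Build a constructed sslContextFactory excerpt in the page's layout (sample input, not a real file)."""
    def items(names):
        return "".join(f"<Item>{n}</Item>" for n in names)
    return (
        '<Configure id="Cryptshare" class="org.eclipse.jetty.server.Server">'
        '<New id="sslContextFactory" class="com.cryptshare.server.CSSSLContextFactory">'
        '<Set name="protocol">TLSv1.2</Set>'
        '<Set name="renegotiationAllowed">false</Set>'
        f'<Set name="includeProtocols"><Array type="java.lang.String">{items(include)}</Array></Set>'
        f'<Set name="excludeProtocols"><Array type="java.lang.String">{items(exclude)}</Array></Set>'
        '</New></Configure>'
    )


# The page's default configuration.
DEFAULT_SNIPPET = ssl_context_snippet(
    ["TLSv1.2", "TLSv1.3"], ["TLSv1", "SSLv3", "SSLv2Hello", "TLSv1.1"])
# A half-done reactivation: TLSv1.1 added to includeProtocols but left in excludeProtocols.
HALF_DONE_SNIPPET = ssl_context_snippet(
    ["TLSv1.1", "TLSv1.2", "TLSv1.3"], ["TLSv1", "SSLv3", "SSLv2Hello", "TLSv1.1"])


def setting(factory, name):
    """The <Set name=...> element with that name directly below the factory element, or None."""
    return next((s for s in factory.findall("Set") if s.get("name") == name), None)


def protocol_list(factory, name):
    """The <Item> texts of the <Array> inside <Set name=name>, in file order."""
    setter = setting(factory, name)
    if setter is None:
        return []
    return [item.text.strip() for item in setter.iter("Item") if item.text]


def audit_tls(xml_text):
    """Return the include/exclude lists and a list of findings for one *-config.xml."""
    root = ET.fromstring(xml_text)
    factory = next((n for n in root.iter("New") if n.get("id") == "sslContextFactory"), None)
    if factory is None:
        return {"include": [], "exclude": [], "issues": ["no sslContextFactory element found"]}
    include = protocol_list(factory, "includeProtocols")
    exclude = protocol_list(factory, "excludeProtocols")
    issues = []
    for proto in include:
        if proto in LEGACY_PROTOCOLS:
            issues.append(f"{proto} is enabled; the default configuration excludes it")
        if proto in exclude:
            issues.append(f"{proto} is in both includeProtocols and excludeProtocols; "
                          "remove it from excludeProtocols for the change to take effect")
    reneg = setting(factory, "renegotiationAllowed")
    if reneg is None or (reneg.text or "").strip().lower() != "false":
        issues.append("renegotiationAllowed is not set to false")
    return {"include": include, "exclude": exclude, "issues": issues}


if __name__ == "__main__":
    for label, snippet in (("default", DEFAULT_SNIPPET), ("half-done", HALF_DONE_SNIPPET)):
        report = audit_tls(snippet)
        print(f"{label}: include={report['include']} exclude={report['exclude']}")
        for issue in report["issues"]:
            print("  ISSUE:", issue)
```

On the default configuration the script reports nothing; on the half-done reactivation it reports both that TLSv1.1 is a legacy protocol and that it is still excluded, which is exactly the state an administrator ends up in after editing only one of the two arrays.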
Configuration of the Session Timeout for the User Interface
It is possible to configure the session timeout for the user interface manually. By default, the session timeout is 30 minutes. To configure a different timeout, the ui-web.xml must be modified: insert a line for the timeout into the <session-config> block (see below).

```xml
...
<session-config>
  <cookie-config>
    <http-only>true</http-only>
  </cookie-config>
  <session-timeout>45</session-timeout>
</session-config>
...
```
The specified value corresponds to a timeout in minutes.
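The following script is an added example (not part of the Cryptshare documentation or product) that reads the <session-config> block of a ui-web.xml and reports the effective timeout, falling back to the 30-minute default stated above when the element is absent. It also flags a timeout of 0 or less, which the Servlet specification defines as sessions that never expire, and a session cookie without the HttpOnly flag. The web.xml fragments are constructed sample input; the namespace on the first one is the standard Java EE one and is an assumption about how the file might be written.

```python
import xml.etree.ElementTree as ET

DEFAULT_TIMEOUT_MINUTES = 30  # the page's stated default when no timeout is configured

# Constructed ui-web.xml fragments (sample input, not copies of a real Cryptshare file).
OVERRIDE_45 = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <cookie-config><http-only>true</http-only></cookie-config>
    <session-timeout>45</session-timeout>
  </session-config>
</web-app>"""

NEVER_EXPIRES = """<web-app>
  <session-config>
    <cookie-config><http-only>false</http-only></cookie-config>
    <session-timeout>0</session-timeout>
  </session-config>
</web-app>"""


def child_text(parent, tag):
    """Text of a direct child element, matching the tag in any or no XML namespace."""
    if parent is None:
        return None
    element = parent.find(f"{{*}}{tag}")
    return element.text.strip() if element is not None and element.text else None


def session_settings(xml_text):
    """Return the effective session timeout, the HttpOnly flag and a list of findings."""
    root = ET.fromstring(xml_text)
    config = root.find("{*}session-config")
    timeout_text = child_text(config, "session-timeout")
    timeout = int(timeout_text) if timeout_text is not None else DEFAULT_TIMEOUT_MINUTES
    cookie = config.find("{*}cookie-config") if config is not None else None
    http_only = (child_text(cookie, "http-only") or "false").lower() == "true"
    issues = []
    if timeout <= 0:
        # Servlet specification: a value of 0 or less means the session never times out.
        issues.append(f"session-timeout {timeout}: sessions never expire")
    if not http_only:
        issues.append("session cookie is not marked HttpOnly")
    return {"timeout_minutes": timeout, "http_only": http_only, "issues": issues}


if __name__ == "__main__":
    for label, fragment in (("override", OVERRIDE_45), ("never-expires", NEVER_EXPIRES)):
        report = session_settings(fragment)
        print(f"{label}: timeout={report['timeout_minutes']} min, http_only={report['http_only']}")
        for issue in report["issues"]:
            print("  ISSUE:", issue)
```

The `{*}` namespace wildcard needs Python 3.8 or later; it lets the same lookup work whether or not the file declares the Java EE namespace on its root element.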