CSSCurrent en:Web Server Configuration

Aus Cryptshare Documentation
Wechseln zu:Navigation, Suche

About Web Server Configuration

Cryptshare is using a Jetty Web Server for rendering the web pages. It is delivered, installed and configured as part of the Cryptshare Software. Reconfiguring the web server is not required in most cases. However if circumstances demand, it is possible to do so by modifying the respective configuration files. These files can be found in the sub-folder "resources/WEB-INF" of the installation directory. Apart from changes you may want to do for configuring ports and SSL settings we suggest to leave these files unchanged.

Web Server Configuration Files

File Area Description
ui-config.xml User Interface Port and SSL configuration for the user interface on Windows servers.
ai-config.xml Admin Interface Port and SSL configuration for the administration interface

Web Application Configuration Files

These files do not exist in the "resources/WEB-INF" directory by default, but can be created when needed to override the default settings.

File Area Description
ui-web.xml User Interface Application and security configuration for the user interface.
ai-web.xml Admin Interface Application and security configuration for the administration interface
ws-web.xml Web Service Interface Application and security configuration for the WSDL interface.

Port Configuration

It is possible to adapt the ports without editing the XML configuration files. The desired port numbers can be specified instead via the file "launcher.ini", which is located in the installation directory. For more information, see the section about the system startup settings.

SSL/TLS Configuration

Any of the *-config.xml files contain SSL settings for the corresponding area of the Cryptshare application. The following settings can be modified:

  • Password for 'TrustStore'
  • Password for the Cryptshare 'Keystore'
  • Password for the SSL certificate in use
  • Accepted SSL protocols
  • Denied SSL protocols
  • Excluded SSL Cipher Suites

Changing Passwords

Cryptshare uses a Java TrustStore as well as a Keystore to keep the web site certificates for all parts of the application.

When changing the password this has to be configured for all existing configuration files:
  • ui-config.xml
  • ai-config.xml

Managing Certificates

Detailed information on managing SSL certificates can be found in the chapter for Setting up an SSL Certificate. We suggest to use the Windows Tool "KeyStore Explorer" for managing Java Keystores: https://keystore-explorer.org/downloads.html The tool is freeware and can be used for all administrative tasks concerning SSL certificates for Java.

Managing Active Protocols and Cipher Suites

The Cryptshare Web Server has been pre-configured not to use any protocols or cipher suites known to be insecure. However this can prevent older browsers from successfully establishing an SSL connection with the Cryptshare server. In this case it is recommended to use another browser or an up to date browser version. If this is not possible or desired you can activate the required protocol or cipher suite by changing the setting in the corresponding configuration file (see section SSL Configuration above).

Please note that this is not recommended as it may allow low-security SSL connections to be established.

Enabling Server Name Indication (SNI)

SNI can be enabled by setting the system property cryptshare.ui.sniHostCheck to true.

Configure Default Settings for TLS

It is possible to configure default TLS settings of Cryptshare server.  Therefore it is necessary to edit the configuration files of the jetty webserver (ui-config.xml / ai-config.xml). The files are located in the subdirectory 'resources/WEB-INF' in the installation directory. This is the relevant part of the configuration files:


<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "resources/WEB-INF/configure.dtd">
<Configure id="Cryptshare" class="org.eclipse.jetty.server.Server">
	<New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">
		<Set name="KeyStorePath">lib/security/keystore</Set>
		<Set name="KeyStorePassword">CA0AZhuFM4NogQh</Set>
		<Set name="KeyManagerPassword">CA0AZhuFM4NogQh</Set>
		<Set name="TrustStorePath">
			<SystemProperty name="java.home" default="."/>/lib/security/cacerts
		<Set name="TrustStorePassword">changeit</Set>
		<Set name="protocol">TLSv1.2</Set>
		<Set name="renegotiationAllowed">false</Set>
		<Set name="includeProtocols">
			<Array type="java.lang.String">
		<Set name="excludeProtocols">
			<Array type="java.lang.String">

In the "includeProtocols" section all protocols are listed which will be available for establishing a secure connection to the server. In the "excludeProtocols" section all protocols are listed which will not be available for establishing a secure connection to the server.

Configuration of the Session Timeout for the User Interface

It is possible to manually configure the session timeout for the user interface. In the standard system there is a session timeout of 30 minutes. In order to configure a timeout different from the standard, the ui-web.xml must be modified. For this in the <session-config> block a new line can be inserted for the timeout (see below).


The specified value corresponds to a timeout in minutes.