Web Server Configuration

From Cryptshare Documentation

About Web Server Configuration

Cryptshare uses a Jetty web server to render its web pages. Jetty is delivered, installed and configured as part of the Cryptshare software, and reconfiguring it is not required in most cases. If circumstances demand it, however, the web server can be adjusted by modifying the respective configuration files, which are located in the subfolder "resources/WEB-INF" of the installation directory. Apart from the changes you may need for ports and SSL settings, we suggest leaving these files unchanged.

Web Server Configuration Files

File            Area             Description
ui-config.xml   User Interface   Port and SSL configuration for the user interface on Windows servers.
ai-config.xml   Admin Interface  Port and SSL configuration for the administration interface.

Web Application Configuration Files

These files do not exist in the "resources/WEB-INF" directory by default, but can be created when needed to override the default settings.

File          Area                   Description
ui-web.xml    User Interface         Application and security configuration for the user interface.
ai-web.xml    Admin Interface        Application and security configuration for the administration interface.
ws-web.xml    Web Service Interface  Application and security configuration for the WSDL interface.

Port Configuration (before version 3.12.0.0)

Every *-config.xml file contains the port configuration for the corresponding area of the Cryptshare application. There is always one setting for the HTTP port and one for the HTTPS port.

HTTP Port Configuration

  • Open the XML configuration file for the area of the Cryptshare application whose port you want to change.
  • Search for the "ServerConnector" section.
  • Change the content of the XML tag whose "name" attribute has the value "port" to the port number you want to use.
  • Restart the Cryptshare service.


HTTPS Port Configuration

  • Open the XML configuration file for the area of the Cryptshare application whose port you want to change.
  • Search for the "HttpConfiguration" section 'httpConfig'.
  • Change the value of the property 'jetty.secure.port' to the port number you want to use.
  • Search for the "HttpConfiguration" section 'tlsHttpConfig'.
  • Change the value of the property 'jetty.tls.port' to the port number you want to use.
  • Search for the 'host' section.
  • Change the value of the property 'jetty.tls.port' to the port number you want to use.
  • Restart the Cryptshare service.
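The two procedures above touch one literal port value for HTTP and three references to the same HTTPS port. As an added example (not part of the Cryptshare documentation or software), the following Python script applies both procedures to a config file and checks afterwards that every HTTPS reference agrees. The sample document inside it is a constructed approximation of the layout the steps describe (a ServerConnector with a literal "port" setting, "httpConfig" and "tlsHttpConfig" blocks with jetty.secure.port and jetty.tls.port properties, and a TLS connector reusing jetty.tls.port); element names and nesting in the shipped files may differ, so compare with your installation before pointing the script at it.

```python
"""Change the HTTP and HTTPS ports of a Cryptshare *-config.xml (Jetty XML, before 3.12.0.0).

Added example; it is not part of the Cryptshare documentation or software. The sample
document is a constructed approximation of the layout the procedure describes: a
ServerConnector whose literal <Set name="port"> holds the HTTP port, HttpConfiguration
blocks "httpConfig" and "tlsHttpConfig" whose jetty.secure.port / jetty.tls.port
properties hold the HTTPS port, and a TLS connector that reuses jetty.tls.port. The
element names and nesting in the shipped files may differ.
"""
import xml.etree.ElementTree as ET

# Constructed sample (assumption about the file layout, see the docstring).
SAMPLE_CONFIG = """<Configure id="Cryptshare" class="org.eclipse.jetty.server.Server">
  <New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <Set name="securePort"><Property name="jetty.secure.port" default="443"/></Set>
  </New>
  <New id="tlsHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <Set name="securePort"><Property name="jetty.tls.port" default="443"/></Set>
  </New>
  <Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ServerConnector">
        <Set name="host"><Property name="jetty.host"/></Set>
        <Set name="port">80</Set>
      </New>
    </Arg>
  </Call>
  <Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ServerConnector">
        <Set name="host"><Property name="jetty.host"/></Set>
        <Set name="port"><Property name="jetty.tls.port" default="443"/></Set>
      </New>
    </Arg>
  </Call>
</Configure>
"""

# The two property names the HTTPS procedure tells you to change.
HTTPS_PROPERTIES = ("jetty.secure.port", "jetty.tls.port")


def _check_port(port):
    if not isinstance(port, int) or not 1 <= port <= 65535:
        raise ValueError(f"not a valid TCP port: {port!r}")


def _connectors(root):
    for node in root.iter("New"):
        if node.get("class", "").endswith(".ServerConnector"):
            yield node


def _literal_http_port_settings(root):
    """<Set name="port"> elements holding a literal number (the plain-HTTP connectors).
    A port given as a <Property> belongs to the TLS connector and is handled separately."""
    for connector in _connectors(root):
        setting = connector.find("./Set[@name='port']")
        if setting is not None and setting.find("Property") is None:
            yield setting


def _https_ports(root):
    """Distinct HTTPS port values referenced anywhere in the file."""
    return sorted({p.get("default", "") for p in root.iter("Property")
                   if p.get("name") in HTTPS_PROPERTIES})


def port_summary(xml_text):
    """Report the ports a config file currently uses. More than one HTTPS value means the
    httpConfig, tlsHttpConfig and connector sections disagree, so clients redirected to
    the secure port would be sent to a port nothing listens on."""
    root = ET.fromstring(xml_text)
    http = [s.text.strip() for s in _literal_http_port_settings(root) if s.text]
    return {"http": http, "https": _https_ports(root)}


def reconfigure(xml_text, http_port, https_port):
    """Apply both procedures (HTTP step 3 and all HTTPS steps) and return the new document."""
    _check_port(http_port)
    _check_port(https_port)
    root = ET.fromstring(xml_text)
    for setting in _literal_http_port_settings(root):
        setting.text = str(http_port)
    for prop in root.iter("Property"):
        if prop.get("name") in HTTPS_PROPERTIES:
            prop.set("default", str(https_port))
    if _https_ports(root) != [str(https_port)]:
        raise RuntimeError("HTTPS port references still disagree after the update")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(port_summary(SAMPLE_CONFIG))
    print(port_summary(reconfigure(SAMPLE_CONFIG, 8080, 8443)))
```

Run port_summary() on a file before and after editing: a "https" list with more than one entry tells you one of the three locations was missed. The script rewrites the document through ElementTree, so comments and the DOCTYPE line of a real file are not preserved; for a production file, use the summary as the check and make the edit by hand as the procedure describes.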


Port Configuration (version 3.12.0.0 or higher)

Beginning with version 3.12.0.0, the ports can be changed without editing the XML configuration files. The desired port numbers can instead be specified in the file "launcher.ini", which is located in the installation directory. For more information, see the section about the system startup settings.

TLS Configuration

SSL Configuration

Each *-config.xml file contains the SSL settings for the corresponding area of the Cryptshare application. The following settings can be modified:

  • Password for 'TrustStore'
  • Password for the Cryptshare 'Keystore'
  • Password for the SSL certificate in use
  • Accepted SSL protocols
  • Denied SSL protocols
  • Excluded SSL Cipher Suites

Changing SSL Passwords

Cryptshare uses a Java TrustStore as well as a Keystore to hold the web site certificates for all parts of the application.

When changing a password, the new password must be entered in all existing configuration files:
  • ui-config.xml
  • ai-config.xml

Managing SSL Certificates

Detailed information on managing SSL certificates can be found in the chapter Setting up an SSL Certificate. We suggest using the Windows tool "KeyStore Explorer" for managing Java Keystores: http://keystore-explorer.sourceforge.net/downloads.php The tool is freeware and can be used for all administrative tasks concerning SSL certificates for Java.

Managing Active Protocols and Cipher Suites

The Cryptshare web server is pre-configured not to use any protocols or cipher suites known to be insecure. However, this can prevent older browsers from establishing an SSL connection with the Cryptshare server. In this case we recommend using another browser or an up-to-date browser version. If this is not possible or desired, you can activate the required protocol or cipher suite by changing the setting in the corresponding configuration file (see section SSL Configuration above).

Please note that this is not recommended, as it may allow low-security SSL connections to be established.

Strong Cipher Suites

Some strong cipher suites may not be used legally in certain countries and are therefore not activated by default. If you want to use these ciphers, please refer to the knowledge base technote Using Strong Encryption Ciphers.

Configure Default Settings for TLS

It is possible to configure the default TLS settings of the Cryptshare server. To do so, edit the configuration files of the Jetty web server (ui-config.xml / ai-config.xml), which are located in the subdirectory 'resources/WEB-INF' of the installation directory. This is the relevant part of the configuration files:

ui-config.xml/ai-config.xml

<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "resources/WEB-INF/configure.dtd">
<Configure id="Cryptshare" class="org.eclipse.jetty.server.Server">
	<New id="sslContextFactory" class="com.cryptshare.server.CSSSLContextFactory">
		<Set name="KeyStorePath">lib/security/keystore</Set>
		<Set name="KeyStorePassword">CA0AZhuFM4NogQh</Set>
		<Set name="KeyManagerPassword">CA0AZhuFM4NogQh</Set>
		<Set name="TrustStorePath">
			<SystemProperty name="java.home" default="."/>/lib/security/cacerts
		</Set>
		<Set name="TrustStorePassword">changeit</Set>
		<Set name="protocol">TLSv1.2</Set>
		<Set name="renegotiationAllowed">false</Set>
		<Set name="includeProtocols">
			<Array type="java.lang.String">
				<Item>TLSv1.2</Item>
				<Item>TLSv1.3</Item>
			</Array>
		</Set>
		<Set name="excludeProtocols">
			<Array type="java.lang.String">
				<Item>TLSv1</Item>
				<Item>SSLv3</Item>
				<Item>SSLv2Hello</Item>
				<Item>TLSv1.1</Item>
			</Array>
		</Set>

The "includeProtocols" section lists all protocols that are available for establishing a secure connection to the server; the "excludeProtocols" section lists all protocols that are not available for it.

Reactivating TLS 1.0 and TLS 1.1

If it is necessary to reactivate TLS 1.0 and/or TLS 1.1, the configuration files of the Jetty web server have to be updated as shown below:

ui-config.xml/ai-config.xml

<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "resources/WEB-INF/configure.dtd">
<Configure id="Cryptshare" class="org.eclipse.jetty.server.Server">
	<New id="sslContextFactory" class="com.cryptshare.server.CSSSLContextFactory">
		<Set name="KeyStorePath">lib/security/keystore</Set>
		<Set name="KeyStorePassword">CA0AZhuFM4NogQh</Set>
		<Set name="KeyManagerPassword">CA0AZhuFM4NogQh</Set>
		<Set name="TrustStorePath">
			<SystemProperty name="java.home" default="."/>/lib/security/cacerts
		</Set>
		<Set name="TrustStorePassword">changeit</Set>
		<Set name="protocol">TLSv1.2</Set>
		<Set name="renegotiationAllowed">false</Set>
		<Set name="includeProtocols">
			<Array type="java.lang.String">
				<Item>TLSv1</Item>
				<Item>TLSv1.1</Item>
				<Item>TLSv1.2</Item>
				<Item>TLSv1.3</Item>
			</Array>
		</Set>
		<Set name="excludeProtocols">
			<Array type="java.lang.String">
				<Item>SSLv3</Item>
				<Item>SSLv2Hello</Item>
			</Array>
		</Set>

The TLS versions which should be enabled must be added to the "includeProtocols" section and removed from the "excludeProtocols" section.
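Whether you keep the shipped protocol lists or reactivate TLS 1.0/1.1 as shown above, it pays to re-read the sslContextFactory block afterwards and make sure it says what you intended. The following Python script is an added example (not part of the Cryptshare documentation or software) that parses that block and reports: legacy protocols (SSLv3, TLS 1.0, TLS 1.1) left in "includeProtocols", a protocol listed in both "includeProtocols" and "excludeProtocols", renegotiation enabled, and store passwords still equal to the values printed in the example files above. make_config() builds a constructed file in the layout shown above for testing; it is not the shipped file.

```python
"""Audit the sslContextFactory settings of a Cryptshare *-config.xml.

Added example; not part of the Cryptshare documentation or software. It reads the
protocol lists and store passwords from the block shown above and flags settings an
operator should look at before going live. make_config() produces a constructed file
in that layout (closing tags added) so the audit can be exercised offline.
"""
import xml.etree.ElementTree as ET

# Protocol names that should stay in excludeProtocols unless a legacy client forces the issue.
LEGACY_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
# Store passwords visible in the documentation's example; a real installation should not keep them.
EXAMPLE_PASSWORDS = {"changeit", "CA0AZhuFM4NogQh"}
PASSWORD_SETTINGS = ("KeyStorePassword", "KeyManagerPassword", "TrustStorePassword")


def make_config(include, exclude, renegotiation="false"):
    """Constructed *-config.xml in the layout shown above (assumption: not the shipped file)."""
    def items(protocols):
        return "".join(f"<Item>{p}</Item>" for p in protocols)
    return f"""<Configure id="Cryptshare" class="org.eclipse.jetty.server.Server">
  <New id="sslContextFactory" class="com.cryptshare.server.CSSSLContextFactory">
    <Set name="KeyStorePath">lib/security/keystore</Set>
    <Set name="KeyStorePassword">CA0AZhuFM4NogQh</Set>
    <Set name="KeyManagerPassword">CA0AZhuFM4NogQh</Set>
    <Set name="TrustStorePassword">changeit</Set>
    <Set name="protocol">TLSv1.2</Set>
    <Set name="renegotiationAllowed">{renegotiation}</Set>
    <Set name="includeProtocols"><Array type="java.lang.String">{items(include)}</Array></Set>
    <Set name="excludeProtocols"><Array type="java.lang.String">{items(exclude)}</Array></Set>
  </New>
</Configure>"""


def _setting(factory, name):
    return factory.find(f"./Set[@name='{name}']")


def _setting_text(factory, name):
    node = _setting(factory, name)
    return (node.text or "").strip() if node is not None else ""


def _string_array(factory, name):
    """The <Item> values of a <Set> holding a java.lang.String array."""
    node = _setting(factory, name)
    return [] if node is None else [i.text.strip() for i in node.iter("Item") if i.text]


def audit_tls_config(xml_text):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    factory = root.find("./New[@id='sslContextFactory']")
    if factory is None:
        return ["no sslContextFactory block found"]
    findings = []
    include = _string_array(factory, "includeProtocols")
    exclude = _string_array(factory, "excludeProtocols")
    if not include:
        findings.append("includeProtocols is empty: no protocol can be negotiated")
    for proto in sorted(set(include) & set(exclude)):
        findings.append(f"{proto} is listed in both includeProtocols and excludeProtocols")
    for proto in sorted(set(include) & LEGACY_PROTOCOLS):
        findings.append(f"legacy protocol offered: {proto}")
    if _setting_text(factory, "renegotiationAllowed").lower() != "false":
        findings.append("renegotiationAllowed is not false")
    for name in PASSWORD_SETTINGS:
        if _setting_text(factory, name) in EXAMPLE_PASSWORDS:
            findings.append(f"{name} still matches a value from the documentation example")
    return findings


# The two protocol configurations shown above: shipped default and TLS 1.0/1.1 reactivated.
DEFAULT_LISTS = (["TLSv1.2", "TLSv1.3"], ["TLSv1", "SSLv3", "SSLv2Hello", "TLSv1.1"])
LEGACY_LISTS = (["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"], ["SSLv3", "SSLv2Hello"])

if __name__ == "__main__":
    for label, lists in (("default", DEFAULT_LISTS), ("TLS 1.0/1.1 reactivated", LEGACY_LISTS)):
        print(label)
        for finding in audit_tls_config(make_config(*lists)):
            print("  -", finding)
```

To run it against a real file, read ui-config.xml or ai-config.xml into a string and pass it to audit_tls_config(); the "listed in both" finding catches the case where a protocol was added to "includeProtocols" but not removed from "excludeProtocols", which the sentence above requires.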

Configuration of the Session Timeout for the User Interface

It is possible to manually configure the session timeout for the user interface. By default the session timeout is 30 minutes. To configure a different timeout, the ui-web.xml must be modified: a new line for the timeout is inserted in the <session-config> block (see below).

...
<session-config>
   <cookie-config>
      <http-only>true</http-only>
   </cookie-config>
   <session-timeout>45</session-timeout>
</session-config>
...

The specified value corresponds to a timeout in minutes.
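As an added example (not part of the Cryptshare documentation or software), the following Python script performs the edit described above: it inserts a <session-timeout> line into the <session-config> block, or updates the one already there, and leaves the rest of the block (such as <http-only>) untouched. SAMPLE_WEB_XML is a constructed descriptor; a real ui-web.xml may declare an XML namespace on <web-app>, which the code handles by matching element local names.

```python
"""Set the user-interface session timeout in ui-web.xml.

Added example; not part of the Cryptshare documentation or software. SAMPLE_WEB_XML is
a constructed descriptor containing the block shown above without a timeout line.
"""
import xml.etree.ElementTree as ET

# Constructed descriptor with the block shown above but no timeout line yet.
SAMPLE_WEB_XML = """<web-app>
  <session-config>
    <cookie-config>
      <http-only>true</http-only>
    </cookie-config>
  </session-config>
</web-app>
"""

DEFAULT_TIMEOUT_MINUTES = 30  # the standard value stated above


def _local(tag):
    """Strip a '{namespace}' prefix so lookups work with or without a declared namespace."""
    return tag.rsplit("}", 1)[-1]


def _child(parent, name):
    for child in parent:
        if _local(child.tag) == name:
            return child
    return None


def read_session_timeout(xml_text):
    """Timeout in minutes the descriptor configures, or the standard value when none is set."""
    root = ET.fromstring(xml_text)
    session_config = _child(root, "session-config")
    timeout = _child(session_config, "session-timeout") if session_config is not None else None
    if timeout is None or not (timeout.text or "").strip():
        return DEFAULT_TIMEOUT_MINUTES
    return int(timeout.text.strip())


def set_session_timeout(xml_text, minutes):
    """Return the descriptor with <session-timeout> set to the given number of minutes."""
    # In servlet containers a value of zero or less means sessions never expire, so the
    # helper refuses it: an operator changing this setting wants a bounded session lifetime.
    if not isinstance(minutes, int) or minutes < 1:
        raise ValueError(f"session timeout must be a positive number of minutes, got {minutes!r}")
    root = ET.fromstring(xml_text)
    namespace = root.tag[: len(root.tag) - len(_local(root.tag))]  # '{uri}' or ''
    session_config = _child(root, "session-config")
    if session_config is None:
        session_config = ET.SubElement(root, namespace + "session-config")
    timeout = _child(session_config, "session-timeout")
    if timeout is None:
        timeout = ET.SubElement(session_config, namespace + "session-timeout")
    timeout.text = str(minutes)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    updated = set_session_timeout(SAMPLE_WEB_XML, 45)
    print(updated)
    print("timeout now:", read_session_timeout(updated), "minutes")
```

read_session_timeout() is the check to run after an edit: it returns the configured minutes, or 30 when the descriptor has no timeout line, so a value that does not match what you set means the line landed outside the <session-config> block.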