Web Server Configuration
About Web Server Configuration
Cryptshare uses a Jetty web server to serve its web pages. It is delivered, installed and configured as part of the Cryptshare software, so reconfiguring the web server is not required in most cases. If circumstances demand it, you can do so by modifying the respective configuration files, which are located in the sub-folder "resources/WEB-INF" of the installation directory. Apart from changes to the port and SSL/TLS settings, we suggest leaving these files unchanged.
Web Server Configuration Files
File | Area | Description |
---|---|---|
ui-config.xml | User Interface | Port and SSL configuration for the user interface on Windows servers. |
ai-config.xml | Admin Interface | Port and SSL configuration for the administration interface. |
Web Application Configuration Files
These files do not exist in the "resources/WEB-INF" directory by default, but can be created when needed to override the default settings.
File | Area | Description |
---|---|---|
ui-web.xml | User Interface | Application and security configuration for the user interface. |
ai-web.xml | Admin Interface | Application and security configuration for the administration interface. |
ws-web.xml | Web Service Interface | Application and security configuration for the WSDL interface. |
Port Configuration
It is possible to adapt the ports without editing the XML configuration files. The desired port numbers can be specified instead via the file "launcher.ini", which is located in the installation directory. For more information, see the section about the system startup settings.
SSL/TLS Configuration
Each of the *-config.xml files contains the SSL/TLS settings for the corresponding area of the Cryptshare application, in the form of Jetty SslContextFactory setters. The following settings can be modified (Jetty setter name in parentheses):
- Password for the TrustStore (TrustStorePassword)
- Password for the Cryptshare KeyStore (KeyStorePassword)
- Password for the private key of the SSL certificate in use (KeyManagerPassword)
- Accepted SSL/TLS protocols (includeProtocols)
- Denied SSL/TLS protocols (excludeProtocols)
- Excluded SSL/TLS cipher suites (excludeCipherSuites)
Changing Passwords
Cryptshare uses a Java TrustStore as well as a KeyStore to keep the web site certificates for all parts of the application. The passwords for both stores are set in the SslContextFactory section of the following files:
- ui-config.xml
- ai-config.xml
Note that the passwords are stored in plain text in these files, so restrict read access to the "resources/WEB-INF" directory to the account running Cryptshare and to administrators.
Managing Certificates
Detailed information on managing SSL certificates can be found in the chapter Setting up an SSL Certificate. We suggest the Windows tool "KeyStore Explorer" for managing Java KeyStores: https://keystore-explorer.org/downloads.html The tool is freeware and covers all administrative tasks concerning SSL certificates for Java. Where no GUI is available, the keytool utility shipped with the JDK performs the same tasks from the command line.
Managing Active Protocols and Cipher Suites
The Cryptshare web server is pre-configured not to offer any protocols or cipher suites known to be insecure. This can prevent older browsers from establishing a TLS connection with the Cryptshare server. In this case we recommend using another browser or an up-to-date browser version. If this is not possible or not desired, you can re-enable the required protocol or cipher suite in the corresponding configuration file (see section SSL/TLS Configuration above): add the protocol to "includeProtocols" and remove it from "excludeProtocols", since Jetty lets an exclusion override an inclusion. Bear in mind that a re-enabled protocol or cipher suite is offered to every client, not only to the old browser, so remove the exception again once that browser has been retired.
Enabling Server Name Indication (SNI)
SNI can be enabled by setting the system property cryptshare.ui.sniHostCheck to true. With this check active, Jetty rejects requests whose Host header does not match the host name the client presented via SNI.
Configure Default Settings for TLS
It is possible to configure the default TLS settings of the Cryptshare server. To do so, edit the configuration files of the Jetty web server (ui-config.xml / ai-config.xml), located in the sub-directory "resources/WEB-INF" of the installation directory. This is the relevant part of the configuration files:
ui-config.xml / ai-config.xml:

```xml
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "resources/WEB-INF/configure.dtd">
<Configure id="Cryptshare" class="org.eclipse.jetty.server.Server">
  <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">
    <Set name="KeyStorePath">lib/security/keystore</Set>
    <Set name="KeyStorePassword">CA0AZhuFM4NogQh</Set>
    <Set name="KeyManagerPassword">CA0AZhuFM4NogQh</Set>
    <Set name="TrustStorePath">
      <SystemProperty name="java.home" default="."/>/lib/security/cacerts
    </Set>
    <Set name="TrustStorePassword">changeit</Set>
    <Set name="protocol">TLSv1.2</Set>
    <Set name="renegotiationAllowed">false</Set>
    <Set name="includeProtocols">
      <Array type="java.lang.String">
        <Item>TLSv1.2</Item>
        <Item>TLSv1.3</Item>
      </Array>
    </Set>
    <Set name="excludeProtocols">
      <Array type="java.lang.String">
        <Item>TLSv1</Item>
        <Item>SSLv3</Item>
        <Item>SSLv2Hello</Item>
        <Item>TLSv1.1</Item>
      </Array>
    </Set>
```
The "includeProtocols" section lists all protocols that will be available for establishing a secure connection to the server; the "excludeProtocols" section lists all protocols that will not be available. If a protocol appears in both lists, the exclusion wins, because Jetty applies "excludeProtocols" after "includeProtocols". To re-enable a protocol such as TLSv1.1 you therefore have to remove it from "excludeProtocols" as well as add it to "includeProtocols".
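As an added example (not part of the original page and not code from the Cryptshare product), the following Python script parses the SslContextFactory section of a ui-config.xml / ai-config.xml and reports the protocols that are actually enabled, together with a few weak settings. It covers the settings listed under SSL/TLS Configuration and the re-enabling scenario from Managing Active Protocols and Cipher Suites. The embedded sample is constructed from the fragment above with a placeholder keystore password and TLSv1.1 added to "includeProtocols" while still being excluded; the weak-protocol list, severity levels and function names are this script's own choices.

```python
"""Lint the TLS settings of a Jetty SslContextFactory configuration such as
Cryptshare's ui-config.xml / ai-config.xml. Usage: python tls_lint.py [file]
(without a file argument the constructed sample below is checked)."""
import sys
import xml.etree.ElementTree as ET

# Protocol names as JSSE/Jetty spell them for versions that should stay disabled.
WEAK_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample modelled on the fragment quoted above; it is not a real
# Cryptshare file and the keystore password is a placeholder. TLSv1.1 has been
# added to includeProtocols (as an administrator might do for an old browser)
# but is still listed under excludeProtocols, so Jetty keeps it disabled.
SAMPLE_CONFIG = """<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "configure.dtd">
<Configure id="Cryptshare" class="org.eclipse.jetty.server.Server">
  <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">
    <Set name="KeyStorePath">lib/security/keystore</Set>
    <Set name="KeyStorePassword">placeholder-password</Set>
    <Set name="KeyManagerPassword">placeholder-password</Set>
    <Set name="TrustStorePath">
      <SystemProperty name="java.home" default="."/>/lib/security/cacerts
    </Set>
    <Set name="TrustStorePassword">changeit</Set>
    <Set name="protocol">TLSv1.2</Set>
    <Set name="renegotiationAllowed">false</Set>
    <Set name="includeProtocols">
      <Array type="java.lang.String">
        <Item>TLSv1.1</Item>
        <Item>TLSv1.2</Item>
        <Item>TLSv1.3</Item>
      </Array>
    </Set>
    <Set name="excludeProtocols">
      <Array type="java.lang.String">
        <Item>TLSv1</Item>
        <Item>SSLv3</Item>
        <Item>SSLv2Hello</Item>
        <Item>TLSv1.1</Item>
      </Array>
    </Set>
  </New>
</Configure>
"""


def parse_ssl_settings(xml_text):
    """Return {setter name: string or list} for the SslContextFactory <New> element.
    Names are normalised to lower-first-letter form because Jetty's XmlConfiguration
    accepts both 'KeyStorePath' and 'keyStorePath'."""
    settings = {}
    for new in ET.fromstring(xml_text).iter("New"):
        if "SslContextFactory" not in (new.get("class") or ""):
            continue
        for setter in new.findall("Set"):
            name = setter.get("name")
            name = name[0].lower() + name[1:]
            if setter.find("Array") is not None:
                settings[name] = [(item.text or "").strip() for item in setter.iter("Item")]
            else:  # plain text, possibly wrapped around a <SystemProperty/> element
                settings[name] = "".join(setter.itertext()).strip()
    return settings


def effective_protocols(settings):
    """Protocols the file alone allows. Jetty applies excludeProtocols after
    includeProtocols, so a name present in both lists stays disabled. With no
    includeProtocols the JVM's defaults apply, which the file cannot tell us: None."""
    include = settings.get("includeProtocols") or []
    exclude = set(settings.get("excludeProtocols") or [])
    if not include:
        return None
    return set(include) - exclude


def audit(settings):
    """Return (severity, message) findings; the severity scale is this script's own."""
    findings = []
    include = set(settings.get("includeProtocols") or [])
    exclude = set(settings.get("excludeProtocols") or [])
    enabled = effective_protocols(settings)
    if enabled is None:
        for proto in sorted(WEAK_PROTOCOLS - exclude):
            findings.append(("high", f"{proto} is not excluded and no includeProtocols restricts it; JVM defaults decide"))
    else:
        for proto in sorted(enabled & WEAK_PROTOCOLS):
            findings.append(("high", f"weak protocol {proto} is enabled"))
        for proto in sorted(include & exclude):
            findings.append(("info", f"{proto} is in includeProtocols but also in excludeProtocols; the exclusion wins and it stays disabled"))
    if str(settings.get("renegotiationAllowed", "")).lower() != "false":
        findings.append(("medium", "renegotiationAllowed is not explicitly false (Jetty's default allows renegotiation)"))
    if not settings.get("includeCipherSuites") and not settings.get("excludeCipherSuites"):
        findings.append(("medium", "no cipher suite include/exclude list; JVM defaults decide"))
    if settings.get("trustStorePassword") == "changeit":
        findings.append(("info", "trustStorePassword is the JDK default 'changeit'"))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for severity, message in audit(parse_ssl_settings(text)):
        print(f"[{severity}] {message}")
```

Run it against the real file after every change to the TLS section; the "exclusion wins" finding is exactly the case an administrator hits when a protocol is added to "includeProtocols" but left in "excludeProtocols" and the old browser still cannot connect. The script only reads the file, so confirm the result from the outside as well, for example with a TLS scanner against the running server.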
Configuration of the Session Timeout for the User Interface
It is possible to configure the session timeout for the user interface manually. In the standard system the session timeout is 30 minutes. To configure a different timeout, the ui-web.xml must be modified: insert a <session-timeout> line into the <session-config> block, as shown below.

```xml
...
<session-config>
    <cookie-config>
        <http-only>true</http-only>
    </cookie-config>
    <session-timeout>45</session-timeout>
</session-config>
...
```

The specified value is the timeout in minutes. The <cookie-config> block shown above already sets the HttpOnly flag on the session cookie; since the user interface is served over SSL/TLS, the standard deployment-descriptor element <secure>true</secure> can be added to the same block so that the session cookie is only ever sent over HTTPS.