You can enable HTTPS with the Xpress Insight Server.
- Ensure that your SSL certificate (certificate.pem) and private key (privatekey.pem) files are saved in the <INSIGHT_HOME>\server\wildfly-x.y.z\standalone\configuration directory, where x.y.z represents the version, subversion, and patch numbers.
- Convert the PEM files into a PKCS12 key store (the next step converts it into a Java keystore). You will be prompted to provide a password; note it, as it is needed in the next step:
openssl pkcs12 -export -name host.company.com -in certificate.pem -inkey privatekey.pem -out xpress-insight.p12
- Convert the PKCS12 file into a Java Key Store (JKS) file. You will be prompted for the password entered in the previous step, and then for a password for the destination keystore. Note this password too, as it is used in standalone.xml:
keytool -importkeystore -destkeystore xpress-insight.jks -srckeystore xpress-insight.p12 -srcstoretype pkcs12 -alias host.company.com
- Ensure the Insight Server is not running.
- Save a backup of standalone.xml.
- Open <INSIGHT_HOME>\server\wildfly-x.y.z\standalone\configuration\standalone.xml.
- Find the <subsystem xmlns="urn:wildfly:elytron:...> section that contains the tags <providers> and <audit-logging>, and add the following example, replacing [keystore_password] with the passwords set in the previous steps.
<tls>
    <key-stores>
        <key-store name="InsightKeystore">
            <credential-reference clear-text="[keystore_password]"/>
            <implementation type="JKS"/>
            <file path="xpress-insight.jks"
                  relative-to="jboss.server.config.dir"/>
        </key-store>
    </key-stores>
    <key-managers>
        <key-manager name="InsightKeyManager"
                     key-store="InsightKeystore">
            <credential-reference clear-text="[keystore_password]"/>
        </key-manager>
    </key-managers>
    <server-ssl-contexts>
        <server-ssl-context name="InsightSslContext"
                            key-manager="InsightKeyManager" protocols="TLSv1.2"
                            cipher-suite-filter="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" />
    </server-ssl-contexts>
</tls>
FICO recommends two cipher suites for use in the cipher-suite-filter attribute: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, as used in the example above. The WildFly Elytron Security Guide section titled Configuring a server SSLContext lists all of the allowed cipher suites. For more, see https://docs.wildfly.org/18/WildFly_Elytron_Security.html.
Note: If the passwords provided in this step are wrong, the server logs an error (java.security.UnrecoverableKeyException). To avoid using a plain-text password within the credential-reference, configure the Credential Store and refer to the credentials by their aliases, for example:
<credential-reference store="store-name" alias="password-alias"/>
For more on configuring the credential store, see Using the Credential Store to Store Passwords.
- Locate the <http-listener> and add an additional listener line underneath, for example:
<https-listener name="https" socket-binding="https" max-post-size="536870912" ssl-context="InsightSslContext" enable-http2="true"/>
- Configure the session cookie to only be transmitted over a secure connection. Amend the existing session-cookie configuration in standalone.xml and change secure from false to true:
<session-cookie name="OMSID" http-only="true" secure="true"/>
- Start up the Xpress Insight Server. Navigate to https://host.company.com:8443/insight and log on as normal.
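As an added check (example code, not part of the FICO documentation or product), the following Python script parses a standalone.xml and verifies the elements configured in the steps above: the https-listener resolves to a server-ssl-context, that context uses TLSv1.2 and the two recommended cipher suites, the key-manager and key-store chain resolves to a keystore file, no credential-reference embeds a clear-text password, and the session cookie is marked secure. The embedded sample configuration is constructed for the example; its xmlns values are placeholders rather than the real WildFly namespace versions.

```python
import xml.etree.ElementTree as ET

RECOMMENDED_CIPHERS = {"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}
# Constructed, cut-down standalone.xml mirroring the steps above; the xmlns values are placeholders.
SAMPLE_STANDALONE_XML = """<server><profile>
<subsystem xmlns="urn:wildfly:elytron:placeholder"><tls>
<key-stores><key-store name="InsightKeystore"><credential-reference clear-text="changeit"/>
<implementation type="JKS"/><file path="xpress-insight.jks" relative-to="jboss.server.config.dir"/>
</key-store></key-stores><key-managers><key-manager name="InsightKeyManager" key-store="InsightKeystore">
<credential-reference clear-text="changeit"/></key-manager></key-managers>
<server-ssl-contexts><server-ssl-context name="InsightSslContext" key-manager="InsightKeyManager"
protocols="TLSv1.2" cipher-suite-filter="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"/>
</server-ssl-contexts></tls></subsystem>
<subsystem xmlns="urn:jboss:domain:undertow:placeholder"><server name="default-server">
<http-listener name="default" socket-binding="http"/>
<https-listener name="https" socket-binding="https" ssl-context="InsightSslContext"/></server>
<servlet-container name="default"><session-cookie name="OMSID" http-only="true" secure="true"/>
</servlet-container></subsystem></profile></server>"""

def _local(el):
    return el.tag.rsplit("}", 1)[-1]  # tag name without its namespace prefix

def _named(root, tag):
    return {el.get("name"): el for el in root.iter() if _local(el) == tag}  # name -> element

def check_https_config(xml_text):
    """Return a list of findings; an empty list means the HTTPS setup looks right."""
    root = ET.fromstring(xml_text)
    listener = next(iter(_named(root, "https-listener").values()), None)
    if listener is None:
        return ["no https-listener: HTTPS is not enabled"]
    ctx = _named(root, "server-ssl-context").get(listener.get("ssl-context"))
    if ctx is None:
        return ["https-listener refers to an ssl-context that does not exist"]
    findings = []
    if ctx.get("protocols") != "TLSv1.2":
        findings.append("protocols should be TLSv1.2, found %r" % ctx.get("protocols"))
    if set((ctx.get("cipher-suite-filter") or "").split(":")) != RECOMMENDED_CIPHERS:
        findings.append("cipher-suite-filter differs from the two recommended suites")
    km = _named(root, "key-manager").get(ctx.get("key-manager"))
    ks = _named(root, "key-store").get(km.get("key-store")) if km is not None else None
    if ks is None or not any(_local(c) == "file" for c in ks):
        findings.append("ssl-context -> key-manager -> key-store -> file chain is broken")
    # The page's example embeds clear-text passwords; a credential store alias is preferred.
    if any(_local(e) == "credential-reference" and e.get("clear-text") for e in root.iter()):
        findings.append("credential-reference uses clear-text; use a credential store alias")
    if not any(c.get("secure") == "true" for c in _named(root, "session-cookie").values()):
        findings.append("session-cookie secure is not true")
    return findings
```

Run it against the real file with check_https_config(open(path).read()); the embedded sample, which mirrors the example above, reports only the clear-text credential finding.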
© 2001-2020 Fair Isaac Corporation. All rights reserved. This documentation is the
property of Fair Isaac Corporation (“FICO”). Receipt or possession of this documentation does not
convey rights to disclose, reproduce, make derivative works, use, or allow others to use it except
solely for internal evaluation purposes to determine whether to purchase a license to the software
described in this documentation, or as otherwise set forth in a written software license agreement
between you and FICO (or a FICO affiliate). Use of this documentation and the software described in
it must conform strictly to the foregoing permitted uses, and no other use is permitted.