Instructions for Enabling HTTPS on the Xpress Insight Server
You can enable HTTPS with the Xpress Insight Server.
- Ensure that your SSL certificate (certificate.pem) and private key (privatekey.pem) files are saved in the <INSIGHT_HOME>\server\wildfly-x.y.z\standalone\configuration directory, where x.y.z represents the version, subversion, and patch numbers.
- Convert the PEM files into a PKCS12 key store. You will be prompted to provide an export password; note it, because the next step asks for it. For example:
openssl pkcs12 -export -name host.company.com -in certificate.pem -inkey privatekey.pem -out xpress-insight.p12
- Convert the PKCS12 file into a Java Key Store file. You will be prompted for the password entered in the previous step and for a password for the destination keystore. Note this one too, because standalone.xml needs it:
keytool -importkeystore -destkeystore xpress-insight.jks -srckeystore xpress-insight.p12 -srcstoretype pkcs12 -alias host.company.com
- Ensure the Insight Server is not running.
- Save a backup of standalone.xml.
- Open <INSIGHT_HOME>\server\wildfly-x.y.z\standalone\configuration\standalone.xml.
- Find the <subsystem xmlns="urn:wildfly:elytron:...> section that contains the tags <providers> and <audit-logging>, and add the following block, replacing [keystore_password] with the destination keystore password set in the previous step:
<tls>
    <key-stores>
        <key-store name="InsightKeystore">
            <credential-reference clear-text="[keystore_password]"/>
            <implementation type="JKS"/>
            <file path="xpress-insight.jks" relative-to="jboss.server.config.dir"/>
        </key-store>
    </key-stores>
    <key-managers>
        <key-manager name="InsightKeyManager" key-store="InsightKeystore">
            <credential-reference clear-text="[keystore_password]"/>
        </key-manager>
    </key-managers>
    <server-ssl-contexts>
        <server-ssl-context name="InsightSslContext" key-manager="InsightKeyManager" protocols="TLSv1.2" cipher-suite-filter="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"/>
    </server-ssl-contexts>
</tls>
FICO recommends two ciphers for use as the cipher-suite-filter attribute. These are:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Both are ECDHE_RSA suites, so they require an RSA certificate and private key; with an ECDSA certificate no suite in this filter can be negotiated and TLS handshakes fail. With protocols="TLSv1.2", only TLS 1.2 is offered to clients.
Note: If the passwords provided in this step are wrong, the server cannot open the keystore and logs a java.security.UnrecoverableKeyException at startup. To avoid storing a plain-text password in the credential-reference, configure the Credential Store and refer to the credentials by alias, for example:
<credential-reference store="store-name" alias="password-alias"/>
For more on configuring the credential store, see Using the Credential Store to Store Passwords.
- Locate the <http-listener> and add an additional listener line underneath, for example:
<https-listener name="https" socket-binding="https" max-post-size="536870912" ssl-context="InsightSslContext" enable-http2="true"/>
- Configure the session cookie to only be transmitted over a secure connection. Amend the existing session-cookie configuration in standalone.xml and change secure from false to true:
<session-cookie name="OMSID" http-only="true" secure="true"/>
- Start up the Xpress Insight Server. Navigate to https://host.company.com:8443/insight and log on as normal.
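As an added check, not part of the Xpress Insight documentation or FICO's software, the following Python script audits a standalone.xml for the settings the steps above configure: an https-listener bound to a server-ssl-context that resolves through a key-manager to a key-store, TLSv1.2 only, only the two recommended cipher suites, no clear-text credential-reference, and a session cookie with secure="true" and http-only="true". The embedded XML is a constructed sample; the subsystem namespace versions, the credential-store name insight-store, the alias keystore-password and the password changeit are placeholders chosen for this example, not values from a real installation.

```python
import xml.etree.ElementTree as ET

# The two suites FICO recommends for cipher-suite-filter.
RECOMMENDED_SUITES = {"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}

# Constructed sample: standalone.xml cut down to the elements this check reads.
# Subsystem namespace versions, the store name "insight-store", the alias
# "keystore-password" and the password "changeit" are placeholders for this example.
STANDALONE_TEMPLATE = """<server xmlns="urn:jboss:domain:20.0">
  <profile>
    <subsystem xmlns="urn:wildfly:elytron:16.0">
      <tls>
        <key-stores>
          <key-store name="InsightKeystore">
            {credential}
            <implementation type="JKS"/>
            <file path="xpress-insight.jks" relative-to="jboss.server.config.dir"/>
          </key-store>
        </key-stores>
        <key-managers>
          <key-manager name="InsightKeyManager" key-store="InsightKeystore">
            {credential}
          </key-manager>
        </key-managers>
        <server-ssl-contexts>
          <server-ssl-context name="InsightSslContext" key-manager="InsightKeyManager" protocols="{protocols}" cipher-suite-filter="{ciphers}"/>
        </server-ssl-contexts>
      </tls>
    </subsystem>
    <subsystem xmlns="urn:jboss:domain:undertow:14.0">
      <server name="default-server">
        <https-listener name="https" socket-binding="https" ssl-context="InsightSslContext" enable-http2="true"/>
      </server>
      <servlet-container name="default">
        <session-cookie name="OMSID" http-only="true" secure="{secure}"/>
      </servlet-container>
    </subsystem>
  </profile>
</server>"""

# Before: clear-text password, legacy protocols, provider-default ciphers, cookie also sent over HTTP.
WEAK_CONFIG = STANDALONE_TEMPLATE.format(
    credential='<credential-reference clear-text="changeit"/>',
    protocols="TLSv1 TLSv1.1 TLSv1.2", ciphers="DEFAULT", secure="false")
# After: what the procedure above produces, with a credential-store alias instead of clear-text.
HARDENED_CONFIG = STANDALONE_TEMPLATE.format(
    credential='<credential-reference store="insight-store" alias="keystore-password"/>',
    protocols="TLSv1.2", ciphers=":".join(sorted(RECOMMENDED_SUITES)), secure="true")


def _all(root, name):
    """Elements with this local name in any subsystem namespace (ElementTree tags are '{ns}name')."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]


def audit_standalone(xml_text):
    """Return (code, message) findings for the HTTPS settings; an empty list means all checks passed."""
    root = ET.fromstring(xml_text)
    findings = []
    stores = {e.get("name") for e in _all(root, "key-store")}
    managers = {e.get("name"): e.get("key-store") for e in _all(root, "key-manager")}
    contexts = {e.get("name"): e for e in _all(root, "server-ssl-context")}
    listeners = _all(root, "https-listener")
    if not listeners:
        findings.append(("no-https-listener", "no <https-listener> in the undertow subsystem"))
    for lst in listeners:
        ctx = contexts.get(lst.get("ssl-context"))
        if ctx is None:
            findings.append(("dangling-ssl-context", f"https-listener references unknown ssl-context {lst.get('ssl-context')!r}"))
            continue
        if managers.get(ctx.get("key-manager")) not in stores:
            findings.append(("dangling-key-manager", f"ssl-context {ctx.get('name')!r} does not resolve to a key-store"))
        # Elytron's protocols attribute is space-separated; empty means the provider default.
        protocols = set(ctx.get("protocols", "").split())
        legacy = protocols & {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
        if not protocols or legacy:
            findings.append(("weak-protocols", f"ssl-context {ctx.get('name')!r} offers {sorted(legacy) or 'the provider default'}"))
        # cipher-suite-filter is colon-separated; anything beyond the two recommended suites is flagged.
        suites = set(filter(None, ctx.get("cipher-suite-filter", "").split(":")))
        if not suites or suites - RECOMMENDED_SUITES:
            findings.append(("cipher-filter", f"cipher-suite-filter is {ctx.get('cipher-suite-filter')!r}"))
    if any(c.get("clear-text") is not None for c in _all(root, "credential-reference")):
        findings.append(("clear-text-credential", "a credential-reference still uses clear-text; refer to a credential store alias"))
    for cookie in _all(root, "session-cookie") or [None]:
        if cookie is None:
            findings.append(("no-session-cookie", "no <session-cookie> element to set secure/http-only on"))
        elif cookie.get("secure") != "true" or cookie.get("http-only") != "true":
            findings.append(("cookie-flags", f"session-cookie {cookie.get('name')!r}: secure={cookie.get('secure')!r} http-only={cookie.get('http-only')!r}"))
    return findings


def finding_codes(xml_text):
    """Sorted finding codes only, for a scripted pass/fail check."""
    return sorted(code for code, _ in audit_standalone(xml_text))


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, finding_codes(cfg))
```

To audit a real installation, read <INSIGHT_HOME>\server\wildfly-x.y.z\standalone\configuration\standalone.xml and pass its text to audit_standalone; an empty result means the listener, TLS context, credential handling and cookie flags all match the procedure. The script matches element names regardless of the subsystem namespace version, so it does not need editing when the Elytron or Undertow schema version in your file differs from the placeholders.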