Additional security measures

Authentication of all internal connections to the FirstSpirit server

In FirstSpirit Version 5.2 and higher, internal communication between the FirstSpirit server components is subject to higher security requirements. This means that all connections to the FirstSpirit server must undergo authentication. In other words, all web applications (and cluster nodes, see Clustering – load distribution on generation) that communicate with the FirstSpirit Server must be authenticated first.

To enable authentication of the web applications on the FirstSpirit Server, app passwords (application-specific passwords) can be stored in the server properties. These passwords can be configured for all FirstSpirit web applications (fs5root, fs5webmon, etc.) and all cluster nodes. As part of this process, the preconfigured default password must be overwritten. New passwords are generated on a one-time basis and are not saved (see Note). Therefore, they must be transferred directly to the relevant web application or cluster node as soon as they are displayed in the configuration dialog.

Note: The passwords themselves are not saved by FirstSpirit; only a salted hash value of each app password (SHA-2 family with a 384-bit digest, i.e. SHA-384) is stored in the Server Repository. It is therefore not possible to recover the original passwords from the repository using current technology.

The preconfigured default password is kept in the fs-isolated-server.jar file. This ensures that older FirstSpirit installations remain compatible once they have been updated to FirstSpirit Version 5.2 by eliminating the need to configure all web applications and cluster nodes with the new app passwords directly.

Important The default password is reassigned with each FirstSpirit build. Whenever a FirstSpirit update is performed (or fs-isolated-server.jar is updated), all web applications have to be updated as well. This applies in particular to any web applications installed on an external web server (cf. Updating a web component). Updating them ensures that the default password contained in fs-isolated-server.jar (FirstSpirit server) and in fs-isolated-webrt.jar (application server) is identical. Otherwise, authentication will no longer be possible after the update.

To ensure a fully secured connection, the default password should be disabled. (Reasoning: The preconfigured default password is stored in the JAR file and so is not fully protected against unauthorized access.)
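The storage scheme described above (plaintext shown once and never kept; only a salted SHA-384 digest stored; a preconfigured default that must be overwritten) is illustrated here with an added example. It is an educational model, not FirstSpirit's own code or repository format, and the default password value, the store layout and the function names are constructed assumptions.

```python
# Added illustration of the app-password scheme: only a salted SHA-384 digest of
# each app password is kept; the plaintext is returned once and never stored.
# This is an educational model, not FirstSpirit's own code or repository format.
import hashlib
import hmac
import secrets

# Constructed stand-in for the preconfigured default password shipped in the JAR.
DEFAULT_APP_PASSWORD = "default-password-placeholder"


def _digest(salt: bytes, password: str) -> bytes:
    """Salted SHA-384 (SHA-2 family, 384-bit digest) of the password."""
    return hashlib.sha384(salt + password.encode("utf-8")).digest()


def new_store(app_names):
    """Seed every app with the default password, as a fresh install would be."""
    store = {}
    for name in app_names:
        salt = secrets.token_bytes(16)
        store[name] = (salt, _digest(salt, DEFAULT_APP_PASSWORD))
    return store


def assign_app_password(store, app_name):
    """Overwrite the stored digest with a freshly generated password.
    The plaintext is returned exactly once so it can be handed to the web app."""
    password = secrets.token_urlsafe(24)
    salt = secrets.token_bytes(16)
    store[app_name] = (salt, _digest(salt, password))
    return password


def verify_app_password(store, app_name, candidate):
    """Authenticate a connecting component; constant-time compare of digests."""
    entry = store.get(app_name)
    if entry is None:
        return False
    salt, stored = entry
    return hmac.compare_digest(stored, _digest(salt, candidate))


def apps_still_on_default(store):
    """Audit: which apps would still accept the JAR's default password."""
    return sorted(n for n in store if verify_app_password(store, n, DEFAULT_APP_PASSWORD))


if __name__ == "__main__":
    store = new_store(["fs5root", "fs5webmon", "fs5webedit"])
    shown_once = assign_app_password(store, "fs5root")  # transfer this immediately
    print("fs5root authenticates:", verify_app_password(store, "fs5root", shown_once))
    print("still on default password:", apps_still_on_default(store))
```

The audit function is the check worth keeping: after an update, any application it lists is still accepting the JAR's default and has not yet been assigned its own app password.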

To operate the FirstSpirit server securely, we recommend:

  • Only allowing ServerManager and SiteArchitect to communicate directly with the FirstSpirit Server over HTTPS (see also Configuring connection settings). In this case, access to the FirstSpirit server is only ever permitted once the user has undergone authentication along with the relevant permissions.
  • Only allowing internal communication between the FirstSpirit web applications (fs5root, fs5webmon, fs5webedit, fs5preview, fs5staging) and the FirstSpirit Server to take place in socket mode. In the interest of ensuring secure operation, we recommend setting up app passwords (possible with FirstSpirit Version 5.2 and higher) for these communication channels (see above).

Important App passwords only affect socket connections between the FirstSpirit server and the FirstSpirit web applications/cluster nodes. No other internal FirstSpirit communication channels are affected.

For more information on configuration, see App passwords.

© 2005 - 2023 Crownpeak Technology GmbH | All rights reserved. | FirstSpirit 2023.2 | Data privacy