Introduction / FirstSpirit Server configuration / Configuration files (FirstSpirit Server) / FirstSpirit Server (fs-server.conf) / SSL Parameters

Area: SSL Parameters

################
# SSL parameters
################
# List of enabled protocols (comma separated). "DEFAULT" means use java defaults.
# Recommended value for Java 7 or greater: TLSv1.2
# For Java 6 only TLSv1 is supported.
#
# fs.ssl.protocols=DEFAULT
# fs.ssl.protocols=TLSv1.2
fs.ssl.protocols=TLSv1
 
# List of enabled cipher suites (comma separated). "DEFAULT" means use java defaults
# (recommended).
#
# fs.ssl.cipherSuites=DEFAULT
fs.ssl.cipherSuites=TLS_DH_anon_WITH_AES_128_CBC_SHA
 
# Client authentication parameters
# If client authentication is needed, a keystore on client side must be configured:
# -Dfs.ssl.keyStore=pathToKeystore -Dfs.ssl.keyStorePassword=123456 or
# -Djavax.net.ssl.keyStore=pathToKeystore -Djavax.net.ssl.keyStorePassword=123456
fs.ssl.wantClientAuth=false
fs.ssl.needClientAuth=false
# Jetty style OBF password obfuscation is supported for key and truststore passwords,
# if the FirstSpirit specific parameters are used.
 
# Keystore
fs.ssl.keyStore=
fs.ssl.keyStorePassword=
fs.ssl.keyManagerPassword=
 
# Truststore
fs.ssl.trustStore=
fs.ssl.trustStorePassword=
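The comment above says that Jetty-style "OBF:" values are accepted for the key and trust store passwords. The following Python block is an added illustration, not FirstSpirit or Jetty code: it is a port of the algorithm behind Jetty's OBF: prefix, included to make one point clear to anyone hardening fs-server.conf. OBF is a fixed, keyless, reversible transform, so whoever can read the file can recover the plaintext; it hides the password from a glance over the shoulder, not from an attacker with file access, and the file permissions on fs-server.conf remain the actual control. The sample passwords are the ones printed on this page plus constructed values.

```python
"""Jetty-style OBF password obfuscation (added example, not FirstSpirit/Jetty code).

Demonstrates that OBF: values in fs-server.conf are obfuscated, not encrypted:
obfuscate() and deobfuscate() need no key, only the published algorithm.
"""

OBF_PREFIX = "OBF:"
_DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"


def _to_base36(n: int) -> str:
    """Lowercase base-36 rendering, like Java's Integer.toString(n, 36)."""
    if n == 0:
        return "0"
    out = []
    while n:
        n, r = divmod(n, 36)
        out.append(_DIGITS[r])
    return "".join(reversed(out))


def obfuscate(password: str) -> str:
    """Return the OBF: form of `password` (UTF-8 bytes, Jetty's pairing scheme)."""
    b = password.encode("utf-8")
    parts = [OBF_PREFIX]
    for i, b1 in enumerate(b):
        b2 = b[len(b) - (i + 1)]  # the byte mirrored from the other end of the password
        if b1 >= 128 or b2 >= 128:
            # Non-ASCII bytes: 'U' followed by 4 base-36 digits of (b1 << 8 | b2)
            parts.append("U" + _to_base36(b1 * 256 + b2).rjust(4, "0"))
        else:
            # ASCII bytes: sum and difference of the pair, offset by 127, packed in 16 bits
            i1 = 127 + b1 + b2
            i2 = 127 + b1 - b2
            parts.append(_to_base36(i1 * 256 + i2).rjust(4, "0"))
    return "".join(parts)


def deobfuscate(value: str) -> str:
    """Recover the plaintext from an OBF: value; no secret is involved."""
    s = value[len(OBF_PREFIX):] if value.startswith(OBF_PREFIX) else value
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "U":
            # 'U' groups are 5 chars; the high byte of the 16-bit value is b1
            out.append(int(s[i + 1:i + 5], 36) >> 8)
            i += 5
        else:
            # plain groups are 4 chars; (i1 + i2 - 254) / 2 == b1
            i1, i2 = divmod(int(s[i:i + 4], 36), 256)
            out.append((i1 + i2 - 254) // 2)
            i += 4
    return out.decode("utf-8")


if __name__ == "__main__":
    # q1w2e3r4t is the sample password used in this page's own configuration examples
    for pw in ("q1w2e3r4t", "keypwd", "pässwörd"):
        obf = obfuscate(pw)
        print(f"{pw!r:14} -> {obf}  -> back: {deobfuscate(obf)!r}")
```

Run it once on a value from a real fs-server.conf and the output is the plaintext; that is why an OBF: value should be treated with the same file permissions and secret handling as a cleartext password.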

This area provides parameters for using the SSL/TLS protocols to encrypt internal communication between the FirstSpirit server, FirstSpirit cluster nodes, FirstSpirit SiteArchitect, and the FirstSpirit web applications. By default, internal communication is encrypted without using client authentication and certificates. However, these aspects can be individually configured using the encryption parameters explained below with a view to ensuring maximum security.

For more information on the “Encryption of internal communication” security concept, see Parameterizing encryption.

The following parameters can be configured in the fs-server.conf file:

fs.ssl.protocols

This parameter can be used to configure a list of valid protocol versions for internal communication. TLSv1.2 is selected by default. The values that can be configured here depend on which JDK is being used. If DEFAULT is passed, the default protocol version of the respective JRE is automatically used.

fs.ssl.cipherSuites

This parameter can be used to configure a list of valid cipher suites (standardized collections of cryptographic algorithms). Multiple entries are separated using commas. An anonymous TLS mode is passed by default, as there can be no assurance that all FirstSpirit installations will feature a certificate store.
Recommended configuration: To ensure secure encryption, the first step is to install a trustworthy certificate (via a certificate store) and then configure the DEFAULT value at this point. (Similar procedure to that described in HTTPS server configuration.)

fs.ssl.keyStore

This parameter is used to specify the path to the Java Key Store (JKS).

fs.ssl.keyStorePassword

This parameter is used to specify the password for the Java Key Store (JKS).

fs.ssl.keyManagerPassword

The JKS contains multiple private keys, each of which can have a password just like the key store itself. This parameter can be used to configure the password for the private key. In most cases, the key does not have a separate password and so it is sufficient to configure the fs.ssl.keyStorePassword parameter.

fs.ssl.trustStore

This parameter is used to specify the path to the Java Trust Store.

fs.ssl.trustStorePassword

This parameter is used to specify the password for the Java Trust Store.

fs.ssl.wantClientAuth

Client SSL authentication is disabled by default (default value: false). To enable client SSL authentication for internal communication over TLS, this parameter must be set to true. If true is passed here, a valid certificate for client SSL authentication is requested, but is not absolutely necessary (in contrast to the fs.ssl.needClientAuth parameter).

fs.ssl.needClientAuth

Client SSL authentication is disabled by default (default value: false). To enable client SSL authentication for internal communication over TLS, this parameter must be set to true. In this case, a valid certificate is required for successful client SSL authentication.

Example of how to configure an encrypted connection:

fs.ssl.needClientAuth=true
fs.ssl.cipherSuites=DEFAULT
fs.ssl.keyStore=/home/server_cert.jks
fs.ssl.keyStorePassword=q1w2e3r4t

Global configuration: As an alternative to the FirstSpirit keystore parameters, the Java keystore parameters can be used instead. In this case, use of the FirstSpirit parameters is no longer permitted. In addition, the Java parameters affect all SSL instances in the Java VM (that is, they are not restricted to FirstSpirit):

fs.ssl.needClientAuth=true
fs.ssl.cipherSuites=DEFAULT
javax.net.ssl.keyStore=/home/server_cert.jks
javax.net.ssl.keyStorePassword=q1w2e3r4t
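The parameter descriptions above (fs.ssl.protocols, fs.ssl.cipherSuites, the client authentication switches and the rule that fs.ssl.* store parameters may not be mixed with the javax.net.ssl.* ones) can be turned into a small review check. The following Python block is an added example, not part of the FirstSpirit documentation or product: it parses the key=value lines of an fs-server.conf excerpt and reports the settings this page advises against. Both configuration texts inside it are constructed for the demonstration; the first mirrors the defaults shown at the top of this page, the second the recommended configuration.

```python
"""Review the SSL area of fs-server.conf against this page's recommendations.

Added example, not FirstSpirit code. Rules implemented:
  - fs.ssl.protocols should not enable legacy protocol versions (recommended: TLSv1.2)
  - fs.ssl.cipherSuites should not contain anonymous suites (recommended: DEFAULT with a certificate)
  - fs.ssl.* and javax.net.ssl.* store parameters must not be used together
  - client authentication requires a configured keystore
"""

# Constructed sample: the defaults printed at the top of this page, plus a mixed
# fs.ssl.* / javax.net.ssl.* keystore setup, so every rule has something to report.
SAMPLE_CONF = """\
# SSL parameters (constructed sample)
fs.ssl.protocols=TLSv1
fs.ssl.cipherSuites=TLS_DH_anon_WITH_AES_128_CBC_SHA
fs.ssl.wantClientAuth=false
fs.ssl.needClientAuth=true
fs.ssl.keyStore=/home/server_cert.jks
fs.ssl.keyStorePassword=
javax.net.ssl.keyStorePassword=q1w2e3r4t
"""

# Constructed sample following the "Example of how to configure an encrypted connection".
HARDENED_CONF = """\
fs.ssl.protocols=TLSv1.2
fs.ssl.needClientAuth=true
fs.ssl.cipherSuites=DEFAULT
fs.ssl.keyStore=/home/server_cert.jks
fs.ssl.keyStorePassword=q1w2e3r4t
"""

WEAK_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
FS_STORE_KEYS = ["fs.ssl.keyStore", "fs.ssl.keyStorePassword", "fs.ssl.keyManagerPassword",
                 "fs.ssl.trustStore", "fs.ssl.trustStorePassword"]
JAVA_STORE_KEYS = ["javax.net.ssl.keyStore", "javax.net.ssl.keyStorePassword",
                   "javax.net.ssl.trustStore", "javax.net.ssl.trustStorePassword"]


def parse_conf(text: str) -> dict:
    """Parse key=value lines; '#' comment lines and blanks are ignored, later keys win."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def _csv(value: str) -> list:
    """Split a comma-separated parameter value into its non-empty entries."""
    return [v.strip() for v in value.split(",") if v.strip()]


def lint_ssl(conf: dict) -> list:
    """Return (parameter, problem) pairs for settings this page advises against."""
    findings = []

    weak = [p for p in _csv(conf.get("fs.ssl.protocols", "DEFAULT")) if p in WEAK_PROTOCOLS]
    if weak:
        findings.append(("fs.ssl.protocols",
                         f"legacy protocol(s) {', '.join(weak)} enabled; recommended value is TLSv1.2"))

    anon = [s for s in _csv(conf.get("fs.ssl.cipherSuites", "DEFAULT")) if "_anon_" in s]
    if anon:
        findings.append(("fs.ssl.cipherSuites",
                         f"anonymous suite(s) {', '.join(anon)}: peers are not authenticated; "
                         "install a certificate and set DEFAULT"))

    fs_used = [k for k in FS_STORE_KEYS if conf.get(k)]
    java_used = [k for k in JAVA_STORE_KEYS if conf.get(k)]
    if fs_used and java_used:
        findings.append(("keystore",
                         "fs.ssl.* and javax.net.ssl.* store parameters are both set; "
                         "the FirstSpirit parameters are not permitted once the Java ones are used"))

    client_auth = any(conf.get(k, "false").lower() == "true"
                      for k in ("fs.ssl.wantClientAuth", "fs.ssl.needClientAuth"))
    if client_auth and not (conf.get("fs.ssl.keyStore") or conf.get("javax.net.ssl.keyStore")):
        findings.append(("clientAuth", "client authentication enabled but no keystore is configured"))

    return findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        findings = lint_ssl(parse_conf(text))
        print(f"{name}: {len(findings)} finding(s)")
        for key, problem in findings:
            print(f"  {key}: {problem}")
```

The check is deliberately limited to what the page states; whether a given protocol or cipher suite name is accepted at all still depends on the JDK in use, as the fs.ssl.protocols description notes.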

See also:
http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#Customization

© 2005 - 2024 Crownpeak Technology GmbH | All rights reserved. | FirstSpirit 2024.4 | Data privacy