Area: SSL Parameters
################
# SSL parameters
################
# List of enabled protocols (comma separated). "DEFAULT" means use java defaults.
# Recommended value for Java 7 or greater: TLSv1.2
# For Java 6 only TLSv1 is supported.
#
# fs.ssl.protocols=DEFAULT
# fs.ssl.protocols=TLSv1.2
fs.ssl.protocols=TLSv1
# List of enabled cipher suites (comma separated). "DEFAULT" means use java defaults
# (recommended).
#
# fs.ssl.cipherSuites=DEFAULT
fs.ssl.cipherSuites=TLS_DH_anon_WITH_AES_128_CBC_SHA
# Client authentication parameters
# If client authentication is needed, a keystore on client side must be configured:
# -Dfs.ssl.keyStore=pathToKeystore -Dfs.ssl.keyStorePassword=123456 or
# -Djavax.net.ssl.keyStore=pathToKeystore -Djavax.net.ssl.keyStorePassword=123456
fs.ssl.wantClientAuth=false
fs.ssl.needClientAuth=false
# Jetty style OBF password obfuscation is supported for key and truststore passwords,
# if the FirstSpirit specific parameters are used.
# Keystore
fs.ssl.keyStore=
fs.ssl.keyStorePassword=
fs.ssl.keyManagerPassword=
# Truststore
fs.ssl.trustStore=
fs.ssl.trustStorePassword=
This area provides parameters for using the SSL/TLS protocols to encrypt internal communication between the FirstSpirit server, FirstSpirit cluster nodes, FirstSpirit SiteArchitect, and the FirstSpirit web applications. By default, internal communication is encrypted without using client authentication and certificates. However, these aspects can be individually configured using the encryption parameters explained below, with the aim of ensuring maximum security.
For more information on the “Encryption of internal communication” security concept, see Parameterizing encryption.
The following parameters can be configured in the fs-server.conf file:
fs.ssl.protocols
This parameter can be used to configure a list of valid protocol versions for internal communication. TLSv1.2 is selected by default. The values that can be configured here depend on which JDK is being used. If DEFAULT is passed, the default protocol version of the respective JRE is automatically used.
fs.ssl.cipherSuites
This parameter can be used to configure a list of valid cipher suites (standardized collections of cryptographic algorithms). Multiple entries are separated using commas. An anonymous TLS mode is passed by default, as there can be no assurance that all FirstSpirit installations will feature a certificate store.
Recommended configuration: To ensure secure encryption, the first step is to install a trustworthy certificate (via a certificate store) and then configure the DEFAULT value at this point. (Similar procedure to that described in HTTPS server configuration.)
fs.ssl.keyStore
This parameter is used to specify the path to the Java Key Store (JKS).
fs.ssl.keyStorePassword
This parameter is used to specify the password for the Java Key Store (JKS).
fs.ssl.keyManagerPassword
The JKS contains multiple private keys, each of which can have a password just like the key store itself. This parameter can be used to configure the password for the private key. In most cases, the key does not have a separate password and so it is sufficient to configure the fs.ssl.keyStorePassword parameter.
fs.ssl.trustStore
This parameter is used to specify the path to the Java Trust Store.
fs.ssl.trustStorePassword
This parameter is used to specify the password for the Java Trust Store.
fs.ssl.wantClientAuth
Client SSL authentication is disabled by default (default value: false). To enable client SSL authentication for internal communication over TLS, this parameter must be set to true. If true is passed here, a valid certificate for client SSL authentication is requested, but is not absolutely necessary (in contrast to the fs.ssl.needClientAuth parameter).
fs.ssl.needClientAuth
Client SSL authentication is disabled by default (default value: false). To enable client SSL authentication for internal communication over TLS, this parameter must be set to true. In this case, a valid certificate is required for successful client SSL authentication.
Example of how to configure an encrypted connection:
fs.ssl.needClientAuth=true
fs.ssl.cipherSuites=DEFAULT
fs.ssl.keyStore=/home/server_cert.jks
fs.ssl.keyStorePassword=q1w2e3r4t
- For the FirstSpirit web applications, the encryption parameters can be configured centrally on the application server (as an environment variable or a -D property, see Configuring in web applications and servlets).
- For cluster nodes, configuration can – once again – be performed using the fs-server.conf file (see Configuring for cluster nodes).
- And in the case of FirstSpirit SiteArchitect, the connection settings can be used (see Configuring for FirstSpirit SiteArchitect).
Global configuration: As an alternative to the FirstSpirit keystore parameters, the Java keystore parameters can be used instead. In this case, use of the FirstSpirit parameters is no longer permitted. In addition, the Java parameters affect all SSL instances in the Java VM (that is, they are not restricted to FirstSpirit):
fs.ssl.needClientAuth=true
fs.ssl.cipherSuites=DEFAULT
javax.net.ssl.keyStore=/home/server_cert.jks
javax.net.ssl.keyStorePassword=q1w2e3r4t
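As an added example (not code from FirstSpirit or its documentation), the following Python script reads the SSL area of an fs-server.conf and reports the settings this page advises against: legacy protocol versions, anonymous cipher suites, a client-authentication requirement without a keystore, fs.ssl.* and javax.net.ssl.* keystore parameters mixed together, and store passwords kept in clear text. The sample configuration is constructed, and the OBF: check only recognizes the prefix.

```python
# Added example, not FirstSpirit code: a linter for the SSL area of fs-server.conf
# that flags the settings this page warns about. Key names are the page's own.
WEAK_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}   # page recommends TLSv1.2
PASSWORD_KEYS = ("fs.ssl.keyStorePassword", "fs.ssl.keyManagerPassword",
                 "fs.ssl.trustStorePassword")

def parse_properties(text):
    """Parse key=value lines; '#' lines are comments, an empty value stays ''."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def check_ssl_area(props):
    """Return a list of findings for the fs.ssl.* settings in props."""
    findings = []
    protocols = {p.strip() for p in props.get("fs.ssl.protocols", "DEFAULT").split(",")}
    for proto in sorted(protocols & WEAK_PROTOCOLS):
        findings.append(f"fs.ssl.protocols enables {proto}; recommended value is TLSv1.2")
    if "_anon_" in props.get("fs.ssl.cipherSuites", "DEFAULT"):
        # Anonymous suites encrypt but authenticate no peer; the page's advice is
        # to install a certificate and then switch the value to DEFAULT.
        findings.append("fs.ssl.cipherSuites uses an anonymous suite; use DEFAULT with a certificate store")
    fs_ks = props.get("fs.ssl.keyStore", "")
    java_ks = props.get("javax.net.ssl.keyStore", "")
    if fs_ks and java_ks:
        findings.append("fs.ssl.keyStore and javax.net.ssl.keyStore are both set; mixing them is not permitted")
    if props.get("fs.ssl.needClientAuth", "false").lower() == "true" and not (fs_ks or java_ks):
        findings.append("fs.ssl.needClientAuth=true but no keystore is configured")
    for key in PASSWORD_KEYS:
        value = props.get(key, "")
        if value and not value.startswith("OBF:"):
            # OBF: is reversible obfuscation, not encryption, but it keeps the
            # clear-text password out of casual reads of the file.
            findings.append(f"{key} is stored in clear text; Jetty OBF obfuscation is supported")
    return findings

# Constructed sample: the shipped defaults from this page plus needClientAuth=true.
SAMPLE_CONF = """\
fs.ssl.protocols=TLSv1
fs.ssl.cipherSuites=TLS_DH_anon_WITH_AES_128_CBC_SHA
fs.ssl.needClientAuth=true
fs.ssl.keyStore=
fs.ssl.keyStorePassword=
"""
```

Running check_ssl_area(parse_properties(SAMPLE_CONF)) on the sample yields three findings: the TLSv1 protocol, the anonymous cipher suite, and the missing keystore for the client-authentication requirement.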
See also:
http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#Customization