Introduction / FirstSpirit Server configuration / Additional security measures / Parameterizing encryption
Parameterizing encryption
Another component of the FirstSpirit security concept is the ability to encrypt internal communication. A parameter in the fs-server.conf file can be used to instruct the FirstSpirit Server to only accept connections with a predefined encryption type (e.g. TLS) (ALLOWED_ENCRYPTIONS=1, see FirstSpirit-Server / Communication).
This optional encryption function can be configured for all internal communication between the FirstSpirit server, FirstSpirit cluster nodes, FirstSpirit SiteArchitect, and the FirstSpirit web applications. Primarily, this includes:
- Server-server communication
(e.g. front-end server – FirstSpirit Server, generation server – FirstSpirit Server) - Client-server communication
(e.g. SiteArchitect – front-end server (HTTPs)/FirstSpirit Server (socket), Web browser – front-end server)
Advanced configuration options are available for encryption. It is now possible to define precisely which protocol version and which algorithms should be used for the encryption process. In addition, certificates for server and client authentication (two-way authentication) are supported. On the client side, any cluster nodes that are present must be taken into account in addition to the FirstSpirit web applications.
On the server side, configuration relies on the fs-server.conf file (including for cluster nodes). On the client side, it relies on Java or system parameters on the application server or utilizes the web.xml file of the web applications.
For FirstSpirit desktop applications, encryption is configured via -D parameters, for example in the connection settings of SiteArchitect or in the startup file of fs-cli.
-Dfirstspirit.encryption=#
-Dfirstspirit.compression=#
As there can be no assurance that all FirstSpirit installations will feature a certificate store, the default configuration settings only allow for conventional encryption (without authentication and certificates). These security settings must be configured separately by the server administrator:
- Configuration of the FirstSpirit server
- Configuration of the web applications and servlets
- Configuration of the cluster nodes
- Configuration of FirstSpirit SiteArchitect
For a full description of the configuration parameters, see FirstSpirit-Server / SSL Parameters. The parameters are written differently depending on whether they are stored in the fs-server.conf file or, for example, as system parameters on the application server. However, exactly the same functional description applies in both cases.
If certificates are to be used for authentication, valid certificates must first be created for the server and, where applicable, for the clients as well. The necessary steps are described in trusted security certificate.