Activating HTTPS listener (Lobster Integration and Admin Console)
The following XML fragment is used to add an HTTPS listener (HTTPS connector) to the current HTTP server in the configuration file ./etc/hub.xml (Lobster Integration) or ./etc/admin.xml (Admin Console) for incoming, SSL-secured requests. Notice the different values of refid for Lobster Integration and the Admin Console.
| Version | ./etc/hub.xml | ./etc/admin.xml |
|---|---|---|
| Before 4.6.9, and as of LDP | Communication and GUI | Admin Console only |
| 4.6.9 through the end of the 4.6.x branch (new installations only, not updates) | Communication only (e.g., HTTP, AS2) | Admin Console and GUI |
Include a TLS-capable certificate in Lobster Integration. When creating a self-signed certificate in the Create new certificate dialog box, select the following check boxes:
Signing
Encryption
TLS Server
Signing/Encryption must be supported
For guidance on creating and managing a certificate for HTTPS web servers, see chapter Certificates.
Recommended reference method: in the parameter `<Set name="serverCertSubjectName">`, use the notation `ksnote:mycertificate`, where mycertificate is the value you entered in the Note field of your certificate.
Use this method instead of specifying the certificate ID or the Common Name (CN): the certificate ID changes when your certificate expires, and common names are not guaranteed to be unique.
This avoids name conflicts and unnecessary changes to the configuration file. Make sure the values you use in the Note field are unique.
Note
If the specified certificate is not found, the first suitable certificate found is used automatically. An HTTP listener and an HTTPS listener can run in parallel.
Important
Changes to XML configuration files are only picked up on Integration Server restart. A restart is therefore required after every change.
```xml
<!-- SSL support by authentication service, preferred method -->
<!-- =========================================================== -->
<!-- Add a HTTPS Connector. -->
<!-- Configure an o.e.j.server.ServerConnector with connection -->
<!-- factories for TLS (aka SSL) and HTTP to provide HTTPS. -->
<!-- All accepted TLS connections are wired to a HTTP connection.-->
<!-- -->
<!-- Consult the javadoc of o.e.j.server.ServerConnector, -->
<!-- o.e.j.server.SslConnectionFactory and -->
<!-- o.e.j.server.HttpConnectionFactory for all configuration -->
<!-- that may be set here. -->
<!-- =========================================================== -->
<Call id="httpsConnector" name="addConnector">
  <Arg>
    <New class="org.eclipse.jetty.server.ServerConnector">
      <Arg name="server">
        <!-- Use "MainServer" for Lobster Integration and "AdminServer" for Admin Console -->
        <Ref refid="MainServer" />
      </Arg>
      <Arg name="factories">
        <Array type="org.eclipse.jetty.server.ConnectionFactory">
          <Item>
            <New class="org.eclipse.jetty.server.SslConnectionFactory">
              <Arg name="next">http/1.1</Arg>
              <Arg name="sslContextFactory">
                <New class="com.ebd.hub.server.http.jetty.AuthServiceSSLContextFactory">
                  <!-- <Set name="serverCertSubjectName">*CN=YourCertificateCommonName*</Set> -->
                  <!-- <Set name="serverCertSubjectName">certid:1574423144929056</Set> -->
                  <Set name="serverCertSubjectName">ksnote:mycertificate</Set>
                  <Call name="addExcludeCipherSuites">
                    <Arg>
                      <Array type="String">
                        <Item>.*NULL.*</Item>
                        <Item>.*RC4.*</Item>
                        <Item>.*MD5.*</Item>
                        <Item>.*DES.*</Item>
                        <Item>.*DSS.*</Item>
                      </Array>
                    </Arg>
                  </Call>
                  <Call name="addExcludeProtocols">
                    <Arg>
                      <Array type="java.lang.String">
                        <Item>SSL</Item>
                        <Item>SSLv2</Item>
                        <Item>SSLv2Hello</Item>
                        <Item>SSLv3</Item>
                      </Array>
                    </Arg>
                  </Call>
                  <Set name="renegotiationAllowed">FALSE</Set>
                  <Set name="IncludeCipherSuites">
                    <Array type="String">
                      <Item>TLS_DHE_RSA.*</Item>
                      <Item>TLS_ECDHE.*</Item>
                    </Array>
                  </Set>
                </New>
              </Arg>
            </New>
          </Item>
          <Item>
            <New class="org.eclipse.jetty.server.HttpConnectionFactory">
              <Arg name="config">
                <Ref refid="sslHttpConfig" />
              </Arg>
            </New>
          </Item>
        </Array>
      </Arg>
      <Set name="port">443</Set>
      <Set name="idleTimeout">180000</Set>
    </New>
  </Arg>
</Call>
```
Forcing HTTPS for Admin Console
To force an HTTPS login for the Admin Console, the following two entries must be edited.
Configuration file ./etc/startup.xml
```xml
<!-- admin console: use SSL & port -->
<Call name="setAdminUrlParams"><Arg type="boolean">true</Arg><Arg type="int">443</Arg></Call>
```
Configuration file ./etc/webdefault.xml
```xml
<!-- redirect to https -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Everything</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```
Activating HTTPS listener (DMZ server)
To enable HTTPS on the DMZ server, perform the same steps in the configuration file /etc/hub.xml on the DMZ server as described above. The certificate specified there is also a certificate from the inner system (Lobster Integration).
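Since the same listener fragment is deployed on the inner system and on the DMZ server, it is worth checking mechanically that a copy still matches the hardened baseline shown above. The following script is an added example (not part of the Lobster documentation or product): it parses a fragment with Python's standard XML module and reports a non-ksnote: certificate reference, missing protocol or cipher exclusions, enabled renegotiation, and a refid that does not match the expected server. The embedded sample is constructed and deliberately weakened; hub.example.test is a placeholder name.

```python
import xml.etree.ElementTree as ET
# Constructed sample (not from the page): a trimmed copy of the listener fragment above, weakened
# on purpose (CN reference, two protocols and two cipher patterns missing, renegotiation enabled).
SAMPLE = """<Configure><Call id="httpsConnector" name="addConnector"><Arg>
<New class="org.eclipse.jetty.server.ServerConnector">
 <Arg name="server"><Ref refid="MainServer"/></Arg>
 <Arg name="factories"><Array type="org.eclipse.jetty.server.ConnectionFactory"><Item>
  <New class="org.eclipse.jetty.server.SslConnectionFactory"><Arg name="next">http/1.1</Arg>
   <Arg name="sslContextFactory">
    <New class="com.ebd.hub.server.http.jetty.AuthServiceSSLContextFactory">
     <Set name="serverCertSubjectName">CN=hub.example.test</Set>
     <Call name="addExcludeCipherSuites"><Arg><Array type="String">
      <Item>.*NULL.*</Item><Item>.*RC4.*</Item><Item>.*MD5.*</Item></Array></Arg></Call>
     <Call name="addExcludeProtocols"><Arg><Array type="java.lang.String">
      <Item>SSLv2Hello</Item><Item>SSLv3</Item></Array></Arg></Call>
     <Set name="renegotiationAllowed">TRUE</Set>
    </New></Arg></New></Item></Array></Arg>
 <Set name="port">443</Set></New></Arg></Call></Configure>"""

CTX_CLASS = "com.ebd.hub.server.http.jetty.AuthServiceSSLContextFactory"
REQUIRED_EXCLUDES = {  # baseline taken from the fragment on this page
    "addExcludeProtocols": {"SSL", "SSLv2", "SSLv2Hello", "SSLv3"},
    "addExcludeCipherSuites": {".*NULL.*", ".*RC4.*", ".*MD5.*", ".*DES.*", ".*DSS.*"},
}

def _items(ctx, call_name):
    """Collect the <Item> strings passed to <Call name=call_name> on the context factory."""
    call = ctx.find(f"./Call[@name='{call_name}']")
    return set() if call is None else {i.text.strip() for i in call.iter("Item")}

def lint_https_listener(xml_text, expected_refid):
    """Return a list of findings; an empty list means the fragment matches the baseline."""
    root = ET.fromstring(xml_text)
    findings = []
    ref = root.find(".//Arg[@name='server']/Ref")
    if ref is None or ref.get("refid") != expected_refid:  # MainServer vs. AdminServer
        findings.append(f"server refid must be {expected_refid}")
    ctx = root.find(f".//New[@class='{CTX_CLASS}']")
    if ctx is None:
        return findings + ["AuthServiceSSLContextFactory block missing"]
    subj = (ctx.findtext("./Set[@name='serverCertSubjectName']") or "").strip()
    if not subj.startswith("ksnote:"):  # certid:/CN= break on renewal or are not unique
        findings.append(f"certificate referenced as '{subj}'; use ksnote:<note> instead")
    for call_name, required in REQUIRED_EXCLUDES.items():
        missing = required - _items(ctx, call_name)
        if missing:
            findings.append(f"{call_name} lacks: " + ", ".join(sorted(missing)))
    if (ctx.findtext("./Set[@name='renegotiationAllowed']") or "").strip().upper() != "FALSE":
        findings.append("renegotiationAllowed must be FALSE")
    return findings
```

Run it against the real ./etc/hub.xml with "MainServer" (or ./etc/admin.xml with "AdminServer") after every edit and before the restart that activates the change; an empty result means the fragment matches the baseline, and a ksnote: value that matches no certificate still needs a manual check because the server silently falls back to the first suitable certificate.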
Let's Encrypt (automatic certificate handling)
See section Let's Encrypt/ACME/Certbot (to receive and renew certificates from a Certificate Authority free of charge and automatically).