Enabling TLS with Datameer
Enable TLS for use with Datameer in enterprise or production environments.
Your operations team might want to enable a firewall in front of Datameer to ensure that only TLS is available (blocking regular HTTP). Even with this setting, Datameer uses both HTTP and HTTPS services.
To run Datameer on the standard HTTPS port (443), system administrators need to apply additional configuration.
That change eliminates the need to type ":8443" at the end of the URL each time users access Datameer.
All port changes should be made in the start.ini file, which overrides jetty.port.
- 1 Enabling TLS
- 2 Configuring TLS
- 3 Custom Certificates
- 4 Caveats
- 4.2 Port forwarding
- 4.2.1 Forwarding the port
Enabling TLS
Datameer ships with Jetty 9. To enable the HTTPS and SSL modules within the current Datameer installation directory, perform the following step:
Add the HTTPS and SSL modules to the start-up configuration:
Enable modules
# Check default configuration
java -jar start.jar --list-config | grep -i 'etc/jetty*'
# Add SSL and HTTPS to the startup modules
java -jar start.jar --add-to-start=ssl,https
# Check final configuration
java -jar start.jar --list-config
Optionally, configure the HTTPS default port:
start.ini
grep -in '8443' start.ini
99:jetty.secure.port=8443
129:https.port=8443
Optional step: The standard keystore holds only the Jetty default certificate. You can use it or create your own. Follow Import Custom SSL Certificates to create one and edit the paths and passwords in jetty-ssl.xml for your keystore.
etc/keystore
keytool -list -keystore etc/keystore -storepass storepwd -v
Configuring TLS
Create a backup
Before implementing any changes, create a backup of the original configuration file and consult the corresponding Jetty documentation on Configuring SSL/TLS.
# Create a backup of the original configuration file
cp etc/jetty-ssl.xml etc/jetty-ssl.xml.original
Disable SSLv3 protocol (to prevent POODLE attack)
Review Disabling/Enabling specific cipher suites before making any changes.
This has already been configured in:
<datameer-install-path>/etc/jetty-ssl.xml
<Set name="ExcludeProtocols">
<Array type="String">
<Item>SSLv3</Item>
</Array>
</Set>
Exclude insecure cipher suites
Review Disabling/Enabling specific cipher suites before making any changes.
To exclude insecure cipher suites you need to specify them:
etc/jetty-ssl.xml
<Set name="ExcludeCipherSuites">
<Array type="String">
<Item>.*RC4.*</Item>
<Item>.*DES.*</Item>
<Item>SSL_RSA_WITH_NULL_SHA</Item>
<Item>SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5</Item>
<Item>SSL_RSA_WITH_IDEA_CBC_SHA</Item>
<Item>SSL_FORTEZZA_KEA_WITH_NULL_SHA</Item>
<Item>SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA</Item>
<Item>SSL_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
<Item>SSL_RSA_WITH_AES_128_CBC_SHA</Item>
<Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>
<Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
<Item>TLS_ECDHE_RSA_WITH_RC4_128_SHA</Item>
<Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</Item>
</Array>
</Set>
Set the secure flag for cookies
Mark cookies as Secure and HTTP-Only where appropriate to minimize the impact of cross-site scripting attacks. This flag is set automatically.
Disable TLS renegotiation
Review Configuring SslContextFactory before making any changes.
TLS renegotiation should be disabled to prevent an attack based on this feature:
<datameer-install-path>/etc/jetty-ssl.xml
<Set name="renegotiationAllowed">FALSE</Set>
You should also create a change log:
Changelog
# Create a log of changes made
diff -e etc/jetty-ssl.xml.original etc/jetty-ssl.xml > changes.jetty-ssl.xml
Disable HTTP connections
Datameer recommends redirecting all HTTP requests to HTTPS instead of disabling the HTTP connector.
Working within the current Datameer installation directory, remove the module that accepts HTTP connections from Jetty startup configuration:
start.ini
# ---------------------------------------
# Module: http
# --module=http
### HTTP Connector Configuration
## HTTP port to listen on
# jetty.port=8080
## HTTP idle timeout in milliseconds
# http.timeout=30000
Custom Certificates
To use a custom certificate follow the instructions under Import Custom SSL Certificates.
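To check that the edits from the Configuring TLS section actually landed in jetty-ssl.xml, the following added Python audit (not part of Datameer or Jetty; the sample XML and the probe cipher suite names are constructed here) parses the file and reports anything from that checklist that is missing. It applies the exclusion entries the way Jetty does, as regular expressions that must match the whole suite name, so it also flags a pattern broad enough to drop a strong suite.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample mirroring the jetty-ssl.xml snippets above (not a real Datameer install file).
SAMPLE_JETTY_SSL_XML = """<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="ExcludeProtocols"><Array type="String"><Item>SSLv3</Item></Array></Set>
  <Set name="ExcludeCipherSuites"><Array type="String">
    <Item>.*RC4.*</Item>
    <Item>.*DES.*</Item>
    <Item>SSL_RSA_WITH_NULL_SHA</Item>
  </Array></Set>
  <Set name="renegotiationAllowed">FALSE</Set>
</Configure>
"""
# Constructed probe names: the weak ones must end up excluded, the strong one must survive.
WEAK_SUITES = ("TLS_ECDHE_RSA_WITH_RC4_128_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_RSA_WITH_NULL_SHA")
STRONG_SUITE = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"

def parse_ssl_settings(xml_text):
    """Collect the <Set> values that the checklist above cares about."""
    settings = {"ExcludeProtocols": [], "ExcludeCipherSuites": [], "renegotiationAllowed": None}
    for node in ET.fromstring(xml_text).iter("Set"):
        name = node.get("name")
        if name in ("ExcludeProtocols", "ExcludeCipherSuites"):
            settings[name] = [i.text.strip() for i in node.iter("Item") if i.text]
        elif name == "renegotiationAllowed":
            settings[name] = (node.text or "").strip().lower() == "true"
    return settings

def suite_excluded(suite, patterns):
    """Jetty treats each entry as a regex that must match the whole suite name."""
    return any(re.fullmatch(p, suite) for p in patterns)

def audit(xml_text):
    """Return findings; an empty list means every check from the page passed."""
    s = parse_ssl_settings(xml_text)
    findings = []
    if "SSLv3" not in s["ExcludeProtocols"]:
        findings.append("SSLv3 not excluded (POODLE)")
    if s["renegotiationAllowed"] is not False:
        findings.append("renegotiationAllowed is not FALSE")
    for suite in WEAK_SUITES:
        if not suite_excluded(suite, s["ExcludeCipherSuites"]):
            findings.append("weak cipher suite still allowed: " + suite)
    if suite_excluded(STRONG_SUITE, s["ExcludeCipherSuites"]):
        findings.append("exclusion patterns also drop " + STRONG_SUITE)
    return findings
```

Run `audit(open("etc/jetty-ssl.xml").read())` from the Datameer installation directory to check the real file.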
Caveats
According to the w3.org documentation, ports below 1024 are privileged on Linux; only root can bind to them. If Datameer is configured to listen on such a port without that privilege, the embedded Jetty web service fails to start:
logs/<date>.stderrout.log
dmlog
...
==> logs/<date>.stderrout.log <==
WARN:oejuc.AbstractLifeCycle:main: FAILED ServerConnector {SSL-http/1.1}{0.0.0.0:443}: java.net.SocketException: Keine Berechtigung
...
java.lang.reflect.InvocationTargetException
...
WARN o.e.j.u.component.AbstractLifeCycle - FAILED ServerConnector {SSL-http/1.1}{0.0.0.0:443}: java.net.SocketException: Permission denied
You can either use ports >1024 or run under the root account (not recommended). If it is necessary to use ports <1024, use port forwarding or other configurations.
Port forwarding
Forwarding the port
Find the name of the external network interface (eth0 in the example):
ifconfig
eth0 Link encap:Ethernet Hardware Adresse <mac>
...
Redirect incoming TCP traffic on port 443 to the Jetty HTTPS port 8443 and enable IP forwarding:
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8443
sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1