Enabling TLS with Datameer

Enable TLS for use with Datameer in enterprise or production environments.

Your operations team might want to place a firewall in front of Datameer so that only TLS is reachable (blocking plain HTTP). Even with such a firewall in place, Datameer itself still runs both its HTTP and HTTPS services.

To serve Datameer on the standard HTTPS port (443), system administrators need to apply additional configuration.

This change removes the need for users to type ":8443" at the end of the URL each time they access Datameer.

All port changes should be made in the start.ini file, which overrides jetty.port.

Enabling TLS 

Datameer ships with Jetty 9. To enable the HTTPS and SSL modules within the current Datameer installation directory, perform the following steps:

  1. Add the HTTPS and SSL modules to the startup configuration:

    Enable modules
    # Check default configuration
    java -jar start.jar --list-config | grep -i 'etc/jetty*'
    # Add SSL and HTTPS to the startup modules
    java -jar start.jar --add-to-start=ssl,https
    # Check final configuration
    java -jar start.jar --list-config
  2. Optionally, configure the HTTPS default port:

    start.ini
    grep -in '8443' start.ini
    99:jetty.secure.port=8443
    129:https.port=8443

    Disable the ServerConnector that accepts HTTP connections

    If you configure the DAS_PORT environment variable, you need to disable the ServerConnector that accepts HTTP connections. Otherwise, that port is already in use when the SslServerConnector tries to start.

  3. Optional: the standard keystore holds only the Jetty default certificate. You can use it or create your own. Follow Import Custom SSL Certificates to create one, then edit the keystore paths and passwords referenced by jetty-ssl.xml.

    etc/keystore
    keytool -list -keystore etc/keystore -storepass storepwd -v

    You don't need to create a new instance of SslContextFactory, as one already exists in etc/jetty-ssl.xml. If necessary, edit the path and password for your keystore only in start.ini.

Configuring TLS

Create a backup

Before implementing any changes, create a backup of the original configuration file and consult the corresponding Jetty documentation on Configuring SSL/TLS.
# Create a backup of the original configuration file
cp etc/jetty-ssl.xml etc/jetty-ssl.xml.original

Disable SSLv3 protocol (to prevent POODLE attack)

Review Disabling/Enabling specific cipher suites before making any changes.

This has already been configured in:

<datameer-install-path>/etc/jetty-ssl.xml
  <Set name="ExcludeProtocols">
    <Array type="String">
      <Item>SSLv3</Item>
    </Array>
  </Set>

Exclude insecure cipher suites

Review Disabling/Enabling specific cipher suites before making any changes.

To exclude insecure cipher suites, list them explicitly:

etc/jetty-ssl.xml
  <Set name="ExcludeCipherSuites">
    <Array type="String">
      <Item>.*RC4.*</Item>
      <Item>.*DES.*</Item>
      <Item>SSL_RSA_WITH_NULL_SHA</Item>
      <Item>SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5</Item>
      <Item>SSL_RSA_WITH_IDEA_CBC_SHA</Item>
      <Item>SSL_FORTEZZA_KEA_WITH_NULL_SHA</Item>
      <Item>SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA</Item>
      <Item>SSL_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
      <Item>SSL_RSA_WITH_AES_128_CBC_SHA</Item>
      <Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>
      <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
      <Item>TLS_ECDHE_RSA_WITH_RC4_128_SHA</Item>
      <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</Item>
    </Array>
  </Set>

Set the secure flag for cookies

Mark cookies as Secure and HttpOnly where appropriate to limit the impact of cross-site scripting attacks. This flag is set automatically.

Disable TLS renegotiation

Review Configuring SslContextFactory before making any changes.

TLS renegotiation should be disabled to prevent an attack based on this feature:

<datameer-install-path>/etc/jetty-ssl.xml
<Set name="renegotiationAllowed">FALSE</Set>

You should also keep a change log:

Changelog
# Create a log of the changes made
diff -e etc/jetty-ssl.xml.original etc/jetty-ssl.xml > changes.jetty-ssl.xml

Disable HTTP connections

Working within the current Datameer installation directory, remove the module that accepts HTTP connections from the Jetty startup configuration by commenting out the http module and its settings in start.ini:
start.ini
# ---------------------------------------
# Module: http
# --module=http
### HTTP Connector Configuration

## HTTP port to listen on
# jetty.port=8080

## HTTP idle timeout in milliseconds
# http.timeout=30000
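The following audit script is an added example (not Datameer or Jetty code) that checks the settings from the steps above: the SSLv3 exclusion, the cipher-suite exclusions and the renegotiation flag in jetty-ssl.xml, and the removal of the http module from start.ini. It relies on the fact that Jetty 9 compiles each ExcludeCipherSuites entry as a regular expression matched against the whole suite name, which is why entries such as .*RC4.* work; the two configuration excerpts are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

# Constructed excerpt in the shape of <datameer-install-path>/etc/jetty-ssl.xml after the
# edits above (a real file is read the same way with ET.parse(path).getroot()).
HARDENED_XML = """<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="ExcludeProtocols"><Array type="String"><Item>SSLv3</Item></Array></Set>
  <Set name="ExcludeCipherSuites"><Array type="String">
    <Item>.*RC4.*</Item><Item>.*DES.*</Item><Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>
  </Array></Set>
  <Set name="renegotiationAllowed">FALSE</Set>
</Configure>"""
# Constructed start.ini excerpt with the http module commented out as shown above.
HARDENED_INI = "--module=server\n--module=ssl,https\n# --module=http\n# jetty.port=8080\nhttps.port=8443\n"

def items_of(root, name):
    """Strings inside <Set name=NAME><Array><Item>..</Item></Array></Set>."""
    return [i.text.strip() for s in root.iter("Set") if s.get("name") == name
            for i in s.iter("Item")]

def set_text(root, name):
    """Text of a simple <Set name=NAME>value</Set>, or "" if absent."""
    return next(((s.text or "").strip() for s in root.iter("Set") if s.get("name") == name), "")

def excluded_by(patterns, suite):
    """Jetty 9 compiles each ExcludeCipherSuites entry as a regex and drops a suite
    only when the pattern matches the whole name, hence the '.*RC4.*' form."""
    return any(re.fullmatch(p, suite) for p in patterns)

def audit_ssl_xml(xml_text):
    root = ET.fromstring(xml_text)
    ciphers = items_of(root, "ExcludeCipherSuites")
    return {
        "sslv3_excluded": "SSLv3" in items_of(root, "ExcludeProtocols"),
        "renegotiation_disabled": set_text(root, "renegotiationAllowed").lower() == "false",
        "rc4_excluded": excluded_by(ciphers, "TLS_ECDHE_RSA_WITH_RC4_128_SHA"),
        "3des_excluded": excluded_by(ciphers, "SSL_RSA_WITH_3DES_EDE_CBC_SHA"),
        # A modern suite must survive, otherwise the exclusions would break the listener.
        "aes_gcm_kept": not excluded_by(ciphers, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
    }

def active_modules(start_ini_text):
    """Modules enabled by uncommented --module= lines (comma-separated lists included)."""
    mods = set()
    for line in (l.strip() for l in start_ini_text.splitlines()):
        if line.startswith("--module="):
            mods.update(m.strip() for m in line[len("--module="):].split(","))
    return mods

def audit_start_ini(start_ini_text):
    mods = active_modules(start_ini_text)
    return {"http_disabled": "http" not in mods, "tls_enabled": {"ssl", "https"} <= mods}
```

Any False value in the returned dictionaries points at a step above that was skipped or mistyped; run it against your own etc/jetty-ssl.xml and start.ini before restarting Datameer.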

Custom Certificates

To use a custom certificate follow the instructions under Import Custom SSL Certificates.

Caveats

According to the w3.org documentation, ports below 1024 are privileged on Linux: only root can bind to them. If Datameer is configured for such a port without the required privilege, the embedded Jetty web service fails to start:

logs/<date>.stderrout.log
dmlog
...
==> logs/<date>.stderrout.log <==
WARN:oejuc.AbstractLifeCycle:main: FAILED ServerConnector {SSL-http/1.1}{0.0.0.0:443}: java.net.SocketException: Keine Berechtigung
...
java.lang.reflect.InvocationTargetException
...
WARN  o.e.j.u.component.AbstractLifeCycle - FAILED ServerConnector {SSL-http/1.1}{0.0.0.0:443}: java.net.SocketException: Permission denied

You can either use ports >1024 or run under the root account (not recommended). If ports <1024 are required, use port forwarding or a similar configuration.

Port forwarding 

Forwarding the port
# Identify the external interface
ifconfig
eth0      Link encap:Ethernet  Hardware Adresse <mac>
...
# Redirect incoming TCP 443 on eth0 to the Jetty HTTPS port
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8443
sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1