Enabling TLS with Datameer
Enable TLS for use with Datameer in enterprise or production environments.
Your operations team might want to put a firewall in front of Datameer so that only TLS is reachable from outside (blocking plain HTTP). Even with such a firewall in place, Datameer itself still starts both its HTTP and HTTPS services unless the HTTP connector is disabled as described below.
To run Datameer on the standard HTTPS port (443), system administrators need to apply additional configuration.
This change eliminates the need to type ":8443" at the end of the URL each time users access Datameer.
All port changes should be made in the start.ini file, which overrides jetty.port.
Enabling TLS
Datameer ships with Jetty 9. To enable the HTTPS and SSL modules within the current Datameer installation directory, perform the following step:
Add the HTTPS and SSL module to start up configuration:
Enable modules
    # Check default configuration
    java -jar start.jar --list-config | grep -i 'etc/jetty*'
    # Add SSL and HTTPS to the startup modules
    java -jar start.jar --add-to-start=ssl,https
    # Check final configuration
    java -jar start.jar --list-config
Optionally, configure the HTTPS default port:
start.ini
    grep -in '8443' start.ini
    99:jetty.secure.port=8443
    129:https.port=8443
Disable the ServerConnector that accepts HTTP connections
If you configure the DAS_PORT environment variable, you need to disable the ServerConnector that accepts HTTP connections. Otherwise, this port would already be in use when the SslServerConnector tries to start.
Optional step: the standard keystore holds only the Jetty default certificate. You can use this or create your own. Follow Import Custom SSL Certificates to create one and edit the paths and passwords in jetty-ssl.xml for your keystore. To inspect the current keystore:
etc/keystore
    keytool -list -keystore etc/keystore -storepass storepwd -v
Configuring TLS
Create a backup
    # Create a backup of the original configuration file
    cp etc/jetty-ssl.xml etc/jetty-ssl.xml.original
Disable SSLv3 protocol (to prevent POODLE attack)
This has already been configured in:
    <Set name="ExcludeProtocols">
      <Array type="String">
        <Item>SSLv3</Item>
      </Array>
    </Set>
Exclude insecure cipher suites
To exclude insecure cipher suites you need to specify them:
    <Set name="ExcludeCipherSuites">
      <Array type="String">
        <Item>.*RC4.*</Item>
        <Item>.*DES.*</Item>
        <Item>SSL_RSA_WITH_NULL_SHA</Item>
        <Item>SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5</Item>
        <Item>SSL_RSA_WITH_IDEA_CBC_SHA</Item>
        <Item>SSL_FORTEZZA_KEA_WITH_NULL_SHA</Item>
        <Item>SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA</Item>
        <Item>SSL_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
        <Item>SSL_RSA_WITH_AES_128_CBC_SHA</Item>
        <Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>
        <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
        <Item>TLS_ECDHE_RSA_WITH_RC4_128_SHA</Item>
        <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</Item>
      </Array>
    </Set>
Set the secure flag for cookies
Mark cookies as Secure and HTTP-Only where appropriate to minimize the impact of cross-site scripting attacks. Datameer sets these flags automatically.
Disable TLS renegotiation
TLS renegotiation should be disabled to prevent an attack based on this feature:
<Set name="renegotiationAllowed">FALSE</Set>
You should also create a change log:
    # Create a log of changes made
    diff -e etc/jetty-ssl.xml.original etc/jetty-ssl.xml > changes.jetty-ssl.xml
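As an added example, not part of the Datameer documentation or of Jetty's own code, the following Python script reads the three settings edited above from a jetty-ssl.xml excerpt, applies the ExcludeCipherSuites entries to a constructed list of JVM cipher suites, and reports anything weak that would still be enabled. It assumes Jetty 9 treats each exclusion entry as a regular expression that must match the whole suite name, which is why `.*DES.*` also removes 3DES suites.

```python
import re
import xml.etree.ElementTree as ET

# Constructed excerpt of etc/jetty-ssl.xml, reduced to the settings this page edits.
JETTY_SSL_XML = """<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="ExcludeProtocols"><Array type="String"><Item>SSLv3</Item></Array></Set>
  <Set name="ExcludeCipherSuites"><Array type="String">
    <Item>.*RC4.*</Item><Item>.*DES.*</Item><Item>SSL_RSA_WITH_NULL_SHA</Item>
    <Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>
  </Array></Set>
  <Set name="renegotiationAllowed">FALSE</Set>
</Configure>"""

# Constructed sample of suites a JVM might offer; not taken from any real JVM.
JVM_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_NULL_SHA",
]

WEAK_SUITE = re.compile(r".*(RC4|DES|NULL|EXPORT|anon|MD5).*")  # must not survive

def parse_ssl_settings(xml_text):
    """Read the <Set> elements of jetty-ssl.xml into a dict (lists for <Array> values)."""
    settings = {}
    for s in ET.fromstring(xml_text).findall("Set"):
        items = [i.text.strip() for i in s.findall("Array/Item")]
        settings[s.get("name")] = items if items else (s.text or "").strip()
    return settings

def apply_exclusions(suites, patterns):
    """Drop every suite matched by an exclusion entry. Assumption: Jetty 9 treats each
    entry as a regex that must match the whole name, so '.*DES.*' also removes 3DES
    suites while a plain name such as SSL_RSA_WITH_NULL_SHA matches only itself."""
    compiled = [re.compile(p) for p in patterns]
    return [s for s in suites if not any(c.fullmatch(s) for c in compiled)]

def audit(xml_text, suites):
    """Return a list of findings; an empty list means the page's hardening is in place."""
    cfg = parse_ssl_settings(xml_text)
    findings = []
    if "SSLv3" not in cfg.get("ExcludeProtocols", []):
        findings.append("SSLv3 not excluded (POODLE)")
    if str(cfg.get("renegotiationAllowed", "TRUE")).upper() != "FALSE":
        findings.append("TLS renegotiation still allowed")
    for suite in apply_exclusions(suites, cfg.get("ExcludeCipherSuites", [])):
        if WEAK_SUITE.fullmatch(suite):
            findings.append("weak cipher suite still enabled: " + suite)
    return findings
```

Run audit() against your own jetty-ssl.xml and the suite list your JVM actually offers; an empty result means SSLv3, renegotiation and the weak suites are all excluded.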
Disable HTTP connections
In the current Datameer installation directory, remove the module that accepts HTTP connections from the Jetty startup configuration by commenting it out in start.ini as shown:
    # ---------------------------------------
    # Module: http
    # --module=http
    ### HTTP Connector Configuration
    ## HTTP port to listen on
    # jetty.port=8080
    ## HTTP idle timeout in milliseconds
    # http.timeout=30000
Custom Certificates
To use a custom certificate follow the instructions under Import Custom SSL Certificates.
Caveats
According to the w3.org documentation, ports below 1024 are privileged on Linux: only root can bind to them. If Datameer is configured to use such a port without that privilege, the embedded Jetty web service fails to start:
    dmlog
    ...
    ==> logs/<date>.stderrout.log <==
    WARN:oejuc.AbstractLifeCycle:main: FAILED ServerConnector {SSL-http/1.1}{0.0.0.0:443}: java.net.SocketException: Keine Berechtigung
    ...
    java.lang.reflect.InvocationTargetException
    ...
    WARN o.e.j.u.component.AbstractLifeCycle - FAILED ServerConnector {SSL-http/1.1}{0.0.0.0:443}: java.net.SocketException: Permission denied
You can either use ports >1024 or run under the root account (not recommended). If it is necessary to use ports <1024, use port forwarding or other configurations.
Port forwarding
    ifconfig eth0
    eth0      Link encap:Ethernet  Hardware Adresse <mac>
    ...
    iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8443
    sysctl -w net.ipv4.ip_forward=1
    net.ipv4.ip_forward = 1