This topic describes how to configure AIE so that every webapp in the AIE web container runs with SSL/TLS enabled, encrypting all traffic to and from the AIE webapps.
Once the AIE web interface is configured for SSL access, you must use "https://" as the URL prefix when navigating to the administration URL (for example, https://localhost:17000/); the port does not change.
Configure the Jetty Instance Within AIE
AIE uses an embedded Jetty instance to provide HTTPS encryption for the AIE Administrator. Because the AIE Administrator and the AIE web services both listen on the WEBB_APPS_PORT, enabling SSL on the Jetty instance enables it for both. By default, AIE is configured to use the same keystore that secures its transport endpoints. If you want to use your own keystore and certificates, see the instructions on Using a Custom Certificate.
- Copy jetty.xml and attivio.ks from <install_dir>\conf\ into the <project_dir>\resources directory.
Locate the block below in the <project_dir>\resources\jetty.xml file:
- Uncomment the 10 lines starting with <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">; this block defines the HTTPS connector.
- Comment out the <New class="org.eclipse.jetty.server.nio.SelectChannelConnector"> line; this is the plain HTTP connector, and it must not remain active.
Uncomment the block below:
- Put your keystore file (for example, attivio.ks) into your <project_dir>\resources directory. If you are using the default Attivio keystore, copy <install_dir>\conf\attivio.ks into <project_dir>\resources. Note that the shipped attivio.ks is the same default keystore in every AIE installation; for anything beyond a test deployment, use your own keystore and certificate (see Using a Custom Certificate).
- Deploy your changes.
- If deploying does not restart AIE automatically, restart it manually, then connect to the AIE Administrator at https://<host>:<baseport>.
The altered configuration should look something like this:
TLS/SSL Protocol Support
The Attivio Platform's Java 8 VM supports the SSLv3.0, TLSv1, TLSv1.1, and TLSv1.2 protocols for HTTPS. Attivio's default jetty.xml configuration contains an excludeProtocols list with an entry for SSLv3.0, so HTTPS connection attempts made with that protocol are rejected (preventing so-called POODLE attacks). You can extend the default excludeProtocols list to exclude additional protocols, or replace it with an includeProtocols list if you want Attivio to accept only a specific set of protocols. Note that the default list still leaves TLSv1 and TLSv1.1 enabled; both are deprecated (RFC 8996), so a production deployment should exclude them as well, or allow TLSv1.2 alone.
Excluding (Blacklisting) TLS/SSL Protocols
To exclude protocols besides SSLv3.0, edit the jetty.xml configuration file. Find the Set element with name="excludeProtocols" and add a new Item entry to its child Array for each protocol you want excluded. Each Item must use the protocol name as the Java runtime spells it (SSLv3, TLSv1, TLSv1.1, TLSv1.2); a misspelled name excludes nothing.
For example, this configuration should reject HTTPS connection attempts made with either the SSLv3.0 or the TLSv1 protocol:
Including (Whitelisting) TLS/SSL Protocols
If you prefer to configure an inclusion list (whitelist) of protocols, change the name attribute of the Set element from excludeProtocols to includeProtocols. Each Item in the child Array then names an allowed HTTPS protocol; Attivio rejects connection attempts made with any protocol not listed. Because an inclusion list restricts rather than extends the set, it must name at least one protocol that the JVM supports, or no client will be able to complete a handshake.
For example, this configuration should reject HTTPS connection attempts made with any protocol except TLSv1.2:
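The fragments for both variants above (the excludeProtocols list from Excluding and the includeProtocols list from Including), together with a check that the connector switch from Configure the Jetty Instance Within AIE was actually made, as an added example that is not part of the original page or of Attivio's or Jetty's code. It assumes jetty.xml uses the Jetty XML conventions the page describes (connectors as <New class="..."> elements, protocol lists as <Set name="..."> wrapping an <Array> of <Item> strings), that the protocol names are the Java (JSSE) spellings SSLv3 (the page's "SSLv3.0"), TLSv1, TLSv1.1 and TLSv1.2, and that Jetty selects protocols by starting from the include list when one is set (otherwise everything the JVM supports) and then removing the exclude list. The SslContextFactory class name, port, paths and OBF: password in the sample are placeholders, not Attivio defaults.

```python
"""Audit an AIE project's jetty.xml for the HTTPS settings this page describes.

Added example, not Attivio's or Jetty's code. The sample jetty.xml below is
constructed; keep the SslContextFactory class name your own jetty.xml uses.
"""
import xml.etree.ElementTree as ET

# Protocols the page says the Attivio Java 8 VM offers for HTTPS (JSSE names).
JAVA8_SUPPORTED = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
# Protocols a hardened deployment should not accept: SSLv3 (POODLE) and
# TLS 1.0/1.1 (deprecated by RFC 8996).
WEAK = {"SSLv3", "TLSv1", "TLSv1.1"}

SSL_CONNECTOR = "org.eclipse.jetty.server.ssl.SslSelectChannelConnector"
PLAIN_CONNECTOR = "org.eclipse.jetty.server.nio.SelectChannelConnector"

# Constructed jetty.xml skeleton (port, paths and the OBF: password are
# placeholders). {plain_open}/{plain_close} wrap the plain HTTP connector in an
# XML comment when it is supposed to be disabled, as the procedure requires.
TEMPLATE = """<?xml version="1.0"?>
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  {plain_open}
  <Call name="addConnector"><Arg>
    <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
      <Set name="port">17000</Set>
    </New>
  </Arg></Call>
  {plain_close}
  <Call name="addConnector"><Arg>
    <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
      <Arg>
        <New class="org.eclipse.jetty.util.ssl.SslContextFactory">
          <Set name="keyStorePath">resources/attivio.ks</Set>
          <Set name="keyStorePassword">OBF:placeholder</Set>
          {protocols}
        </New>
      </Arg>
      <Set name="port">17000</Set>
    </New>
  </Arg></Call>
</Configure>
"""


def protocol_set(name, *protocols):
    """Render <Set name=...><Array><Item>...</Item></Array></Set> for jetty.xml."""
    items = "".join(f"<Item>{p}</Item>" for p in protocols)
    return f'<Set name="{name}"><Array type="java.lang.String">{items}</Array></Set>'


def sample_config(protocol_xml, plain_connector_active=False):
    o, c = ("", "") if plain_connector_active else ("<!--", "-->")
    return TEMPLATE.format(plain_open=o, plain_close=c, protocols=protocol_xml)


# Attivio's shipped default: blacklist SSLv3 only.
DEFAULT_XML = sample_config(protocol_set("excludeProtocols", "SSLv3"))
# The page's blacklist example: SSLv3 and TLSv1 both rejected.
BLACKLIST_XML = sample_config(protocol_set("excludeProtocols", "SSLv3", "TLSv1"))
# The page's whitelist example: only TLSv1.2 accepted.
WHITELIST_XML = sample_config(protocol_set("includeProtocols", "TLSv1.2"))
# Whitelist applied, but the plain HTTP connector was never commented out.
UNSWITCHED_XML = sample_config(protocol_set("includeProtocols", "TLSv1.2"),
                               plain_connector_active=True)


def active_connectors(xml_text):
    """Connector classes Jetty will actually build. ElementTree drops XML
    comments, so a commented-out connector is invisible here, as it is to Jetty."""
    root = ET.fromstring(xml_text)
    return [e.get("class") for e in root.iter("New")
            if e.get("class", "").endswith("Connector")]


def _protocol_list(root, name):
    for s in root.iter("Set"):
        if s.get("name") == name:
            return [i.text.strip() for i in s.iter("Item") if i.text]
    return None  # that list is not configured at all


def effective_protocols(xml_text, supported=JAVA8_SUPPORTED):
    """Protocols the HTTPS connector will accept: include list (if any) limited
    to what the JVM supports, then minus the exclude list."""
    root = ET.fromstring(xml_text)
    include = _protocol_list(root, "includeProtocols")
    exclude = _protocol_list(root, "excludeProtocols") or []
    selected = [p for p in include if p in supported] if include else list(supported)
    return [p for p in selected if p not in exclude]


def audit(xml_text, supported=JAVA8_SUPPORTED):
    """Findings for a project's jetty.xml; an empty list means the hardened target is met."""
    findings = []
    connectors = active_connectors(xml_text)
    if SSL_CONNECTOR not in connectors:
        findings.append("HTTPS connector is not active (still commented out?)")
    if PLAIN_CONNECTOR in connectors:
        findings.append("plain HTTP SelectChannelConnector is still active")
    accepted = effective_protocols(xml_text, supported)
    if not accepted:
        findings.append("no supported protocol is enabled; every TLS handshake will fail")
    weak = [p for p in accepted if p in WEAK]
    if weak:
        findings.append("weak protocols still accepted: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    for label, xml_text in [("default", DEFAULT_XML), ("blacklist", BLACKLIST_XML),
                            ("whitelist", WHITELIST_XML), ("unswitched", UNSWITCHED_XML)]:
        print(f"{label:10s} accepts {effective_protocols(xml_text)}; findings: {audit(xml_text)}")
```

Running the script shows that the shipped default still accepts TLSv1 and TLSv1.1, the page's blacklist example still accepts TLSv1.1, and only the TLSv1.2 whitelist comes back with no findings; the "unswitched" sample shows why the connector check matters, since a perfect protocol list is no help if the plain HTTP connector was left uncommented. To confirm a live deployment after the restart, an OpenSSL client whose build still offers TLS 1.0 should fail the handshake with openssl s_client -connect <host>:<baseport> -tls1 and succeed with -tls1_2.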