Overview
This topic describes how to configure AIE to run all webapps within the AIE web container with SSL enabled, for encrypting all traffic to and from AIE webapps.
Once the AIE web interface is configured for SSL access, you must use "https://" as the URL prefix when navigating to the administration URL (for example, https://localhost:17000/).
Configure the Jetty Instance Within AIE
Because AIE and its web services both communicate on the WEBB_APPS_PORT, configuring SSL in the Jetty instance enables SSL for both AIE and the web services by default.
AIE uses an embedded Jetty instance to provide HTTPS encryption for the AIE Administrator. By default, AIE is configured to use the same keystore that is used to secure transport endpoints. If you want to use your own keystore and certificates, please refer to the instructions on Using a Custom Certificate.
- Copy jetty.xml and attivio.ks from <install_dir>\conf\ into the <project_dir>\resources directory.
Locate the block below in the <project_dir>\resources\jetty.xml file:
<project_dir>\resources\jetty.xml
```xml
<Call name="addConnector">
  <Arg>
    <!-- UNCOMMENT THE NEXT 10 LINES FOR SSL SUPPORT (SSLv3 is excluded to prevent POODLE attacks) -->
    <!--
    <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
      <Arg>
        <New class="org.eclipse.jetty.util.ssl.SslContextFactory">
          <Set name="excludeProtocols">
            <Array type="java.lang.String">
              <Item>SSLv3</Item>
            </Array>
          </Set>
        </New>
      </Arg>
    -->
    <!-- COMMENT OUT OR REMOVE THE NEXT LINE FOR SSL SUPPORT -->
    <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
      <Set name="port"><Property name="jettyPort" default="8080"/></Set>
      <Set name="maxIdleTime">30000</Set>
      <Set name="Acceptors">2</Set>
      <Set name="statsOn">false</Set>
      <Set name="lowResourcesConnections">5000</Set>
      <Set name="lowResourcesMaxIdleTime">5000</Set>
      <!-- UNCOMMENT THE SECTION BELOW FOR SSL SUPPORT -->
      <!--
      <Set name="keystore"><SystemProperty name="attivio.project" default="." />\resources\attivio.ks</Set>
      <Set name="password">OBF:1u9d1wui1zel1unz1zep1wtw1ua5</Set>
      <Set name="keyPassword">OBF:1u9d1wui1zel1unz1zep1wtw1ua5</Set>
      <Set name="truststore"><SystemProperty name="attivio.project" default="." />\resources\attivio.ks</Set>
      <Set name="trustPassword">OBF:1u9d1wui1zel1unz1zep1wtw1ua5</Set>
      -->
    </New>
  </Arg>
</Call>
```
- Remove the comments from the 10 lines starting with <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">.
- Comment out the <New class="org.eclipse.jetty.server.nio.SelectChannelConnector"> line.
Uncomment the block below:
<project_dir>\resources\jetty.xml
```xml
      <!-- UNCOMMENT THE SECTION BELOW FOR SSL SUPPORT -->
      <!--
      <Set name="keystore"><SystemProperty name="attivio.project" default="." />\resources\attivio.ks</Set>
      <Set name="password">OBF:1u9d1wui1zel1unz1zep1wtw1ua5</Set>
      <Set name="keyPassword">OBF:1u9d1wui1zel1unz1zep1wtw1ua5</Set>
      <Set name="truststore"><SystemProperty name="attivio.project" default="." />\resources\attivio.ks</Set>
      <Set name="trustPassword">OBF:1u9d1wui1zel1unz1zep1wtw1ua5</Set>
      -->
```
- Put your keystore file (ex: attivio.ks) into your <project_dir>\resources directory. If using the default Attivio keystore, just copy <install_dir>\conf\attivio.ks into <project_dir>\resources.
- Deploy your changes.
- If 'deploy' doesn't restart AIE automatically, then restart AIE manually, and connect to the AIE Administrator on https://<host>:<baseport>.
Altered Configuration
The altered configuration should look something like this:
```xml
<New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
  <Arg>
    <New class="org.eclipse.jetty.util.ssl.SslContextFactory">
      <Set name="excludeProtocols">
        <Array type="java.lang.String">
          <Item>SSLv3</Item>
        </Array>
      </Set>
    </New>
  </Arg>
  <Set name="port"><Property name="jettyPort" default="8080"/></Set>
  <Set name="maxIdleTime">30000</Set>
  <Set name="Acceptors">2</Set>
  <Set name="statsOn">false</Set>
  <Set name="lowResourcesConnections">5000</Set>
  <Set name="lowResourcesMaxIdleTime">5000</Set>
  <Set name="keystore"><SystemProperty name="attivio.project" default="." />\resources\attivio.ks</Set>
  <Set name="password">OBF:1u9d1wui1zel1unz1zep1wtw1ua5</Set>
  <Set name="keyPassword">OBF:1u9d1wui1zel1unz1zep1wtw1ua5</Set>
  <Set name="truststore"><SystemProperty name="attivio.project" default="." />\resources\attivio.ks</Set>
  <Set name="trustPassword">OBF:1u9d1wui1zel1unz1zep1wtw1ua5</Set>
</New>
```
TLS/SSL Protocol Support
The Attivio Platform's Java 8 VM supports the SSLv3.0, TLSv1, TLSv1.1, and TLSv1.2 protocols for HTTPS. Attivio's default jetty.xml configuration contains an excludeProtocols list with an entry for the SSLv3.0 protocol; this ensures that HTTPS connection attempts made using this protocol will be rejected (to prevent so-called POODLE attacks). You can modify the default excludeProtocols list if you want to exclude additional HTTPS protocols, or replace it with an includeProtocols list if you only want Attivio to support a specific set of protocols.
Excluding (Blacklisting) TLS/SSL Protocols
To exclude other protocols besides SSLv3.0, edit the jetty.xml configuration file. Find the Set with name="excludeProtocols" and add a new Item entry in its child Array for each protocol you want excluded.
For example, this configuration should reject HTTPS connection attempts made with either the SSLv3.0 or TLSv1 protocols:
```xml
<Set name="excludeProtocols">
  <Array type="java.lang.String">
    <Item>SSLv3</Item>
    <Item>TLSv1</Item> <!-- Java's protocol name for TLS 1.0 -->
  </Array>
</Set>
```
Including (Whitelisting) TLS/SSL Protocols
If you prefer to configure an inclusion list (whitelist) of protocols, change name="excludeProtocols" to name="includeProtocols" in the Set element. Each Item in the child Array now represents an allowed HTTPS protocol; Attivio will reject connection attempts made with any protocol not listed here.
For example, this configuration should reject HTTPS connection attempts made with any protocol except TLSv1.2:
```xml
<Set name="includeProtocols">
  <Array type="java.lang.String">
    <Item>TLSv1.2</Item>
  </Array>
</Set>
```
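An added check, written for this page and not part of the Attivio product, that covers both the excludeProtocols and the includeProtocols variants above: it reads a jetty.xml, applies the lists the way Jetty does against the four protocols the Java 8 VM offers, reports which protocols the connector would still accept, and flags a connector that is still the plain SelectChannelConnector. The "TLSv1.2 only" policy and the two inline jetty.xml snippets are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# The four HTTPS protocols the page says the Java 8 VM offers.
JVM_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
# Assumed local policy: anything older than TLSv1.2 is reported as a finding.
WEAK = {"SSLv3", "TLSv1", "TLSv1.1"}
SSL_CONNECTOR = "org.eclipse.jetty.server.ssl.SslSelectChannelConnector"


def _items(set_el):
    """Protocol names inside a <Set><Array><Item>..</Item></Array></Set> block."""
    return {i.text.strip() for i in set_el.iter("Item") if i.text}


def effective_protocols(jetty_xml):
    """Protocols the connector still accepts after include/exclude lists are applied.

    ElementTree drops XML comments, so a <Set> that is still commented out
    (the shipped jetty.xml before the uncomment step) has no effect, as in Jetty.
    """
    allowed = set(JVM_PROTOCOLS)
    for s in ET.fromstring(jetty_xml).iter("Set"):
        if s.get("name") == "includeProtocols":
            allowed &= _items(s)   # whitelist: keep only the listed protocols
        elif s.get("name") == "excludeProtocols":
            allowed -= _items(s)   # blacklist: drop the listed protocols
    return allowed


def audit(jetty_xml):
    """Return human-readable findings; an empty list means the config passes."""
    findings = []
    classes = {n.get("class") for n in ET.fromstring(jetty_xml).iter("New")}
    if SSL_CONNECTOR not in classes:
        findings.append("no SslSelectChannelConnector: connector is plain HTTP")
    for proto in sorted(effective_protocols(jetty_xml) & WEAK):
        findings.append(f"{proto} still accepted")
    return findings


# Constructed snippets: the shipped layout (SSL connector still commented out)
# and the page's whitelisting variant that allows only TLSv1.2.
SHIPPED = """<Configure class="org.eclipse.jetty.server.Server"><Call name="addConnector"><Arg>
 <!-- <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector"> ... </New> -->
 <New class="org.eclipse.jetty.server.nio.SelectChannelConnector"><Set name="port">8080</Set></New>
</Arg></Call></Configure>"""
HARDENED = """<Configure class="org.eclipse.jetty.server.Server"><Call name="addConnector"><Arg>
 <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector"><Arg>
  <New class="org.eclipse.jetty.util.ssl.SslContextFactory"><Set name="includeProtocols">
   <Array type="java.lang.String"><Item>TLSv1.2</Item></Array></Set></New></Arg>
  <Set name="port">8443</Set></New>
</Arg></Call></Configure>"""
```

Run `audit(open(path).read())` against your own <project_dir>\resources\jetty.xml; the shipped snippet yields four findings and the hardened one none.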