Question
Accenture Federal
US
Last activity: 2 Oct 2015 9:37 EDT
Pega 6.1 sp2 method to enable ssl > TLSv1 on prsysmgmt
I have been asked to enable SSL > TLSv1 on the prsysmgmt interface on my Pega 6.1 sp2 application. I am curious if this interface is capable of this or if anyone has already accomplished this and what method they used.
Thank you,
Ray
I see no problem with doing this. It is your JVM that will be establishing the TLSv1 connection, and SMA will function as usual.
Accenture Federal
US
===Keystore===
Generate and populate keystore
======
===IPtables===
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8443
======
===server.xml===
<!-- A HTTP/1.1 Connector on port 8080 -->
<Connector protocol="HTTP/1.1" port="8080" address="${jboss.bind.address}" connectionTimeout="20000" redirectPort="8443" />
<!-- SSL/TLS Connector configuration using the admin devl guide keystore -->
<Connector protocol="HTTP/1.1" SSLEnabled="true" port="8443" address="${jboss.bind.address}" scheme="https" secure="true" clientAuth="false" keystoreFile="${jboss.server.home.dir}/conf/<unit>.keystore" keystorePass="*******" sslProtocol = "TLS" sslProtocols="TLSv1,TLSv1.1,TLSv1.2" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,SSL_RSA_WITH_RC4_128_SHA" />
======
===web.xml ===
<security-constraint>
<web-resource-collection>
<web-resource-name>PRBasic</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<user-data-constraint>
<description>SSL required</description>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
======
So from what I have done, this will encrypt everything from /prweb/* (the context root) on, and does not encrypt /admin-console, /prsysmgmt and the like.
If I am missing something or this is not best practice, please let me know.
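An added check, not part of the thread or of Pega's own tooling: this script audits connectors of the shape posted above, flagging the RC4 and non-forward-secret cipher names, the TLSv1/TLSv1.1 entries in sslProtocols, and a plain connector whose redirectPort does not point at an SSL-enabled connector (the port a CONFIDENTIAL transport-guarantee redirects to). The sample server.xml is constructed from the posted connectors with a placeholder keystore path and password.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the two connectors posted in this thread; the
# keystore path and password are placeholders, not the poster's values.
SERVER_XML = """<Server><Service>
<Connector protocol="HTTP/1.1" port="8080" connectionTimeout="20000" redirectPort="8443" />
<Connector protocol="HTTP/1.1" SSLEnabled="true" port="8443" scheme="https" secure="true"
  clientAuth="false" keystoreFile="conf/example.keystore" keystorePass="PLACEHOLDER"
  sslProtocol="TLS" sslProtocols="TLSv1,TLSv1.1,TLSv1.2"
  ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,SSL_RSA_WITH_RC4_128_SHA" />
</Service></Server>"""

# SSLv2/SSLv3 are broken; TLS 1.0 and 1.1 were deprecated by RFC 8996.
LEGACY_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_MARKERS = ("RC4", "_DES_", "3DES", "NULL", "EXPORT", "_MD5")

def split_list(value):
    """Split a comma-separated connector attribute into clean tokens."""
    return [v.strip() for v in value.split(",") if v.strip()]

def is_ssl(conn):
    return conn.get("SSLEnabled", "false").lower() == "true"

def audit_connectors(xml_text):
    """Return (port, finding) tuples for every Connector in a server.xml."""
    root = ET.fromstring(xml_text)
    connectors = list(root.iter("Connector"))
    ssl_ports = {c.get("port") for c in connectors if is_ssl(c)}
    findings = []
    for conn in connectors:
        port = conn.get("port")
        if not is_ssl(conn):
            # A CONFIDENTIAL constraint redirects here, so it must be an SSL connector.
            if conn.get("redirectPort") not in ssl_ports:
                findings.append((port, "redirectPort does not point at an SSL-enabled connector"))
            continue
        for proto in split_list(conn.get("sslProtocols", "")):
            if proto in LEGACY_PROTOCOLS:
                findings.append((port, f"legacy protocol enabled: {proto}"))
        for cipher in split_list(conn.get("ciphers", "")):
            if any(m in cipher for m in WEAK_MARKERS):
                findings.append((port, f"weak cipher enabled: {cipher}"))
            elif not cipher.startswith(("TLS_ECDHE_", "TLS_DHE_")):
                findings.append((port, f"no forward secrecy: {cipher}"))
    return findings

if __name__ == "__main__":
    for port, finding in audit_connectors(SERVER_XML):
        print(f"port {port}: {finding}")
```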
I thought you were talking about enabling TLSv1 for the /prsysmgmt application so that when a user accesses it using https://<host>:<port>/prsysmgmt, the interaction between the browser and the prsysmgmt application is encrypted using TLSv1.
The prsysmgmt application interacts with the PRPC application using JMX mostly, except when downloading certain data upon user request using the DiagnosticData servlet.
So, if you want to secure the communication between prsysmgmt and prweb (which only makes sense when using a remote JMX connection), you'll have to enable TLS at the JMX layer and also secure only the /prweb/DiagnosticData servlet.
Accenture Federal
US
That is what I'm trying to do. What documentation is out there that would define what I should do to make this happen?
Okay. Is prsysmgmt deployed on a separate JVM? If yes, follow the same steps as what you described earlier; you don't even have to narrow the communication down to a specific app, although your steps to restrict communication to a specific app are also correct. Make sure to modify the web.xml of prsysmgmt.war/ear, and the context root to secure would be /prsysmgmt and not /prweb.
Accenture Federal
US
No, prsysmgmt.war is being deployed in the same JVM as prpc*.ear. prsysmgmt is in the deploy directory
/<unit>/jboss/jboss-eap-5.1/jboss-as/server/pega/deploy
so I have modified the web.xml with the mentioned changes and it did not secure either of the web URLs. Currently I have /* in my web.xml and the only thing that is encrypted is the Pega interface.
Hi Ray,
The SSL connector you added provides SSL connectivity. Can you connect directly using https?
The changes you made to web.xml force a redirect from HTTP to HTTPS. If you want prsysmgmt to be redirected to SSL, you need to add the web.xml changes to $CATALINA_HOME/webapps/prsysmgmt/WEB-INF/web.xml. Before you try to get the redirect working, you need to make sure SSL is working.
Hope this helps.
Accenture Federal
US
Richard,
I can connect directly to https. Following the previously mentioned guidance, I have tried to add the same settings into the prsysmgmt web.xml and it fails to start the prsysmgmt application.
Have you checked the XML for format errors? What do you see in the logs when you try to start prsysmgmt?
Accenture Federal
US
2015-10-02 09:10:37,818 11247 ERROR [org.jboss.kernel.plugins.dependency.AbstractKernelController] (main:) Error installing to Parse: name=vfsfile:/<org>/jboss/jboss-eap-5.1/jboss-as/server/pega/deploy/prsysmgmt_jboss.ear/ state=PreParse mode=Manual requiredState=Parse
org.jboss.deployers.spi.DeploymentException: Error creating managed object for vfszip:/<org>/jboss/jboss-eap-5.1/jboss-as/server/pega/deploy/prsysmgmt_jboss.ear/prsysmgmt.war/
at org.jboss.deployers.spi.DeploymentException.rethrowAsDeploymentException(DeploymentException.java:49)
at org.jboss.deployers.spi.deployer.helpers.AbstractParsingDeployerWithOutput.createMetaData(AbstractParsingDeployerWithOutput.java:362)
at org.jboss.deployers.spi.deployer.helpers.AbstractParsingDeployerWithOutput.createMetaData(AbstractParsingDeployerWithOutput.java:322)
at org.jboss.deployers.spi.deployer.helpers.AbstractParsingDeployerWithOutput.createMetaData(AbstractParsingDeployerWithOutput.java:294)
at org.jboss.deployers.spi.deployer.helpers.AbstractParsingDeployerWithOutput.deploy(AbstractParsingDeployerWithOutput.java:234)
at org.jboss.deployers.plugins.deployers.DeployerWrapper.deploy(DeployerWrapper.java:179)
at org.jboss.deployers.plugins.deployers.DeployersImpl.doDeploy(DeployersImpl.java:1454)
at org.jboss.deployers.plugins.deployers.DeployersImpl.doInstallParentFirst(DeployersImpl.java:1172)
at org.jboss.deployers.plugins.deployers.DeployersImpl.doInstallParentFirst(DeployersImpl.java:1225)
at org.jboss.deployers.plugins.deployers.DeployersImpl.install(DeployersImpl.java:1113)
at org.jboss.dependency.plugins.AbstractControllerContext.install(AbstractControllerContext.java:348)
at org.jboss.dependency.plugins.AbstractController.install(AbstractController.java:1652)
at org.jboss.dependency.plugins.AbstractController.incrementState(AbstractController.java:938)
at org.jboss.dependency.plugins.AbstractController.resolveContexts(AbstractController.java:1082)
at org.jboss.dependency.plugins.AbstractController.resolveContexts(AbstractController.java:988)
at org.jboss.dependency.plugins.AbstractController.change(AbstractController.java:826)
at org.jboss.dependency.plugins.AbstractController.change(AbstractController.java:556)
at org.jboss.deployers.plugins.deployers.DeployersImpl.process(DeployersImpl.java:789)
at org.jboss.deployers.plugins.main.MainDeployerImpl.process(MainDeployerImpl.java:699)
at org.jboss.system.server.profileservice.repository.MainDeployerAdapter.process(MainDeployerAdapter.java:117)
at org.jboss.system.server.profileservice.repository.ProfileDeployAction.install(ProfileDeployAction.java:70)
at org.jboss.system.server.profileservice.repository.AbstractProfileAction.install(AbstractProfileAction.java:53)
at org.jboss.system.server.profileservice.repository.AbstractProfileService.install(AbstractProfileService.java:403)
at org.jboss.dependency.plugins.AbstractControllerContext.install(AbstractControllerContext.java:348)
at org.jboss.dependency.plugins.AbstractController.install(AbstractController.java:1652)
at org.jboss.dependency.plugins.AbstractController.incrementState(AbstractController.java:938)
at org.jboss.dependency.plugins.AbstractController.resolveContexts(AbstractController.java:1082)
at org.jboss.dependency.plugins.AbstractController.resolveContexts(AbstractController.java:988)
at org.jboss.dependency.plugins.AbstractController.install(AbstractController.java:778)
at org.jboss.dependency.plugins.AbstractController.install(AbstractController.java:543)
at org.jboss.system.server.profileservice.repository.AbstractProfileService.registerProfile(AbstractProfileService.java:308)
at org.jboss.system.server.profileservice.ProfileServiceBootstrap.start(ProfileServiceBootstrap.java:256)
at org.jboss.bootstrap.AbstractServerImpl.start(AbstractServerImpl.java:461)
at org.jboss.Main.boot(Main.java:228)
at org.jboss.Main$1.run(Main.java:578)
at java.lang.Thread.run(Thread.java:744)
Caused by: org.jboss.xb.binding.JBossXBException: Failed to parse source: The content of element type "web-app" must match "(icon?,display-name?,description?,distributable?,context-param*,filter*,filter-mapping*,listener*,servlet*,servlet-mapping*,session-config?,mime-mapping*,welcome-file-list?,error-page*,taglib*,resource-env-ref*,resource-ref*,security-constraint*,login-config?,security-role*,env-entry*,ejb-ref*,ejb-local-ref*)". @ vfszip:/<org>/jboss/jboss-eap-5.1/jboss-as/server/pega/deploy/prsysmgmt_jboss.ear/prsysmgmt.war/WEB-INF/web.xml[103,11]
at org.jboss.xb.binding.parser.sax.SaxJBossXBParser.parse(SaxJBossXBParser.java:203)
at org.jboss.xb.binding.UnmarshallerImpl.unmarshal(UnmarshallerImpl.java:168)
at org.jboss.xb.util.JBossXBHelper.parse(JBossXBHelper.java:189)
at org.jboss.xb.util.JBossXBHelper.parse(JBossXBHelper.java:166)
at org.jboss.deployers.vfs.spi.deployer.SchemaResolverDeployer.parse(SchemaResolverDeployer.java:137)
at org.jboss.deployers.vfs.spi.deployer.SchemaResolverDeployer.parse(SchemaResolverDeployer.java:121)
at org.jboss.deployers.vfs.spi.deployer.AbstractVFSParsingDeployer.parseAndInit(AbstractVFSParsingDeployer.java:304)
at org.jboss.deployers.vfs.spi.deployer.AbstractVFSParsingDeployer.parseAndInit(AbstractVFSParsingDeployer.java:286)
at org.jboss.deployers.vfs.spi.deployer.AbstractVFSParsingDeployer.parse(AbstractVFSParsingDeployer.java:203)
at org.jboss.deployers.spi.deployer.helpers.AbstractParsingDeployerWithOutput.createMetaData(AbstractParsingDeployerWithOutput.java:348)
... 34 more
Caused by: org.xml.sax.SAXException: The content of element type "web-app" must match "(icon?,display-name?,description?,distributable?,context-param*,filter*,filter-mapping*,listener*,servlet*,servlet-mapping*,session-config?,mime-mapping*,welcome-file-list?,error-page*,taglib*,resource-env-ref*,resource-ref*,security-constraint*,login-config?,security-role*,env-entry*,ejb-ref*,ejb-local-ref*)". @ vfszip:/<org>/jboss/jboss-eap-5.1/jboss-as/server/pega/deploy/prsysmgmt_jboss.ear/prsysmgmt.war/WEB-INF/web.xml[103,11]
at org.jboss.xb.binding.parser.sax.SaxJBossXBParser$MetaDataErrorHandler.error(SaxJBossXBParser.java:426)
at org.apache.xerces.util.ErrorHandlerWrapper.error(Unknown Source)
at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)
at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)
at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)
at org.apache.xerces.impl.dtd.XMLDTDValidator.handleEndElement(Unknown Source)
at org.apache.xerces.impl.dtd.XMLDTDValidator.endElement(Unknown Source)
at org.apache.xerces.impl.XMLNSDocumentScannerImpl.scanEndElement(Unknown Source)
at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown Source)
at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source)
at org.jboss.xb.binding.parser.sax.SaxJBossXBParser.parse(SaxJBossXBParser.java:199)
... 43 more
There seems to be a problem with the structure of web.xml. You should place the security constraints after the last instance of these tags:
icon?,display-name?,description?,distributable?,context-param*,filter*,filter-mapping*,listener*,servlet*,servlet-mapping*,session-config?,mime-mapping*,welcome-file-list?,error-page*,taglib*,resource-env-ref*,resource-ref* and then: security-constraint*
You could try putting your security constraint before the closing </web-app> tag at the bottom of web.xml to make it easy.
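As an added example, not from the thread, the following script encodes the <web-app> content model quoted in the error above, reports any top-level element that appears out of DTD order, stable-sorts the children into the required order, and confirms that a security-constraint with a CONFIDENTIAL transport-guarantee covers /*. The web.xml it runs on is a constructed fragment, not the poster's file.

```python
import xml.etree.ElementTree as ET

# <web-app> content model as quoted in the deployment error above (Servlet 2.3 DTD); children must appear in this order.
WEB_APP_ORDER = ("icon display-name description distributable context-param filter "
                 "filter-mapping listener servlet servlet-mapping session-config "
                 "mime-mapping welcome-file-list error-page taglib resource-env-ref "
                 "resource-ref security-constraint login-config security-role env-entry "
                 "ejb-ref ejb-local-ref").split()
RANK = {name: i for i, name in enumerate(WEB_APP_ORDER)}

# Constructed web.xml: the security-constraint was pasted above <servlet>, the
# kind of misplacement that produces the "content of element type web-app" error.
WEB_XML = """<web-app>
  <display-name>prsysmgmt</display-name>
  <security-constraint>
    <web-resource-collection><web-resource-name>PRBasic</web-resource-name><url-pattern>/*</url-pattern></web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <servlet><servlet-name>x</servlet-name><servlet-class>X</servlet-class></servlet>
  <servlet-mapping><servlet-name>x</servlet-name><url-pattern>/x</url-pattern></servlet-mapping>
</web-app>"""

def order_violations(xml_text):
    """(element, earlier_element) pairs where `element` follows a child the DTD puts later."""
    violations, max_rank, max_name = [], -1, None
    for child in ET.fromstring(xml_text):
        rank = RANK.get(child.tag, len(RANK))  # unknown elements sort last
        if rank < max_rank:
            violations.append((child.tag, max_name))
        elif rank > max_rank:
            max_rank, max_name = rank, child.tag
    return violations

def reorder_web_app(xml_text):
    """Stable-sort the children into DTD order and return the fixed document."""
    root = ET.fromstring(xml_text)
    ordered = sorted(list(root), key=lambda c: RANK.get(c.tag, len(RANK)))
    for child in list(root):
        root.remove(child)
    root.extend(ordered)
    return ET.tostring(root, encoding="unicode")

def requires_confidential(xml_text, pattern="/*"):
    """True if a security-constraint covering `pattern` demands CONFIDENTIAL transport."""
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        patterns = [(p.text or "").strip() for p in sc.iter("url-pattern")]
        guarantee = sc.find("user-data-constraint/transport-guarantee")
        if pattern in patterns and guarantee is not None and (guarantee.text or "").strip() == "CONFIDENTIAL":
            return True
    return False
```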
Accenture Federal
US
Yep, I needed to move the security-constraint farther down in the file. It is now working. Thank you,
Glad to hear that Ray!