...

  1. Open Portecle and choose File -> “Open Keystore file…”. Open the existing keystore, D:\program\weave_2.6\jetty_base\etc\jetty.jks

  2. Enter the password for the keystore (as specified in step 4 under Create new keystore)

  3. Choose Tools -> “Import Key Pair…”

  4. Choose the converted certificate (as specified in step 8 under Convert the certificate) and enter the password (step 7 under Convert the certificate).

  5. Choose OK when the dialog opens.

  6. Choose a suitable alias so the entry is easy to recognise.

  7. Choose a new password for the imported certificate, confirm it and choose OK. This password is needed for any later export from the keystore to another format; it is not needed in this process.

  8. Choose File -> “Save Keystore” to save the keystore.

  9. The new certificate has been added and the keystore updated. Weave must be restarted for the change to take effect.

...

Note

Note that if the passwords for the keystore or the certificate have been changed, the corresponding passwords in ssl.ini must be updated.

Configure SSL in Weave

The SSL configuration for Weave is managed under the directory D:\program\weave_2.6\jetty_base. The configuration is done in the following files:

  • etc/jetty.xml

  • start.d/https.ini

  • start.d/ssl.ini

Info

Examples of the files above can be found at the end of the document.

jetty.xml

The file exists from the start and only needs to be changed when SSL/TLS is first set up. Mainly two parts are changed:

  1. Specify securePort under httpConfig; it determines the port on which https is published. The default for https is 443.

  2. Add SecuredRedirectHandler, which automatically redirects http traffic to https: http://interngis.nacka.se becomes https://interngis.nacka.se

https.ini

Enables the https module.

ssl.ini

Main configuration of SSL and linkage to the certificate. The main configuration items are:

  • jetty.ssl.port refers to the port on which https is published.

  • jetty.sslContext.keyStorePath and jetty.sslContext.trustStorePath refer to the key store and trust store (jetty.jks) where the certificate is placed, relative to the jetty_base directory.

  • For jetty.sslContext.keyStorePassword, jetty.sslContext.keyManagerPassword and jetty.sslContext.trustStorePassword, fill in the passwords for access to the key store, trust store and certificate.
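A consistency check for the settings just described, written here as an added example (not part of Weave or Jetty): it parses a constructed ssl.ini and a constructed minimal jetty.xml and reports when securePort and jetty.ssl.port disagree, when the SecuredRedirectHandler is absent, or when a keystore password is stored in clear text. It does not open the .jks itself, so a password that no longer matches the keystore (the Note above) is still only caught at Weave start-up.

```python
import xml.etree.ElementTree as ET

# Constructed start.d/ssl.ini excerpt in the page's layout (sample values, not a real deployment).
SSL_INI = """--module=ssl
jetty.ssl.port=443
jetty.sslContext.keyStorePath=etc/jetty.jks
jetty.sslContext.trustStorePath=etc/jetty.jks
jetty.sslContext.keyStorePassword=OBF:1ri7
jetty.sslContext.keyManagerPassword=OBF:1ri7
jetty.sslContext.trustStorePassword=OBF:1ri7
"""

# Constructed minimal etc/jetty.xml holding only the two edits the text calls for.
JETTY_XML = """<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <Set name="securePort"><Property name="jetty.httpConfig.securePort" default="443"/></Set>
  </New>
  <Set name="handler"><New id="Handlers" class="org.eclipse.jetty.server.handler.HandlerCollection">
    <Set name="handlers"><Array type="org.eclipse.jetty.server.Handler"><Item>
      <New id="SecuredRedirectHandler" class="org.eclipse.jetty.server.handler.SecuredRedirectHandler"/>
    </Item></Array></Set></New></Set>
</Configure>"""


def parse_ini(text):
    """key=value pairs of a start.d file; '#' comments and --module lines are skipped."""
    pairs = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "--")):
            key, _, value = line.partition("=")
            pairs[key.strip()] = value.strip()
    return pairs


def check_tls_config(ssl_ini, jetty_xml):
    """Return a list of findings; an empty list means the files agree with the text above."""
    ini, root, findings = parse_ini(ssl_ini), ET.fromstring(jetty_xml), []
    # SecuredRedirectHandler redirects to secureScheme://host:securePort, so it must equal jetty.ssl.port.
    secure_port = next((p.get("default") for p in root.iter("Property")
                        if p.get("name") == "jetty.httpConfig.securePort"), None)
    if secure_port != ini.get("jetty.ssl.port"):
        findings.append(f"securePort={secure_port} but jetty.ssl.port={ini.get('jetty.ssl.port')}")
    if not any(n.get("class", "").endswith(".SecuredRedirectHandler") for n in root.iter("New")):
        findings.append("SecuredRedirectHandler missing: http is not redirected to https")
    for key in ("jetty.sslContext.keyStorePassword", "jetty.sslContext.keyManagerPassword",
                "jetty.sslContext.trustStorePassword"):
        if not ini.get(key):
            findings.append(f"{key} not set")
        elif not ini[key].startswith("OBF:"):
            findings.append(f"{key} stored in clear text; convert it with the Password tool")
    return findings
```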

Note that the passwords for the key store and trust store can be set in obfuscated form (OBF).

To convert a password to OBF, run the following command from D:\program\weave_2.6\jetty\lib\

..\..\jre\bin\java.exe -cp jetty-util-9.4.38.v20210224.jar org.eclipse.jetty.util.security.Password <lösenord>
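The ssl.ini example later in the document says it itself: OBF passwords are not secure, only protected from casual observation. The following is an added example, not Weave's or Jetty's code, that mirrors the arithmetic of org.eclipse.jetty.util.security.Password (function names obfuscate/deobfuscate are this example's own) to show that the transform has no key and is reversed as easily as it is produced; in practice ssl.ini therefore needs the same file permissions as the keystore itself.

```python
"""Jetty-style OBF password transform, reimplemented as an added example (not Weave's or
Jetty's code). There is no secret involved: anyone who can read ssl.ini can reverse it."""
import string

_BASE36 = string.digits + string.ascii_lowercase


def _to_base36(n):
    digits = ""
    while n:
        n, rem = divmod(n, 36)
        digits = _BASE36[rem] + digits
    return digits or "0"


def obfuscate(password):
    """Produces the OBF: form, following the arithmetic of Jetty's Password.obfuscate."""
    b = password.encode("utf-8")
    out = ["OBF:"]
    for i, b1 in enumerate(b):
        b2 = b[-(i + 1)]                       # byte mirrored from the other end
        if b1 > 127 or b2 > 127:               # bytes Java treats as negative (e.g. UTF-8 å/ä/ö)
            out.append("U" + _to_base36(b1 * 256 + b2).rjust(4, "0"))
        else:
            i0 = (127 + b1 + b2) * 256 + (127 + b1 - b2)
            out.append(_to_base36(i0).rjust(4, "0"))
    return "".join(out)


def deobfuscate(obf):
    """Inverse transform: only the fixed arithmetic above, no key, is needed."""
    s = obf[4:] if obf.startswith("OBF:") else obf
    raw, i = bytearray(), 0
    while i < len(s):
        if s[i] == "U":                        # 5-char group: 'U' + 4 base-36 digits
            raw.append(int(s[i + 1:i + 5], 36) >> 8)
            i += 5
        else:                                  # 4-char group for plain ASCII bytes
            i0 = int(s[i:i + 4], 36)
            raw.append((i0 // 256 + i0 % 256 - 254) // 2)
            i += 4
    return raw.decode("utf-8")
```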

Examples

jetty.xml - Configured with securePort 443 and redirection of http traffic to https

Code Block
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">

<!-- =============================================================== -->
<!-- Documentation of this file format can be found at:              -->
<!-- https://www.eclipse.org/jetty/documentation/current/            -->
<!--                                                                 -->
<!-- Additional configuration files are available in $JETTY_HOME/etc -->
<!-- and can be mixed in. See start.ini file for the default         -->
<!-- configuration files.                                            -->
<!--                                                                 -->
<!-- For a description of the configuration mechanism, see the       -->
<!-- output of:                                                      -->
<!--   java -jar start.jar -?                                        -->
<!-- =============================================================== -->

<!-- =============================================================== -->
<!-- Configure a Jetty Server instance with an ID "Server"           -->
<!-- Other configuration files may also configure the "Server"       -->
<!-- ID, in which case they are adding configuration to the same     -->
<!-- instance.  If other configuration have a different ID, they     -->
<!-- will create and configure another instance of Jetty.            -->
<!-- Consult the javadoc of o.e.j.server.Server for all              -->
<!-- configuration that may be set here.                             -->
<!-- =============================================================== -->
<Configure id="Server" class="org.eclipse.jetty.server.Server">
    <Arg name="threadpool"><Ref refid="threadPool"/></Arg>

    <Call name="addBean">
      <Arg><Ref refid="byteBufferPool"/></Arg>
    </Call>

    <!-- =========================================================== -->
    <!-- Add shared Scheduler instance                               -->
    <!-- =========================================================== -->
    <Call name="addBean">
      <Arg>
        <New class="org.eclipse.jetty.util.thread.ScheduledExecutorScheduler">
          <Arg name="name"><Property name="jetty.scheduler.name"/></Arg>
          <Arg name="daemon" type="boolean"><Property name="jetty.scheduler.daemon" default="false" /></Arg>
          <Arg name="threads" type="int"><Property name="jetty.scheduler.threads" default="-1" /></Arg>
        </New>
      </Arg>
    </Call>

    <!-- =========================================================== -->
    <!-- Http Configuration.                                         -->
    <!-- This is a common configuration instance used by all         -->
    <!-- connectors that can carry HTTP semantics (HTTP, HTTPS, etc.)-->
    <!-- It configures the non wire protocol aspects of the HTTP     -->
    <!-- semantic.                                                   -->
    <!--                                                             -->
    <!-- This configuration is only defined here and is used by      -->
    <!-- reference from other XML files such as jetty-http.xml,      -->
    <!-- jetty-https.xml and other configuration files which         -->
    <!-- instantiate the connectors.                                 -->
    <!--                                                             -->
    <!-- Consult the javadoc of o.e.j.server.HttpConfiguration       -->
    <!-- for all configuration that may be set here.                 -->
    <!-- =========================================================== -->
    <New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
      <Set name="secureScheme"><Property name="jetty.httpConfig.secureScheme" default="https" /></Set>
      <Set name="securePort"><Property name="jetty.httpConfig.securePort" deprecated="jetty.secure.port" default="443" /></Set>
      <Set name="outputBufferSize"><Property name="jetty.httpConfig.outputBufferSize" deprecated="jetty.output.buffer.size" default="32768" /></Set>
      <Set name="outputAggregationSize"><Property name="jetty.httpConfig.outputAggregationSize" deprecated="jetty.output.aggregation.size" default="8192" /></Set>
      <Set name="requestHeaderSize"><Property name="jetty.httpConfig.requestHeaderSize" deprecated="jetty.request.header.size" default="8192" /></Set>
      <Set name="responseHeaderSize"><Property name="jetty.httpConfig.responseHeaderSize" deprecated="jetty.response.header.size" default="8192" /></Set>
      <Set name="sendServerVersion"><Property name="jetty.httpConfig.sendServerVersion" deprecated="jetty.send.server.version" default="false" /></Set>
      <Set name="sendDateHeader"><Property name="jetty.httpConfig.sendDateHeader" deprecated="jetty.send.date.header" default="false" /></Set>
      <Set name="headerCacheSize"><Property name="jetty.httpConfig.headerCacheSize" default="4096" /></Set>
      <Set name="delayDispatchUntilContent"><Property name="jetty.httpConfig.delayDispatchUntilContent" deprecated="jetty.delayDispatchUntilContent" default="true"/></Set>
      <Set name="maxErrorDispatches"><Property name="jetty.httpConfig.maxErrorDispatches" default="10"/></Set>
      <Set name="blockingTimeout"><Property deprecated="jetty.httpConfig.blockingTimeout" name="jetty.httpConfig.blockingTimeout.DEPRECATED" default="-1"/></Set>
      <Set name="persistentConnectionsEnabled"><Property name="jetty.httpConfig.persistentConnectionsEnabled" default="true"/></Set>
      <Set name="requestCookieCompliance"><Call class="org.eclipse.jetty.http.CookieCompliance" name="valueOf"><Arg><Property name="jetty.httpConfig.requestCookieCompliance" deprecated="jetty.httpConfig.cookieCompliance" default="RFC6265"/></Arg></Call></Set>
      <Set name="responseCookieCompliance"><Call class="org.eclipse.jetty.http.CookieCompliance" name="valueOf"><Arg><Property name="jetty.httpConfig.responseCookieCompliance" default="RFC6265"/></Arg></Call></Set>
      <Set name="multiPartFormDataCompliance"><Call class="org.eclipse.jetty.server.MultiPartFormDataCompliance" name="valueOf"><Arg><Property name="jetty.httpConfig.multiPartFormDataCompliance" default="RFC7578"/></Arg></Call></Set>
      <Set name="relativeRedirectAllowed"><Property name="jetty.httpConfig.relativeRedirectAllowed" default="false"/></Set>
      <Call name="addCustomizer">
        <Arg><New class="org.eclipse.jetty.server.ForwardedRequestCustomizer"/></Arg>
      </Call>
      <!--<Call name="addCustomizer">
        <Arg><New class="org.eclipse.jetty.server.SecureRequestCustomizer" /></Arg>
      </Call>-->
    </New>

    <!-- =========================================================== -->
    <!-- Set the default handler structure for the Server            -->
    <!-- A handler collection is used to pass received requests to   -->
    <!-- both the ContextHandlerCollection, which selects the next   -->
    <!-- handler by context path and virtual host, and the           -->
    <!-- DefaultHandler, which handles any requests not handled by   -->
    <!-- the context handlers.                                       -->
    <!-- Other handlers may be added to the "Handlers" collection,   -->
    <!-- for example the jetty-requestlog.xml file adds the          -->
    <!-- RequestLogHandler after the default handler                 -->
    <!-- =========================================================== -->
    <Set name="handler">
      <New id="Handlers" class="org.eclipse.jetty.server.handler.HandlerCollection">
        <Set name="handlers">
         <Array type="org.eclipse.jetty.server.Handler">
          <Item>
             <New id="SecuredRedirectHandler" class="org.eclipse.jetty.server.handler.SecuredRedirectHandler"/>
           </Item>
           <Item>
             <New id="Contexts" class="org.eclipse.jetty.server.handler.ContextHandlerCollection"/>
           </Item>
           <Item>
             <New id="DefaultHandler" class="org.eclipse.jetty.server.handler.DefaultHandler"/>
           </Item>
         </Array>
        </Set>
      </New>
    </Set>

    <!-- =========================================================== -->
    <!-- extra server options                                        -->
    <!-- =========================================================== -->
    <Set name="stopAtShutdown"><Property name="jetty.server.stopAtShutdown" default="true"/></Set>
    <Set name="stopTimeout"><Property name="jetty.server.stopTimeout" default="5000"/></Set>
    <Set name="dumpAfterStart"><Property name="jetty.server.dumpAfterStart" deprecated="jetty.dump.start" default="false"/></Set>
    <Set name="dumpBeforeStop"><Property name="jetty.server.dumpBeforeStop" deprecated="jetty.dump.stop" default="false"/></Set>

</Configure>

https.ini - Enabling the https module

Code Block
# --------------------------------------- 
# Module: https
# Settings located in jetty_base/start.d/https.ini
# --------------------------------------- 
--module=https

ssl.ini - Configuration for SSL on port 443 and reference to the keystore etc/jetty.jks

Code Block
### TLS(SSL) Connector Configuration

# --------------------------------------- 
# Module: ssl
# Settings located in jetty_base/start.d/ssl.ini
# --------------------------------------- 
--module=ssl

## Connector host/address to bind to
# jetty.ssl.host=0.0.0.0

## Connector port to listen on
jetty.ssl.port=443

## Connector idle timeout in milliseconds
# jetty.ssl.idleTimeout=30000

## Number of acceptors (-1 picks default based on number of cores)
# jetty.ssl.acceptors=-1

## Number of selectors (-1 picks default based on number of cores)
# jetty.ssl.selectors=-1

## ServerSocketChannel backlog (0 picks platform default)
# jetty.ssl.acceptQueueSize=0

## Thread priority delta to give to acceptor threads
# jetty.ssl.acceptorPriorityDelta=0

## The requested maximum length of the queue of incoming connections.
# jetty.ssl.acceptQueueSize=0

## Enable/disable the SO_REUSEADDR socket option.
# jetty.ssl.reuseAddress=true

## Enable/disable TCP_NODELAY on accepted sockets.
# jetty.ssl.acceptedTcpNoDelay=true

## The SO_RCVBUF option to set on accepted sockets. A value of -1 indicates that it is left to its default value.
# jetty.ssl.acceptedReceiveBufferSize=-1

## The SO_SNDBUF option to set on accepted sockets. A value of -1 indicates that it is left to its default value.
# jetty.ssl.acceptedSendBufferSize=-1

## Connect Timeout in milliseconds
# jetty.ssl.connectTimeout=15000

## Whether SNI is required for all secure connections. Rejections are in TLS handshakes.
# jetty.sslContext.sniRequired=false

## Whether SNI is required for all secure connections. Rejections are in HTTP 400 response.
# jetty.ssl.sniRequired=false

## Whether request host names are checked to match any SNI names
# jetty.ssl.sniHostCheck=true

## max age in seconds for a Strict-Transport-Security response header (default -1)
# jetty.ssl.stsMaxAgeSeconds=31536000

## include subdomain property in any Strict-Transport-Security header (default false)
# jetty.ssl.stsIncludeSubdomains=true

### SslContextFactory Configuration
## Note that OBF passwords are not secure, just protected from casual observation
## See http://www.eclipse.org/jetty/documentation/current/configuring-security-secure-passwords.html

## The Endpoint Identification Algorithm
## Same as javax.net.ssl.SSLParameters#setEndpointIdentificationAlgorithm(String)
#jetty.sslContext.endpointIdentificationAlgorithm=

## SSL JSSE Provider
# jetty.sslContext.provider=

## Keystore file path (relative to $jetty.base)
jetty.sslContext.keyStorePath=etc/jetty.jks

## Truststore file path (relative to $jetty.base)
jetty.sslContext.trustStorePath=etc/jetty.jks

## Keystore password
jetty.sslContext.keyStorePassword=OBF:abcde1ytaU12luU0wh11vgfU0k2sU0mo31ytc

## Keystore type and provider
# jetty.sslContext.keyStoreType=JKS
# jetty.sslContext.keyStoreProvider=

## KeyManager password
jetty.sslContext.keyManagerPassword=OBF:abcde1ytaU12luU0wh11vgfU0k2sU0mo31ytc

## Truststore password
jetty.sslContext.trustStorePassword=OBF:abcde1ytaU12luU0wh11vgfU0k2sU0mo31ytc

## Truststore type and provider
# jetty.sslContext.trustStoreType=JKS
# jetty.sslContext.trustStoreProvider=

## whether client certificate authentication is required
# jetty.sslContext.needClientAuth=false

## Whether client certificate authentication is desired
# jetty.sslContext.wantClientAuth=false

## Whether cipher order is significant (since java 8 only)
# jetty.sslContext.useCipherSuitesOrder=true

## To configure Includes / Excludes for Cipher Suites or Protocols see tweak-ssl.xml example at
## https://www.eclipse.org/jetty/documentation/current/configuring-ssl.html#configuring-sslcontextfactory-cipherSuites

## Set the size of the SslSession cache
# jetty.sslContext.sslSessionCacheSize=-1

## Set the timeout (in seconds) of the SslSession cache timeout
# jetty.sslContext.sslSessionTimeout=-1

## Allow SSL renegotiation
# jetty.sslContext.renegotiationAllowed=true
# jetty.sslContext.renegotiationLimit=5

jetty.xml - the SecuredRedirectHandler item that is added to the handlers array

Code Block
<Item>
  <New id="SecuredRedirectHandler" class="org.eclipse.jetty.server.handler.SecuredRedirectHandler"/>
</Item>