Configuring SSL/TLS for Dispatcher Paragon Management Service

New installations of the Dispatcher Paragon solution have the secured connection (HTTPS) to the web interface enabled by default. Unique certificates are generated during the installation process and they are used to establish this HTTPS communication.

Updating an existing Dispatcher Paragon installation does not enable HTTPS communication and does not enforce automatic redirection to HTTPS; any certificates issued by the customer are preserved. To ensure an encrypted and authenticated connection in such cases, you need to use a certificate trusted in your environment.

This guide will help you with the configuration of HTTPS connection to the Dispatcher Paragon Management Service, using a CA-signed certificate.

CA-signed certificate requirements

  • The certificate must be signed by a certification authority trusted in your environment.

  • The certificate (the Common Name and Subject Alternative Name fields) must contain all network names (i.e. all hostnames, fully qualified domain names, and IP addresses) used to connect to the respective Management Server.

  • For importing the key/certificate you need it in an appropriate format depending on SSL/TLS implementation used:

    • For JSSEImplementation (default) - a single PKCS12 (.p12 or .pfx) or JKS file containing the private key and the whole certificate chain

    • For OpenSSLImplementation - two separate PEM files, one containing the private key (usually with .key extension) and one with the whole certificate chain (usually with .crt or .cer extension).

  • The certificate file needs to contain all certificates in the chain in the specified order. The first certificate is the Management Server's own. Each following certificate belongs to the authority that directly signed the previous certificate. The last one belongs to the Root CA.

In case your key/certificate is in a different format than specified, convert it following the guide in Conversions between different keystores and certificate types.

In case you do not have key/certificate at all, follow the guide in the Generating key/certificate in Personal Information Exchange format chapter (steps 1 - 3) in System communication hardening and make sure your certificate file contains all certificates in the chain in the correct order.

Configuring Management Service to use HTTPS

In case the Management Server cluster is used, the following steps have to be performed on every node of the Management Server cluster.

The configuration options differ based on the certificate format you intend to use (PKCS12, JKS, or PEM). For a complete picture of the configuration, see the section Example of HTTPS configurations for Tomcat below.

  1. Choose SSL/TLS implementation based on the certificate format that you are going to use:

    1. Java standard implementation - JSSEImplementation (PKCS12 or JKS)

      <Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="100" disableUploadTimeout="true" enableLookups="false" maxHttpHeaderSize="8192" maxThreads="200" minSpareThreads="25" port="443" protocol="org.apache.coyote.http11.Http11Nio2Protocol" scheme="https" secure="true" sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation">
    2. OpenSSL implementation - openssl.OpenSSLImplementation (PEM)

      <Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="100" disableUploadTimeout="true" enableLookups="false" maxHttpHeaderSize="8192" maxThreads="200" minSpareThreads="25" port="443" protocol="org.apache.coyote.http11.Http11Nio2Protocol" scheme="https" secure="true" sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation">
  2. Stop Dispatcher Paragon Management Service service on the server.

  3. Copy the certificate files to the server on which the Management Server is installed (e.g. to the <install_dir>\Management\tomcat\conf\ folder).

  4. Set the following attributes in the <install_dir>\Management\tomcat\conf\server.xml file, based on the SSL implementation used:

    PKCS12
    <Certificate certificateKeystoreFile="absolute/path/to/keystore.p12" certificateKeystorePassword="keystore password" />
    JKS
    <Certificate certificateKeyAlias="safeqtomcat" certificateKeyPassword="39nrqoge332fgomeer3405" certificateKeystoreFile="../conf/ssl-keystore" certificateKeystorePassword="39nrqoge332fgomeer3405" certificateKeystoreType="JKS" />
    PEM
    <Certificate certificateFile="absolute/path/to/your/dispatcherparagoncertificate.crt" certificateKeyFile="absolute/path/to/your/dispatcherparagoncertificate.key" certificateKeyPassword="key protecting password" />
    1. If the private key of your certificate is protected with an additional password, use the certificateKeyPassword configuration property.

    2. If the CA certificate(s) are in a separate file, add the attribute certificateChainFile="absolute/path/to/your/ca.crt".

  5. To enable automatic redirection from HTTP (port 80) to HTTPS (port 443), edit <install_dir>\Management\tomcat\conf\web.xml and uncomment the <security-constraint> configuration by removing the first and last lines of the block below (the <!-- Uncomment this to enable https only and --> lines):

    <!-- Uncomment this to enable https only
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>Secured</web-resource-name>
    <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
    </security-constraint>
    -->
  6. Start the Dispatcher Paragon Management Service service on the server.

  7. Verify that the management interface works and uses your own certificate: open https://<dispatcher_paragon_server_IP> in the browser, click the lock icon and then the View certificate button. If you enabled the automatic redirection to HTTPS, opening http://<dispatcher_paragon_server_IP> is redirected to HTTPS automatically.

Example of HTTPS configurations for Tomcat

The configuration is stored in <install_dir>\Management\tomcat\conf\server.xml.

Keep the plain HTTP (non-SSL) connector (default port 80) first in the XML; the installer requires the HTTP port to be the first one defined. The HTTPS connector should be the second one.

For security reasons, TLSv1.2 and TLSv1.3 are the only SSL/TLS protocol versions enabled by default. If you need to support lower versions for compatibility reasons, TLSv1.3 must be removed from the configuration, and you will also need to update the list of supported cipher suites to match the TLS version you enable.
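As an added example (not part of the product or of this guide), the following Python script checks a server.xml against the rules stated on this page: the plain HTTP connector must come before the HTTPS connector and point its redirectPort at it, the SSLHostConfig should pin protocols to TLSv1.2 and TLSv1.3, and the Certificate attributes should match the chosen sslImplementationName (a PKCS12/JKS keystore for JSSEImplementation, PEM files for OpenSSLImplementation). It also reports whether a web.xml has the <security-constraint> from step 5 uncommented. The sample XML is constructed from the snippets on this page; the wrapping <Server>/<Service> elements, the function names and the finding texts are assumptions of this example.

```python
"""Lint a Tomcat server.xml / web.xml against the rules this guide states.
Added example, not product code; sample XML below is constructed."""
import xml.etree.ElementTree as ET

JSSE = "org.apache.tomcat.util.net.jsse.JSSEImplementation"
OPENSSL = "org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


def _local(tag):
    """Strip a namespace prefix: '{ns}Connector' -> 'Connector'."""
    return tag.rsplit("}", 1)[-1]


def _find_all(root, name):
    """All descendants (document order) whose local tag name is `name`."""
    return [el for el in root.iter() if _local(el.tag) == name]


def lint_server_xml(xml_text):
    """Return a list of findings; an empty list means the file passes."""
    findings = []
    root = ET.fromstring(xml_text)
    connectors = _find_all(root, "Connector")
    if len(connectors) < 2:
        return ["expected a plain HTTP Connector followed by an HTTPS Connector"]
    http, https = connectors[0], connectors[1]
    # Ordering rule: HTTP connector first (installer requirement), HTTPS second.
    if http.get("SSLEnabled", "false").lower() == "true":
        findings.append("first Connector must be the plain HTTP one; the installer expects it first")
    if https.get("SSLEnabled", "false").lower() != "true":
        findings.append('second Connector must carry SSLEnabled="true"')
    if http.get("redirectPort") != https.get("port"):
        findings.append("HTTP redirectPort does not match the port of the HTTPS Connector")
    impl = https.get("sslImplementationName", JSSE)  # Tomcat defaults to JSSE
    hosts = _find_all(https, "SSLHostConfig")
    if not hosts:
        findings.append("HTTPS Connector has no SSLHostConfig element")
    for host in hosts:
        # Protocol rule: only TLSv1.2 and TLSv1.3 unless deliberately relaxed.
        protocols = {p.strip() for p in host.get("protocols", "").split(",") if p.strip()}
        if not protocols:
            findings.append('SSLHostConfig has no protocols attribute; pin protocols="TLSv1.2,TLSv1.3"')
        elif protocols - ALLOWED_PROTOCOLS:
            findings.append("protocols enables versions other than TLSv1.2/TLSv1.3: "
                            + ",".join(sorted(protocols - ALLOWED_PROTOCOLS)))
        for cert in _find_all(host, "Certificate"):
            keystore_style = "certificateKeystoreFile" in cert.attrib
            pem_style = "certificateFile" in cert.attrib or "certificateKeyFile" in cert.attrib
            # Pairing rule from this guide: JSSE <-> keystore, OpenSSL <-> PEM files.
            if impl == JSSE and pem_style:
                findings.append("this guide pairs JSSEImplementation with a PKCS12/JKS keystore, not PEM files")
            if impl == OPENSSL and keystore_style:
                findings.append("this guide pairs OpenSSLImplementation with PEM files, not a keystore")
            if pem_style and not ("certificateFile" in cert.attrib and "certificateKeyFile" in cert.attrib):
                findings.append("PEM configuration needs both certificateFile and certificateKeyFile")
            if keystore_style and "certificateKeystorePassword" not in cert.attrib:
                findings.append("keystore configured without certificateKeystorePassword")
    return findings


def https_only_enforced(web_xml_text):
    """True if web.xml contains an active (not commented-out) CONFIDENTIAL constraint.
    ElementTree drops XML comments, so the commented template from step 5 does not count."""
    root = ET.fromstring(web_xml_text)
    return any((tg.text or "").strip() == "CONFIDENTIAL"
               for tg in _find_all(root, "transport-guarantee"))


# Constructed sample following the PKCS12 example on this page.
GOOD_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="80" protocol="HTTP/1.1" redirectPort="443" connectionTimeout="20000" />
<Connector port="443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
  sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
  scheme="https" secure="true" SSLEnabled="true">
  <SSLHostConfig certificateVerification="none" protocols="TLSv1.2,TLSv1.3">
    <Certificate certificateKeystoreFile="absolute/path/to/keystore.p12"
      certificateKeystorePassword="keystore password"/>
  </SSLHostConfig>
</Connector>
</Service></Server>"""

# Constructed counter-example: wrong redirectPort, TLSv1 enabled, PEM file on JSSE, no key file.
BAD_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="80" protocol="HTTP/1.1" redirectPort="8443" connectionTimeout="20000" />
<Connector port="443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
  sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
  scheme="https" secure="true" SSLEnabled="true">
  <SSLHostConfig protocols="TLSv1,TLSv1.2,TLSv1.3">
    <Certificate certificateFile="absolute/path/to/your/dispatcherparagoncertificate.crt"/>
  </SSLHostConfig>
</Connector>
</Service></Server>"""

# Constructed web.xml fragments: the step-5 template as shipped, and after uncommenting.
WEB_XML_COMMENTED = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
<!-- Uncomment this to enable https only
<security-constraint>
  <web-resource-collection><web-resource-name>Secured</web-resource-name><url-pattern>/*</url-pattern></web-resource-collection>
  <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
</security-constraint>
-->
</web-app>"""
WEB_XML_ENFORCED = WEB_XML_COMMENTED.replace("<!-- Uncomment this to enable https only\n", "").replace("-->\n", "")

if __name__ == "__main__":
    for name, text in (("good", GOOD_SERVER_XML), ("bad", BAD_SERVER_XML)):
        print(name, lint_server_xml(text) or "OK")
    print("https-only enforced:", https_only_enforced(WEB_XML_COMMENTED), https_only_enforced(WEB_XML_ENFORCED))
```

Run it against the real files with `lint_server_xml(open(path).read())`; it only reads the XML, so it is safe to run on every cluster node before restarting the service in step 6.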

Configuration for JSSEImplementation

Default configuration JKS
<Connector connectionTimeout="20000"
port="80"
protocol="HTTP/1.1"
redirectPort="443" />
 
<Connector SSLEnabled="true"
URIEncoding="UTF-8"
acceptCount="100"
disableUploadTimeout="true"
enableLookups="false"
maxHttpHeaderSize="8192"
maxThreads="200"
minSpareThreads="25"
port="443"
protocol="org.apache.coyote.http11.Http11Nio2Protocol"
scheme="https"
secure="true"
sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation">
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"
readTimeout="30000" />
<SSLHostConfig certificateVerification="none"
ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
protocols="TLSv1.2,TLSv1.3">
<Certificate certificateKeyAlias="safeqtomcat"
certificateKeyPassword="39nrqoge332fgomeer3405"
certificateKeystoreFile="../conf/ssl-keystore"
certificateKeystorePassword="39nrqoge332fgomeer3405"
certificateKeystoreType="JKS" />
</SSLHostConfig>
</Connector>


Example configuration for PFX or P12
<Connector port="80"
protocol="HTTP/1.1"
redirectPort="443"
connectionTimeout="20000" />
<Connector port="443"
protocol="org.apache.coyote.http11.Http11Nio2Protocol"
sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
maxHttpHeaderSize="8192"
maxThreads="200"
minSpareThreads="25"
enableLookups="false"
disableUploadTimeout="true"
acceptCount="100"
URIEncoding="UTF-8"
scheme="https"
secure="true"
SSLEnabled="true">
<SSLHostConfig certificateVerification="none"
protocols="TLSv1.2,TLSv1.3"
ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256">
<Certificate certificateKeystoreFile="absolute/path/to/keystore.p12"
certificateKeystorePassword="keystore password"/>
</SSLHostConfig>
</Connector>

Configuration for OpenSSLImplementation

Example configuration for .key and .cer or .crt
<Connector port="80"
protocol="HTTP/1.1"
redirectPort="443"
connectionTimeout="20000" />
<Connector port="443"
protocol="org.apache.coyote.http11.Http11Nio2Protocol"
sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
maxHttpHeaderSize="8192"
maxThreads="200"
minSpareThreads="25"
enableLookups="false"
disableUploadTimeout="true"
acceptCount="100"
URIEncoding="UTF-8"
scheme="https"
secure="true"
SSLEnabled="true">
<SSLHostConfig certificateVerification="none"
protocols="TLSv1.2,TLSv1.3"
ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256">
<Certificate certificateFile="absolute/path/to/your/dispatcherparagoncertificate.crt"
certificateKeyFile="absolute/path/to/your/dispatcherparagoncertificate.key"
certificateKeyPassword="key protecting password"/>
</SSLHostConfig>
</Connector>

Default key and certificate

The default, pre-installed security certificate is stored in the <install_dir>\Management\tomcat\conf\ssl-keystore file.

Closed ports

AJP port for integration with existing Tomcat, some is disabled by

AJP port
<!-- Define an AJP 1.3 Connector on port 8009 -->
<!--<Connector port="8009"
protocol="AJP/1.3"
redirectPort="443"
address="10.0.124.173"
/>-->