New installations of the YSoft SafeQ solution have the secured connection (HTTPS) with the web interface and corresponding automatic redirection enabled by default. Unique certificates are generated during the installation process and they are used to establish this HTTPS communication.

Updating the existing YSoft SafeQ solution does not enforce the automatic redirection to HTTPS. Also, HTTPS communication is not enabled by default either (for updates). Any certificates issued by the customer are preserved. In order to ensure both encrypted and authenticated connection in such cases, you need to use a certificate trusted in your environment.

This guide will help you with the configuration of HTTPS connection to the YSoft SafeQ Management Service, using a CA-signed certificate.

Choosing SSL/TLS implementation

YSoft SafeQ Management Service can use two different SSL/TLS implementations:

Java standard implementation (org.apache.tomcat.util.net.jsse.JSSEImplementation) - enabled by default
OpenSSL implementation (org.apache.tomcat.util.net.openssl.OpenSSLImplementation)

Based on an SSL/TLS implementation used, some of the configuration options and certificate requirements may differ. You can change to the OpenSSL implementation by changing the sslImplementationName attribute in the configuration file (see section Example of Tomcat HTTPS configurations below).

CA-signed certificate requirements

The certificate must be signed by a certification authority trusted in your environment.
Certificate (fields Common Name and Subject Alternative Name) must contain all network names (i.e. all hostnames, fully qualified domain names, and IP addresses) used for connection to the respective Management Server.
For importing the key/certificate you need it in an appropriate format depending on SSL/TLS implementation used:
- For JSSEImplementation (default) - a single PKCS12 or JKS file containing the private key and the whole certificate chain
- For OpenSSLImplementation - two separate PEM files, one containing the private key (usually with .key extension) and one with the whole certificate chain (usually with .crt extension).
The certificate file needs to contain all certificates in the chain in a specified order. The first certificate is the Management's one. Each following certificate belongs to the authority which signed the previous certificate directly. The last one belongs to the Root CA.

In case your key/certificate is in a different format than specified, convert it following the guide in Conversions between different keystores and certificate types.

In case you do not have key/certificate at all, follow the guide in the Generating key/certificate in Personal Information Exchange format chapter (steps 1 - 3) in System communication hardening and make sure your certificate file contains all certificates in the chain in the correct order.

Configuring Management Service to use a secure communication channel

In case the Management Server cluster is used, the following steps have to be performed on every node of the Management Server cluster.

Stop YSoft SafeQ Management Service service on the server.
Copy your key and certificate files to the server where the Management Server is installed.
Set following attributes in <install_dir>\Management\tomcat\conf\server.xml file based on used SSL implementation:
Configuration for JSSEImplementation
certificateKeystoreFile="absolute/path/to/keystore.p12"
certificateKeystorePassword="keystore password"
Configuration for OpenSSL implementation
certificateFile = "absolute/path/to/your/safeqcertificate.crt"
certificateChainFile = "absolute/path/to/your/safeqcertificate.crt"
certificateKeyFile = "absolute/path/to/your/safeqcertificate.key"
certificateKeyPassword = "key protecting password"
If you protect your certificate private key with additional password encryption (using certificateKeyPassword configuration property), make sure it has the same value as certificateKeystorePassword.
If you wish to enable automatic redirection from unsecured connection (HTTP port 80) to the secured connection (HTTPS port 443), edit <install_dir>\Management\tomcat\conf\web.xml and uncomment these lines before the </web-app> tag:

Start the YSoft SafeQ Management Service service on the server.
Verify that the management interface is functional and uses your own certificate (open https://<safeq_server_IP> in the browser, click on the lock and View certificate button). In case you enabled the automatic redirection to HTTPS, opening the http://<safeq_server_IP> address will be automatically redirected to https protocol.

Closed ports

AJP port for integration with existing tomcat is disabled by

AJP port

<!-- Define an AJP 1.3 Connector on port 8009 -->
<!--<Connector port="8009"
protocol="AJP/1.3"
redirectPort="443"
address="10.0.124.173"
/>-->

Example of Tomcat HTTPS configurations

The configuration is stored in <install_dir>\Management\tomcat\conf\server.xml.

Keep HTTP non-SSL port (default 80) as the first in XML. The installer requires HTTP port to be the first in the definition. HTTPS should be the second one.

Configuration with JSSEImplementation of SSL/TLS

Example configuration with JSSEImplementation

<Connector port="80"
protocol="HTTP/1.1"
redirectPort="443"
connectionTimeout="20000" />
<Connector port="443"
protocol="org.apache.coyote.http11.Http11Nio2Protocol"
sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
maxHttpHeaderSize="8192"
maxThreads="200"
minSpareThreads="25"
enableLookups="false"
disableUploadTimeout="true"
acceptCount="100"
URIEncoding="UTF-8"
scheme="https"
secure="true"
SSLEnabled="true">
<SSLHostConfig certificateVerification="none"
protocols="TLSv1.2,TLSv1.3"
ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256">
<Certificate certificateKeystoreFile="absolute/path/to/keystore.p12"
certificateKeystorePassword="keystore password"/>
</SSLHostConfig>
</Connector>

As a default, TLSv1.2 and TLSv1.3 are the only SSL/TLS protocol versions supported. Please note, that there are issues when lower versions are configured at the same time as TLSv1.3. If you need to support lower versions for compatibility reasons, TLSv1.3 must be removed. You will also need to update the list of supported cipher suites to add the ones compatible with the required version.

Configuration with OpenSSLImplementation of SSL/TLS

Example configuration with OpenSSL implementation

<Connector port="80"
protocol="HTTP/1.1"
redirectPort="443"
connectionTimeout="20000" />
<Connector port="443"
protocol="org.apache.coyote.http11.Http11Nio2Protocol"
sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
maxHttpHeaderSize="8192"
maxThreads="200"
minSpareThreads="25"
enableLookups="false"
disableUploadTimeout="true"
acceptCount="100"
URIEncoding="UTF-8"
scheme="https"
secure="true"
SSLEnabled="true">
<SSLHostConfig certificateVerification="none"
protocols="TLSv1.2,TLSv1.3"
ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256">
<Certificate certificateFile = "absolute/path/to/your/safeqcertificate.crt"
certificateKeyFile = "absolute/path/to/your/safeqcertificate.key"
certificateKeyPassword = "key protecting password"/>
</SSLHostConfig>
</Connector>

Default key and certificate

The default, pre-installed private key is stored in <install_dir>\Management\tomcat\conf\safeq-tomcat.key file.

The pre-installed certificate is stored in <install_dir>\Management\tomcat\conf\safeq-tomcat.crt file.