Adding an HTTPS listener

Activating HTTPS listener (Lobster Integration and Admin Console)


The following XML fragment is used to add an HTTPS listener (HTTPS connector) in configuration file ./etc/hub.xml (Lobster Integration) or ./etc/admin.xml (Admin Console) to the current HTTP server for incoming, SSL-secured requests. Notice the different values of refid for Lobster Integration and the Admin Console.

For new installations (not updates) from version 4.6.9, the file ./etc/hub.xml only applies to Lobster Integration communication (e.g. HTTP and AS2) and the file ./etc/admin.xml applies to the Admin Console and the Lobster Integration GUI.

Previously, the file ./etc/hub.xml applied to Lobster Integration communication and the Lobster Integration GUI and file ./etc/admin.xml only applied to the Admin Console.


You need a TLS-compatible local certificate in Lobster Integration (with the checkboxes Signing, Encryption and TLS Server set; signing/encryption must be supported) and must reference that certificate in parameter <Set name="serverCertSubjectName">, either by its certificate ID or by its Common Name (CN) in place of YourCertificateCommonName. The preferred variant is the one shown in the code, ksnote:mycertificate, where mycertificate is the value you entered in the certificate's "Note" field. The reason: the certificate ID changes when your certificate expires, and the same Common Name may occur several times, so referencing the note avoids both possible name conflicts and later changes to the configuration file. Make sure, however, that the values in the "Note" field are unique. Note: If the specified certificate is not found, the first usable certificate that is found is used.

An HTTP listener and an HTTPS listener can run in parallel.

If the changes are not automatically applied after 15 minutes, a restart of the Integration Server is necessary.


<!-- SSL support by authentication service, preferred method -->
<!-- =========================================================== -->
<!-- Add a HTTPS Connector. -->
<!-- Configure an o.e.j.server.ServerConnector with connection -->
<!-- factories for TLS (aka SSL) and HTTP to provide HTTPS. -->
<!-- All accepted TLS connections are wired to a HTTP connection.-->
<!-- -->
<!-- Consult the javadoc of o.e.j.server.ServerConnector, -->
<!-- o.e.j.server.SslConnectionFactory and -->
<!-- o.e.j.server.HttpConnectionFactory for all configuration -->
<!-- that may be set here. -->
<!-- =========================================================== -->

<Call id="httpsConnector" name="addConnector">
  <Arg>
    <New class="org.eclipse.jetty.server.ServerConnector">
      <Arg name="server">
        <!-- Use "MainServer" for Lobster Integration and "AdminServer" for Admin Console -->
        <Ref refid="MainServer" />
      </Arg>
      <Arg name="factories">
        <Array type="org.eclipse.jetty.server.ConnectionFactory">
          <Item>
            <New class="org.eclipse.jetty.server.SslConnectionFactory">
              <Arg name="next">http/1.1</Arg>
              <Arg name="sslContextFactory">
                <New class="com.ebd.hub.server.http.jetty.AuthServiceSSLContextFactory">
                  <!-- <Set name="serverCertSubjectName">*CN=YourCertificateCommonName*</Set> -->
                  <!-- <Set name="serverCertSubjectName">certid:1574423144929056</Set> -->
                  <Set name="serverCertSubjectName">ksnote:mycertificate</Set>
                  <Call name="addExcludeCipherSuites">
                    <Arg>
                      <Array type="String">
                        <Item>.*NULL.*</Item>
                        <Item>.*RC4.*</Item>
                        <Item>.*MD5.*</Item>
                        <Item>.*DES.*</Item>
                        <Item>.*DSS.*</Item>
                      </Array>
                    </Arg>
                  </Call>
                  <Call name="addExcludeProtocols">
                    <Arg>
                      <Array type="java.lang.String">
                        <Item>SSL</Item>
                        <Item>SSLv2</Item>
                        <Item>SSLv2Hello</Item>
                        <Item>SSLv3</Item>
                      </Array>
                    </Arg>
                  </Call>
                  <Set name="renegotiationAllowed">FALSE</Set>
                  <Set name="IncludeCipherSuites">
                    <Array type="String">
                      <Item>TLS_DHE_RSA.*</Item>
                      <Item>TLS_ECDHE.*</Item>
                    </Array>
                  </Set>
                </New>
              </Arg>
            </New>
          </Item>
          <Item>
            <New class="org.eclipse.jetty.server.HttpConnectionFactory">
              <Arg name="config">
                <Ref refid="sslHttpConfig" />
              </Arg>
            </New>
          </Item>
        </Array>
      </Arg>
      <!-- Use 9443 for Lobster Integration GUI and Admin Console -->
      <Set name="port">443</Set>
      <Set name="idleTimeout">180000</Set>
    </New>
  </Arg>
</Call>

Forcing HTTPS for Admin Console


To force an HTTPS login for the Admin Console, the following two entries must be edited. Important note: Since those settings modify the links on the Integration Server main page (Lobster Integration, Web Monitor, Portal, Admin Console), you then also have to activate the HTTPS listener in the configuration file ./etc/hub.xml and not only in ./etc/admin.xml (see above). The direct HTTP links will still work though. If you use port 9443 (as here) for the Admin Console instead of port 9000, the link on page ./webapps/root/index.html may have to be adjusted manually (for new installations (not updates) from version 4.6.9 it is ./etc/admin/webapps/root/index.html). The direct HTTPS link to the Admin Console will work anyway.

Configuration file ./etc/startup.xml

<!-- admin console: use SSL & port -->
<Call name="setAdminUrlParams"><Arg type="boolean">true</Arg><Arg type="int">9443</Arg></Call>

Configuration file ./etc/webdefault.xml

<!-- redirect to https -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Everything</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

Activating HTTPS listener (DMZ server)


To enable HTTPS on the DMZ server, perform the same steps in configuration file ./etc/hub.xml as described above, but in the file on the DMZ server. The certificate to be specified there is also one from the inner system (Lobster Integration).

Let's Encrypt (automatic certificate handling)


See section Let's Encrypt/ACME/Certbot (receiving and renewing certificates from Certificate Authority free of charge and automatically).