This appendix describes the security mechanisms used in a Subscriber Edge Services Manager (SESM) deployment. This appendix includes the following topics:
SESM applications inherit the security features of the Java language platform and of the J2EE framework. The following URLs describe security topics related to the Java and J2EE technology:
This section contains the following topics concerning HTTPS:
SESM implements SSL using the Java Secure Sockets Extension (JSSE). For information about JSSE, go to:
The J2EE specifications describe an extension framework for the integration of SSL implementations. For implementations other than JSSE, go to:
The SSL part of HTTPS requires a certificate to generate the encryption key. For the Jetty web server bundled with SESM, the certificate is named keystore and is found in the /etc directory. The keystore file is created by the keytool utility. For detailed instructions on the use of keytool, go to the following URL:
The sample keystore is adequate for nonproduction deployments. For production deployments, however, you must obtain a site-specific certificate from VeriSign, Inc. at:
Although certificates are generally the same in concept, they tend to differ in implementation. Some certificate manipulation is therefore required to make a certificate from a given source work with a given SSL implementation. For JSSE and the Jetty web server, the required steps are described at:
For other implementations, go to:
The keystore file is a certificate used for secure sockets layer (SSL) encryption. The SSL implementation shipped with SESM is of commercial quality and can use certificates generated by keytool. Keytool resides in the same directory as the JRE.
Caution: A keystore is required for deployments that use HTTPS. HTTPS does not function without a valid keystore file. The file included with the installation works, but you should replace it with a keystore valid for your specific deployment.
Step 1 To remove the secure or standard session option from the NWSP logon page, comment out the HTML in accountLogonBody.jsp.
<%-- Make this page either secure or insecure --%>
<% if (request.isSecure()) { %>
<tr>
<td colspan=2 align=center class="MediumText">
<A HREF="/insecure/home">
<l10n:resource key="standardLoginLabel">Standard</l10n:resource>
</A>
|
<l10n:resource key="secureLoginLabel">Secure</l10n:resource>
</td>
</tr>
<% } else {%>
<tr>
<td colspan=2 align=center class="MediumText">
<l10n:resource key="standardLoginLabel">Standard</l10n:resource>
|
<A HREF="/secure/home">
<l10n:resource key="secureLoginLabel">Secure</l10n:resource>
</A>
</td>
</tr>
<% } %>
Step 2 In the Jetty configuration file, comment out or remove the call that starts the standard HTTP listener.
For example, in nwsp.jetty.xml, surround the Configure tag for the SESMSocketListener for the HTTP port with comment indicators, as shown here:
<!-- (start comment)
<Configure jmxname="org.mortbay.jetty:name=Jetty,Server=0,SESMSocketListener=0">
<Set name="port" type="int"><SystemProperty name="application.portno"
default="8080"/></Set>
<Set name="minThreads" type="int">5</Set>
<Set name="maxThreads" type="int">255</Set>
<Set name="maxIdleTimeMs" type="int">60000</Set>
<Set name="maxReadTimeMs" type="int">60000</Set>
</Configure>
(end comment) -->
Step 3 In the generic start script, remove the information that defines and opens a port for standard HTTP traffic.
The generic script is executed by all of the application-specific startup scripts. In start.sh or start.cmd, change:
MGMTPORTNO=`expr $PORTNO + 100`
SSLPORTNO=`expr $PORTNO - 80 + 443`
PORTS="$PORTNO $MGMTPORTNO $SSLPORTNO"
to:
MGMTPORTNO=`expr $PORTNO + 100`
SSLPORTNO=1234
PORTS="$MGMTPORTNO $SSLPORTNO"
Further down in the script, delete the -Dapplication.portno=$PORTNO argument from the command shown below:
$JAVA $SERVER -Xms64m -Xmx64m \
-classpath $CLASSPATH \
-Dinstall.root=$INSTALLDIR \
-Djetty.home=$JETTYDIR \
-Dapplication.home=$APPDIR \
-Dapplication.portno=$PORTNO \
-Dapplication.ssl.portno=$SSLPORTNO \
-Dmanagement.portno=$MGMTPORTNO \
$MODE \
$JVMOPTIONS \
com.cisco.sesm.jmx.Main \
$CONFIG_FILES \
Step 4 If you are running a captive portal solution, change the configured redirections to the NWSP application to use the HTTPS protocol and the HTTPS port you defined in the generic startup script.
In the captiveportal.xml file, change the following lines. The port numbers must match the SSL port number defined in the serviceportal configuration (which in the default configuration is nwsp.xml).
<Set name="userRedirectURL">
http://<SystemProperty name="serviceportal.host" default="nwsp"/>:
<SystemProperty name="serviceportal.port" default="8080"/>/home</Set>
<Set name="serviceRedirectDefaultURL">http://nwsp:8080/serviceRedirect</Set>
<Set name="errorURL">
http://<SystemProperty name="serviceportal.host" default="nwsp"/>: <SystemProperty
name="serviceportal.port" default="8080"/>/home</Set>
to:
<Set name="userRedirectURL">
https://<SystemProperty name="serviceportal.host" default="nwsp"/>:
<SystemProperty name="serviceportal.port" default="1234"/>/home</Set>
<Set name="serviceRedirectDefaultURL">https://nwsp:1234/serviceRedirect</Set>
<Set name="errorURL">
https://<SystemProperty name="serviceportal.host" default="nwsp"/>: <SystemProperty
name="serviceportal.port" default="1234"/>/home</Set>
Step 5 If you are using the Message Portal application in your captive portal solution, change the configured redirections to NWSP to use the HTTPS protocol and the HTTPS port you defined in the generic startup script.
In messageportal.xml, change the following lines:
<Set name="defaultURL">
http://<SystemProperty name="serviceportal.host" default="nwsp"/>:
<SystemProperty name="serviceportal.port" default="8080"/>/</Set>
to:
<Set name="defaultURL">
https://<SystemProperty name="serviceportal.host" default="nwsp"/>:
<SystemProperty name="serviceportal.port" default="1234"/>/</Set>
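The following script is an added example, not part of the original Cisco documentation: it audits the files edited in Steps 3 through 5 for leftover plain-HTTP settings and for redirect ports that do not match the SSL port. The function names, the grep patterns, and the abbreviated sample files it builds are assumptions made for illustration, based on the snippets shown above.

```shell
#!/bin/sh
# Added example: audit the files edited in Steps 3-5 for leftover HTTP settings.
# Function names and grep patterns are assumptions based on the snippets above.

# True if the start script still defines or passes the standard HTTP port.
start_script_opens_http() {
    grep -Eq '^[[:space:]]*-Dapplication\.portno=|^PORTS=.*\$PORTNO[ "]' "$1"
}

# Print the literal SSL port assigned in the start script (empty if computed).
ssl_port_of() {
    sed -n 's/^SSLPORTNO=\([0-9][0-9]*\)$/\1/p' "$1"
}

# Count redirect URLs in the portal XML files that still begin with http://.
count_http_redirects() {
    cat "$@" | grep -cE '(^[[:space:]]*|>)http://' || true
}

# Print redirect ports that differ from the expected SSL port ($1).
mismatched_redirect_ports() {
    want=$1; shift
    cat "$@" |
        grep -oE 'serviceportal\.port" default="[0-9]+"|https://[^:/<]+:[0-9]+' |
        grep -oE '[0-9]+"?$' | tr -d '"' | grep -vx "$want" | sort -u
}

# Constructed sample files (abbreviated from the page's snippets), not real config.
make_samples() {
    mkdir -p "$1/before" "$1/after"
    printf '%s\n' 'SSLPORTNO=`expr $PORTNO - 80 + 443`' \
        'PORTS="$PORTNO $MGMTPORTNO $SSLPORTNO"' \
        '  -Dapplication.portno=$PORTNO \' > "$1/before/start.sh"
    printf '%s\n' 'SSLPORTNO=1234' 'PORTS="$MGMTPORTNO $SSLPORTNO"' \
        '  -Dapplication.ssl.portno=$SSLPORTNO \' > "$1/after/start.sh"
    printf '%s\n' '<Set name="userRedirectURL">' \
        'http://<SystemProperty name="serviceportal.host" default="nwsp"/>:' \
        '<SystemProperty name="serviceportal.port" default="8080"/>/home</Set>' \
        '<Set name="serviceRedirectDefaultURL">http://nwsp:8080/serviceRedirect</Set>' \
        > "$1/before/captiveportal.xml"
    sed -e 's#http://#https://#' -e 's/8080/1234/' \
        "$1/before/captiveportal.xml" > "$1/after/captiveportal.xml"
}

SAMPLES=$(mktemp -d) && make_samples "$SAMPLES"
for d in before after; do
    start_script_opens_http "$SAMPLES/$d/start.sh" && echo "$d: HTTP port still opened"
    echo "$d: $(count_http_redirects "$SAMPLES/$d"/*.xml) plain-HTTP redirect(s)"
done
```

In a deployment, call the functions on the real start.sh, captiveportal.xml and messageportal.xml instead of the generated samples.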
Posted: Fri Oct 18 10:03:15 PDT 2002
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.