Skip to Content

Changes for page Security

Last modified by Arthur Heffern on 2021/09/09 20:55
From version 1.1
edited by michelk
on 2021/09/09 18:02
Change comment: Import
To version 6.1
edited by Arthur Heffern
on 2021/09/09 18:55
Change comment: There is no comment for this version

Summary

Details

Page properties
Parent
... ... @@ -1,0 +1,1 @@
1 +xwiki:ISYMDOCS.Home.iSymphony Administrator's Guide
Author
... ... @@ -1,1 +1,1 @@
1 -XWiki.michelk
1 +XWiki.arthurh
Tags
... ... @@ -1,0 +1,1 @@
1 +black|white|http|realm|authentication|auth|security|ssl|ip|list
Content
... ... @@ -1,7 +1,5 @@
1 1  **//On this page~://**
2 2  
3 -
4 -
5 5  {{toc/}}
6 6  
7 7  iSymphony opens several ports for communication with the outside world. These ports include the Web Ports used by the server to provide both the Administration and Client web interfaces, the REST API and Voicemail and Recording Agent file servers. The iSymphony server is broken up into several subsections call servlets. Each servlet can have several layers of security activated on them in order to prevent unauthorized access and man in the middle attacks.
... ... @@ -60,7 +60,7 @@
60 60  The following method requires the Oracle JDK.
61 61  )))
62 62  1. (((
63 -Run the following command to create your SSL keystore. (% style="line-height: 1.4285715;" %)Follow the prompts to finish creating the keystore.
61 +Run the following command to create your SSL keystore. (% style="line-height:1.4285715" %)Follow the prompts to finish creating the keystore.
64 64  
65 65  {{code language="bash"}}
66 66  keytool -keystore <filename> -alias <alias> -genkey -keyalg RSA -validity <number of days cert is valid>
... ... @@ -82,13 +82,64 @@
82 82  
83 83  The default password for the cacerts truststore is: "changeit". For more information on the keytool please see the Oracle documentation :
84 84  [[https:~~/~~/docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html>>url:https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html||shape="rect"]]
83 +
84 +
85 +{{warning}}
86 +{{id name="cacerts"/}}
87 +
88 +The password and the default access permission of the cacerts truststore should have changed upon installing the SDK. If this was not done already it should be done __**as the LAST STEP of this process**__.
89 +{{/warning}}
85 85  )))
86 86  
87 -== Enabling And Disabling Security Contexts ==
92 +=== Creating a Keystore with Let's Encrypt ===
88 88  
89 -You can enable and disable entire **Security Contexts** by setting the **enabled** attribute to **true** or **false** in the **SecurityContext** tag. A disabled **Security Context** will apply no restrictions to the servlet despite any of the inner settings.
94 +{{note}}
95 +This section is a work in progress and will be updated.
96 +{{/note}}
90 90  
91 -1. (((
98 +==== Creating a Keystore with The Let's Encrypt module for FreePBX ====
99 +
100 +FreePBX automates the process for obtaining a Let'sEncrypt certificate and utilizes it's own directory structure and file names to place the resulting files (The Certificate, any intermediate Certificate Authority chain and private key) on the filesystem.
101 +
102 +First, we must compile and convert the resulting LE certificate chain and private key to PKCS12 format utilizing the OpenSSL binaries:
103 +
104 +{{code}}
105 +openssl pkcs12 -export -in /etc/asterisk/keys/<HOSTNAME>/fullchain.pem -inkey /etc/asterisk/keys/<HOSTNAME>/private.pem -name isymphony -out isymphony.pkcs12
106 +{{/code}}
107 +
108 +{{note}}
109 +Ensure you change the <HOSTNAME> placeholder above to reference the directory name that was created as part of the FreePBX certificate acquisition process.
110 +{{/note}}
111 +
112 +You can choose the name you would like for the certificate alias and resulting pkcs12 keystore file name (-name and -out parameters). The above is only an example, though works without issue, so feel free to use it if appropriate.
113 +
114 +The OpenSSL command will ask you for a password for the exported keystore. Be sure to set one as it is required and empty string passwords are not valid for this process. For this example, we used the password "isymphony".
115 +
116 +Then, you just import the resulting pkcs12 keystore into a newly created Java Keystore supplying the appropriate parameters and set the destination store password and key password:
117 +
118 +{{code}}
119 +keytool -importkeystore -deststorepass isymphony -destkeypass isymphony -destkeystore isymphony.jks -srckeystore isymphony.pkcs12 -srcstoretype PKCS12 -alias isymphony
120 +{{/code}}
121 +
122 +And your new java keystore will be in the resulting file: ./isymphony.jks file.
123 +
124 +This file should be copied into the top level directory of your **/opt/isymphony3/server/conf** (or appropriate installation directory for iSymphony) directory.
125 +
126 +== Make iSymphony Aware of the SSLKeystore ==
127 +
128 +Modify /opt/isymphony3/server/conf/security.xml to make iSymphony aware of the keystore by modifying the SSLKeystore XML element with the appropriate values:
129 +
130 +{{code}}
131 +<SSLKeystore filename="isymphony.jks" keystorePassword="isymphony" keyPassword="isymphony" certAlias="isymphony" ></SSLKeystore>
132 +{{/code}}
133 +
134 +Then enabling SSL on each context you would like to utilize SSL (More on this below) and restarting the iSymphonyServerV3 service should complete the configuration.
135 +
136 +== Enabling And Disabling Security Context ==
137 +
138 +You can enable and disable entire **Security Contexts** by setting the **enabled** attribute to **true** or **false** in the **SecurityContext** tag in the **/opt/isymphony3/server/conf/security.xml** file. A disabled **Security Context** will apply no restrictions to the servlet despite any of the inner settings.
139 +
140 +(((
92 92  == SSL ==
93 93  )))
94 94  
... ... @@ -98,21 +98,22 @@
98 98  If enabling SSL on the communication_manager servlet and you are using the iSymphony FreePBX module you must modify the module settings to use SSL. See [[doc:FreePBX Module Administration]] for more information.
99 99  {{/info}}
100 100  
101 -1. (((
150 +(((
102 102  == Realm Authentication ==
103 103  )))
104 104  
105 105  You can enable or disable HTTP realm authentication on a specific **Security Context** by setting the **enabled** attribute in the **RealmAuth** tag to **true** or **false**. You can add a new HTTP realm authentication user by adding a **RealmAuthUser** tag to the **RealmAuthUsers**. You can specify the user's credentials by populating the **username** and **password** attributes of the **RealmAuthUser** tag.
106 106  
107 -1. (((
156 +(((
108 108  == IP Access ==
109 109  )))
110 110  
111 111  You can enable IP access on a specific **Security Context** by setting the **enabled** attribute on the **IPAccess** tag to **true** or **false**. The **IPAccess** restriction will allow or deny connections from specific IP addresses based on the contents of the **WhiteList** and **BlackList** in the **IPAccess** tag.
112 112  
113 -1. (((
162 +(((
114 114  === Behavior ===
115 115  )))
165 +
116 116  1. IPs that are specified in the **WhiteList** will always be allowed to access the system unless the IP is specified in the **BlackList** as well.
117 117  1. IPs that are specified in the **BlackList** will never be allowed to access the system.
118 118  1. If no entries are specified in the **WhiteList** or **BlackList** all IPs will have access to the servlet.