Changes for page Security

Last modified by Arthur Heffern on 2021/09/09 20:55

From version 2.1
edited by michelk
on 2021/09/09 18:02
Change comment: Import
To version 3.1
edited by michaely
on 2021/09/09 18:02
Change comment: Import

Summary

Details

Page properties
Author
... ... @@ -1,1 +1,1 @@
1 -XWiki.michelk
1 +XWiki.michaely
Content
... ... @@ -56,10 +56,10 @@
56 56  If you have SSL enabled on the **client** or **administrator** servlet and you are using a self singed certificate the browser will alert the user that they are accessing an unverified location when the attempt to access the iSymphony Client or Administration Interface. In order to prevent this warning you will need to acquire an SSL certificate from a valid authority that is recognized by the your JRE.
57 57  {{/note}}
58 58  
59 -1. (((
59 +* (((
60 60  The following method requires the Oracle JDK.
61 61  )))
62 -1. (((
62 +* (((
63 63  Run the following command to create your SSL keystore. (% style="line-height: 1.4285715;" %)Follow the prompts to finish creating the keystore.
64 64  
65 65  {{code language="bash"}}
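Review bot: Context line 56 says the certificate must come from an authority "recognized by the your JRE", but the warning it describes is raised by the browser, so the certificate has to chain to an authority the browser trusts; the JRE trust store has no effect on that warning. Since this revision edits the lines directly below, reword that sentence and fix "self singed", "when the attempt" and "the your JRE" at the same time. On new lines 59 and 62, the switch from `1.` to `*` leaves a two-item bullet list in which the first item is a prerequisite and the second is the only step; the Oracle JDK requirement would read better as a plain sentence above the command.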
... ... @@ -66,32 +66,12 @@
66 66  keytool -keystore <filename> -alias <alias> -genkey -keyalg RSA -validity <number of days cert is valid>
67 67  {{/code}}
68 68  )))
69 -1. (((
70 -Export the generated public key from the keystore by running the following command:
71 71  
72 -{{code}}
73 -keytool -export -keystore <keystore file name from step2> -alias <alias> -file <filename>
74 -{{/code}}
75 -)))
76 -
77 -* (((
78 -Import the public key into the java trust store (cacerts) located in the java home directory:
79 -
80 -{{code}}
81 -keytool -import -alias <alias> -file <file from step 3> -keystore $JAVA_HOME/jre/lib/security/cacerts
82 -{{/code}}
83 -
84 -The default password for the cacerts truststore is: "changeit". For more information on the keytool please see the Oracle documentation :
85 -[[https:~~/~~/docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html>>url:https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html||shape="rect"]]
86 -)))
87 -
88 88  == Enabling And Disabling Security Contexts ==
89 89  
90 90  You can enable and disable entire **Security Contexts** by setting the **enabled** attribute to **true** or **false** in the **SecurityContext** tag. A disabled **Security Context** will apply no restrictions to the servlet despite any of the inner settings.
91 91  
92 -1. (((
93 93  == SSL ==
94 -)))
95 95  
96 96  You can enable and disable **SSL** communication encryption on a specific **Security Context** by setting the **enabled** attribute in the **SSL** tag to **true** or **false**.
97 97  
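Review bot: Removing old lines 69-86 leaves the keystore procedure ending at `keytool ... -genkey` on line 66, and the change comment ("Import") gives no reason for dropping the export and cacerts import steps. If the removal is intentional, say so on the page: importing a self-signed certificate into `$JAVA_HOME/jre/lib/security/cacerts` makes it trusted by every application on that JVM, and the removed text pointed readers at the default "changeit" password, so dropping it is defensible, but readers now get no indication of what to do with the keystore after creating it. The link to the Oracle keytool documentation on old line 85 was removed along with those steps and is worth keeping next to the remaining command. The command on line 66 also sets `-keyalg RSA` without `-keysize`, so the key length depends on the JDK default; consider stating it explicitly.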
... ... @@ -99,26 +99,21 @@
99 99  If enabling SSL on the communication_manager servlet and you are using the iSymphony FreePBX module you must modify the module settings to use SSL. See [[doc:FreePBX Module Administration]] for more information.
100 100  {{/info}}
101 101  
102 -1. (((
103 103  == Realm Authentication ==
104 -)))
105 105  
106 106  You can enable or disable HTTP realm authentication on a specific **Security Context** by setting the **enabled** attribute in the **RealmAuth** tag to **true** or **false**. You can add a new HTTP realm authentication user by adding a **RealmAuthUser** tag to the **RealmAuthUsers**. You can specify the user's credentials by populating the **username** and **password** attributes of the **RealmAuthUser** tag.
107 107  
108 -1. (((
109 109  == IP Access ==
110 -)))
111 111  
112 112  You can enable IP access on a specific **Security Context** by setting the **enabled** attribute on the **IPAccess** tag to **true** or **false**. The **IPAccess** restriction will allow or deny connections from specific IP addresses based on the contents of the **WhiteList** and **BlackList** in the **IPAccess** tag.
113 113  
114 -1. (((
115 115  === Behavior ===
116 -)))
117 -1. IPs that are specified in the **WhiteList** will always be allowed to access the system unless the IP is specified in the **BlackList** as well.
118 -1. IPs that are specified in the **BlackList** will never be allowed to access the system.
119 -1. If no entries are specified in the **WhiteList** or **BlackList** all IPs will have access to the servlet.
120 -1. If entries exist in the **WhiteList** but not in the **BlackList** only the IPs specified in the **WhiteList** will have access to the servlet.
121 121  
92 +* IPs that are specified in the **WhiteList** will always be allowed to access the system unless the IP is specified in the **BlackList** as well.
93 +* IPs that are specified in the **BlackList** will never be allowed to access the system.
94 +* If no entries are specified in the **WhiteList** or **BlackList** all IPs will have access to the servlet.
95 +* If entries exist in the **WhiteList** but not in the **BlackList** only the IPs specified in the **WhiteList** will have access to the servlet.
96 +
122 122  {{info}}
123 123  Both IPv4 and IPv6 IPs can be specified the the IP Access lists.
124 124  {{/info}}
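Review bot: The Behavior list moved to new lines 92-95 still does not say what happens when the **BlackList** has entries and the **WhiteList** is empty; add a bullet stating whether every IP not on the **BlackList** is allowed in that case, since an administrator who only blacklists needs to know the default. The first bullet ("will always be allowed ... unless the IP is specified in the **BlackList** as well") contradicts itself; stating once that the **BlackList** takes precedence over the **WhiteList** would be clearer. Context line 123 has a typo: "specified the the IP Access lists" should read "specified in the IP Access lists". Context line 106 describes putting the **password** attribute directly in the **RealmAuthUser** tag; a sentence on restricting read access to that configuration file would fit here.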