Changes for page Security
Last modified by Arthur Heffern on 2021/09/09 20:55
From version 6.1
edited by Arthur Heffern
on 2021/09/09 18:55
on 2021/09/09 18:55
Change comment:
There is no comment for this version
Summary
Page properties (2 modified, 0 added, 0 removed)
Details
- Page properties
- Parent
... ... @@ -1,1 +1,1 @@ 1 - xwiki:ISYMDOCS.Home.iSymphony Administrator's Guide1 +iSymphony Administrator's Guide - Content
... ... @@ -1,5 +1,7 @@ 1 1 **//On this page~://** 2 2 3 + 4 + 3 3 {{toc/}} 4 4 5 5 iSymphony opens several ports for communication with the outside world. These ports include the Web Ports used by the server to provide both the Administration and Client web interfaces, the REST API and Voicemail and Recording Agent file servers. The iSymphony server is broken up into several subsections call servlets. Each servlet can have several layers of security activated on them in order to prevent unauthorized access and man in the middle attacks. ... ... @@ -58,7 +58,7 @@ 58 58 The following method requires the Oracle JDK. 59 59 ))) 60 60 1. ((( 61 -Run the following command to create your SSL keystore. (% style="line-height:1.4285715" %)Follow the prompts to finish creating the keystore. 63 +Run the following command to create your SSL keystore. (% style="line-height: 1.4285715;" %)Follow the prompts to finish creating the keystore. 62 62 63 63 {{code language="bash"}} 64 64 keytool -keystore <filename> -alias <alias> -genkey -keyalg RSA -validity <number of days cert is valid> ... ... @@ -81,6 +81,7 @@ 81 81 The default password for the cacerts truststore is: "changeit". For more information on the keytool please see the Oracle documentation : 82 82 [[https:~~/~~/docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html>>url:https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html||shape="rect"]] 83 83 86 + 84 84 85 85 {{warning}} 86 86 {{id name="cacerts"/}} ... ... 
@@ -128,7 +128,7 @@ 128 128 Modify /opt/isymphony3/server/conf/security.xml to make iSymphony aware of the keystore by modifying the SSLKeystore XML element with the appropriate values: 129 129 130 130 {{code}} 131 -<SSLKeystore filename="isymphony.jks" keystorePassword="isymphony" keyPassword="isymphony" certAlias="isymphony" ></SSLKeystore>134 +<SSLKeystore filename="isymphony.jks" keystorePassword="isymphony" keyPassword="isymphony" certAlias="isymphony" /> 132 132 {{/code}} 133 133 134 134 Then enabling SSL on each context you would like to utilize SSL (More on this below) and restarting the iSymphonyServerV3 service should complete the configuration. ... ... @@ -137,7 +137,7 @@ 137 137 138 138 You can enable and disable entire **Security Contexts** by setting the **enabled** attribute to **true** or **false** in the **SecurityContext** tag in the **/opt/isymphony3/server/conf/security.xml** file. A disabled **Security Context** will apply no restrictions to the servlet despite any of the inner settings. 139 139 140 -((( 143 +1. ((( 141 141 == SSL == 142 142 ))) 143 143 ... ... 
@@ -147,22 +147,21 @@ 147 147 If enabling SSL on the communication_manager servlet and you are using the iSymphony FreePBX module you must modify the module settings to use SSL. See [[doc:FreePBX Module Administration]] for more information. 148 148 {{/info}} 149 149 150 -((( 153 +1. ((( 151 151 == Realm Authentication == 152 152 ))) 153 153 154 154 You can enable or disable HTTP realm authentication on a specific **Security Context** by setting the **enabled** attribute in the **RealmAuth** tag to **true** or **false**. You can add a new HTTP realm authentication user by adding a **RealmAuthUser** tag to the **RealmAuthUsers**. You can specify the user's credentials by populating the **username** and **password** attributes of the **RealmAuthUser** tag. 155 155 156 -((( 159 +1. ((( 157 157 == IP Access == 158 158 ))) 159 159 160 160 You can enable IP access on a specific **Security Context** by setting the **enabled** attribute on the **IPAccess** tag to **true** or **false**. The **IPAccess** restriction will allow or deny connections from specific IP addresses based on the contents of the **WhiteList** and **BlackList** in the **IPAccess** tag. 161 161 162 -((( 165 +1. ((( 163 163 === Behavior === 164 164 ))) 165 - 166 166 1. IPs that are specified in the **WhiteList** will always be allowed to access the system unless the IP is specified in the **BlackList** as well. 167 167 1. IPs that are specified in the **BlackList** will never be allowed to access the system. 168 168 1. If no entries are specified in the **WhiteList** or **BlackList** all IPs will have access to the servlet.
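Review bot: The two blank lines added above {{toc/}} in the -1,5 hunk change nothing a reader sees and should be dropped. The unchanged intro paragraph next to them still reads "several subsections call servlets", which should be "called servlets". If this revision was meant as a cleanup of the page, that typo is the line worth touching, not the whitespace.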
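Review bot: The -58,7 hunk only rewrites the inline style marker (% style="line-height: 1.4285715;" %) in the middle of step 1, which looks like WYSIWYG editor residue and carries no meaning for the instruction. Suggest deleting the marker so the step reads "Run the following command to create your SSL keystore. Follow the prompts to finish creating the keystore." Separately, the keytool command under it passes -keyalg RSA without -keysize, so the key length depends on the default of whichever JDK the administrator runs. An explicit -keysize in the documented command would make the result predictable.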
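Review bot: The rewritten SSLKeystore line in the -128,7 hunk keeps keystorePassword="isymphony" and keyPassword="isymphony" as literal example values, and an administrator who copies the line as shown ends up with a keystore protected by the product name. The keytool step earlier on the page already uses placeholders (<filename>, <alias>); suggest the same here, for example keystorePassword="<keystore password>" keyPassword="<key password>", with a sentence saying the values must be the ones entered at the keytool prompts. The switch to a self-closing tag is fine.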
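Review bot: In the -137,7 and -147,22 hunks the group opener "(((" in front of "== SSL ==", "== Realm Authentication ==", "== IP Access ==" and "=== Behavior ===" becomes "1. (((", which makes every section heading an item of a numbered list. The version has no change comment, so nothing indicates this was intended, and it looks like an editor side effect. The -147,22 hunk also removes the blank line between the "=== Behavior ===" group and the first "1." rule, so the heading item now runs directly into the three WhiteList/BlackList rules, and the numbering readers use to refer to those rules may shift. Suggest restoring the plain "(((" openers and the blank line before the rule list.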