Configuring SSL/TLS for Management web interface
By default, Dispatcher Paragon Management uses a certificate distributed with Dispatcher Paragon to encrypt communication with the web interface. Because that certificate is not issued by an authority your clients trust, it gives you encryption but not server authentication: a client cannot tell the real Management server apart from something impersonating it. To get a connection that is both encrypted and authenticated, you need to use a certificate trusted in your environment.
This guide describes how to configure the secured connection (HTTPS) to the Dispatcher Paragon Management web interface using a CA-signed certificate.
CA-signed certificate requirements
- The certificate must be signed by a certification authority trusted in your environment.
- The certificate must contain every network name used to connect to the respective Management server (all hostnames, fully qualified domain names and IP addresses). Put them in the Subject Alternative Name extension; the Common Name may repeat the primary name, but current browsers validate the name only against the Subject Alternative Name and ignore the Common Name, so a certificate with the names only in the Common Name will be rejected.
- For the import you need the key and certificate in a specific format: two separate PEM files, one containing the private key (usually with a .key extension) and one containing the whole certificate chain (usually with a .crt extension).
- The certificate file must contain all certificates of the chain in this order: the Management server's own certificate first, then the certificate of the authority that directly signed the previous one, and so on, with the Root CA certificate last. A chain in the wrong order, or with an intermediate CA missing, can make clients fail validation even though the server certificate itself is valid.
- The private key must be protected by a password; that password is later entered in server.xml as certificateKeyPassword.
If your key/certificate is in a different format, convert it by following the guide in Conversions between different keystores and certificate types.
If you do not have a key/certificate at all, follow the guide in the Generating key/certificate in Personal Information Exchange format chapter (steps 1 - 3) in System communication hardening, and make sure the resulting certificate file contains all certificates of the chain in the order given above.
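Before touching server.xml it is worth checking the two PEM files against the requirements above, because Tomcat will happily start with a chain in the wrong order and the failure only shows up in clients. The following pre-flight checker is an added example, not part of Dispatcher Paragon: it uses only the Python standard library, walks the DER structure of each certificate directly, and treats two certificates as chained when the issuer of one is byte-for-byte equal to the subject of the next (which is what real chains satisfy in practice). The `fake_cert_pem` helper builds unsigned, structurally valid certificates purely as constructed test data.

```python
"""Pre-flight check of the two PEM files server.xml will reference. Standard library
only: the DER structure is walked directly and issuer/subject are compared as raw DER."""
import base64
import re
import sys

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def read_pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block in text. 'Proc-Type:' style
    header lines of legacy encrypted keys are skipped before base64 decoding."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        body = "".join(l.strip() for l in m.group(2).splitlines() if ":" not in l)
        blocks.append((m.group(1), base64.b64decode(body)))
    return blocks

def _tlv(buf, pos):
    """Decode the DER header at pos: return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long form: low bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    """Yield (tag, element_start, element_end) for each TLV directly inside buf[start:end]."""
    while start < end:
        tag, _, cend = _tlv(buf, start)
        yield tag, start, cend
        start = cend

def cert_names(der):
    """Return (subject, issuer) of an X.509 certificate as raw DER Name encodings."""
    _, s, e = _tlv(der, 0)                      # Certificate ::= SEQUENCE
    _, s, e = _tlv(der, s)                      # tbsCertificate ::= SEQUENCE
    fields = list(_children(der, s, e))
    if fields[0][0] == 0xA0:                    # optional [0] EXPLICIT version
        fields = fields[1:]
    issuer, subject = fields[2], fields[4]      # serial, signature, issuer, validity, subject, ...
    return der[subject[1]:subject[2]], der[issuer[1]:issuer[2]]

def check_chain(pem_text):
    """Problems with a certificateChainFile bundle; [] means leaf first, root last, no gaps."""
    certs = [d for label, d in read_pem_blocks(pem_text) if label == "CERTIFICATE"]
    if not certs:
        return ["no CERTIFICATE block found"]
    names = [cert_names(c) for c in certs]
    problems = []
    if names[0][0] == names[0][1]:
        problems.append("first certificate is self-issued; the CA-signed server certificate must come first")
    for i in range(len(names) - 1):
        if names[i][1] != names[i + 1][0]:
            problems.append(f"certificate {i} is not issued by certificate {i + 1} (wrong order or missing CA)")
    if names[-1][0] != names[-1][1]:
        problems.append("last certificate is not a self-issued root; the chain is incomplete")
    return problems

def check_key(pem_text):
    """Problems with a certificateKeyFile; [] means one password-protected key was found."""
    labels = [l for l, _ in read_pem_blocks(pem_text) if l.endswith("PRIVATE KEY")]
    if not labels:
        return ["no PRIVATE KEY block found"]
    if labels[0] == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in pem_text:
        return []                               # PKCS#8 encrypted, or legacy OpenSSL encrypted PEM
    return [f"{labels[0]} is stored unencrypted; re-export it with a password"]

# ---- constructed test data: unsigned but structurally valid certificates ----
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    return (bytes([tag, 0x81, n]) if n < 0x100 else bytes([tag, 0x82, n >> 8, n & 0xFF])) + content

def _name(cn):                                  # Name with a single commonName (OID 2.5.4.3)
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))

def fake_cert_pem(subject_cn, issuer_cn):
    """Constructed certificate with only the fields the checker reads; unusable for TLS."""
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),                                  # [0] version v3
        _der(0x02, b"\x01"),                                              # serialNumber
        _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),  # sha256WithRSAEncryption
        _name(issuer_cn),
        _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z")),  # validity
        _name(subject_cn),
        _der(0x30, b""),                                                  # subjectPublicKeyInfo (empty)
    ]))
    b64 = base64.b64encode(_der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))).decode()
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(
        b64[i:i + 64] for i in range(0, len(b64), 64)) + "\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":                      # usage: check_pem.py server.crt server.key
    crt, key = (open(p).read() for p in sys.argv[1:3])
    problems = check_chain(crt) + check_key(key)
    print("\n".join(problems) or "OK: chain order and key protection look right")
    sys.exit(1 if problems else 0)
```

Run it as `check_pem.py dispatcherparagoncertificate.crt dispatcherparagoncertificate.key` on the server before editing server.xml; a non-zero exit code means the files do not yet meet the requirements. The check does not verify signatures or expiry, only the structural rules this page states, so a clean result is a necessary, not sufficient, condition.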
Configuring Dispatcher Paragon Management to use secure communication channel
If a Management Server cluster is used, perform the following steps on every node of the cluster.
- Stop the Dispatcher Paragon Management Service on the Dispatcher Paragon server.
- Copy your key and certificate files to the server where Dispatcher Paragon Management is installed. Restrict the private key file so that only administrators and the account the service runs under can read it.
- Set the following attributes of the <Certificate> element in <management_folder>\tomcat\conf\server.xml (usually C:\DispatcherParagon\Management\tomcat\conf\server.xml). Both certificateFile and certificateChainFile point at the same file, because the .crt holds the server certificate together with its chain:
    certificateFile="absolute/path/to/your/dispatcherparagoncertificate.crt"
    certificateChainFile="absolute/path/to/your/dispatcherparagoncertificate.crt"
    certificateKeyFile="absolute/path/to/your/dispatcherparagoncertificate.key"
    certificateKeyPassword="key protecting password"
- If you wish to enable automatic redirection from the unsecured connection (HTTP, port 80) to the secured connection (HTTPS, port 443), edit <management_folder>\tomcat\conf\web.xml and append these lines before the </web-app> tag. Tomcat redirects to the port given by the redirectPort attribute of the HTTP connector in server.xml (443 in the default configuration), so that value must match the port of the HTTPS connector:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Automatic SSL Forwarding</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
- Start the Dispatcher Paragon Management Service on the Dispatcher Paragon server.
- Verify that the Dispatcher Paragon Management web interface works and uses your own certificate: open https://<dispatcher_paragon_server_name> in a browser, using one of the names listed in the certificate, and check that no warning is shown; then click the lock icon and View certificate to confirm the subject, the Subject Alternative Name entries and the issuing authority. The same can be checked from the command line with openssl s_client -connect <dispatcher_paragon_server_name>:443 -servername <dispatcher_paragon_server_name>, which also prints the chain the server sends. If you enabled the automatic redirection to HTTPS, opening the http://<dispatcher_paragon_server_name> address is automatically redirected to the https protocol.
Example of Tomcat HTTPS configuration
The configuration is stored in <management_folder>\tomcat\conf\server.xml (usually C:\DispatcherParagon\Management\tomcat\conf\server.xml).
Keep the plain HTTP connector (default port 80) as the first <Connector> in the XML; the installer requires the HTTP port to be defined first. The HTTPS connector should be the second one.
    <Connector port="80"
               protocol="HTTP/1.1"
               redirectPort="443"
               connectionTimeout="20000" />
    <Connector port="443"
               protocol="HTTP/1.1"
               maxHttpHeaderSize="8192"
               maxThreads="200"
               minSpareThreads="25"
               enableLookups="false"
               disableUploadTimeout="true"
               acceptCount="100"
               URIEncoding="UTF-8"
               scheme="https"
               secure="true"
               SSLEnabled="true">
        <SSLHostConfig certificateVerification="none"
                       protocols="TLSv1.2,TLSv1.3"
                       ciphers="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256">
            <Certificate certificateFile="${catalina.home}/conf/dispatcherparagoncertificate.crt"
                         certificateChainFile="${catalina.home}/conf/dispatcherparagoncertificate.crt"
                         certificateKeyFile="${catalina.home}/conf/dispatcherparagoncertificate.key"
                         certificateKeyPassword="*****" />
        </SSLHostConfig>
    </Connector>
The default, pre-installed private key is stored in <management_folder>\tomcat\conf\safeq-tomcat.key. It is protected by the password specified in the configuration file with the certificateKeyPassword attribute.
The pre-installed certificate is stored in <management_folder>\tomcat\conf\safeq-tomcat.crt.
By default, TLSv1.2 and TLSv1.3 are the only SSL/TLS protocol versions enabled. Enabling versions below TLSv1.2 together with TLSv1.3 is known to cause problems; if you must support older versions for compatibility reasons, remove TLSv1.3 from the protocols attribute and extend the ciphers list with suites those versions support. Treat that as a temporary exception, since TLS 1.0 and TLS 1.1 are deprecated (RFC 8996). In the other direction, the four ECDHE-*-AES256-SHA384 and ECDHE-*-AES128-SHA256 entries in the example list are CBC-mode suites kept for older clients; if all your clients support the GCM and CHACHA20-POLY1305 suites, they can be removed.
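On a Management Server cluster the server.xml edit has to be repeated on every node, and the ordering and redirectPort rules above are easy to break by hand. The following script is an added example, not part of Dispatcher Paragon: it parses server.xml with comments preserved (Python 3.8 or later), lints the connector set against the constraints stated on this page (HTTP connector first, redirectPort equal to the HTTPS port, TLSv1.3 not mixed with versions below TLSv1.2), and only then rewrites the four <Certificate> attributes. `SAMPLE_SERVER_XML` is a constructed fragment modelled on the connector pair shown above, not a real server.xml; the file paths and service names in the usage line are placeholders.

```python
"""Scripted edit and lint of Tomcat's server.xml for the Management HTTPS connector,
meant to be run on every node of a Management Server cluster after copying the PEM files.
Added example, not part of Dispatcher Paragon; needs Python 3.8+ for the comment-keeping parser."""
import sys
import xml.etree.ElementTree as ET

def parse_server_xml(text):
    """Parse server.xml keeping XML comments so the round trip does not strip Tomcat's own notes."""
    return ET.fromstring(text, parser=ET.XMLParser(target=ET.TreeBuilder(insert_comments=True)))

def is_https(connector):
    return connector.get("SSLEnabled", "false").lower() == "true"

def lint_connectors(root):
    """Return the constraints from this page that the <Connector> set violates; [] means clean."""
    conns = list(root.iter("Connector"))
    problems = []
    if not conns or is_https(conns[0]):
        problems.append("the plain HTTP connector must be the first <Connector>; the installer requires it")
    https = [c for c in conns if is_https(c)]
    if not https:
        return problems + ['no SSLEnabled="true" connector found']
    for c in conns:
        if not is_https(c) and c.get("redirectPort") != https[0].get("port"):
            problems.append(f"redirectPort={c.get('redirectPort')!r} on the port {c.get('port')} connector "
                            f"does not match the HTTPS port {https[0].get('port')}; the CONFIDENTIAL "
                            "constraint in web.xml redirects to redirectPort")
    for host in https[0].iter("SSLHostConfig"):
        # assumes an explicit comma-separated protocols list, as on this page (no "all"/"+TLSv1.x" forms)
        protos = {p.strip() for p in host.get("protocols", "").split(",") if p.strip()}
        if "TLSv1.3" in protos and protos - {"TLSv1.2", "TLSv1.3"}:
            problems.append("protocols mixes TLSv1.3 with versions below TLSv1.2; remove TLSv1.3 when those are needed")
        if not host.findall("Certificate"):
            problems.append("SSLHostConfig has no <Certificate> element")
    return problems

def configure_certificate(root, crt_path, key_path, key_password):
    """Point every <Certificate> of the HTTPS connector(s) at the CA-signed key pair; returns the count."""
    certs = [cert for c in root.iter("Connector") if is_https(c) for cert in c.iter("Certificate")]
    if not certs:
        raise ValueError("no <Certificate> element under an SSLEnabled connector")
    for cert in certs:
        cert.set("certificateFile", crt_path)
        cert.set("certificateChainFile", crt_path)    # the .crt holds leaf + CA chain, so both point at it
        cert.set("certificateKeyFile", key_path)
        cert.set("certificateKeyPassword", key_password)
    return len(certs)

def render(root):
    """Serialise back with the XML declaration Tomcat's server.xml normally carries."""
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True).decode("utf-8")

# Constructed sample modelled on the connector pair shown on this page (not a real server.xml).
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- plain HTTP connector, must stay first -->
    <Connector port="80" protocol="HTTP/1.1" redirectPort="443" connectionTimeout="20000"/>
    <Connector port="443" protocol="HTTP/1.1" scheme="https" secure="true" SSLEnabled="true">
      <SSLHostConfig certificateVerification="none" protocols="TLSv1.2,TLSv1.3">
        <Certificate certificateFile="${catalina.home}/conf/safeq-tomcat.crt"
                     certificateChainFile="${catalina.home}/conf/safeq-tomcat.crt"
                     certificateKeyFile="${catalina.home}/conf/safeq-tomcat.key"
                     certificateKeyPassword="*****"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""

def main(path, crt_path, key_path, key_password):
    """Lint first, then rewrite in place; exit status 1 leaves the file untouched."""
    root = parse_server_xml(open(path, encoding="utf-8").read())
    problems = lint_connectors(root)
    if problems:
        print("\n".join(problems))
        return 1
    configure_certificate(root, crt_path, key_path, key_password)
    with open(path, "w", encoding="utf-8") as f:
        f.write(render(root))
    return 0

if __name__ == "__main__":   # usage: set_mgmt_tls.py server.xml C:\certs\mgmt.crt C:\certs\mgmt.key <password>
    sys.exit(main(*sys.argv[1:5]))
```

Run it with the Management service stopped, as the procedure above requires, and keep a copy of the original server.xml; the lint refuses to write anything while a constraint is violated, so a mistyped redirectPort is caught before the service is restarted rather than after users start landing on the wrong port.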