Application Server Security

Jetty

By default, the Central Server runs a Jetty process that hosts all of the RTView servlets and accepts HTTP client requests on port 10070. The Data Server runs a Jetty process that hosts all of the RTView servlets and accepts HTTP client requests on port xx70 (3270 by default). You can optionally configure Jetty to use HTTPS instead of HTTP. This requires a certificate for your domain, held in a keystore that the Data Server can read. Once you have a certificate, do the following in the Configuration Application in the Data Server tab:

1. Turn on the Use Https toggle.
2. Set the Keystore File to the keystore file name (including the path) that contains the certificate for your domain.
3. Optionally enter the Keystore Password and Key Manager Password if they are required for your keystore.
4. Save your configuration and restart the data server.

The Configuration Application and HTML UI use HTTP authentication and require the following roles, which are preconfigured. You can modify the user names and passwords (but not the role names) in RTVAPM_HOME/common/lib/ext/jetty/rtvadmin-users.xml. Because the accounts ship with preconfigured passwords, change them before the server is reachable from anything other than localhost. The required roles are:

rtvadmin
rtvuser
rtvalertmgr

Jetty does not limit the number of failed login attempts, which leaves the HTTP authentication open to brute-force password guessing. If this is a concern, deploy with Tomcat (whose LockOut Realm is described below) or another application server that enforces a lockout.

Disabling Jetty

You can optionally disable Jetty in the Data Server when using Tomcat or another application server. Because Jetty will no longer serve the Configuration Application once it is disabled, you must make this change from a copy of the Configuration Application hosted by Tomcat or the other application server. In the Configuration Application, go to the Data Server tab and do the following:

1. Turn off the HTML Server Enabled toggle.
2. Save your configuration and restart.

Apache Tomcat

You can optionally use Tomcat or another application server in addition to or instead of the Jetty process that comes with RTView.

To deploy the servlets to your application server, go to the projects/rtview-server directory and run update_wars.bat (Windows) or update_wars.sh (Linux). Copy all of the generated war files to the webapps directory of your application server.

RTViewCentral includes a Tomcat installation that is preconfigured with the servlets the Central Server needs. This Tomcat can also be used to host the servlets from the RTView Data Servers. By default, Tomcat is not started by the startup scripts. To enable Tomcat, edit the start and stop scripts in the bin directory and uncomment the Tomcat sections.

Tomcat and most other application servers can be configured for HTTPS. This requires a certificate for your domain; follow the application server documentation for enabling HTTPS. Additionally, Tomcat access filters (for example the RemoteAddrValve) can be configured to restrict access according to the remote client host or address. Tomcat also has a feature named LockOut Realm to protect against brute-force login attacks: after five successive failed login attempts for a given username, all logins for that username are rejected for the next five minutes. Both the failure count and the lockout time are configurable. See the Tomcat documentation for more information.

You will need to add the following roles to your application server for use with the Configuration Application and HTML UI authentication. For Tomcat, users and roles are defined in conf/tomcat-users.xml under the Tomcat installation directory:

rtvadmin
rtvuser
rtvalertmgr
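As an added illustration (not a file shipped with RTView or Tomcat), the following conf/tomcat-users.xml declares the three required roles and a few accounts. The account names, passwords and the role combinations assigned to each account are placeholders chosen for this example; which roles a given person needs depends on what they must do in the HTML UI.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- conf/tomcat-users.xml: added example, not an RTView- or Tomcat-supplied file -->
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">

  <!-- Roles required by the RTView Configuration Application and HTML UI -->
  <role rolename="rtvadmin"/>
  <role rolename="rtvuser"/>
  <role rolename="rtvalertmgr"/>

  <!-- Example accounts. Names, passwords and role assignments are placeholders;
       replace the passwords before deploying. -->
  <user username="rtv-administrator"
        password="ChangeMe-Admin!"
        roles="rtvadmin,rtvuser,rtvalertmgr"/>
  <user username="alert-operator"
        password="ChangeMe-Alerts!"
        roles="rtvuser,rtvalertmgr"/>
  <user username="dashboard-viewer"
        password="ChangeMe-Viewer!"
        roles="rtvuser"/>
</tomcat-users>
```

The password attributes above are plain text, which is Tomcat's default. If the Realm in conf/server.xml is given a MessageDigestCredentialHandler (shown in the server.xml example later on this page), the same attribute instead holds a digest produced with Tomcat's bin/digest.sh (or digest.bat) tool, so the file no longer reveals the passwords themselves.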

Encrypting Keystore File Password in Tomcat

When configuring Tomcat to support HTTPS (SSL) connections, the keystore file password must normally be entered in Tomcat's conf/server.xml file in plain text. In cases where that is problematic, RTView provides an option for password encoding. Note that the encoded value is reversible by design: the RTView protocol class configured in step 3 decodes it at startup to open the keystore. It therefore protects against casual disclosure of server.xml and is not a substitute for restricting read access to that file.

To use this feature:

1. Open a console window to <installation_dir>/rtvapm and execute:

Linux:

. ./rtvapm_init.sh

Windows:

rtvapm_init.bat

2. Generate an encoded version of the keystore file password by entering the following:

encode_string encoder2 plain_text_password

where plain_text_password is the actual password. The output will be:

encrypted value: <encoded_password>

3. In Apache Tomcat's conf/server.xml, change the https (SSL) Connector's protocol parameter from this:

protocol="org.apache.coyote.http11.Http11NioProtocol"

to this:

protocol="com.sl.tomcat.RtvHttp11NioProtocol"

And change the certificateKeystorePassword from this:

certificateKeystorePassword="plain_text_password"

to this:

certificateKeystorePassword="encoded_password"

where encoded_password was obtained in step 2.

4. Restart Tomcat.
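The fragment below is an added example of a conf/server.xml that combines the settings discussed on this page: the HTTPS connector using the RTView protocol class and an encoded keystore password, the LockOut Realm, and an address filter. It is not a file supplied by RTView or Tomcat. The port, keystore path, address ranges and the placeholder keystore password value are assumptions; substitute the output of encode_string for the placeholder.

```xml
<!-- conf/server.xml (fragment): added example, not an RTView- or Tomcat-supplied file.
     Requires Tomcat 8.5 or later (SSLHostConfig syntax) and the RTView jars on
     Tomcat's classpath for com.sl.tomcat.RtvHttp11NioProtocol. -->
<Service name="Catalina">

  <!-- HTTPS connector. The RTView protocol class decodes certificateKeystorePassword.
       REPLACE_WITH_ENCODED_VALUE stands for the output of
       "encode_string encoder2 plain_text_password"; port and keystore path assumed. -->
  <Connector port="8443"
             protocol="com.sl.tomcat.RtvHttp11NioProtocol"
             SSLEnabled="true"
             maxThreads="150"
             scheme="https"
             secure="true">
    <!-- TLSv1.3 needs a JVM that supports it (Java 11+, or 8u261+) -->
    <SSLHostConfig protocols="TLSv1.2,TLSv1.3">
      <Certificate certificateKeystoreFile="conf/rtview.jks"
                   certificateKeystorePassword="REPLACE_WITH_ENCODED_VALUE"
                   type="RSA"/>
    </SSLHostConfig>
  </Connector>

  <Engine name="Catalina" defaultHost="localhost">

    <!-- LockOut Realm: after failureCount failed logins for one username, reject that
         username for lockOutTime seconds. 5 and 300 are Tomcat's defaults; the values
         are shown explicitly so they can be tuned. -->
    <Realm className="org.apache.catalina.realm.LockOutRealm"
           failureCount="5"
           lockOutTime="300">
      <!-- UserDatabaseRealm reads tomcat-users.xml via the "UserDatabase" resource
           declared in GlobalNamingResources of the stock server.xml -->
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase">
        <!-- Store SHA-256 digests instead of plain passwords in tomcat-users.xml;
             generate each digest with: bin/digest.sh -a SHA-256 <password> -->
        <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
                           algorithm="SHA-256"/>
      </Realm>
    </Realm>

    <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
      <!-- Access filter: only loopback and an assumed management subnet may reach
           the RTView servlets. "allow" is a regular expression matched against the
           client address; everything that does not match is rejected. -->
      <Valve className="org.apache.catalina.valves.RemoteAddrValve"
             allow="127\.0\.0\.1|::1|10\.20\.0\.\d{1,3}"/>
    </Host>
  </Engine>
</Service>
```

The stock server.xml already nests a UserDatabaseRealm inside a LockOutRealm with the default counts, so in practice the change is to set the values you want rather than to add the realm. If Tomcat sits behind a reverse proxy, RemoteAddrValve sees the proxy's address, and the filter must be applied at the proxy (or combined with Tomcat's RemoteIpValve) to be meaningful. After restarting, confirm the connector is up by browsing to the HTTPS port and inspecting the presented certificate, and confirm the lockout by deliberately failing a login more than failureCount times with one account.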