Application Server Security

Apache Tomcat

To deploy your servlets to Tomcat or another application server, go into the projects/rtview-server directory and run update_wars.bat (Windows) or update_wars.sh (Linux). Copy all of the generated WAR files to the webapps directory of your application server.

RTViewCentral includes a Tomcat installation, running on port 8068, that is preconfigured with the servlets needed by the Central Server. This Tomcat can also be used to host the servlets from the RTView Data Servers.

Tomcat and most other application servers can be configured for HTTPS. This requires a certificate for your domain; follow the application server documentation for enabling HTTPS. Additionally, Tomcat's remote address and remote host filters (the RemoteAddrValve and RemoteHostValve valves) can restrict access according to the client's IP address or host name. Tomcat also has a feature named LockOutRealm to protect against brute-force login attacks: by default, after five consecutive failed login attempts for a given username, all logins for that username are rejected for the next five minutes, even when the correct password is supplied. The failure count and lock-out time are configurable. See the Tomcat documentation for more information.

You will need to add the following roles to your application server for use with Configuration Application and HTML UI authentication, and assign them to the users who need them. For Tomcat, users and roles are defined in conf/tomcat-users.xml:

rtvadmin
rtvuser
rtvalertmgr

Encrypting Keystore File Password in Tomcat

When configuring Tomcat to support HTTPS (SSL) connections, the keystore file password must normally be entered in Tomcat's conf/server.xml file in plain text. In cases where that is problematic, RTView provides an option for encoding the password. Note that Tomcat must decode the value at startup without any external key, so the encoding hides the password from casual inspection of server.xml but does not replace restrictive file permissions on the conf directory.

To use this feature:

1. Open a console window in <installation_dir>/rtvapm and set up the RTView environment by executing:

Linux:

. ./rtvapm_init.sh

Windows:

rtvapm_init.bat

2. Generate an encoded version of the keystore file password by entering the following:

encode_string encoder2 plain_text_password

where plain_text_password is the actual password. The output will be:

encrypted value: <encoded_password>

3. In Apache Tomcat's conf/server.xml, change the HTTPS (SSL) Connector's protocol attribute from this:

protocol="org.apache.coyote.http11.Http11NioProtocol"

to this:

protocol="com.sl.tomcat.RtvHttp11NioProtocol"

and change the certificateKeystorePassword attribute from this:

certificateKeystorePassword="plain_text_password"

to this:

certificateKeystorePassword="encoded_password"

where encoded_password was obtained in step 2.

4. Restart Tomcat.
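The fragments from steps 3 and 4 assembled into a complete conf/server.xml, with the LockOutRealm and a remote address filter from the Tomcat section above also enabled. This is an added example, not RTView's shipped configuration: the connector port, keystore path and type, the TLS protocol list, the allow pattern and the realm parameters are assumptions, and ENCODED_PASSWORD stands for the value printed in step 2.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- conf/server.xml: added example, not RTView's shipped file (Tomcat 9 syntax).
     Ports, paths and patterns below are assumptions for this example. -->
<Server port="8005" shutdown="SHUTDOWN">

  <GlobalNamingResources>
    <!-- The users/roles store read by the UserDatabaseRealm below -->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml"/>
  </GlobalNamingResources>

  <Service name="Catalina">

    <!-- HTTPS connector. The protocol class is RTView's handler (step 3), which
         decodes certificateKeystorePassword; ENCODED_PASSWORD is the value
         printed by "encode_string encoder2 plain_text_password" in step 2. -->
    <Connector port="8443" SSLEnabled="true"
               protocol="com.sl.tomcat.RtvHttp11NioProtocol"
               scheme="https" secure="true" maxThreads="150">
      <SSLHostConfig protocols="TLSv1.2+TLSv1.3">
        <Certificate certificateKeystoreFile="conf/rtview-keystore.p12"
                     certificateKeystoreType="PKCS12"
                     certificateKeystorePassword="ENCODED_PASSWORD"/>
      </SSLHostConfig>
    </Connector>

    <Engine name="Catalina" defaultHost="localhost">

      <!-- LockOutRealm wraps the real realm. After failureCount consecutive
           failed logins for a user name, every login for that name is rejected
           for lockOutTime seconds, even with the right password. 5 and 300
           are Tomcat's defaults, written out here so they are visible. -->
      <Realm className="org.apache.catalina.realm.LockOutRealm"
             failureCount="5" lockOutTime="300">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>

      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">

        <!-- Remote address filter: only clients whose address matches "allow"
             (a regular expression matched against the whole address) can reach
             any webapp on this host. Here: localhost plus an assumed 10.1.2.0/24. -->
        <Valve className="org.apache.catalina.valves.RemoteAddrValve"
               allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|10\.1\.2\.\d+"/>

        <!-- Access log, so repeated 401s against one user name (a lock-out in
             progress) can be spotted after the fact. -->
        <Valve className="org.apache.catalina.valves.AccessLogValve"
               directory="logs" prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b"/>
      </Host>
    </Engine>
  </Service>
</Server>
```

Two caveats. Because LockOutRealm rejects the correct password during a lock-out, anyone who knows a user name can keep that account locked by sending bad passwords; the access log is where that pattern shows up. And if Tomcat sits behind a reverse proxy, RemoteAddrValve sees the proxy's address rather than the client's, so either filter at the proxy or define Tomcat's RemoteIpValve ahead of RemoteAddrValve so the forwarded client address is used.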

Jetty

The Data Server, by default, runs a Jetty process that hosts all of the RTView servlets and accepts HTTP client requests on port xx70, where xx is the server's configured port prefix (3270 by default).

The Central Server can also run a Jetty process that hosts all of the RTView servlets and accepts HTTP client requests on port 10070. This is disabled by default.

Enabling

To enable Jetty in the Central Server, you must access the Configuration Application from Tomcat or another application server, since the Central Server's own Jetty is not yet running. In the Configuration Application, go to the Central Data Server tab and do the following:

1. Turn on the HTML Server Enabled toggle.
2. Save your configuration and restart.

Disabling

To disable Jetty in a Data Server, you must first copy its servlet files to Tomcat or another application server and access its Configuration Application there, because once Jetty is disabled the Data Server no longer serves the Configuration Application itself. In the Configuration Application, go to the Data Server tab and do the following:

1. Turn off the HTML Server Enabled toggle.
2. Save your configuration and restart.

HTTPS

You can optionally configure Jetty to use HTTPS instead of HTTP. This will require you to provide a certificate for your domain. Once you have a certificate, do the following in the Configuration Application in the Central Data Server or Data Server tab:

1. Turn on the Use Https toggle.
2. Set the Keystore File to the keystore file name (including the path) that contains the certificate for your domain.
3. Optionally enter the Keystore Password and Key Manager Password if they are required for your keystore.
4. Save your configuration and restart the data server.

The Configuration Application and HTML UI use HTTP authentication and require the following roles, which are preconfigured. You can modify the user names and passwords (but not the roles) in RTVAPM_HOME/common/lib/ext/jetty/rtvadmin-users.xml. Change the preconfigured passwords before exposing the server beyond localhost, and enable HTTPS as described above so that credentials are not exchanged over plain HTTP. The required roles are:

rtvadmin
rtvuser
rtvalertmgr

Warning! Jetty does not limit the number of failed login attempts, which leaves it open to brute-force attacks. If this is a concern, deploy the servlets to Tomcat (with its LockOutRealm enabled) or to another application server that limits failed logins.