I tried looking for any article mentioning HTTPS but I only get the generic HTTP binding material, no mention of HTTP Secure.
I haven't found much specific tutorial material. The general approach is alluded to here in the InfoCenter The fundamental point being that the ESB is giving access to Web Services and the HTTPS or SSL connectivity is defined largely in the Web Service itself.
It seems like is you search for SSL you get more extensive results, for example here
Another option is to use a web server (with SSL) in front of WAS.
Related
Would like to understand what is the difference between WAF and APIM (Like APIGEE or AZURE APIM).
What are capabilities of WAF and which needs to be choose to protect the backend web application.
Thank you in advance.
Aaditya
WAF protects your backend web server by stopping every request that having malicious values. Malicious requests can be SQL injection, Cross site scripting.
Modern WAF also protects server from blacklisted IPS (tor or bots).
You can also define rules like whitelist IP or regex match for parameters and header.
Regards,
Jaikey sarraf
Google Apigee plateform also has capabilities like whitelisting, security(OAuth, JWT, Basic and key based), CORS header and others.
I think that you should more focus on what kind of architecture you might need in order to support future requirement. As with Apigee, Google has great support for cloud as well(AWS, GCP and Azure) with support to almost all type of language and virtual target backend for complex mesh ups as well.
Apigee provides inbuild support for Analytics and Monetization services as well, which you might want to consider.
Apigee has 24X7 support for all your issue/concern for different level of environments.
TeamCity exposes unsecured XML-RPC entry points, Can someone please guide how to make them secure.
Got an answer from Teamcity support team.
"As XML-RPC uses the HTTP protocol so the easiest option would be to set up TeamCity to use SSL. You can find the documentation for the procedure here:
https://confluence.jetbrains.com/display/TCD10/Using+HTTPS+to+access+TeamCity+server"
Hope it will be helpful for some one.
My application will capture private customer data, requiring secure access for my clients.
Is it possible to use HTTPS/SSL in Wakanda Cloud?
HTTPS/SSL is not a current feature of Wakanda Cloud. However, HTTPS/SSL is a feature of Wakanda Server when you host it yourself.
The Wakanda Cloud Roadmap is on Trello, which lists SSL/HTTPS Support as a proposed feature.
You can vote on proposed features at Trello.
You can also submit additional feature requests at Trello
HTTPS is available in the Wakanda Cloud. I have a medium instance using HTTPS right now.
I am a newbie at play, and I am trying at least to use HTTPS on a login and sign up pages in order to have more security on sensitive user data.
I have a range of questions regarding this:
I have configured my play application to use https on the application.conf file with the https.port property. However in my development environment I cant seem to start the server with https capability unless I use the command: play -Dhttps.port=<port>
Why does this happen? I would think that I could use a dev.conf (right now is the application.conf) file in order to do this. Can't I start the server in dev mode while using this kind of settings specified on the configuration file?
Although I start the server with https capabilities, what is the correct way to use https on play? I already created a java key store that I use, and tried to redirect (from a controller) requests to a https url using redirect(securedIndexCall.absoluteURL(request, secure)). But it does not seem to work at least on my dev enviroment (localhost). The logs specify exceptions like:
java.lang.IllegalArgumentException: empty text
java.lang.IllegalArgumentException: invalid version format: M¥å/=<junk characters continue>
Should I use https on the whole application, or just securing the login and sign up requests is sufficient?
I feel the official documentation provided is rather insufficient and I am at a loss here trying to figure out how I should do this.
Any help would be really appreciated!
I agree with Fernando, I think it's easier to set up a front end web server. In my case I used Lighttpd and it was fairly straightforward to set up. I'd recommend:
Configure Lighttpd as per these instructions (at this stage, don't worry about HTTPS just get HTTP working): http://www.playframework.com/documentation/2.3.x/HTTPServer
Then configure HTTPS in Lighttpd: http://redmine.lighttpd.net/projects/1/wiki/HowToSimpleSSL. If you intend on buying an SSL certificate then there will be a few more options to set (e.g. intermediate certificate). The following page has more information: http://redmine.lighttpd.net/projects/1/wiki/Docs_SSL
Answers to your main questions:
1) Enabling HTTPS in Play
Yes, you have to explicitly say you want to use HTTPS when starting up
http://www.playframework.com/documentation/2.3.x/ConfiguringHttps
2) The "java.lang.IllegalArgumentException" error message
There might be an issue with the keystore. This SO article seems to discuss in more detail: Play framework 2.2.1 HTTPs fails on connection attempt
3) SSL for login page or whole app
Personally, I would go for the whole app. If you're taking the time to set up HTTPS I think you might as well cover the whole site. I guess there are slight performance overheads in running HTTPS but realistically it's not something you'd notice.
You should use a front end server for HTTPS, and use HTTPS for the whole application.
Please see Setting up a front end HTTP server and see the commented out nginx settings.
I am trying to setup a proxy configuration on a dev 853 domino server, so I can connect to a dev connections server from an XPage (using java).
It's an SSO environment, and both the domino server and connections server are protected by WebSEAL. I want to make server-side calls in java (using the Apache HTTP Client), so my XPages application can make a call across to the Connections server.
I followed some information I found in Niklas Heidloff's Social Enabler documentation: http://www.openntf.org/Projects/pmt.nsf/DA2F4D351A9F15B28625792D002D1F18/%24file/SocialEnabler111006.pdf
and also in here:
http://www.ibm.com/developerworks/lotus/library/inotes-full/index.html
I setup the proxy like this:
Context: /xsp/proxy/BasicProxy/
URL: https://connectionsserver.acompany.com
Actions: GET,HEAD,POST,DELETE,PUT
Cookies: -List of cookies-
Mime-types: *
Headers: User-Agent,Accept*,Content*,Authorization*,Set-Cookie
When I try the call, it gives me the following error:
2/28/13 12:34 PM: Exception Thrown
javax.servlet.ServletException: com.ibm.jsse2.util.g: No trusted certificate found
at com.ibm.domino.servlets.proxy.BasicProxy.throwServletException(BasicProxy.java:765)
at com.ibm.domino.servlets.proxy.BasicProxy.service(BasicProxy.java:357)..
...
Caused by: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.g: No trusted certificate found
I thought that passing the cookies across in this way should work (the cookies should work between both the domino-webseal and connections-webseal environments).
The error suggests that I need to import a certificate. I don't have access to the domino server to allow me to import certificates, so before I request that, I wanted to check I wasn't missing something from somewhere else.
Is there something else I am missing? Or any suggestions on doing this a different way?
Thanks,
Pam.
You have to import the certificates if they are not present. That is what the error message is indicating. There is IBM Technote 21588966 describing the necessary steps.
Furthermore (that could become the next showstopper after you sorted out SSL) you have to have a hard look how WebSeal is configured. The challenge here: WebSeal is designed to accommodate any possible backends and it is easy to get it almost working - almost as in: works for direct access via browser but fails on server-2-server or Ajax etc. The super-highly-recommended-ignore-on-your-own-risk setting for Connections/Domino is to use WebSeal's LTPA capabilities and not some ludicrous code injection.
Hth