Confluence 2.5.6 : Adding SSL for Secure Logins and Page Security
This page last changed on Sep 20, 2007 by jlargman.
This document describes how to configure Confluence to serve user logins and page data over HTTPS (HTTP over SSL). Unencrypted confidential data within Confluence may be intercepted by an attacker. To secure user logins, you can enable access via HTTPS and require its use for pages where passwords are sent. Where the page data itself is sensitive, all pages can be set to be accessed over HTTPS. Enabling SSL access is different for each application server, but specifying which pages require protection is generic. This document is specific to Tomcat, the default application server shipped with Confluence.

Adding Secure User Logins

Adding HTTPS requires a valid SSL certificate. If you have a Certificate prepared, skip to the 'Modify the <INSTALL>/conf/server.xml File' section.

Creating A New SSL Certificate

On Windows, perform the following at the command prompt:

    "%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA

Or on other platforms, perform the following at the command prompt:

    $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA

Some questions will be asked, including a password for the keystore. Tomcat expects 'changeit' unless you configure a different password in server.xml; please note down what you choose, as it will be used in the next step. When keytool asks for a separate key password, press RETURN so it is the same as the keystore password, which is what Tomcat requires. When keytool asks for your 'first and last name', enter the hostname users will type in the browser (the host part of <MY_BASE_URL>): that answer becomes the certificate's Common Name, and browsers compare it with the address bar, so a mismatch produces a certificate warning on every visit. A self-signed certificate created this way is not trusted by browsers either, and will produce a warning until you import it into each client's trust store or replace it with a CA-issued certificate.

Modify the <INSTALL>/conf/server.xml File

In the Confluence directory, open the conf/server.xml file and insert one of the following just after the closing </Engine> tag (still inside the <Service> element, since a Connector is a child of Service):
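An added example of such an HTTPS connector, in the form the Tomcat 5.5 SSL Howto documents. It is not the snippet from the original page: the keystore path and password are placeholders to replace with your own, and the attribute values other than port, scheme, secure and the keystore settings are Tomcat's documented defaults. On Tomcat 4 the connector takes a different form (the className/Factory style shown in the Tomcat 4 SSL Howto).

```xml
<!-- Added example: HTTPS connector for Tomcat 5.5 on the Confluence default SSL port 8443.
     keystoreFile and keystorePass are placeholders. Omit keystoreFile to use the default
     .keystore in the home directory of the account Tomcat runs as; omit keystorePass to use
     Tomcat's default 'changeit'. The password is stored in clear text here, so make
     server.xml readable only by the Tomcat account. -->
<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           URIEncoding="UTF-8"
           keystoreFile="/path/to/.keystore"
           keystorePass="changeit"/>
```

The port given here must match the redirectPort on the plain HTTP connector, otherwise requests for pages marked CONFIDENTIAL in web.xml will be redirected to a port nothing is listening on.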
If you have a Certificate Prepared

If you just created your new Certificate or your existing one is in the default location, skip to the 'Testing SSL' section. By default, Tomcat will look for the keystore in C:\Documents and Settings\<CURRENT_USER>\.keystore on Windows or ~/.keystore on Unix, where <CURRENT_USER> is the account Tomcat runs as (which is not necessarily the account you ran keytool as; if they differ, Tomcat will not find the keystore). If your Certificate is not in this location, you will need to give the HTTPS connector in your <INSTALL>/conf/server.xml file the keystore's location (its keystoreFile attribute), so that Tomcat can find it. Advanced users who require an official CA-issued key pair for their Certificate can find instructions in the Tomcat documentation.
Testing SSL

Restart Tomcat and access your instance on https://<MY_BASE_URL>:8443/

Choose Which Pages Require Secure Connection

Again open conf/server.xml. Check the value of redirectPort on the HTTP connector. Make sure the redirectPort is set to your SSL port, because this is the port Tomcat redirects to when a plain HTTP request arrives for a URL that a security-constraint marks CONFIDENTIAL:

    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8080" minProcessors="5" maxProcessors="75"
               enableLookups="false" redirectPort="8443" acceptCount="10"
               debug="0" connectionTimeout="20000" useURIValidationHack="false"
               URIEncoding="UTF-8"/>

For more detailed information on setting up SSL with Tomcat (including additional configuration options), have a look at the Tomcat 4 SSL Howto or the Tomcat 5.5 SSL Howto.

Although HTTPS is now activated and available, the old HTTP URLs (http://localhost:8080) are still available. Any page served over SSL requires additional processing, so generally it is preferable to secure only pages with sensitive information, such as login pages. Be clear about what this does and does not protect: securing only the login page keeps the password out of the clear, but the session cookie Tomcat issues after login is still sent with every plain HTTP request, so an attacker who can intercept traffic can capture it and use the session without ever seeing the password. If the pages themselves are confidential, protect the whole site. In most situations one wants non-SSL URLs to continue working, with some pages configured to redirect to their HTTPS equivalent. To configure which URLs you want secured, edit the confluence/WEB-INF/web.xml file and add the following declaration at the end, before the closing </web-app> tag:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Login and Restricted Space URLs</web-resource-name>
            <url-pattern>/login.action</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

Note that the example above specifies a url-pattern for the login URL /login.action. This means that whenever a user tries to access the unprotected version of the login page, they will be redirected automatically to the secured version of it. If you want to protect individual spaces, there isn't a complete way of doing this at the moment.
You can add a pattern like this:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Login and Restricted Space URLs</web-resource-name>
            <url-pattern>/login.action</url-pattern>
            <url-pattern>/display/SALARIES/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

This will redirect all URLs for page views in the SALARIES space. It does not, however, protect pages that are accessed via a URL like /pages/viewpage.action?pageId=123. Confluence generates these types of URLs for pages that have non-ASCII characters in the title, and such a URL can also simply be typed for any page, so this is not a complete solution. If you want to protect all pages and spaces, use:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Restricted URLs</web-resource-name>
            <url-pattern>*.action</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

Once this change is made, restart Confluence and access http://localhost:8080. You should be redirected to https://localhost:8443/login.action. Test a page URL of the /display/<SPACE>/<Page> form as well, since a url-pattern of *.action only matches request URIs whose last segment ends in .action; a pattern meant to cover every request, static resources included, is /*.
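The following is an added example, not code from the original page or from Confluence. It predicts which URLs a web.xml security-constraint will force onto HTTPS by applying the servlet url-pattern rules Tomcat uses (exact match, path prefix '/x/*', extension '*.ext') to a list of request URLs, so a web.xml edit can be checked before the server is restarted. It uses two constructed web.xml fragments mirroring the space and *.action examples above and a constructed URL list including the /pages/viewpage.action?pageId=123 form the text warns about. It assumes Confluence is deployed at the root context ("/"), as in the http://localhost:8080 examples.

```python
"""Predict which Confluence URLs a web.xml <security-constraint> forces to HTTPS.

Added example (not Confluence code). Applies servlet-spec url-pattern matching
to context-relative paths, the same decision Tomcat makes before redirecting a
plain-HTTP request to redirectPort. Assumes the root context "/".
"""
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List
from urllib.parse import urlsplit

# Constructed fragments mirroring the page's examples (not the shipped web.xml).
SPACE_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login and Restricted Space URLs</web-resource-name>
      <url-pattern>/login.action</url-pattern>
      <url-pattern>/display/SALARIES/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

ALL_ACTIONS_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restricted URLs</web-resource-name>
      <url-pattern>*.action</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""


def confidential_patterns(web_xml: str) -> List[str]:
    """Collect url-patterns from constraints whose transport-guarantee is CONFIDENTIAL."""
    patterns: List[str] = []
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        guarantee = sc.findtext("user-data-constraint/transport-guarantee", default="NONE")
        if guarantee.strip().upper() != "CONFIDENTIAL":
            continue
        for wrc in sc.findall("web-resource-collection"):
            patterns += [p.text.strip() for p in wrc.findall("url-pattern") if p.text]
    return patterns


def pattern_matches(pattern: str, path: str) -> bool:
    """Servlet url-pattern matching against a context-relative path.

    '/a/*' matches '/a' and anything below '/a/'; '*.ext' matches when the
    last path segment ends in '.ext'; any other pattern must match exactly.
    The query string is never part of the match.
    """
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return path == pattern


def forced_to_https(url: str, patterns: Iterable[str]) -> bool:
    """True if Tomcat would redirect a plain-HTTP request for this URL to HTTPS."""
    path = urlsplit(url).path  # drops the host part and '?pageId=123'
    return any(pattern_matches(p, path) for p in patterns)


# Constructed URLs: the page's examples plus the pageId form it warns about.
SAMPLE_URLS = [
    "http://localhost:8080/login.action",
    "http://localhost:8080/display/SALARIES",
    "http://localhost:8080/display/SALARIES/Bonuses",
    "http://localhost:8080/pages/viewpage.action?pageId=123",
    "http://localhost:8080/display/PUBLIC/Home",
]


def report(web_xml: str, urls: Iterable[str] = SAMPLE_URLS) -> Dict[str, bool]:
    """Map each URL to whether the given web.xml would force it onto HTTPS."""
    patterns = confidential_patterns(web_xml)
    return {u: forced_to_https(u, patterns) for u in urls}


if __name__ == "__main__":
    for name, xml in (("space constraint", SPACE_XML), ("*.action constraint", ALL_ACTIONS_XML)):
        print(name)
        for url, https in report(xml).items():
            print(f"  {'HTTPS' if https else 'http '}  {url}")
```

Running it shows the two gaps the text describes: under the space constraint the pageId URL stays on plain HTTP, and under the *.action constraint the /display/ URLs do. If your web.xml declares an XML namespace on <web-app>, the element names passed to iter and findall need the {namespace} prefix.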
Note for users of Confluence versions prior to 2.2

You are required to configure a Realm, even though the security-constraint above does not access it. Add this Realm tag inside the Engine tag:

    <Engine ...
        <Realm className="org.apache.catalina.realm.MemoryRealm" />
        ...
    </Engine>
Document generated by Confluence on Oct 10, 2007 18:36