WebSocket Configuration
From idenprotect Knowledge Base
Revision as of 08:22, 13 August 2021 by GrahamSant
If you have not made any configuration changes yet, please see How to make configuration changes first.
Introduction
When using the idenprotect Active Directory Agent, you will need to configure the Secure WebSocket connection. This is done in two parts, because the idenprotect Active Directory Agent acts as the WebSocket client and the idenprotect Core Platform acts as the WebSocket server.
Configuring the WebSocket Server
These properties can be found in:
- the WebSocket Configuration section of the idenprotect Core Platform Admin Console Config Tab
- the server file system, in /etc/idenprotect/websocket.properties
Parameter in Config Tab | Parameter in Properties File | Description |
---|---|---|
Active Directory Sync Agent Port | ws.adsync.port | Port on which to run the WebSocket (default 8444) |
Should Send Settings | ws.send.settings | Set to true to send the LDAP properties/settings to the Active Directory Sync Client when it connects to the WebSocket |
Enable WebSocket Debug Mode | ws.server.debug | Set to true to log all debug information for each connection/message/disconnection. Important: this may write sensitive data, such as user passwords, to the logs |
Enable Secure WebSocket | ws.ssl.enabled | Set to true to use a secure WebSocket connection with TLS |
Key Store Path | ws.keystore.path | /etc/idenprotect/keystore.jks - KeyStore path for the Secure WebSocket |
Key Store Type | ws.keystore.type | KeyStore type (default JKS) |
Key Store Password | ws.keystore.pass | Password for the KeyStore |
Configuring the WebSocket Client
These properties can be found in:
- the server file system, in /etc/idenprotect/adsync/websocket.properties
Parameter in Properties File | Description |
---|---|
adsync.trustStore | Location of the trust store, used for the WebSocket connection to the server and for LDAP if needed (default = /etc/idenprotect/truststore.jks) |
adsync.trustStoreType | Trust store type (default = JKS) |
adsync.trustStorePassword | Trust store password (default = pass) |
adsync.node.name | Active Directory Sync Client node name, used by the idenprotect Core Platform to determine which idenprotect Active Directory Agent to trigger. See the LDAP Synchronization process on What is the idenprotect Active Directory Agent for more information |
websocket.uri | WebSocket server URI (the idenprotect Core Platform WebSocket URI) (default = wss://10.0.57.57:8444/) |
websocket.check.cron | Cron expression for checking that the client is still connected to the WebSocket (default = 0 * * * * *, i.e. every minute) |
Securing the WebSocket Connection
When connecting to the WebSocket, the URI can be in the form ws:// (insecure) or wss:// (secure). To secure the WebSocket connection, follow the steps below:
- Using a tool like KeyStore Explorer, create a new KeyStore (.jks)
- In this KeyStore, create a new key pair (RSA 2048). You will need to set and remember a password here
- Save the new KeyStore to /etc/idenprotect/adsync.jks (use the same password for both the key pair and the KeyStore)
- Update the WebSocket Server configuration to point to this KeyStore and add the password you set
- Export a certificate from this KeyStore to /etc/idenprotect/adsync/adsync.cer
- Create a second new KeyStore (.jks)
- Import the certificate you exported in the previous step
- Save this trust store to /etc/idenprotect/adsync/adsync.jks (again, you will need to set and remember a password here)
- Update the WebSocket Client configuration to point to this trust store and add the password you set
- Restart both the idenprotect Core Platform and the idenprotect Active Directory Agent applications
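After completing these steps, it is worth checking that the two properties files agree with each other: TLS enabled on the server, a wss:// URI on the client, matching ports, debug mode off and a non-default trust store password. The following checker is an added example, not part of idenprotect; the sample file contents are constructed, and treating a missing ws.ssl.enabled key as "off" is an assumption.

```python
from urllib.parse import urlsplit

# Constructed sample property files (not taken from a real deployment)
SERVER_PROPERTIES = """\
ws.adsync.port=8444
ws.server.debug=false
ws.ssl.enabled=true
ws.keystore.path=/etc/idenprotect/adsync.jks
ws.keystore.pass=example-keystore-password
"""
CLIENT_PROPERTIES = """\
adsync.trustStore=/etc/idenprotect/adsync/adsync.jks
adsync.trustStorePassword=example-truststore-password
adsync.node.name=adsync-node-1
websocket.uri=wss://10.0.57.57:8444/
"""

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' or '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_websocket_config(server_text, client_text):
    """Return a list of findings; an empty list means the pair is consistent."""
    server, client = parse_properties(server_text), parse_properties(client_text)
    findings = []
    ssl_enabled = server.get("ws.ssl.enabled", "").lower() == "true"  # absent = off (assumption)
    uri = urlsplit(client.get("websocket.uri", ""))
    if not ssl_enabled:
        findings.append("ws.ssl.enabled is not true: the WebSocket runs without TLS")
    elif uri.scheme != "wss":
        findings.append("websocket.uri must start with wss:// when ws.ssl.enabled=true")
    # The client must target the port the server listens on (default 8444)
    server_port = int(server.get("ws.adsync.port", "8444"))
    if uri.port != server_port:
        findings.append(f"websocket.uri port {uri.port} differs from ws.adsync.port {server_port}")
    for key in ("ws.keystore.path", "ws.keystore.pass"):
        if ssl_enabled and not server.get(key):
            findings.append(f"{key} must be set when ws.ssl.enabled=true")
    if server.get("ws.server.debug", "").lower() == "true":
        findings.append("ws.server.debug=true logs every message and may record user passwords")
    if client.get("adsync.trustStorePassword", "pass") == "pass":
        findings.append("adsync.trustStorePassword is still the default 'pass'")
    return findings
```

Run it against the real files with `check_websocket_config(open(server_path).read(), open(client_path).read())` and fix every finding before restarting the services.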