How can I ensure that my HTTPS connection to Applications Manager is secure?

Overview

This article describes how to configure a secure connection between the Applications Manager server and the browser/client.
Applications Manager can be accessed by either of the following URLs:
  1. For HTTP  -> http://[hostname/ip-address]:[http-port]
  2. For HTTPS -> https://[hostname/ip-address]:[https-port]
where 9090 and 8443 are the default HTTP and HTTPS port numbers respectively, unless they have been changed.
You can verify the ports in use in the AMServer.properties file (located in the <Applications Manager Home>/conf/ directory) under the following keys:
  1. am.webserver.port = [HTTP port number]
  2. am.ssl.port = [HTTPS port number]
Applications Manager ships with a self-signed SSL certificate so that HTTPS works out of the box. To apply your own CA-signed SSL certificate, see Use your own SSL certificates for the Application Manager.
Note: The changes below are not intended to affect, and do not affect, the connections between your Applications Manager and the resources it monitors.

HTTP Port settings and options

Running Applications Manager with HTTP enabled may leave your instance exposed to attacks such as man-in-the-middle or DNS rebinding, since HTTP traffic is neither encrypted nor authenticated.
We recommend that you disable HTTP on your instance.

Disable HTTP access

Note: For Applications Manager Plugin users, enable HTTPS in OpManager before disabling HTTP in Applications Manager. For more information, see Enabling HTTPS Configuration in OPM.
Steps to disable the HTTP port and use only the HTTPS port in Applications Manager:
  1. v15250 or above:
    This can be done directly from the Applications Manager web console by enabling the following option:
    Disable HTTP port in Applications Manager under Admin -> Product Settings -> Security Settings.
  2. v14680 to v15240:
    This can be done directly from the Applications Manager web console by disabling the following option:
    Enable HTTP port in Applications Manager under Admin -> Global Settings.
  3. v14670 and below, follow the steps given below:
    1. Open the server.xml file located under the <Applications Manager Home>/working/apache/tomcat/conf/backup/ directory with a text editor.
    2. Search for the key port="WEBSERVER_PORT", comment out the entire <Connector ... /> tag and save the file.
  4. Restart Applications Manager once for the changes to take effect.
Now Applications Manager can only be accessed via the HTTPS port, i.e. https://[hostname/ip-address]:[https-port]/

Redirect HTTP to HTTPS

Note: Disabling the HTTP port and using only the HTTPS port to access Applications Manager is preferred over redirecting HTTP traffic to HTTPS, because a redirect still leaves the initial request exposed over plain HTTP.
If the HTTP port is already disabled, HTTP to HTTPS redirection is not needed.
Steps to redirect HTTP to HTTPS in Applications Manager:
  1. For the redirection to work, the HTTP port must not be disabled in the product.
  2. Check that Applications Manager is reachable over HTTP at the following URL:
    http://[hostname/ip-address]:[http-port]
  3. Open the web.xml file located under the <AppManagerHome>/working/WEB-INF/backup/ directory with a text editor.
  4. Add the following block after the </session-config> line:
<security-constraint>
      <web-resource-collection>
            <web-resource-name>ApplicationsManager</web-resource-name>
            <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
</security-constraint>
  5. Save the file and restart Applications Manager for the changes to take effect.
Now all HTTP URLs of Applications Manager will automatically redirect to the corresponding HTTPS URL.

TLS settings and options

Disable TLSv1 and 1.1

Applications Manager supports TLSv1, TLSv1.1 and TLSv1.2 by default. However, all major browsers have deprecated TLSv1 and TLSv1.1 in their latest versions.
If your browser does not support TLSv1.2, upgrade it first and then follow the steps below.
Steps to disable TLSv1 and TLSv1.1 in Applications Manager:
  1. v15250 or above:
    This can be done directly from the Applications Manager web console by enabling the following option:
    Disable TLSv1 and TLSv1.1 protocols for HTTPS port under Admin -> Product Settings -> Security Settings.
  2. v14680 to v15240:
    This can be done directly from the Applications Manager web console by disabling the following option:
    Enable TLSv1 and TLSv1.1 protocols for HTTPS port under Admin -> Global Settings.
  3. v14670 and below, follow the steps given below:
    1. Open the server.xml file located under the <Applications Manager Home>/working/apache/tomcat/conf/backup/ directory with a text editor.
    2. Search for the key sslEnabledProtocols, change its value to TLSv1.2 and save the file,
      i.e. sslEnabledProtocols="TLSv1.2"
  4. Restart Applications Manager for the changes to take effect.
Now HTTPS communication with Applications Manager will only take place over the TLSv1.2 protocol.

General notes 

  1. If you are manually editing a file, always take a backup of it first so that you can restore it in case of any issues.
  2. Disabling the HTTP port is preferred over redirecting HTTP traffic to HTTPS.
  3. Check the TLS protocols and ciphers the HTTPS port actually offers using nmap from a command terminal:
    nmap --script ssl-enum-ciphers -p [https-port] [hostname/ip-address]
  4. Currently, TLSv1.3 is not supported in Applications Manager.
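To confirm that the TLSv1/TLSv1.1 change above took effect, the nmap output from note 3 can be checked automatically. The following script is an added example, not part of this article or of Applications Manager; it parses the ssl-enum-ciphers output format (a constructed sample is embedded, assumed to resemble a scan of port 8443 before the change) and reports any deprecated protocol or non-A-grade cipher still offered.

```python
import re

# Constructed sample of `nmap --script ssl-enum-ciphers -p 8443 <host>` output,
# embedded so the check runs offline. TLSv1.0 is still offered here.
SAMPLE_NMAP_OUTPUT = """\
PORT     STATE SERVICE
8443/tcp open  https-alt
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|_  least strength: C
"""

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
# Protocol headers sit at indent 3, cipher lines at indent 7 with a trailing nmap grade.
PROTO_RE = re.compile(r"^\|\s{3}(SSLv\d|TLSv\d\.\d):\s*$")
CIPHER_RE = re.compile(r"^\|\s{7}(TLS_\S+).*-\s([A-F])\s*$")


def parse_ssl_enum_ciphers(output):
    """Return {protocol: [(cipher_name, grade), ...]} from ssl-enum-ciphers output."""
    protocols = {}
    current = None
    for line in output.splitlines():
        m = PROTO_RE.match(line)
        if m:
            current = m.group(1)
            protocols[current] = []
            continue
        m = CIPHER_RE.match(line)
        if m and current is not None:
            protocols[current].append((m.group(1), m.group(2)))
    return protocols


def audit_tls(output):
    """Return (deprecated protocols still offered, ciphers graded below A), both sorted."""
    protocols = parse_ssl_enum_ciphers(output)
    deprecated = sorted(p for p in protocols if p in DEPRECATED_PROTOCOLS)
    weak = sorted(f"{proto}:{name}" for proto, ciphers in protocols.items()
                  for name, grade in ciphers if grade != "A")
    return deprecated, weak


if __name__ == "__main__":
    dep, weak = audit_tls(SAMPLE_NMAP_OUTPUT)
    print("Deprecated protocols still offered:", dep or "none")
    print("Ciphers graded below A:", weak or "none")
```

After the change in the section above, a real scan should list only TLSv1.2 and the first result should be empty.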

Feel free to contact appmanager-support@manageengine.com in case of further questions.
