How can i ensure that my HTTPS connection to AppManager is secure ?

How can i ensure that my HTTPS connection to AppManager is secure ?

Overview

This article describes configuring a secure connection between Applications Manager server and the browser/client.
Applications Manager can be accessed by any of the following URLs:
  1. For HTTP  -> http://[hostname/ip-address]:[http-port]
  2. For HTTPS -> https://[hostname/ip-address]:[https-port] 
where 9090 and 8443, by default, are the port numbers of HTTP and HTTPS respectively unless changed.
You can verify the ports used in AMServer.properties file (located in <Applications Manager Home>/conf/ directory) under the following keys:
  1. am.webserver.port = [HTTP port number]
  2. am.ssl.port = [HTTPS port number]
Applications Manager comes with a self-signed SSL certificate for HTTPS to work. To apply your own CA signed SSL certificate, see Use your own SSL certificates for the Application Manager.
Note : Below changes are not meant to/does not affect the connection(s) between your Applications Manager and monitoring resources.

HTTP Port settings and options

Running Applications Manager with HTTP enabled may leave your instance exposed to vulnerabilities, such as Man in the middle or DNS Rebinding attacks.
We recommend that you disable HTTP on your instance.

Disable HTTP access

Note: For Applications Manager Plugin users, enable HTTPS in OpManager before disabling HTTP in Applications Manager. For more information, see Enabling HTTPS Configuration in OPM
Steps to disable HTTP port and use only HTTPS port in Applications Manager : 
  1. v15250 or above :
    Can be done directly from Applications Manager web console by enabling below option
    Disable HTTP port in Applications Manager under Admin -> Product Settings -> Security Settings.
  2. v14680 to v15240 :
    Can be done directly from Applications Manager web console by disabling below option
    Enable HTTP port in Applications Manager under Admin -> Global Settings.
  3. v14670 and below, follow the steps given below :
    1. Open server.xml file located under <Applications Manager Home>/working/apache/tomcat/conf/backup/ directory with a text editor.
    2. Search for the key port="WEBSERVER_PORT", comment out the entire <Connector ... /> tag and save the file.
  4. Restart the Applications Manager once for the changes to take effect.
Now, Applications Manager can only be accessed via HTTPS port i.e https://[hostname/ip-address]:[https-port]/

Redirect HTTP to HTTPS

Note: Disabling HTTP port and using only HTTPS port to access Applications Manager is preferred compared to redirecting HTTP traffic to HTTPS.
If the HTTP port is already disabled then no need for HTTP to HTTPS redirection.
Steps to redirect HTTP to HTTPS in Applications Manager : 
  1. For the redirection to work, the HTTP port must not be disabled in the product. 
  2. Check whether the HTTP URL of Applications Manager is accessible using the below URL :
    http://[hostname/ip-address]:[http-port] 
  3. Open web.xml file located under <AppManagerHome>/working/WEB-INF/backup/ directory with a text editor.
  4. Add the following code under the </session-config> tag line.
<security-constraint>
      <web-resource-collection>
            <web-resource-name>ApplicationsManager</web-resource-name>
            <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
</security-constraint>
      5. Save the file and restart the Applications Manager for the changes to take effect.
Now, All HTTP urls of Applications Manager will automatically redirect to HTTPS url.

TLS settings and options

Disable TLSv1 and 1.1

Applications Manager supports TLSv1, TLSv1.1 and TLS v1.2 by default. However, all major browsers have deprecated TLSv1 and TLSv1.1 in their latest versions.
If your browser does not support TLSv1.2, upgrade it and then follow the below steps.
Steps to disable TLSv1 and TLSv1.1 in Applications Manager :
  1. v15250 or above :
    Can be done directly from Applications Manager web console by enabling below option
    Disable TLSv1 and TLSv1.1 protocols for HTTPS port under Admin -> Product Settings -> Security Settings.
  2. v14680 to v15240 :
    Can be done directly from Applications Manager web console by disabling below option
    Enable TLSv1 and TLSv1.1 protocols for HTTPS port under Admin -> Global Settings.
  3. v14670 and below, follow the steps given below :
    1. Open server.xml file located under <Applications Manager Home>/working/apache/tomcat/conf/backup/ directory with a text editor.
    2. Search for the key sslEnabledProtocols and change its value to TLSv1.2 and save the file.
      i.e : sslEnabledProtocols="TLSv1.2" 
  4. Restart Applications Manager for the changes to take effect. 
Now, HTTPS communication of Applications Manager will be done only through TLSv1.2 protocol.

General notes 

  1. If you are manually editing a file always take a backup of that file and use it to replace it back in case of any issues.
  2. Disabling HTTP port is preferred compared to redirecting HTTP traffic to HTTPS.
  3. Check supported TLS protocols and ciphers using nmap in command terminal.
    nmap --script ssl-enum-ciphers -p [https-port] [hostname/ip-address]
  4. Currently, TLSv1.3 is not supported in Applications Manager.

Feel free to contact appmanager-support@manageengine.com in case of further questions.


                    New to ADSelfService Plus?

                      • Related Articles

                      • How to enable HTTPS connection between end user and RUM Agent?

                        By default end user data will be collected and sent via HTTP connection to RUM Agent. To enable HTTPS connection you should have an valid SSL Certificate (keystore file basically), not a self signed certificate. Open the AppServer.properties file ...
                      • AppManager disk is full - I want to clear some space

                        Increased Applications Manager database utilization could have increased the Applications Manager Disk size. To clear some space, follow the steps below: 1. In the <AppManager_Home>\working\heapdump directory, check if any old files are present and ...
                      • How to fix "SSL Connection required, but not supported by server"?

                        Error Message: SSL Connection required, but not supported by server Reason: This error occurs when you are trying to add a server as SSL enabled but the server is not configured to use SSL. Solution: To overcome this issue: Solution 1: Configure SSL ...
                      • How to change AppManager credentials/EUM API Key?

                        How to change AppManager credentials/EUM API Key in console mode or directly from file? For EUM Agent version 18 and above: Go to [EUM_HOME]/conf folder. Open AppServer.xml in a text editor. Remove encryptedKey attribute and add new attribute apikey ...
                      • Basic WMI connection check when unable to add monitor

                        Follow the below steps to check the WMI connection when unable to add the monitor in WMI mode. Supported monitors: Active Directory, Microsoft Dynamics CRM / 356 On Prem, Microsoft Dynamics AX, Microsoft Skype for Business, Network Policy Server, ...