Nexus Documentation
CURL vulnerability information (CVE-2023-38545) - Nexus awareness advisory on Microsoft's update KB5014754

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Current »

This article describes the available connectors in Nexus Timestamp Server and how to define them. TLS is used in Nexus Timestamp Server, but in the examples below, SSL is used.

Normally, Nexus Timestamp Server has multiple network ports open for communicating with users and other systems. The configuration entities that define what ports to listen to are called connectors. There are different connector types targeting different network security requirements. Normally there is (at least) one for plain HTTP and one for HTTPS.

 Define plain connector

A plain connector creates a simple HTTP endpoint. The only required extra parameter is port.

  1. In the timestamp.properties configuration file, add this:

    Example: Plain connector
    connector.0.name=localhost
connector.0.port=8879
 Define TLS connector

The TLS connector type creates HTTPS connections including server authentication and will communicate through an encrypted tunnel.

To create an TLS endpoint, you need a keystore containing the server key. A connector will automatically be used for TLS if the TLS subkey exists.

keystore.pin is used to unlock the keystore and keyStorePassword is used for accessing the keys.

Three different key formats are accepted: PKCS#12, PKCS#11 and JKS. See Manage keystores in Nexus Timestamp Server for more details on keystores.

  1. To configure the TLS connector using PKCS#12, enter this in timestamp.properties:

    Example: Configure TLS connector using PKCS#12
    connector.1.name=localhost
connector.1.port=8443
connector.1.ssl.keystore=${config}/keys/sslDemo.p12
connector.1.ssl.keystore.pin=1234
connector.1.ssl.keyStorePassword=1234
 Define TLS connector with client authentication

TLS can be used to authenticate the user, this is called TLS client authentication. To be able to use the TLS client authentication method, a connector configured to manage client authentication is required.

  1. To enable a connector to manage TLS with client authentication, configure a regular TLS connector, see above.
  2. Point out a truststore. See Manage truststores in Nexus Timestamp Server for information on how to create a truststore.

  3. To configure the TLS connector with client authentication enabled, enter this in timestamp.properties:

    Example: TLS connector with client authentication enabled
    connector.2.name=localhost
connector.2.port=8886
connector.2.ssl.keystore=${config}/keys/sslDemo.p12
connector.2.ssl.keystore.pin=1234
connector.2.ssl.keyStorePassword=1234
connector.2.ssl.needClientAuth=true
connector.2.ssl.truststore=${config}/certs

The needClientAuth and wantClientAuth parameters are used to define if client authentication is required or if it shall be optional. If those parameters are not set, the web application can control if and when to authenticate the user, which is the case for the TLS client authentication method.

An example of how to use the Nexus Timestamp Client to send an TLS request to a connector with client authentication enabled can be found in Use Nexus Timestamp Server test client.

 Define TLS connector with key from PKCS#11

  1. To configure the TLS connector, if the private key resides inside a PKCS#11 token, enter this in timestamp.properties:

    Example: TLS connector with key from PKCS#11
    connector.3.name=localhost
connector.3.port=8887
connector.3.ssl.keystore=${config}/keys/cs_pkcs11_R2.dll
connector.3.ssl.keystore.pin=1234
# tokenlabel is the label name of the token that will be used
connector.3.ssl.keystore.tokenlabel=tsa_keys
# certAlias is mapped to the CKA_LABEL of the certificate and key
connector.3.ssl.certAlias=tsa-cert
connector.3.ssl.keyStorePassword=1234
connector.3.ssl.needClientAuth=true
connector.3.ssl.truststore=${config}/certs
 Exclude protocols or cipher suites

You can configure the protocols or cipher suites used. Note that the default configuration is completely overridden if an exclude is configured.

  1. To exclude protocols or cipher suites, enter this in timestamp.properties:

    Example: Exclude protocols or cipher suites
    # Default excluded protocols:
connector.3.ssl.excludeProtocols.1=SSL
connector.3.ssl.excludeProtocols.2=SSLv2
connector.3.ssl.excludeProtocols.3=SSLv2Hello
connector.3.ssl.excludeProtocols.4=SSLv3
# Default excluded cipher suites: (Regular expressions or full names supported)
connector.3.ssl.excludeCipherSuites.1=^.*_(MD5|SHA|SHA1)$

Related information

  • No labels

Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.
Contact Nexus | https://www.nexusgroup.com | Disclaimer | Terms & Conditions