What's the motivation? Jetty as built via OpenNMS does not have a configurable cipher suite, or at least no obvious or intuitive way to set one that wouldn't require crawling the web for documentation. Weak ciphers create noise on a Nessus scan, which lists them as a medium-severity vulnerability. I found two how-tos on the OpenNMS wiki, and both entailed using Jetty with AJP support. I wanted something simpler.
1. Edit /etc/opennms/opennms.properties and uncomment this line:
opennms.web.base-url = https://%x%c/
Then restart OpenNMS.
2. Install mod_proxy for Apache2 and enable the proxy modules (proxy_http is needed for the http:// backend used below):
$ a2enmod proxy proxy_http
Beware that the default Debian proxy configuration disallows all proxy access. My installation required me to loosen it up a bit.
Edit "/etc/apache2/mods-available/proxy.conf", get rid of "Deny from all" and add:
Allow from 127.0.0.1/8 192.168.90.0/24
3. Add the virtual host entry for OpenNMS on Apache. Edit "/etc/apache2/sites-available/default-ssl" and add:
ProxyPass /opennms http://127.0.0.1:8980/opennms
ProxyPassReverse /opennms http://127.0.0.1:8980/opennms
Done. Everything works fine. Nessus is happy. Deployment secure.
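As an added example (not from the original post), here is how the two Apache files could look once the steps above are applied, with the cipher policy that Jetty would not expose now set in Apache instead; the ServerName, the certificate paths and the LAN range are assumptions.

```apache
# /etc/apache2/mods-available/proxy.conf
# Reverse proxy only: never act as an open forward proxy for the LAN.
ProxyRequests Off
<Proxy *>
    AddDefaultCharset off
    Order deny,allow
    Deny from all
    # Loopback plus the assumed management LAN, as in the post.
    Allow from 127.0.0.0/8 192.168.90.0/24
</Proxy>

# /etc/apache2/sites-available/default-ssl
<VirtualHost _default_:443>
    # Assumed hostname; must match the certificate.
    ServerName opennms.example.com

    SSLEngine on
    # Debian's self-signed defaults; replace with a real certificate and key.
    SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

    # The cipher policy lives here now, not in Jetty:
    # no SSLv2/SSLv3, no NULL, export, RC4 or MD5 suites,
    # and the server's order wins over the client's.
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!RC4:!MD5
    SSLHonorCipherOrder on

    # Hand the original Host header to Jetty so generated links stay correct.
    ProxyPreserveHost On
    ProxyPass        /opennms http://127.0.0.1:8980/opennms
    ProxyPassReverse /opennms http://127.0.0.1:8980/opennms
</VirtualHost>
```

After `apache2ctl configtest` and a reload, Jetty's port 8980 should only be reachable from localhost (firewall it if it is not), and `openssl s_client -connect localhost:443 -cipher RC4` should be refused.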
1 comment:
There's a bug report for the problem of the OpenNMS embedded JettyServer not exposing cipher configuration:
http://bugzilla.opennms.org/show_bug.cgi?id=3307
This issue should be fixed before the next releases (stable / 1.6.6 and unstable / 1.7.7). Glad to see that you've found a workaround in the meantime.