Uploaded image for project: 'Crowd'
  1. Crowd
  2. CWD-5660

Update "Configuring Crowd to Work with SSL" documentation

    XMLWordPrintable

    Details

    • Type: Suggestion
    • Status: Gathering Interest (View Workflow)
    • Resolution: Unresolved
    • Fix Version/s: None
    • Component/s: Documentation
    • Labels:
      None
    • Feedback Policy:

      Our product teams collect and evaluate feedback from a number of different sources. To learn more about how we use customer feedback in the planning process, check out our new feature policy.

      Description

      Problem

      Configuring Crowd to Work with SSL needs a bit of a sprucing up.

      Example connector out of date

      The example connector (which most customers use by default) is missing many of the configuration that is included in the default 8095 connector included in Crowd. This can lead to issues that result in a support ticket.

      There is not section on adding a redirect

      Confluence includes a section on adding a security constraint to automatically redirect traffic from http to https, this is missing in the Crowd documentation. While it's possible to figure out how to add this by reviewing other Atlassian product documentation (or Tomcat documentation), it's easy to miss all of the areas in which you need to add the security constraint (as Crowd has 4 webapps, vs 1 for Confluence).

      There is no step to update the base url

      Updating the base url is an important step that is easy to forget, the documentation should include it.

      Recommendation

      Update the example connector to include all settings from the 8095 default connector:

      <Connector acceptCount="100"
                         connectionTimeout="20000"
                         disableUploadTimeout="true"
                         enableLookups="false"
                         maxHttpHeaderSize="8192"
                         maxThreads="150"
                         minSpareThreads="25"
                         useBodyEncodingForURI="true"
                         URIEncoding="UTF-8"
                         compression="on"
                         sendReasonPhrase="true"
                         compressableMimeType="text/html,text/xml,application/xml,text/plain,text/css,application/json,application/javascript,application/x-javascript"
                         port="8443"
                         protocol="org.apache.coyote.http11.Http11Protocol"
                         SSLEnabled="true" 
                         scheme="https" 
                         secure="true"
                         clientAuth="false" 
                         sslProtocol="TLS"
                         sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
                         keystoreFile="${user.home}/.keystore" 
                         keystorePass="changeit"
                         keyAlias="tomcat"
                         keyPass="changeit" />
      

      Add a section detailing how to implement https redirect

      Edit these files:

      • ${CROWD_DIR}/apache-tomcat/webapps/ROOT/WEB-INF/web.xml
      • ${CROWD_DIR}/crowd-webapp/WEB-INF/web.xml
      • ${CROWD_DIR}/crowd-openidclient-webapp/WEB-INF/web.xml
      • ${CROWD_DIR}/crowd-openidserver-webapp/WEB-INF/web.xml

      Add the following at the end of the file before the </web-app> tag:

      <security-constraint>
       <web-resource-collection>
       <web-resource-name>Restricted URLs</web-resource-name>
       <url-pattern>/</url-pattern>
       </web-resource-collection>
       <user-data-constraint>
       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
       </user-data-constraint>
      </security-constraint>
      

      Add a section that details how to update the base url:

      1. In your browser, go to > General
      2. Change the Base URL field from http to https
      3. Save

        Attachments

          Activity

            People

            Assignee:
            Unassigned Unassigned
            Reporter:
            sbrannen@atlassian.com Branno
            Votes:
            1 Vote for this issue
            Watchers:
            2 Start watching this issue

              Dates

              Created:
              Updated: