Defining the web server settings


The Web server settings page allows you to configure and manage the following settings:

  • Server
  • Proxy
  • Ports
  • Email
  • Logging
  • Allowlist

Server

In the Server tab, configure the following Server connection and Server protocol settings established during installation.

  1. Specify the Server name that identifies your CES installation.
    After you apply the changes, this name appears in the CES header bar.

    Important

    The Server name field is alphanumeric: it accepts only A-Z and 0-9, up to a limit of 100 characters. Clicking Apply and restart server restarts the server.

  2. You can choose to manually restart the web server by clicking Restart server. The user interface displays a confirmation message and also returns you to the same page after the restart.
  3. In the Server protocols pane, use the toggle switch to Enable HTTP or Enable HTTPS or enable both protocols, and specify the relevant HTTP Port or HTTPS Port established for the respective protocol.

    Important

    BMC recommends the use of HTTPS so that data transfer is secure.

  4. If you want to enforce using CES only on the HTTPS port, you must set the Server protocol to Enable HTTPS, configure the relevant details, and click Apply. The CES server restarts. When the UI is available again, the Enable Strict HTTPS (HTTP Strict Transport Security) toggle switch appears. Enable the toggle switch to use CES only on the HTTPS port.

    Info

    HTTP Strict Transport Security (HSTS) is a web policy designed to protect visitors by ensuring that their browsers contact the web server only via HTTPS after initial contact. HSTS accomplishes this by adding the domain to a list that the user's browser keeps internally. Once the domain is added, the browser enforces HTTPS on behalf of the web server, attempting any user-requested HTTP calls as HTTPS, until the entry expires after 7 days.

    Limitations and consequences:

    Enabling HSTS may prevent some forms of SSL Stripping and Session Hijacking attacks, but the cost is that future use of HTTP may no longer be possible. The web server has no control over the browser's list of domains that requested HSTS to be enabled. Because of this, the web server cannot remove its domain if HSTS is no longer desired. Before enabling HSTS, become familiar with the process of turning it off and weigh its practicality against your organization's needs.

  5. (If the Server protocol is Enable HTTPS) Configure the following details in the Server certificate for Java KeyStore pane.
    1. Select the relevant Type, and enter platform-specific values in the subsequent fields:
      • (For Windows or Linux) If Type is Java KeyStore, enter the Location of the Java keystore file (.jks) and the Java keystore Password.

        When using CES on Windows or Linux, the Type field with options does not explicitly appear on the UI, and you need to enter only the TrustStore Location on the server and TrustStore Password.



      • (For USS only) If Type is Keyring or Keyring with Hardware CCA, enter the relevant Keyring username and Keyring name.
        If the Keyring CCA server certificate feature does not work as expected, ensure that you are using the Java version J17.0_64.v11 or later. If required, update the Java version in the CESEMN file. 

        Update the java.security file for Java. This file is a part of JDK and is located in the conf/security directory of the JDK installation. Update the file with the following providers:

        security.provider.1=IBMJCEHYB
        security.provider.2=IBMJCECCA
        security.provider.3=OpenJCEPl
        security.provider.4=IBMZSecur
        security.provider.5=SUN
        security.provider.6=SunRsaSig
        security.provider.7=SunEC
        security.provider.8=SunJSSE
        security.provider.9=SunJCE
        security.provider.10=SunJGSS
        security.provider.11=SunSASL

        After making these changes, restart the CES service. 

    2. Enter the Certificate alias to identify the certificate.
  6. (If the Server protocol is Enable HTTPS) Configure the following details in the Client workstation certificate authentication pane.
    1. Select the relevant Type of certificate authentication.
    2. (If the Client certificate alias is TrustStore or Java KeyStore) Use the Require client authentication toggle switch to enforce client authentication.

      Important

      Make sure that you have a valid certificate on your browser or your smart card device. CES supports certificate files that are in the .pfx format only.

    3. (If the Client certificate alias is TrustStore) Select the relevant Type, and enter platform-specific values in the subsequent fields:
      • (For Windows or Linux) If Type is TrustStore, enter the Location of the TrustStore on the server and the keystore Password. The TrustStore can be the same as the Java KeyStore.
      • (For USS only) If Type is Keyring or Keyring with Hardware CCA, enter the relevant Keyring username and Keyring name. The TrustStore can be the same as the provided Keyring or Keyring with Hardware CCA type.

        Important

        When using CES on Windows or Linux, the Type field with options does not explicitly appear on the UI, and you need to enter only the TrustStore Location on the server and TrustStore Password.

  7. Click Apply and restart server.
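
How a browser handles the HSTS policy described in step 4, modelled in Python as an added example (not BMC or CES code): the header counts only on an HTTPS response, the entry lapses after the 7-day lifetime, and under RFC 6797 an early removal needs an HTTPS response carrying max-age=0, which a server that has stopped serving HTTPS cannot deliver. The HstsStore class, its method names and the header values passed to it are constructed for illustration; the page does not show the exact header CES sends.

```python
"""Model of browser-side Strict-Transport-Security processing (RFC 6797)."""
from datetime import timedelta

SEVEN_DAYS = 7 * 24 * 3600  # 604800 seconds, the lifetime stated on this page


def parse_hsts(value):
    """Return {'max_age': int, 'include_subdomains': bool}, or None if invalid."""
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name in seen:                     # a repeated directive voids the header
            return None
        seen[name] = arg.strip().strip('"')  # max-age may be sent as a quoted-string
    age = seen.get("max-age", "")            # max-age is the one mandatory directive
    if not (age.isascii() and age.isdigit()):
        return None
    return {"max_age": int(age),
            "include_subdomains": "includesubdomains" in seen}


class HstsStore:
    """Constructed stand-in for the browser's internal list of HSTS hosts."""

    def __init__(self):
        self.expiry = {}

    def observe(self, scheme, host, header, now):
        # Only an HTTPS response may set or clear policy; over HTTP it is ignored.
        policy = parse_hsts(header) if scheme == "https" and header else None
        if policy is None:
            return
        if policy["max_age"] == 0:           # early removal, reachable only via HTTPS
            self.expiry.pop(host, None)
        else:
            self.expiry[host] = now + timedelta(seconds=policy["max_age"])

    def upgrade(self, url_scheme, host, now):
        """Return the scheme the browser actually uses for a request to host."""
        if url_scheme == "http" and self.expiry.get(host, now) > now:
            return "https"
        return url_scheme
```

To compare against a live server, pass the Strict-Transport-Security value from an HTTPS response to parse_hsts and check max_age against SEVEN_DAYS.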

 
