Web Server: OpenSSL Cipher Suite

From Resin 4.0 Wiki

Latest revision as of 00:00, 28 January 2012


The cipher suites and protocols that Resin's OpenSSL listener will accept are set in the Resin application server configuration file, resin.xml, inside the <openssl> element of the HTTPS port.

conf/resin.xml

<resin xmlns="http://caucho.com/ns/resin">
  ...
  <cluster id="web-tier">
    <server id="...">

      <http port="443">
        ...
        <openssl>
          <certificate-key-file>keys/your_domain.key</certificate-key-file>
          <certificate-file>keys/your_domain.crt</certificate-file>
          <certificate-chain-file>keys/chain.txt</certificate-chain-file>
          <password>test123</password>
          <cipher-suite>ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM</cipher-suite>
          <protocol>-all +sslv3 +tlsv1</protocol>
        </openssl>
      </http>

    </server>
  </cluster>
  ...
</resin>

Restricting the cipher suites and protocols in this way is typically required for PCI compliance of a web site.

Refer to the Resin SSL documentation (http://caucho.com/resin-4.0/admin/security-ssl.xtp) for more information.
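As an added example (not code from the Resin wiki or from Caucho), the script below parses the <openssl> block shown above, expands the <cipher-suite> string through the local OpenSSL library via Python's ssl module, and evaluates the <protocol> list so a reviewer can see exactly which suites and versions the configuration leaves enabled. The protocol token names and the meaning of "-all" are assumptions about Resin's syntax; certificate paths and the password are placeholders.

```python
import ssl
import xml.etree.ElementTree as ET

# Constructed resin.xml fragment based on the <openssl> block on this page
# (certificate paths and the key password are placeholders).
RESIN_XML = """<resin xmlns="http://caucho.com/ns/resin">
  <cluster id="web-tier"><server id="app-a"><http port="443"><openssl>
    <certificate-key-file>keys/your_domain.key</certificate-key-file>
    <certificate-file>keys/your_domain.crt</certificate-file>
    <password>KEY_PASSWORD_PLACEHOLDER</password>
    <cipher-suite>ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM</cipher-suite>
    <protocol>-all +sslv3 +tlsv1</protocol>
  </openssl></http></server></cluster>
</resin>"""
NS = {"r": "http://caucho.com/ns/resin"}

def read_openssl_settings(xml_text):
    """Return [(cipher_suite, protocol)] for every <openssl> block in resin.xml."""
    root = ET.fromstring(xml_text)
    return [(n.findtext("r:cipher-suite", "", NS).strip(),
             n.findtext("r:protocol", "", NS).strip())
            for n in root.iter("{%s}openssl" % NS["r"])]

def enabled_protocols(protocol_string):
    """Evaluate a '+name'/'-name' protocol list left to right. The version
    names and the expansion of 'all' are assumptions about Resin's syntax."""
    all_versions = ["sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"]
    enabled = set()
    for tok in protocol_string.split():
        names = all_versions if tok[1:] == "all" else [tok[1:]]
        enabled = enabled | set(names) if tok[0] == "+" else enabled - set(names)
    return [v for v in all_versions if v in enabled]

def expand_cipher_string(cipher_string):
    """Expand an OpenSSL cipher-list string into the suites the local OpenSSL
    build would actually negotiate, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]

def audit(xml_text):
    """Flag what a reviewer would question: NULL or anonymous suites left in the
    expanded list, RC4 still present, and SSLv2/SSLv3 enabled by <protocol>."""
    report = []
    for cipher_suite, protocol in read_openssl_settings(xml_text):
        names = expand_cipher_string(cipher_suite)
        versions = enabled_protocols(protocol)
        report.append({
            "suites": names,
            "null_or_anon": [n for n in names if "NULL" in n or "ADH" in n or "AECDH" in n],
            "rc4": [n for n in names if "RC4" in n],
            "protocols": versions,
            "legacy_protocols": [v for v in versions if v in ("sslv2", "sslv3")],
        })
    return report
```

Whether RC4 suites survive the expansion depends on the OpenSSL build Python is linked against, which is exactly why the string should be checked on the host that runs Resin rather than read by eye.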
