Brief description
TLS supports many cipher suites and protocol versions, and some of them are no longer considered secure. The Dart SDK (the Cisco Kinetic EFM Dart Message Broker, Acuity Brands DGLux5 and Project Builder are built with the Dart programming language) does not allow configuring the enabled cipher suites, their order, or the advertised SSL/TLS protocol versions. It is therefore recommended to place a reverse proxy in front of the broker and control the TLS configuration there.
In this configuration all Dart Message Broker communications traverse the nginx reverse proxy. Because nginx is fully configurable and acts as a TLS-terminating proxy, the SSL/TLS profile that clients see is the hardened one configured in nginx rather than the fixed one built into the Dart SDK.
When IIS 8 is used as an authenticating reverse proxy in front of the EFM server, the configuration attached below must be used. It keeps TLSv1 and TLSv1.1 enabled alongside TLSv1.2 for compatibility with IIS 8. Both older versions are deprecated (RFC 8996), so this exception should be reviewed and removed as soon as the IIS 8 dependency is gone.
Installation of nginx on Linux
On CentOS and RHEL the nginx package comes from the EPEL repository, so EPEL has to be enabled first.
CentOS 7
yum install epel-release
yum install nginx
RHEL 7.2
wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum install epel-release-latest-7.noarch.rpm
yum install nginx
Ubuntu 16.04
apt install nginx
Configuration
These are the steps to install nginx on the same server as the Cisco Kinetic EFM Dart Message Broker and configure it as a TLS-terminating reverse proxy.
- Create a new Diffie-Hellman parameters file with
openssl dhparam -out /etc/nginx/dhparam.pem 2048
- Save the TLS private key (without passphrase) and the certificate as
/etc/ssl/myhost.cert.pem
/etc/ssl/myhost.key.pem
or adapt the paths in the configuration. Because the key is stored unencrypted, make it owned by root and readable only by root (mode 0600).
- Adapt the "server_name" parameter in the configuration file.
- For Ubuntu
- Save the adapted configuration below as /etc/nginx/sites-available/efm
- Create a symbolic link to enable the configuration
ln -s /etc/nginx/sites-available/efm /etc/nginx/sites-enabled/efm
- For CentOS 7 and RHEL 7
- Ensure that the default site on HTTP/80 is disabled in the /etc/nginx/nginx.conf file by commenting out that server section, and ensure that
include /etc/nginx/conf.d/*.conf;
is not commented out.
- Create the file /etc/nginx/conf.d/efm.conf with the adapted configuration (see below).
- On both platforms, check the syntax with nginx -t before restarting nginx, and enable the nginx service so it starts at boot.
Firewall configuration
To enable access to the nginx server you may have to open port 443 in the firewall. Do not open port 8443 (the broker's own listener) to the outside; if clients can reach 8443 directly they bypass the proxy and get the Dart SDK's fixed TLS settings again.
With plain iptables:
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
This rule is only in the running rule set; save it with the distribution's iptables persistence mechanism if it has to survive a reboot.
If firewalld on RHEL or CentOS is enabled, open port 443 by enabling the https service in the firewall configuration, both in the running configuration and permanently:
firewall-cmd --add-service https
firewall-cmd --permanent --add-service https
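Once nginx has been restarted with the configuration from the next section and the firewall is open, it is worth confirming what the proxy actually negotiates rather than trusting the file. The following script is an added example written for this article (it is not Cisco's, nginx's or the EFM product's own tooling); it drives the openssl command-line tool, which it assumes is installed, against the nginx listener and classifies each handshake. The host name efm.example.com in the usage line is an assumption.

```shell
#!/bin/sh
# tls_probe.sh - check what the nginx TLS terminator in front of the EFM
# broker really negotiates. Added example for this article, not Cisco code.
# Assumes the openssl command-line tool is installed on the machine running it.
# Usage: sh tls_probe.sh efm.example.com 443     (host name is an assumption)

# classify_handshake "<raw openssl s_client output>" -> accepted | rejected | error
# "Cipher is (NONE)" or a handshake/protocol alert means the server refused the
# offer; a negotiated cipher means it accepted; anything else (connection
# refused, unknown option, cipher not available on the client) is a probe error.
classify_handshake() {
  case "$1" in
    *"Cipher is (NONE)"*|*"handshake failure"*|*"alert protocol version"*)
      echo rejected ;;
    *"Cipher is "*)
      echo accepted ;;
    *)
      echo error ;;
  esac
}

# probe <s_client flags...> : one handshake against $HOST:$PORT, classified.
# </dev/null closes the session right after the handshake; -servername sends SNI.
probe() {
  out=$(openssl s_client -connect "$HOST:$PORT" -servername "$HOST" "$@" </dev/null 2>&1)
  classify_handshake "$out"
}

# expect <label> <accepted|rejected> <s_client flags...>
expect() {
  label=$1; want=$2; shift 2
  got=$(probe "$@")
  if [ "$got" = "$want" ]; then
    echo "PASS  $label"
  else
    echo "FAIL  $label (wanted $want, got $got)"
    FAILED=1
  fi
}

main() {
  HOST=$1
  PORT=${2:-443}
  FAILED=0
  expect "TLSv1.2 accepted"               accepted -tls1_2
  # The article keeps TLSv1/1.1 only for IIS 8; switch these two to "rejected"
  # once that dependency is gone (both protocols are deprecated by RFC 8996).
  expect "TLSv1.1 accepted (IIS 8 only)"  accepted -tls1_1
  expect "TLSv1 accepted (IIS 8 only)"    accepted -tls1
  # Probes the local openssl build cannot offer (e.g. -ssl3 or RC4 compiled out)
  # show up as "error", not as a server-side rejection.
  expect "SSLv3 rejected"                 rejected -ssl3
  expect "RC4 rejected"                   rejected -tls1_2 -cipher RC4
  expect "3DES rejected"                  rejected -tls1_2 -cipher 3DES
  expect "anonymous/NULL rejected"        rejected -tls1_2 -cipher 'aNULL:eNULL'
  return $FAILED
}

# Only run the probes when a host was given, so the helper functions can be
# sourced and exercised without network access.
if [ $# -gt 0 ]; then
  main "$@"
fi
```

The script exits non-zero if any expectation fails, so it can be dropped into a post-deployment check. Run it from a host other than the proxy itself as well, so the firewall rule is exercised too.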
Hardened nginx configuration if IIS 8 is used as authenticating proxy
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' '';
}
server {
    # "ssl on;" is deprecated since nginx 1.15.0; the ssl parameter on
    # listen is the supported way to enable TLS on this port.
    listen 443 ssl;
    server_name <your name here>;
    server_tokens off;
    # TLSv1 and TLSv1.1 are kept only for compatibility with IIS 8 in front of
    # this proxy; both are deprecated by RFC 8996. Remove them when IIS 8 is gone.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_dhparam /etc/nginx/dhparam.pem;
    add_header X-XSS-Protection "1; mode=block";
    # Forward-secret GCM suites first, then the weaker fallbacks; RC4, 3DES,
    # MD5, export and anonymous/NULL suites are excluded explicitly.
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:HIGH:!MEDIUM:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers on;
    ssl_certificate /etc/ssl/myhost.cert.pem;
    ssl_certificate_key /etc/ssl/myhost.key.pem;
    access_log /var/log/nginx/nginx.vhost.access.log;
    error_log /var/log/nginx/nginx.vhost.error.log;
    location / {
        # The broker listens on 8443 with its own, non-configurable TLS.
        # nginx does not verify that certificate unless proxy_ssl_verify is set.
        proxy_pass https://127.0.0.1:8443;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_http_version 1.1;
        # When IIS 8 sits in front, $remote_addr is the IIS address, not the
        # original client; X-Forwarded-For is overwritten, not appended to.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $http_host;
    }
    location /ws {
        # WebSocket connections to the broker need the Upgrade/Connection
        # headers passed through; $connection_upgrade comes from the map above.
        proxy_pass https://127.0.0.1:8443;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
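For deployments that do not need the IIS 8 compatibility exception, the following TLSv1.2-only variant is an added example written for this article; it is not Cisco's or nginx's own configuration. The host name efm.example.com, the CA file /etc/ssl/efm-broker-ca.pem that is assumed to have signed the broker's own certificate on port 8443, and the name efm-broker.internal assumed to be in that certificate are placeholders; certificate, key and dhparam paths are the ones used above. Upstream verification (proxy_ssl_verify) needs nginx 1.7.0 or newer; if the broker's certificate is self-signed, point proxy_ssl_trusted_certificate at that certificate file itself.

```nginx
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;                        # replaces the deprecated "ssl on;"
    server_name efm.example.com;           # assumption: your proxy host name
    server_tokens off;

    ssl_certificate     /etc/ssl/myhost.cert.pem;
    ssl_certificate_key /etc/ssl/myhost.key.pem;
    ssl_dhparam         /etc/nginx/dhparam.pem;

    # Weak setting in the IIS 8 variant: "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;"
    # Corrected: only TLSv1.2, with forward-secret AEAD suites and no static RSA.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256";
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;               # no long-lived ticket key in memory

    # Tell browsers to keep using TLS; "always" also sets it on error responses.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options SAMEORIGIN always;

    access_log /var/log/nginx/efm.access.log;
    error_log  /var/log/nginx/efm.error.log;

    # Verify the broker's certificate on the loopback hop so a local process
    # that grabs port 8443 cannot silently sit between nginx and the broker.
    proxy_ssl_verify              on;
    proxy_ssl_trusted_certificate /etc/ssl/efm-broker-ca.pem;   # assumption
    proxy_ssl_name                efm-broker.internal;          # assumption: name in the broker cert
    proxy_ssl_server_name         on;
    proxy_ssl_protocols           TLSv1.2;

    location / {
        proxy_pass https://127.0.0.1:8443;
        proxy_http_version 1.1;
        proxy_set_header Host              $http_host;
        proxy_set_header X-Real-IP         $remote_addr;
        # Appends to an existing chain; only trustworthy when nginx is the edge.
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    location /ws {
        proxy_pass https://127.0.0.1:8443;
        proxy_http_version 1.1;
        proxy_set_header Host       $http_host;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Real-IP  $remote_addr;
        proxy_read_timeout 3600s;          # keep idle broker websockets open
    }
}

# Send plaintext requests to TLS instead of leaving port 80 unanswered.
server {
    listen 80;
    server_name efm.example.com;           # assumption
    return 301 https://$host$request_uri;
}
```

Apply the same change in stages: switch ssl_protocols first and re-run a handshake check against the proxy, then turn on proxy_ssl_verify and watch the error log, since a name mismatch on the broker's certificate turns every request into a 502 until proxy_ssl_name matches.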