Configuring the HTTP Server for the LSR (SSL/TLS Certificate)
Suppose you want to set up a Lua Script Resource on a device that is external to the EMS. To prevent external sources from sniffing packets on your network, it is strongly recommended that you enable SSL/TLS on the HTTP servers on both the EMS and the Lua Script Resource. You can also require a user name and password for both HTTP server to ensure that only authenticated applications can access the LSR model and EMS communication channels.
 |
Always configure a secure HTTP server. Otherwise, the EMS and LSR will log warning messages when any one or more of the following conditions is true:
• SSL is disabled. That is, the ssl property is set to false
• Authentication is disabled.
• Certificate validation is disabled.
• Self-signed certificates are allowed.
For examples of secure configurations for communications between the EMS and the LSR, refer to Setting Up Secure Communications for EMS and LSR. These examples are presented in order of least secure (testing purposes ONLY) to most secure (strongly recommended for production environments).
|
As of release 5.4.0 of the EMS, the Lua Script Resource (LSR) is configured to secure HTTP connections by default.
To load a PEM-encoded certificate for use by the LSR’s HTTP server when TLS is enabled, you need to configure the following properties in your config.lua file:
-- HTTP Server Configuration
--
scripts.script_resource_host = "localhost"
scripts.script_resource_port = "8001"
scripts.script_resource_ssl = "true"
scripts.script_resource_certificate_chain = "/path/to/lsr_http_server_certificate_chain/file"
scripts.script_resource_private_key = "/path/to/private/key"
scripts.script_resource_passphrase = "some_encrypted_passphrase"
scripts.script_resource_authenticate = "true"
scripts.script_resource_userid = "johnsmith"
scripts.script_resource_password = "some_encrypted_password"
scripts.script_resource_enable_csrf_tokens = true
scripts.script_resource_csrf_token_rotation_period = 10
scripts.script_resource_enable_rest_services = false
--
scripts.script_resource_host = "localhost"
scripts.script_resource_port = "8001"
scripts.script_resource_ssl = "true"
scripts.script_resource_certificate_chain = "/path/to/lsr_http_server_certificate_chain/file"
scripts.script_resource_private_key = "/path/to/private/key"
scripts.script_resource_passphrase = "some_encrypted_passphrase"
scripts.script_resource_authenticate = "true"
scripts.script_resource_userid = "johnsmith"
scripts.script_resource_password = "some_encrypted_password"
scripts.script_resource_enable_csrf_tokens = true
scripts.script_resource_csrf_token_rotation_period = 10
scripts.script_resource_enable_rest_services = false
 |
The use of double quotation marks in config.lua is required only for Strings. For numbers and Boolean values, you do not need to use them. The LSR will work if you do use them for Booleans or numbers.
|
The port number is 8001 by default. You can choose whatever port is available for the HTTP server of the LSR.
To encrypt the passphrase and password, refer to Encrypting Application Keys, Passwords, and Passphrases.
The following table lists and briefly describes the properties for the HTTP Server of the LSR:
|
Property
|
Description
|
||
|---|---|---|---|
|
scripts.script_resource_host
|
The host name or IP address of the machine where the LSR is running. The default value is "localhost"
|
||
|
scripts.script_resource_port
|
The number of the port used on the host for communicating with the EMS. The default value is "8001". Choose whichever port is available on the device for the HTTP Server of the LSR.
|
||
|
scripts.script_resource_ssl
|
Whether to use SSL/TLS for communication (Boolean). The default value is "true"
|
||
|
scripts.script_resource_certificate_chain
|
The path to the PEM-encoded certificate file. Use forward slashes when specifying the path, regardless of the operating system of the device.
|
||
|
scripts.script_resource_private_key
|
The path to the private key for the certificate. Use forward slashes when specifying the path, regardless of the operating system of the device..
|
||
|
scripts.script_resource_passphrase
|
The passphrase for the private key and certificate. Enclose the string in double quotation marks. For best security, encrypt the passphrase, as explained in Encrypting Application Keys, Passwords, and Passphrases.
|
||
|
scripts.script_resource_authenticate
|
Whether to authenticate the sender of an incoming request (Boolean). The default value is "true".
|
||
|
scripts.script_resource_userid
|
The user name that will be presented for authentication when attempting to access the LSR..
|
||
|
scripts.script_resource_password
|
The AES encrypted password that the user should present when attempting to access the LSR. For information about encryption, refer to Encrypting Application Keys, Passwords, and Passphrases.
|
||
|
scripts.script_resource_enable_csrf_tokens = true
|
Flag that enables (true) or disables (false) the use of CSRF tokens for REST APIs with the LSR. By default, use of CSRF tokens is enabled. Refer to CSRF Token Support.
|
||
|
scripts.script_resource_csrf_token_rotation_period = 10
|
The number of minutes between changes to the CSRF token for a given session. The default value is 10 minutes.
|
||
|
scripts.script_resource_enable_rest_services = false
|
Flag that enables (true) or disables (false) the use of REST services with the LSR. By default, use of REST services is disabled.
|