Hardening the UI Access
Web Server Certificate (SSL)
The platform is shipped with a self-signed certificate, TLS v1.2.
Certificate Requirements
A Java Keystore (JKS) contains a public certificate and its private key.
The JKS must have a store password and a key password.
The JKS name must match the "Certificate Path" setting within the platform's web console settings.
Applying the Certificate
Place your custom keystore.jks file in the <ZigiOps>\conf folder.
Update the platform's web console settings with the certificate's details.
Certificate Path - this is the certificate's file location, for example, conf/keystore.jks.
Certificate Key Password - this is the certificate's key password.
Certificate Key Manager Password - this is the certificate's key manager password.
Restart the platform's service.
Close all opened browser sessions to the platform's web console.
Listener Certificate (SSL)
The platform is shipped with a self-signed listener certificate, TLS v1.2.
Certificate Requirements
A Java Keystore (JKS) containing both a public certificate and its private key.
The JKS must have a store password and a key password.
The JKS name must match the "Certificate Path" setting within the platform's listener settings.
Applying the Certificate
Place your custom keystore.jks file in the <ZigiOps>\conf folder.
Update the platform's listener settings with the listener certificate's details.
Certificate Path - this is the listener certificate's file location, for example, conf/keystore.jks.
Certificate Key Password - this is the listener certificate's key password.
Certificate Key Manager Password - this is the listener certificate's key manager password.
Restart the platform's service.
Close all opened browser sessions to the platform's web console.
If you're already using a custom web server certificate in the <ZigiOps>\conf\keystore.jks
file, you should add the listener certificate within the same <ZigiOps>\conf\keystore.jks
file and vice versa.
IP Whitelist
The platform supports whitelisting by IP address. This is an optional addition to the hardening process that prevents unwanted access to the ZigiOps UI by allowing only the listed addresses to log in.
How to configure and enable IP Whitelist
The IP whitelisting is disabled by default. Follow the steps below to configure and enable it.
Open the <ZigiOps>\conf\config.properties file in any text editor.
Add the below properties on a new line at the end of the file.
zigiwave.mfa.enabled=true
zigiwave.mfa.allowed.ips=localhost, <IP-1>, <IP-2>, <IP-n>
Save the changes and restart the ZigiOps service.
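A pre-restart check for the two whitelist properties, added here as an example and not part of the ZigiOps product or its documentation. It assumes each entry must be either localhost or a single IP address, as the parameter summary lists; the function names and the sample lines are constructed for illustration.

```python
import ipaddress

# Constructed sample of config.properties lines (not taken from a real install).
SAMPLE = """\
# other settings above
zigiwave.mfa.enabled=true
zigiwave.mfa.allowed.ips=localhost, 10.1.1.1, 10.1.1.300, 10.1.2.0/24, <IP-2>
"""

def parse_properties(text):
    """Minimal key=value parser; skips blank lines and '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def check_whitelist(text):
    """Return (enabled, valid_entries, problems) for the whitelist properties."""
    props = parse_properties(text)
    # A missing property counts as disabled, matching the documented default.
    enabled = props.get("zigiwave.mfa.enabled", "").lower() == "true"
    valid, problems = [], []
    raw = props.get("zigiwave.mfa.allowed.ips", "")
    for entry in (e.strip() for e in raw.split(",")):
        if not entry:
            problems.append("empty entry (stray comma?)")
        elif entry == "localhost":
            valid.append(entry)
        else:
            # Assumption: only single addresses are accepted, so CIDR ranges,
            # hostnames and unreplaced placeholders are flagged for review.
            try:
                valid.append(str(ipaddress.ip_address(entry)))
            except ValueError:
                problems.append(f"not a single IP address: {entry!r}")
    if enabled and not valid:
        problems.append("whitelist enabled with no usable address")
    return enabled, valid, problems

if __name__ == "__main__":
    enabled, valid, problems = check_whitelist(SAMPLE)
    print("enabled:", enabled, "| valid:", valid)
    for p in problems:
        print("PROBLEM:", p)
```

Running the check before the service restart catches a mistyped address or a leftover <IP-n> placeholder that would otherwise leave the intended administrators unable to log in.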
IP Whitelist Parameters Summary
Note that the parameters are not present in the config.properties file by default, but they are applied with some default values.
Parameter | Details | Possible Value(s) |
---|---|---|
zigiwave.mfa.enabled | The property that controls if the MFA will be enabled or not. | true/false |
zigiwave.mfa.allowed.ips | The list of addresses allowed to log in to the ZigiOps UI. The value should be comma-separated, e.g., localhost, 10.1.1.1, 10.1.1.2, etc. | localhost/<IP> |
How to disable IP Whitelist
Follow the steps below to disable the whitelisting by IP.
Open the <ZigiOps>\conf\config.properties file in any text editor.
Set the zigiwave.mfa.enabled parameter to false.
Save the changes and restart the ZigiOps service.