
Hardening the UI Access

Web Server Certificate (SSL)

The platform is shipped with a self-signed certificate, TLS v1.2.

Certificate Requirements

  • A Java Keystore (JKS) containing both a public certificate and its private key.

  • The JKS must have a store password and a key password.

  • The JKS name must match the "Certificate Path" setting within the platform's web console settings.

Applying the Certificate

  1. Place your custom keystore.jks file in the <ZigiOps>\conf folder.

  2. Update the platform's web console settings with the certificate's details.

    • Certificate Path - this is the certificate's file location, for example, conf/keystore.jks.

    • Certificate Key Password - this is the certificate's key password.

    • Certificate Key Manager Password - this is the certificate's key manager password.

  3. Restart the platform's service.

  4. Close all open browser sessions to the platform's web console.

Listener Certificate (SSL)

The platform is shipped with a self-signed listener certificate, TLS v1.2.

Certificate Requirements

  • A Java Keystore (JKS) containing both a public certificate and its private key.

  • The JKS must have a store password and a key password.

  • The JKS name must match the "Certificate Path" setting within the platform's listener settings.

Applying the Certificate

  1. Place your custom keystore.jks file in the <ZigiOps>\conf folder.

  2. Update the platform's listener settings with the listener certificate's details.

    • Certificate Path - this is the listener certificate's file location, for example, conf/keystore.jks.

    • Certificate Key Password - this is the listener certificate's key password.

    • Certificate Key Manager Password - this is the listener certificate's key manager password.

  3. Restart the platform's service.

  4. Close all open browser sessions to the platform's web console.

If you're already using a custom web server certificate in the <ZigiOps>\conf\keystore.jks file, you should add the listener certificate within the same <ZigiOps>\conf\keystore.jks file and vice versa.

IP Whitelist

The platform supports whitelisting by IP address. This is an optional addition to the hardening process that prevents unwanted access to the ZigiOps UI by allowing only the listed addresses to log in.

How to configure and enable IP Whitelist

The IP whitelisting is disabled by default. Follow the steps below to configure and enable it.

  1. Open the <ZigiOps>\conf\config.properties file in any text editor.

  2. Add the below properties on a new line at the end of the file.

    zigiwave.mfa.enabled=true
    zigiwave.mfa.allowed.ips=localhost, <IP-1>, <IP-2>, <IP-n>

  3. Save the changes and restart the ZigiOps service.

IP Whitelist Parameters Summary

Note that the parameters are not present in the config.properties file by default, but they are applied with some default values.

| Parameter | Details | Possible Value(s) |
| --- | --- | --- |
| zigiwave.mfa.enabled | Controls whether the MFA is enabled. | true/false |
| zigiwave.mfa.allowed.ips | The list of addresses allowed to log in to the ZigiOps UI. The value should be comma-separated, e.g., localhost, 10.1.1.1, 10.1.1.2, etc. | localhost/<IP> |
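A pre-restart check for the two whitelist properties, as an added example that is not part of the ZigiOps documentation or product. It assumes entries must be exactly `localhost` or a literal IP address and that `zigiwave.mfa.enabled` is exactly `true` or `false`, as listed in the table above; the helper names and the sample file contents are constructed for illustration.

```python
import ipaddress

ENABLED_KEY = "zigiwave.mfa.enabled"
IPS_KEY = "zigiwave.mfa.allowed.ips"

# Constructed sample; example.setting is a made-up neighbouring property.
SAMPLE = """\
example.setting=1
zigiwave.mfa.enabled=true
zigiwave.mfa.allowed.ips=localhost, 10.1.1.1, <IP-2>, 10.1.1.300
"""

def parse_properties(text):
    """Minimal reader: key=value lines, #/! comments, last duplicate wins."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def lint_whitelist(text):
    """Return findings for the whitelist settings; an empty list means clean."""
    props = parse_properties(text)
    findings = []
    # A property pasted after a last line with no newline lands inside that value.
    for key, value in props.items():
        if ENABLED_KEY in value or IPS_KEY in value:
            findings.append(f"{key}: a whitelist property is merged into this line")
    enabled = props.get(ENABLED_KEY)
    if enabled is not None and enabled not in ("true", "false"):
        findings.append(f"{ENABLED_KEY}: expected true/false, got {enabled!r}")
    entries = [e.strip() for e in props.get(IPS_KEY, "").split(",") if e.strip()]
    if enabled == "true" and not entries:
        findings.append(f"{IPS_KEY}: enabled with no addresses listed")
    for entry in entries:
        if entry == "localhost":
            continue
        try:
            ipaddress.ip_address(entry)  # assumption: only literal IPs are valid
        except ValueError:
            findings.append(f"{IPS_KEY}: {entry!r} is not localhost or an IP")
    return findings

if __name__ == "__main__":
    for finding in lint_whitelist(SAMPLE):
        print(finding)
```

Pass the contents of `config.properties` to `lint_whitelist` before restarting the service; the sample above reports the unreplaced `<IP-2>` placeholder and the out-of-range `10.1.1.300`.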

How to disable IP Whitelist

Follow the steps below to disable the whitelisting by IP.

  1. Open the <ZigiOps>\conf\config.properties file in any text editor.

  2. Set the zigiwave.mfa.enabled parameter to false.

  3. Save the changes and restart the ZigiOps service.
