Enhancing web security by deprecating HTTP-only connections (port 80) to the FusionReactor licensing server

As part of our continuing effort to improve security and compliance, we are deprecating HTTP-only connections (port 80) to the FusionReactor licensing server, which the FusionReactor agent can currently use as a fallback, effective August 1, 2023.

For most FusionReactor users no action is required: the agent already uses HTTPS for its licensing connections by default. Agents behind restrictive firewalls, or running older JVM versions, may currently be unable to complete an HTTPS licensing connection and therefore need attention before the deadline.

Deprecating HTTP-only connections is a proactive step that aligns FusionReactor licensing with SOC 2 requirements for secure communication and protects our customers and their data.

This blog post will explore the reasons behind this change, its implications, and how you can smoothly transition to a more secure environment.

How to check whether you are using HTTP-only connections to licensing

Licensing for the FusionReactor agent defaults to HTTPS on port 443, with an automatic fallback to plain HTTP on port 80 if the HTTPS request cannot be completed. Because the fallback is automatic, an instance whose HTTPS attempts fail (a blocked port, an untrusted certificate, an old JVM) may have been licensing over port 80 without anyone noticing.

To confirm whether your instance uses HTTPS or HTTP-only connections for licensing, inspect the HTTP log of the instance by going to http://{hostname}:{port}/fusionreactor/findex.htm?p=logs&log=HTTP, or by opening FusionReactor (top left) > Logs and selecting the HTTP log.

If HTTPS connections are working correctly, every request to the licensing-api endpoint is logged with an https:// URL, as in the example below. Any licensing-api request logged with an http:// URL means that instance is using the fallback and needs one of the fixes described later in this post.

--- Beginning Of File ---
2023-07-13 13:32:23.635 INFO [0] [POST] https://api.fusionreactor.io/licensing-api/
2023-07-13 13:32:24.205 INFO [0] Request complete, response code 'HTTP/1.1 200 OK', content-length '874', duration '0.570391's
2023-07-13 13:32:27.082 INFO [1] [POST] https://api.fusionreactor.io/chat/v1/
2023-07-13 13:32:27.265 INFO [1] Request complete, response code 'HTTP/1.1 200 OK', content-length '1471', duration '0.183492's
2023-07-13 13:33:24.248 INFO [2] [POST] https://api.fusionreactor.io/licensing-api/
2023-07-13 13:33:24.515 INFO [2] Request complete, response code 'HTTP/1.1 200 OK', content-length '874', duration '0.266840's

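Checking the log by eye works for one instance; for a fleet it is easier to script. The following POSIX shell functions are an added example (not part of the original post and not FusionReactor's own tooling) that scan a saved copy of the HTTP log for licensing-api requests and report how many used https:// and how many used http://. The page does not show what a fallback request looks like in the log, so the script assumes it is written in the same one-line "[n] [POST] <url>" format as the HTTPS requests above, only with an http:// URL; the sample log at the bottom is constructed for the demo.

```shell
#!/bin/sh
# Added example, not FusionReactor's own tooling.
# Scan a saved FusionReactor HTTP log for licensing requests and report the
# scheme each one used. ASSUMPTION: an HTTP fallback request is logged in the
# same "[n] [POST] <url>" format as the HTTPS requests, with an http:// URL.

# Print "<https-count> <http-count>" for licensing-api POSTs found in log file $1.
# Other requests (for example /chat/v1/) are ignored.
licensing_scheme_counts() {
  awk '
    /\[POST\] https:\/\/[^ ]*\/licensing-api\// { tls++ }
    /\[POST\] http:\/\/[^ ]*\/licensing-api\//  { plain++ }
    END { printf "%d %d\n", tls + 0, plain + 0 }
  ' "$1"
}

# Succeed (exit 0) only if no plaintext licensing request appears in log file $1.
licensing_uses_https_only() {
  plain=$(licensing_scheme_counts "$1" | cut -d' ' -f2)
  [ "$plain" -eq 0 ]
}

# Print the offending lines so their timestamps can be matched against
# firewall or proxy logs when tracking down why HTTPS failed.
plaintext_licensing_requests() {
  grep -- '\[POST\] http://[^ ]*/licensing-api/' "$1" || true
}

# Usage: sh check-licensing-log.sh /path/to/fusionreactor-http.log
# With no argument, a constructed sample containing one fallback request is used.
if [ $# -gt 0 ]; then
  logfile=$1
else
  logfile=$(mktemp)
  cat >"$logfile" <<'EOF'
2023-07-13 13:32:23.635 INFO [0] [POST] https://api.fusionreactor.io/licensing-api/
2023-07-13 13:32:24.205 INFO [0] Request complete, response code 'HTTP/1.1 200 OK', content-length '874', duration '0.570391's
2023-07-13 13:33:24.248 INFO [2] [POST] http://api.fusionreactor.io/licensing-api/
2023-07-13 13:33:24.515 INFO [2] Request complete, response code 'HTTP/1.1 200 OK', content-length '874', duration '0.266840's
EOF
fi

if licensing_uses_https_only "$logfile"; then
  echo "OK: every licensing request used HTTPS"
else
  echo "WARNING: plaintext (port 80) licensing requests found:"
  plaintext_licensing_requests "$logfile"
fi
[ $# -gt 0 ] || rm -f "$logfile"
```

Save the HTTP log from each instance and run the script against it; a non-zero count in the second column, or any line printed under the warning, means that instance will lose licensing connectivity once port 80 is switched off and should be fixed using the steps below.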
Understanding SOC 2 compliance

SOC 2 (System and Organization Controls 2) is an auditing framework developed by the American Institute of Certified Public Accountants (AICPA). It assesses a service organization's controls for the security, availability, processing integrity, confidentiality, and privacy of the customer data it handles. A SOC 2 report demonstrates a commitment to maintaining strong security controls and safeguards customers' interests.

The deprecation of HTTP-only connections

Port 80 carries plaintext HTTP, so anyone on the network path between the agent and the licensing server can read or modify a licensing request. Deprecating it aligns FusionReactor with SOC 2 requirements for secure communication and removes the exposure to interception and tampering that plaintext traffic creates.

Going forward, every licensing request is made over HTTPS, which encrypts the exchange, protects its integrity, and lets the agent verify that it is talking to the genuine licensing server before it sends anything.

Preparing for the transition

If you are using HTTP-only connections (port 80) to license FusionReactor, please see the options below to ensure a smooth transition to HTTPS connections (port 443) and uninterrupted product use.

Check firewall permissions

Review your firewall (and any egress proxy) rules so that hosts running the FusionReactor agent can open outbound TCP connections on port 443 to the licensing endpoint, api.fusionreactor.io. The agent initiates every licensing request, so only an outbound rule is needed; a stateful firewall allows the return traffic automatically, and no inbound rule should be added for this.

Learn more: Firewall settings

Utilize the proxy settings within FusionReactor

FusionReactor provides proxy settings that allow you to configure it to work through a proxy server.

Identify the proxy server details (host, port, and credentials if required) and configure FusionReactor accordingly, ensuring that it can reach the licensing endpoint through the proxy. If the proxy inspects TLS and re-signs traffic with its own certificate authority, the JVM must also trust that authority; see the truststore steps below.

Update your Java version

Upgrade to a current Java release that includes recent security patches. Older JVMs may lack the TLS versions and cipher suites the licensing server accepts, or ship a root certificate bundle that predates the authority issuing its certificate, so the HTTPS connection on port 443 fails and the agent silently falls back to port 80.

Ensure that the new Java version is properly installed and configured on your system.

Configure your Java truststore

If the certificate chain presented by the licensing server is not trusted by your JVM (most often because an outbound proxy inspects TLS and re-signs traffic with a private certificate authority, or because the JVM's bundled root certificates are out of date), you will need to add the issuing certificate to the Java truststore.

1 – Identify the Java installation: Determine the location of your Java installation. The exact steps may vary depending on your operating system.

2 – Locate the Java truststore file: In most Java installations, the truststore file is named “cacerts”. For Java 8 it is in the “jre/lib/security” directory of the JDK (or “lib/security” of a standalone JRE); for Java 9 and later it is in “lib/security” directly under the Java home.

For example, on Windows:

C:\Program Files\Java\jdk1.8.0_XXX\jre\lib\security\cacerts

On Linux:

/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts

3 – Backup the existing truststore: It’s always a good idea to create a backup of the truststore before making any changes. Copy the “cacerts” file to a safe location as a backup.

4 – Obtain the certificate to trust: Capture the certificate chain that the licensing server presents to the agent host. Import the issuing certificate authority (the last certificate in that chain) rather than the server's own certificate, which is renewed regularly and would have to be re-imported after every renewal. Exporting from a web browser works only if the browser reaches the server over the same network path as the agent, so capture the chain from the agent host itself whenever an intercepting proxy may be in the path.

5 – Add the SSL certificate to the truststore: Use the keytool utility provided with Java to import the SSL certificate into the truststore. Open a command prompt or terminal and run the following command:

keytool -import -trustcacerts -keystore <path_to_trust_store> -alias <alias_name> -file <path_to_certificate>

5.1 – Replace <path_to_trust_store> with the path to the truststore file identified in step 2. Choose a unique <alias_name> to identify the certificate within the truststore, and replace <path_to_certificate> with the path to the certificate file obtained in step 4.

For example:

keytool -import -trustcacerts -keystore "C:\Program Files\Java\jdk1.8.0_XXX\jre\lib\security\cacerts" -alias mycert -file "C:\path\to\certificate.crt"

You will be prompted for the truststore password; unless it has been changed, the default is “changeit”. If the certificate cannot be chained to an authority already in the truststore, keytool also asks you to confirm that you trust it; answer yes only for the certificate you captured in step 4.

5.2 – Verify the certificate addition: You can use the keytool command to view the contents of the truststore and verify that the certificate has been added:

keytool -list -keystore <path_to_trust_store>

5.3 – Replace <path_to_trust_store> with the path to the truststore file.

6 – Restart the Java applications: If any Java applications were running while you updated the truststore, you need to restart them for the changes to take effect.
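Steps 1 to 6 carried through as one script. This is an added example, not FusionReactor's own tooling: it captures the chain the licensing server presents to this host, keeps only the last certificate in that chain (the issuer the server sent, rather than the short-lived leaf), backs up the truststore, imports the certificate with keytool, and lists the alias to confirm. It assumes openssl and keytool are on PATH, that the truststore password is the default “changeit”, that JAVA_HOME points at the JVM running the agent, and that the licensing host is api.fusionreactor.io as seen in the log above. The alias fusionreactor-licensing-ca and the FR_HOST and TRUSTSTORE environment variables are names chosen for this example.

```shell
#!/bin/sh
# Added example, not FusionReactor's own tooling.
# Fetch the chain the licensing server presents, import its issuer into the JVM
# truststore, and verify. Run as:  FR_HOST=api.fusionreactor.io sh add-licensing-ca.sh
# ASSUMPTIONS: openssl and keytool on PATH; truststore password is the default
# "changeit"; JAVA_HOME points at the JVM that runs the FusionReactor agent.

# From `openssl s_client -showcerts` output on stdin, print only the LAST
# certificate in the chain. That is the highest issuer the server sent (an
# intermediate or root), which stays valid across leaf certificate renewals.
# When an inspecting proxy re-signs traffic, this is the proxy's CA.
last_cert_in_chain() {
  awk '
    /-----BEGIN CERTIFICATE-----/ { buf = ""; collecting = 1 }
    collecting { buf = buf $0 "\n" }
    /-----END CERTIFICATE-----/   { collecting = 0; last = buf }
    END { printf "%s", last }
  '
}

# Count PEM certificates on stdin (sanity check that a chain was captured).
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Default truststore location: Java 8 keeps it under jre/, Java 9+ under lib/.
default_truststore() {
  : "${JAVA_HOME:?JAVA_HOME must be set}"
  if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
    echo "$JAVA_HOME/jre/lib/security/cacerts"
  else
    echo "$JAVA_HOME/lib/security/cacerts"
  fi
}

# import_ca <truststore> <ca.pem> <alias>: back up, import, then list the alias
# so the import is confirmed (step 5.2) before the agent is restarted (step 6).
import_ca() {
  cp -p "$1" "$1.bak.$(date +%Y%m%d%H%M%S)"
  keytool -importcert -noprompt -trustcacerts -keystore "$1" -storepass changeit \
          -alias "$3" -file "$2"
  keytool -list -keystore "$1" -storepass changeit -alias "$3"
}

if [ -n "${FR_HOST:-}" ]; then
  pem=$(mktemp)
  # Capture the chain from the agent host itself so any proxy in the path is seen.
  openssl s_client -connect "$FR_HOST:443" -servername "$FR_HOST" -showcerts \
    </dev/null 2>/dev/null | last_cert_in_chain >"$pem"
  [ "$(count_certs <"$pem")" -eq 1 ] || { echo "no certificate captured from $FR_HOST:443" >&2; exit 1; }
  import_ca "${TRUSTSTORE:-$(default_truststore)}" "$pem" fusionreactor-licensing-ca
  rm -f "$pem"
fi
```

Run it on the same host, and with the same proxy settings, that the agent uses; if the captured issuer turns out to be a public root already present in cacerts, the import is harmless but the real cause of the HTTPS failure is elsewhere (firewall, proxy, or JVM version), and the earlier options apply instead.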

Need further assistance?

Reach out in the chat bubble or contact support.