About default login security

Build Forge includes login security by default. When a user logs in, the request is redirected to an authentication servlet. The user name and password that the user enters are encrypted for use by the servlet. If the login is successful, the console user interface home is shown. The subsequent session communications between the client and the console might be over HTTP (the default) or over HTTPS. Using HTTPS requires additional configuration of the system. See Enabling SSL and HTTPS.

During installation, you provide a password for the keystore that is used for encryption. You also have the option of installing a self-signed certificate.

Certificate messages about self-signed certificate

If you have Build Forge install a self-signed certificate, users accessing the system through a security-enabled browser get warning messages about the certificate.

To prevent those warnings, distribute the certificate to users for installation in their browser. The specifics of installing the certificate vary by browser. Consult the browser documentation.

The certificate is located in <bfinstall>/keystore.

Disabling default login security

If login security is disabled, user credentials are communicated to the console in unencrypted clear text during login. Disabling login security does not affect the use of HTTPS/SSL by the console, if the console is configured to use it.

To disable the authentication servlet, complete the following steps:

  1. Stop Build Forge if it is running.
  2. Edit <bfinstall>/buildforge.conf to specify HTTP and port 8080 in communications with the services layer.
    Change this line:
    services_url https://hostname:8443/jas
    to the following:
    services_url http://hostname:8080/jas
  3. Edit the services layer configuration file to turn off forced SSL. Edit <bfinstall>/Apache/tomcat/webapps/jas/WEB-INF/web.xml. Change the ForceHttps setting to false. If the setting is not in the file, add it as shown in the ForceHttps init-param element below.
    <display-name>A Services Layer Bootstrap Servlet</display-name>
    <servlet>
       <servlet-name>ServicesBootstrap</servlet-name>
       <servlet-class>com.buildforge.services.server.web.BootstrapServlet</servlet-class>
       <init-param>
          <param-name>port</param-name>
          <param-value>3966</param-value>
       </init-param>
       <init-param>
          <param-name>sslPort</param-name>
          <param-value>49150</param-value>
       </init-param>
       <init-param>
          <param-name>ForceHttps</param-name>
          <param-value>false</param-value>
       </init-param>
       <load-on-startup>0</load-on-startup>
    </servlet>
  4. Start Build Forge.
Note: If the authentication servlet is disabled, user credentials are communicated in clear text over the network, which is a security risk.
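
The following audit check is an added example and is not part of the Build Forge documentation or product. It reports whether an installation is in the state that the steps above produce: a services_url that is not https in buildforge.conf, or a ForceHttps value of false in web.xml. The function names and sample inputs are constructed for illustration, and the code assumes buildforge.conf uses the "key value" line format shown in step 2.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample inputs mirroring the edited files shown in the steps above.
SAMPLE_CONF = "services_url http://hostname:8080/jas\n"
SAMPLE_WEB_XML = """<web-app>
  <display-name>A Services Layer Bootstrap Servlet</display-name>
  <servlet>
    <servlet-name>ServicesBootstrap</servlet-name>
    <init-param>
      <param-name>ForceHttps</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>"""

def _local(tag):
    """Strip an XML namespace prefix such as '{uri}servlet' down to 'servlet'."""
    return tag.rsplit("}", 1)[-1]

def services_url_findings(conf_text):
    """Report services_url entries in buildforge.conf that do not use https."""
    findings = []
    for line in conf_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "services_url":
            if urlparse(parts[1]).scheme.lower() != "https":
                findings.append("services_url is not https: " + parts[1])
    return findings

def force_https_findings(web_xml_text):
    """Report servlets in web.xml whose ForceHttps init-param is explicitly false."""
    findings = []
    for servlet in ET.fromstring(web_xml_text).iter():
        if _local(servlet.tag) != "servlet":
            continue
        name = "(unnamed)"
        for child in servlet:
            fields = {_local(c.tag): (c.text or "").strip() for c in child}
            if _local(child.tag) == "servlet-name":
                name = (child.text or "").strip()
            elif (_local(child.tag) == "init-param"
                  and fields.get("param-name") == "ForceHttps"
                  and fields.get("param-value", "").lower() == "false"):
                findings.append("servlet %s: ForceHttps is false" % name)
    return findings

if __name__ == "__main__":
    for finding in services_url_findings(SAMPLE_CONF) + force_https_findings(SAMPLE_WEB_XML):
        print(finding)
```

An absent ForceHttps element is not reported, because the check only flags an explicit false value.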
