TLS configuration for EFM
Learn about the properties that you need to set to configure TLS for Edge Flow Manager (EFM).
When TLS is disabled, EFM runs in an unsecured mode where the web endpoints are accessible over HTTP on all network interfaces and clients are not authenticated. When unsecured, all clients are anonymous and have full access to the application. For this reason, insecure mode should only be used for test or development purposes and when EFM is not accessible through the public Internet.
For production environments, always enable security by configuring a TLS context and a method of user authentication.
Securing an EFM instance starts with configuring a TLS context, also known as an SSL context. Enabling TLS enforces that all usage of the EFM web application as well as agent communication is authenticated and that the authenticated user or agent is allowed to perform requested actions based on policies.
efm.server.ssl.* prefixed properties in the
efm.server.ssl.enabled=true
efm.server.ssl.keyStore=/path/to/keystore.jks
efm.server.ssl.keyStoreType=jks
efm.server.ssl.keyStorePassword=keyStorePassword
efm.server.ssl.keyPassword=keyPassword
efm.server.ssl.trustStore=/path/to/truststore.jks
efm.server.ssl.trustStoreType=jks
efm.server.ssl.trustStorePassword=trustStorePassword
efm.server.ssl.clientAuth=WANT
efm.server.ssl.enabled: true to enable TLS and secure EFM.
efm.server.ssl.keyStore: The file path to the keystore containing the EFM TLS keypair.
efm.server.ssl.keyStoreType: pkcs12 depending on the format of the keystore. Other formats are not supported.
efm.server.ssl.keyStorePassword: The passphrase for the keystore.
efm.server.ssl.keyPassword: The passphrase for the key in the keystore.
efm.server.ssl.trustStore: The file path to the truststore containing the public certificates of the Certificate Authorities (CA) trusted by EFM.
efm.server.ssl.trustStoreType: pkcs12 depending on the format of the truststore. Other formats are not supported.
efm.server.ssl.trustStorePassword: The passphrase for the truststore.
efm.server.ssl.clientAuth: WANT to allow MiNiFi agents to authenticate to EFM with TLS client certificates, but allow users to use an alternative form of authentication (such as SSO). If users are also using mutual TLS with client certificates in browsers, then this can be set to
For more information regarding generating keystores and truststores for EFM, see TLS keys and certificates.
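Added example, not part of the EFM documentation or product: a Python check that reads the efm.server.ssl.* properties described above and reports TLS being disabled, missing values, values left at this page's sample placeholders, and store types other than the two that appear on this page. It assumes plain key=value lines and that every property in the sample block is expected to be set; the function names and the sample input are constructed for illustration.

```python
PREFIX = "efm.server.ssl."
REQUIRED = ["keyStore", "keyStoreType", "keyStorePassword", "keyPassword",
            "trustStore", "trustStoreType", "trustStorePassword", "clientAuth"]
STORE_TYPES = {"jks", "pkcs12"}  # the only store type values that appear on this page
SAMPLE_VALUES = {"/path/to/keystore.jks", "/path/to/truststore.jks",
                 "keyStorePassword", "keyPassword", "trustStorePassword"}

def parse_properties(text):
    """Return {short_name: value} for efm.server.ssl.* lines (assumes key=value syntax)."""
    props = {}
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition("=")
        key = key.strip()
        if sep and key.startswith(PREFIX):  # commented-out lines never start with the prefix
            props[key[len(PREFIX):]] = value.strip()
    return props

def lint_tls(text):
    """Return a list of findings; an empty list means the TLS block looks complete."""
    props = parse_properties(text)
    if props.get("enabled", "").lower() != "true":
        return ["enabled: TLS is off, EFM serves HTTP to anonymous clients"]
    findings = []
    for name in REQUIRED:
        value = props.get(name, "")
        if not value:
            findings.append(f"{name}: missing or empty")
        elif value in SAMPLE_VALUES:
            findings.append(f"{name}: still set to the documentation sample value")
    for name in ("keyStoreType", "trustStoreType"):
        if props.get(name) and props[name].lower() not in STORE_TYPES:
            findings.append(f"{name}: unsupported store type {props[name]!r}")
    return findings

# Constructed sample input (not a real deployment).
SAMPLE = """\
efm.server.ssl.enabled=true
efm.server.ssl.keyStore=/opt/efm/conf/keystore.p12
efm.server.ssl.keyStoreType=bcfks
efm.server.ssl.keyStorePassword=keyStorePassword
efm.server.ssl.trustStore=/opt/efm/conf/truststore.p12
efm.server.ssl.trustStoreType=pkcs12
efm.server.ssl.trustStorePassword=s3cr3t-constructed
efm.server.ssl.clientAuth=WANT
"""

if __name__ == "__main__":
    for finding in lint_tls(SAMPLE):
        print(finding)
```

Run against the constructed sample, it reports the copied sample keystore passphrase, the absent key passphrase, and the unrecognised keystore type.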