8.8 Security

Quick Overview

Starting with v2.0.6, there is a new settings page that allows users to configure all security aspects of the product.

The old procedure is still supported and details can be found here.

Step by step guide

  1. Navigate to Settings → Security.

  2. An SSL/TLS certificate must be created before HTTPS can be activated, so navigate to the Manage Certificates tab and click ADD CERTIFICATE.
    A panel will open to the side prompting for the required input. Fill out the required fields and click ADD.
    Note: Refer to "Information regarding certificates" to obtain a certificate and certificate key.

  3. The newly created certificate should now appear in the available certificates list.

  4. Navigate back to the Configure tab and observe that it is now possible to enable HTTPS.

  5. Fill in the desired settings in the configuration window. The table below describes each setting in detail:

    Name          Description

    Host          DNS name or IP address of the machine running the MetaDefender Vault server.
                  A DNS name will cause the server to listen on all network interfaces.
                  An IP address will bind the server to that particular address.
                  Note: this value is also used to generate links in email notifications.

    Port          The port used to listen for connections.

    Certificate   Name of the certificate created in step 2.

    TLS version   TLS protocol version to use.
                  By default TLSv1.2 and TLSv1.3 will be enabled if the operating system allows it.
                  Connections with clients that do not support at least one of the configured TLS versions will fail.

  6. Click UPDATE and wait to be redirected to the new URL.

Enforcing TLS version

If you are upgrading from a previous version, or you deliberately leave all TLS options unchecked, Vault defaults to the following:

  • outbound connections (i.e. requests made by Vault) use the operating system default TLS protocol

  • inbound web requests are served by Vault's web server (NGINX), which defaults to TLS v1.2 or TLS v1.3

If you wish to enforce a particular TLS version, select only that option. Note that in order to enforce v1.3, your system needs to be up to date and have at least .NET Framework 4.8 installed.
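
One way to confirm the enforcement from a client machine, as an added example that is not part of the Vault product or its documentation: the script pins a handshake to each TLS version in turn and compares what the listener accepts with the versions selected on the Configure tab. The host name in the usage comment is a placeholder, the function names are this example's own, and Python 3.7 or later is assumed.

```python
import socket
import ssl
import sys

VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

def probe(host, port, name, timeout=5.0):
    """Return True if a handshake pinned to exactly one TLS version succeeds."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Only the protocol version is under test, so a self-signed certificate
    # must not abort the handshake. Do not reuse this context for real traffic.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = VERSIONS[name]
        ctx.maximum_version = VERSIONS[name]
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (OSError, ValueError):
        # Refused connection, handshake alert, timeout, or a version that
        # this client's own OpenSSL build cannot offer.
        return False

def audit(accepted, enforced):
    """Compare probe results with the versions ticked on the Configure tab."""
    findings = []
    for name in VERSIONS:
        if accepted.get(name) and name not in enforced:
            findings.append(f"{name} accepted but not selected")
        elif name in enforced and not accepted.get(name):
            findings.append(f"{name} selected but not negotiated")
    return findings

if __name__ == "__main__":
    # Usage (placeholder host): python tls_check.py vault.example.test 443 TLSv1.3
    host, port, enforced = sys.argv[1], int(sys.argv[2]), set(sys.argv[3:])
    accepted = {name: probe(host, port, name) for name in VERSIONS}
    for name, ok in accepted.items():
        print(f"{name}: {'accepted' if ok else 'not negotiated'}")
    problems = audit(accepted, enforced)
    print("\n".join(problems) or "listener matches the selected TLS versions")
    sys.exit(1 if problems else 0)
```

A "not negotiated" result for TLS 1.0 or 1.1 can also come from the client side, since many current OpenSSL builds refuse to offer those versions; run the check from a client that still supports them before concluding the server rejects them.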