Secure Nuix Investigate

The following sections describe the methods available to secure Nuix Neo.

Enable Transport Layer Security (TLS)

To ensure that all communications within Nuix Neo are secure, it is recommended that TLS be enabled before using the applications in a production environment. TLS is an encryption protocol intended to keep data secure when transferred over a network. If TLS was not configured during the initial installation of Nuix Neo or its shared services, it can be set up at any time following the steps in this section.

Nuix Neo supports TLS versions 1.2 and 1.3.

Note: TLS must be enabled within Keycloak and the Nuix Gateway service to completely secure Nuix Neo.

TLS can be enabled using either of two methods:

Providing the certificate and private key directly as PEM files

Providing them in a password-protected PKCS#12 (PFX) keystore

Note: Use a certificate issued by a Certificate Authority (CA) that the client browsers trust. A certificate from an untrusted issuer produces browser warnings and, as described under Secure Microsoft Office Online Server, makes the Near Native Viewer unavailable.

PEM certificate requirements

Requirements:

All certificates must be PEM encoded, with the private key in PKCS#8 PEM format.

The certificate must be issued with a Common Name (CN) that matches the fully qualified domain name (FQDN) under which Nuix Neo is accessed.

The certificate's Subject Alternative Names (SANs) must also contain that FQDN. Chrome and the other current browsers validate the host name against the SAN extension only and ignore the CN, so a certificate with a matching CN but no matching SAN still produces a name-mismatch warning.

To apply PEM certificates directly, see the Secure Keycloak and Secure Nuix Gateway sections for instructions.

Generate a PFX keystore

To keep the certificate and private key together in a single password-protected file, a PKCS#12 (PFX) keystore generated from your PEM based certificate and key can be used instead of the loose PEM files.

Prerequisite: The following procedure uses OpenSSL for keystore generation. Download and install the OpenSSL Binary before proceeding.

Generate a PFX keystore:

Open a command prompt and navigate to a directory where the PFX keystore will be generated.

Enter and run the following command to generate a PFX keystore:

openssl pkcs12 -export -out keystoreName.pfx -inkey C:/path.to.PEM.key -in C:/path.to.PEM.crt -password pass:mypassword

Note: If the certificate was issued by an intermediate CA, add the intermediate certificate(s) with -certfile <chain.pem> so that the keystore, and therefore the server, presents the full chain. A password given as pass:<mypassword> is recorded in the command history and visible in the process list; -password env:<VARIABLE> or -password stdin avoids this.

Parameters:

-export -out <keystoreName.pfx>
    Export a PFX keystore with the provided path and file name.

-inkey <PEM.key>
    Path to the PEM based private key.

-in <PEM.crt>
    Path to the PEM based certificate.

-password pass:<mypassword>
    Password used to protect the PFX keystore.

Encrypt the keystore password:

This step is optional, but if it is not performed, the password that protects the keystore is stored in plain text in keycloak.conf.

Open a command prompt and navigate to the following Nuix Keycloak installation directory:

cd C:\Program Files\Nuix-Shared-Services\Nuix-Keycloak\keycloak\providers

Enter and run the following command to generate an encrypted password for the keystore:

java -jar nuix-keycloak-config.jar <nuix-secret> <keystore password>

Parameters:

<nuix-secret>
    The nuix-secret value is located within the following file:
    C:\Program Files\Nuix-Shared-Services\Nuix-Keycloak\config\keycloak.conf

<keystore password>
    The password defined when generating the PFX keystore.

Make note of the encrypted password that is returned. Both arguments are passed on the command line, so they are recorded in the command history; clear it afterwards.

Secure Keycloak

To enable TLS within Keycloak using only PEM based certificates:

Navigate to the following Nuix Keycloak installation directory:

C:\Program Files\Nuix-Shared-Services\Nuix-Keycloak\config

Open the keycloak.conf file in a text editor with elevated privileges.

Locate the following properties and provide the complete path on the local file system to a valid PEM based certificate and key file:

https-certificate-file=

https-certificate-key-file=

Locate the http-enabled property and change its value to false.

Save the file and restart the Nuix Keycloak service.

Update the Keycloak URL within the Nuix Configuration Utility to complete the configuration.

The Nuix Keycloak service is now secured using TLS and is available at the secured host and port that were configured during installation. For example: https://localhost:8443/.

To enable TLS within Keycloak using a PFX keystore:

Navigate to the following Nuix Keycloak installation directory:

C:\Program Files\Nuix-Shared-Services\Nuix-Keycloak\config

Open the keycloak.conf file in a text editor with elevated privileges.

At the bottom of the existing Host Settings, add the following properties and provide the complete path to a PFX keystore and its password:

https-key-store-file=

nuix-secured-https-key-store-password=<encrypted password>

#https-key-store-password=<uncomment if using a plain text password>

Locate the http-enabled property and change its value to false.

Save the file and restart the Nuix Keycloak service.

Update the Keycloak URL within the Nuix Configuration Utility to complete the configuration.

Note: If both methods are configured, Keycloak will default to using the PEM files over the keystore.

Update the Keycloak URL within the Nuix Configuration Utility

After enabling TLS, the URL used by the Nuix Configuration Utility to access Keycloak must be updated to reflect the new HTTPS based address.

To update the Keycloak URL:

Navigate to the following Nuix installation directory:

C:\Program Files\Nuix\Nuix-Config\properties

Locate the keyCloakUrl property and update the URL to use https and the secured Keycloak port, keeping the /realms/nuix path.

For example: keyCloakUrl=https://localhost:8443/realms/nuix

Save and restart all installed Nuix Neo services.

The Nuix Keycloak service is now secured using TLS and is available at the secured host and port that were configured during installation.

Secure Nuix Gateway

Before enabling TLS for the Nuix Gateway, ensure that your Nuix Keycloak instance is configured with Valid redirect URIs that correspond to the secured hosts and ports being used by Nuix Neo. See the Keycloak Define valid redirect URIs configuration section within the Nuix Neo Installation Guide for details on this process.

To enable TLS within the Nuix Gateway using only PEM based certificates:

Navigate to the following Nuix installation directory:

C:\Program Files\Nuix\Nuix-Config\properties\gateway

Open the application.properties file in a text editor with elevated privileges.

Locate the following properties and provide the complete path on the local file system to a valid PEM based certificate and key file:

server.ssl.certificate=

server.ssl.certificate-private-key=

Locate the server.ssl.enabled property and change its value to true.

Save the file and restart the Nuix Gateway service.

The Nuix Gateway and all services that operate behind it are now secured using TLS. Nuix services are now available at the secured host and port that were configured during installation. For example: https://localhost:8999/.

To enable TLS within the Nuix Gateway using a PFX keystore:

Navigate to the following Nuix installation directory:

C:\Program Files\Nuix\Nuix-Config\properties\gateway

Open the application.properties file in a text editor with elevated privileges.

Locate and update the SSL settings to match the following properties:

server.ssl.enabled=true

server.ssl.keyStoreType=PKCS12

server.ssl.keystore=<path/to/keystore.pfx>

server.ssl.keyStorePassword=<plain text password>

server.ssl.keyAlias=1

server.ssl.enabledProtocols=TLSv1.2,TLSv1.3

Provide the complete path to the PFX keystore and its password. The alias 1 is the entry name that results when the keystore was exported with OpenSSL without a -name option; if you supplied -name during export, use that value for server.ssl.keyAlias.

Note: The server.ssl.keyStorePassword value is encrypted automatically when the Nuix Configuration Utility and Nuix Gateway services are restarted. See Dynamic encryption for more information.

Ensure that the server.ssl.enabled property is set to true.

Save the file and restart the Nuix Gateway service.

The Nuix Gateway and all services that operate behind it are now secured using TLS. Nuix services are now available at the secured host and port that were configured during installation.

For example: https://localhost:8999/.

Secure Microsoft Office Online Server (Nuix Investigate)

If a Microsoft Office Online Server (MSOOS) is provisioned in the environment to enable the Near Native Viewer feature, communication between Nuix Neo and the MSOOS can be secured using TLS.

Note: See the Nuix Investigate MSOOS Quick Start Guide to install a Microsoft Office Online Server, configure the Near Native Viewer, and configure TLS for MSOOS.

Before you begin

Restricting HTTPS traffic to TLS v1.3 only currently breaks the MSOOS integration for the Near Native Viewer. TLS v1.3 can be enabled in conjunction with TLS v1.2, but TLS v1.2 must remain available.

To enable TLS protocol version 1.2 (and optionally 1.3) on the Office Online Server (OOS) and verify that it is compliant, follow https://docs.microsoft.com/en-us/officeonlineserver/enable-tls-1-1-and-tls-1-2-support-in-office-online-server.

Then add the MSOOS certificate to the JRE truststore (cacerts) used by Nuix Investigate:

cd to C:\Program Files\Common Files\i4j_jres\<latest JRE version number>

Run: .\bin\keytool.exe -import -trustcacerts -file <path\MSOOSCertName> -alias MSOFFICE -keystore .\lib\security\cacerts -noprompt -storepass changeit

Note: changeit is the default password of the JRE cacerts truststore; if it has been changed on this host, use the current password. This is the same import that the Import the certificate to Nuix Investigate section below describes in more detail.

To secure Microsoft Office Online Server:

For a fresh install, the Nuix Investigate keystore is generated when the application first starts. It is located at:

Windows: C:/ProgramData/Nuix/.keystore

Linux: /opt/Nuix/.keystore

Run the following keytool command on each instance in the Nuix Investigate cluster, replacing <keystore file location> with the path above and moos.cer with the certificate exported from the MSOOS:

keytool -import -storepass changeit -alias moos_trust -keystore <keystore file location> -file moos.cer

Only use a valid TLS certificate from a trusted Certificate Authority when enabling TLS. A self-signed certificate can be applied if necessary, but only for testing purposes. For information on generating a certificate for testing purposes, see Generate a self-signed certificate.

Note: The certificate applied to the MSOOS must be issued with a Common Name that matches the external URL of the computer hosting the Office Online Server. Because the Near Native Viewer is loaded by the user's browser directly from the MSOOS, the same name must also appear in the certificate's Subject Alternative Names.

Import the certificate to Nuix Investigate

After applying a certificate to the MOOS, you must also import the same certificate to the Java Runtime Environment (JRE) keystore used by Nuix Investigate to ensure that the two applications can communicate.

To import the certificate:

Open a command prompt with administrative privileges on the computer where Nuix Investigate is installed.

Navigate to the location where Java is installed.

Windows: C:\Program Files\Common Files\i4j_jres\<latest JRE version number>

Linux: /usr/lib/jvm/adoptopenjdk-11-hotspot-jre-amd64/

Run the command to import the MSOOS certificate into the JVM truststore, as follows:

Windows: .\bin\keytool.exe -import -trustcacerts -file <MSOOS cert path> -alias MSOOS -keystore .\lib\security\cacerts -storepass changeit -noprompt

Linux: ./bin/keytool -import -trustcacerts -file <MSOOS cert path> -alias MSOOS -keystore lib/security/cacerts -storepass changeit -noprompt

Replace <MSOOS cert path> with the location of the certificate used on the MSOOS. The alias only needs to be unique within the truststore; if the certificate was already imported under the alias MSOFFICE as described in Before you begin, this step is already complete.

Restart the Nuix Investigate service for the changes to take effect.

Import Nuix Investigate certificate to MSOOS

After completing the TLS configuration of the MSOOS, the certificate used to secure Nuix Investigate must be trusted by the MSOOS host computer to ensure that the two applications can communicate.

To import the certificate:

Copy the certificate used by the Nuix Gateway onto the MSOOS host computer.

Open an elevated PowerShell session on the MSOOS host and enter the following command:

Import-Certificate -FilePath <Path\NuixCertName>.crt -CertStoreLocation Cert:\LocalMachine\Root

Replace <Path\NuixCertName> with the location and name of the certificate used to secure the Nuix Gateway.

Note: Cert:\LocalMachine\Root is the Trusted Root Certification Authorities store, so a certificate placed there becomes a trust anchor for the whole host. If the Gateway certificate was issued by a public CA that the MSOOS host already trusts, no import is required; if it was issued by a private CA, import that CA's root certificate rather than the Gateway's own certificate.

TLS configuration of the Microsoft Office Online Server is now complete and all communication between the two applications is secured.

Warning: The Nuix Gateway service must be secured using a valid TLS certificate from a trusted provider. If you apply the default self-signed certificate available in the Nuix Configuration Utility for testing, the Near Native Viewer functionality becomes unavailable.

Dynamic encryption

Nuix services provide dynamic encryption of sensitive configuration properties at startup. The following system properties, commonly configured during installation, are encrypted automatically when each Nuix service is started:

spring.datasource.password

licensing.securePassword

server.ssl.keyStorePassword

If values for these properties are updated using the Nuix Configuration Utility, the new values will be re-encrypted after the affected Nuix service is restarted.

The ability to encrypt user provided secrets dynamically is also available. Custom user-defined properties that are added and saved to any Nuix service application.properties file can be dynamically encrypted after restarting the service.

To encrypt a user defined property/secret:

Navigate to the directory where the Nuix service application.properties files are installed.

Default: <root-installation-directory>\Nuix\Web Platform\Nuix-Config\Properties

Locate and open the application.properties file for a Nuix service.

Use the following syntax to add one or more property/secret pairs to be encrypted:

Note: To include two or more properties, append .x to each nuix.encrypted.properties instance where x is a unique integer value.

nuix.encrypted.properties.1=userdefined.property.1
nuix.encrypted.properties.2=userdefined.property.2

userdefined.property.1=secret1
userdefined.property.2=secret2

Restart Nuix-Config, Nuix-Gateway, and any other service, if any, that was modified.

All plain text secrets defined for each user defined property are now encrypted.

userdefined.property.1={cipher}78129902b0f8ec3ec979ef3e96dacb73f458641ebde0f55451c0ab70877915da

userdefined.property.2={cipher}d3a2f5bed017f6d888c05a6b11903dc6d4a44b2caced1df7434d89f952fed548

Note: Secrets that have been dynamically encrypted are prepended with a {cipher} indicator.
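After the restart it is easy to miss a secret that was never listed under nuix.encrypted.properties, or a duplicated index that silently shadows an earlier entry, so the file still carries a plain text password. The following Python script is an added example, not Nuix code: it parses an application.properties file, works out which keys the page says will be encrypted (the three built-in properties plus every key named by a nuix.encrypted.properties entry), and reports which of them are still plain text. The sample file content is constructed for the example; the {cipher} values are the ones shown on this page.

```python
"""Audit a Nuix service application.properties file for secrets that should have
been dynamically encrypted. Added example, not Nuix code; SAMPLE is constructed."""
import re
import sys
from typing import Dict, List, Set, Tuple

# Properties the guide says are always encrypted at service start-up.
ALWAYS_ENCRYPTED = ("spring.datasource.password", "licensing.securePassword", "server.ssl.keyStorePassword")
CIPHER_PREFIX = "{cipher}"
ENC_LIST_KEY = re.compile(r"^nuix\.encrypted\.properties(?:\.\d+)?$")


def parse_properties(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Minimal key=value parser (comments with # or !, no line continuations).
    The last duplicate wins, as in java.util.Properties; duplicates are reported."""
    props: Dict[str, str] = {}
    duplicates: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key = key.strip()
        if key in props and key not in duplicates:
            duplicates.append(key)
        props[key] = value.strip()
    return props, duplicates


def expected_encrypted(props: Dict[str, str]) -> Set[str]:
    """Keys whose values must carry the {cipher} prefix once the service has restarted."""
    keys = {k for k in ALWAYS_ENCRYPTED if k in props}
    for key, value in props.items():
        if ENC_LIST_KEY.match(key):
            keys.add(value)
    return keys


def audit(text: str) -> Dict[str, List[str]]:
    """Classify every expected-encrypted key as encrypted, plaintext or dangling."""
    props, duplicates = parse_properties(text)
    report: Dict[str, List[str]] = {"encrypted": [], "plaintext": [], "dangling": [], "duplicate_keys": duplicates}
    for key in sorted(expected_encrypted(props)):
        if key not in props:
            report["dangling"].append(key)  # listed for encryption but never defined
        elif props[key].startswith(CIPHER_PREFIX):
            report["encrypted"].append(key)
        else:
            report["plaintext"].append(key)
    return report


# Constructed sample: one built-in secret still in plain text, a user secret that
# was encrypted, and a duplicated index .2 that shadows the first entry.
SAMPLE = """\
# constructed sample, not a real Nuix properties file
spring.datasource.password=Sup3rSecret
server.ssl.keyStorePassword={cipher}78129902b0f8ec3ec979ef3e96dacb73f458641ebde0f55451c0ab70877915da
nuix.encrypted.properties.1=userdefined.property.1
nuix.encrypted.properties.2=userdefined.property.2
nuix.encrypted.properties.2=userdefined.property.3
userdefined.property.1=secret1
userdefined.property.2={cipher}d3a2f5bed017f6d888c05a6b11903dc6d4a44b2caced1df7434d89f952fed548
userdefined.property.3=secret3
"""

if __name__ == "__main__":
    if len(sys.argv) == 1:
        print(audit(SAMPLE))
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            print(path, audit(fh.read()))
```

Point the script at each service's application.properties after the restart described above; anything under plaintext has not been encrypted, and a non-empty duplicate_keys list explains why a secret you expected to be covered was skipped.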


Content Security Policy (CSP)

Nuix Neo includes Content Security Policy (CSP) support, which protects against Cross-Site Scripting and data injection attacks by restricting the sources from which the browser may load scripts, frames, images and other content. Nuix provides default CSP settings; however, additional policy directives may be required. To define CSP directives, modify the Nuix Gateway Content Security Policy property within the Nuix Configuration Utility.

Important: CSP configuration is required if the Nuix Investigate Near Native viewer URL or Map tile server URL properties are configured within the Nuix Configuration Utility.

See Mozilla's Content-Security-Policy reference or other online sources to learn more about configuring Content Security Policy directives.

Nuix also recommends using a CSP validator to ensure proper syntax and formatting is used. Validators can easily be found online.

To modify Content Security Policy settings:

Access the Nuix Configuration Utility.

Select Gateway from the service selector menu, then locate the Content Security Policy property.

Update the property using valid policy directives, terminating each directive with a semicolon.

Note: If configured, the following Nuix Investigate properties must also be reflected in the policy. Use the origin of each URL (scheme and host, plus the port if it is not the default for the scheme) rather than the full URL with its path:
- Add the mapTileServerUrl origin to connect-src
- Add the nearNativeServerUrl origin to frame-src

For example:
default-src 'self'; script-src 'self' 'unsafe-inline' https://maps.googleapis.com https://maps.google.com blob:; connect-src 'self' https://maps.googleapis.com https://<mapTileServerUrl>; frame-src 'self' https://<nearNativeServerUrl>; style-src 'self' 'unsafe-inline' https://maps.google.com https://fonts.googleapis.com; img-src 'self' https://maps.google.com https://maps.gstatic.com data:; font-src 'self' https://fonts.gstatic.com;

The 'unsafe-inline' source in the script-src of this example permits inline scripts and therefore removes much of the protection CSP offers against Cross-Site Scripting. Keep it only if the application requires it, and never widen script-src further with * or additional 'unsafe-' keywords.

Click Save Configuration to finalize any changes made.

After saving a configuration change, the service affected by the change must be restarted. See Service status for instructions on performing this task within the Nuix Configuration Utility.

After configuring CSP, the Near native viewer and maps analytic should function as expected within Nuix Investigate. If those features appear blank or display a Content Blocked error message, review the CSP directives that you defined to ensure that all directives, URLs, and formatting are correct.
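Because a malformed policy only shows up as a blank viewer or a Content Blocked error in the browser, it helps to check the string before saving it. The following Python validator is an added example, not part of Nuix's tooling: it parses a serialized policy the way a browser does (directives split on semicolons, first occurrence of a duplicate wins), flags unknown and duplicated directives, confirms that the mapTileServerUrl origin is permitted by connect-src and the nearNativeServerUrl origin by frame-src (including the CSP fallback to default-src and child-src), and warns about 'unsafe-inline', 'unsafe-eval' or * in script-src. The host names tiles.example.internal and moos.example.internal are constructed placeholders, and the source-matching logic is a simplified form of the CSP host-source algorithm that ignores paths.

```python
"""Offline validator for the Nuix Gateway Content Security Policy string.
Added example, not Nuix code. Host names below are constructed placeholders."""
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

KNOWN_DIRECTIVES = {
    "default-src", "script-src", "script-src-elem", "script-src-attr", "style-src",
    "style-src-elem", "style-src-attr", "img-src", "font-src", "connect-src", "frame-src",
    "child-src", "worker-src", "media-src", "object-src", "manifest-src", "base-uri",
    "form-action", "frame-ancestors", "sandbox", "report-uri", "report-to",
    "upgrade-insecure-requests",
}
# Fetch directives fall back to these, in order, when absent (CSP Level 3).
FALLBACKS = {"connect-src": ["default-src"], "script-src": ["default-src"],
             "frame-src": ["child-src", "default-src"]}
DEFAULT_PORTS = {"https": 443, "http": 80}


def parse_csp(csp: str) -> Tuple[Dict[str, List[str]], List[str]]:
    """Split a serialized policy into {directive: [sources]} and collect syntax problems."""
    policy: Dict[str, List[str]] = {}
    problems: List[str] = []
    for chunk in csp.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        if name not in KNOWN_DIRECTIVES:
            problems.append(f"unknown directive '{name}'")
        if name in policy:  # browsers keep the first occurrence and ignore later duplicates
            problems.append(f"duplicate directive '{name}' (second copy is ignored)")
            continue
        policy[name] = sources
    return policy, problems


def _origin(url: str) -> str:
    u = urlparse(url)
    return f"{u.scheme}://{u.netloc}".lower()


def source_allows(source: str, url: str, self_origin: Optional[str] = None) -> bool:
    """Simplified host-source matching: scheme, wildcard host and port; paths are ignored."""
    s, u = source.lower(), urlparse(url)
    if s == "*":
        return True
    if s == "'self'":
        return self_origin is not None and _origin(self_origin) == _origin(url)
    if s.startswith("'"):  # other keyword sources ('unsafe-inline', nonces, hashes)
        return False
    if s.endswith(":"):  # scheme-source such as https:, data:, blob:
        return u.scheme == s[:-1]
    scheme, _, rest = s.rpartition("://")
    if scheme and scheme != u.scheme:
        return False
    host, _, port = rest.split("/", 1)[0].partition(":")
    if port and port != "*" and port != str(u.port):
        return False
    if not port and u.port is not None and u.port != DEFAULT_PORTS.get(u.scheme):
        return False
    uhost = (u.hostname or "").lower()
    if host.startswith("*."):
        return uhost.endswith(host[1:])  # *.example.com matches any depth below example.com
    return uhost == host


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Sources governing a directive after fallback; None means the policy does not restrict it."""
    for name in [directive] + FALLBACKS.get(directive, []):
        if name in policy:
            return policy[name]
    return None


def validate_policy(csp: str, map_tile_url: Optional[str] = None, near_native_url: Optional[str] = None,
                    self_origin: Optional[str] = None) -> Dict[str, object]:
    policy, problems = parse_csp(csp)
    warnings: List[str] = []
    if csp.strip() and not csp.strip().endswith(";"):
        warnings.append("policy does not end with ';' as the guide recommends")
    for directive, url, label in (("connect-src", map_tile_url, "mapTileServerUrl"),
                                  ("frame-src", near_native_url, "nearNativeServerUrl")):
        if not url:
            continue
        sources = effective_sources(policy, directive)
        if sources is None:
            warnings.append(f"{directive} is unrestricted; {label} loads but nothing is blocked")
        elif not any(source_allows(src, url, self_origin) for src in sources):
            problems.append(f"{label} origin {_origin(url)} is not allowed by {directive}")
    for risky in ("'unsafe-inline'", "'unsafe-eval'", "*"):
        if risky in (effective_sources(policy, "script-src") or []):
            warnings.append(f"script-src contains {risky}, which largely defeats CSP's XSS protection")
    return {"ok": not problems, "problems": problems, "warnings": warnings, "directives": policy}


# Constructed placeholders; substitute the real values from the Configuration Utility.
MAP_TILES = "https://tiles.example.internal/osm/{z}/{x}/{y}.png"
NEAR_NATIVE = "https://moos.example.internal/hosting/discovery"
EXAMPLE_POLICY = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-inline' https://maps.googleapis.com https://maps.google.com blob:; "
    "connect-src 'self' https://maps.googleapis.com https://tiles.example.internal; "
    "frame-src 'self' https://moos.example.internal; "
    "style-src 'self' 'unsafe-inline' https://maps.google.com https://fonts.googleapis.com; "
    "img-src 'self' https://maps.google.com https://maps.gstatic.com data:; "
    "font-src 'self' https://fonts.gstatic.com;"
)

if __name__ == "__main__":
    print(validate_policy(EXAMPLE_POLICY, MAP_TILES, NEAR_NATIVE))
```

Run against the page's example policy with the two placeholder origins filled in, the validator reports no problems but one warning for 'unsafe-inline' in script-src; dropping the frame-src entry for the viewer host turns that into a problem, which is the same condition that produces the blank Near Native Viewer described above. Pass self_origin="https://<gateway host>:8999" if the tile server or MSOOS is served from the Gateway's own origin, so that 'self' is evaluated correctly.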