forked from SeleniumHQ/selenium
/
security.txt
88 lines (71 loc) · 2.58 KB
/
security.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
Selenium Grid by default communicates over HTTP. This is fine for a lot
of use cases, especially if everything is contained within the firewall
and against test sites with testing data. However, if your server is
exposed to the Internet or is being used in environments with production
data (or that which has PII) then you should secure it.
Standalone
In order to run the server using HTTPS instead of HTTP you need to start
it with the `--https-private-key` and `--https-certificate` flags to
provide it the certificate and private key (as a PKCS8 file).
```
java -jar selenium.jar \
hub \
--https-private-key /path/to/key.pkcs8 \
--https-certificate /path/to/cert.pem
```
Distributed
Alternatively, if you are starting things individually you would also
specify https when telling where to find things.
```
java -jar selenium.jar \
sessions \
--https-private-key /path/to/key.pkcs8 \
--https-certificate /path/to/cert.pem
```
```
java -jar selenium.jar \
distributor \
--https-private-key /path/to/key.pkcs8 \
--https-certificate /path/to/cert.pem \
-s https://sessions.grid.com:5556
```
```
java -jar selenium.jar \
router \
--https-private-key /path/to/key.pkcs8 \
--https-certificate /path/to/cert.pem \
-s https://sessions.grid.com:5556 \
-d https://distributor.grid.com:5553 \
```
Certificates
The Selenium Grid will not operate with self-signed certificates, as a
result you will need to have some provisioned to you from a Certificate
Authority of some sort. For experimentation purposes you can use MiniCA to
create and sign your certificates.
```
minica --domains sessions.grid.com,distributor.grid.com,router.grid.com
```
This will create minica.pem and minica.key in the current directory as well as
cert.pem and key.pem in a directory `sessions.grid.com` which will have both
distributor.grid.com and router.grid.com as alternative names. Because Selenium
Grid requires the key to be in PKCS8, you have to convert it.
```
openssl pkcs8 \
-in sessions.grid.com/key.pem \
-topk8 \
-out sessions.grid.com/key.pkcs8 \
-nocrypt
```
And since we are using a non-standard CA, we have to teach Java about it. To do that
you add it to the cacert truststore which is by default, $JAVA_HOME/jre/lib/security/cacerts
```
sudo keytool \
-import \
-file /path/to/minica.pem \
-alias minica \
-keystore $JAVA_HOME/jre/lib/security/cacerts \
-storepass changeit \
-cacerts
```
More information can be found at:
* MiniCA: https://github.com/jsha/minica