i2b2: Security Baseline



Similar documents
owncloud 8 and DigitalOcean Matthew Davidson Bluegrass Linux User Group 03/09/2015

Protect your CollabNet TeamForge site

Connection Broker Managing User Connections to Workstations and Blades, OpenStack Clouds, VDI, and more. Security Review

PassBy[ME] - Bugzilla integration on

Setting Up CAS with Ofbiz 5

Project Management (PM) Cell

Connection Broker Managing User Connections to Workstations, Blades, VDI, and more. Security Review

SecuritySpy Setting Up SecuritySpy Over SSL

HP Cloud Service Automation Deployment Architectures

Configuring Remote HANA System Connection for SAP Cloud for Analytics via Apache HTTP Server as Reverse Proxy

INUVIKA OVD INSTALLING INUVIKA OVD ON RHEL 6

Apache SSL Certificate Deployment Guide

Secure Messaging Server Console... 2

By default, STRM provides an untrusted SSL certificate. You can replace the untrusted SSL certificate with a self-signed or trusted certificate.

Enterprise SSL Support

DESLock+ Basic Setup Guide Version 1.20, rev: June 9th 2014

Securing the OpenAdmin Tool for Informix web server with HTTPS

EQUELLA. Clustering Configuration Guide. Version 6.2

How to setup HTTP & HTTPS Load balancer for Mediator

Citrix Receiver for Mobile Devices Troubleshooting Guide

HP ALM. Software Version: External Authentication Configuration Guide

OnCommand Performance Manager 1.1

OpenPro ERP Software Installation Guide REDHAT LINUX

Managed Devices - Web Browser/HiView

Livezilla How to Install on Shared Hosting By: Jon Manning

esync - Receiving data over HTTPS

RHEV 2.2: REST API INSTALLATION

Clustered Data ONTAP 8.3

User s guide. APACHE SSL Linux. Using non-qualified certificates with APACHE SSL Linux. version 1.3 UNIZETO TECHNOLOGIES S.A.

Semantic based Web Application Firewall (SWAF - V 1.6)

To enable https for appliance

Configuring MailArchiva with Insight Server

SETTING UP REMOTE ACCESS ON EYEMAX PC BASED DVR.

Training module 2 Installing VMware View

CORISECIO. Quick Installation Guide Open XML Gateway

CentOS. Apache. 1 de 8. Pricing Features Customers Help & Community. Sign Up Login Help & Community. Articles & Tutorials. Questions. Chat.

USER GUIDE. Snow Inventory Client for Unix Version Release date Document date

UFTP AUTHENTICATION SERVICE

Integrating Apache Web Server with Tomcat Application Server

Oracle Virtual Desktop Infrastructure. VDI Demo (Microsoft Remote Desktop Services) for Version 3.2

Red Hat JBoss Core Services Apache HTTP Server 2.4 Apache HTTP Server Installation Guide

LAB :: Secure HTTP traffic using Secure Sockets Layer (SSL) Certificate

AmbrosiaMQ-MuleSource ESB Integration

/ Preparing to Manage a VMware Environment Page 1

Centrify Cloud Connector Deployment Guide

Project (Group) Management Installation Guide (Linux) Version 1.3. Copyright 2007 MGH

RoomWizard Synchronization Software Manual Installation Instructions

Installing Apache as an HTTP Proxy to the local port of the Secure Agent s Process Server

SSL User Authentication with the HTTP Security Server

NUST School of Electrical Engineering and Computer Science KTH Applied Information Security Lab. Installation Manual

UC8XX LCD and Web GUI custom Guide

How to Install Multicraft on a VPS or Dedicated Server (Ubuntu bit)

TSM for Windows Installation Instructions: Download the latest TSM Client Using the following link:

Instant Chime for IBM Sametime Installation Guide for Apache Tomcat and Microsoft SQL

Introweb Remote Backup Client for Mac OS X User Manual. Version 3.20

Desktop : Ubuntu Desktop, Ubuntu Desktop Server : RedHat EL 5, RedHat EL 6, Ubuntu Server, Ubuntu Server, CentOS 5, CentOS 6

Hadoop Data Warehouse Manual

GlobalSign Solutions

QUANTIFY INSTALLATION GUIDE

External authentication with Astaro AG Astaro Security Gateway UTM appliances Authenticating Users Using SecurAccess Server by SecurEnvoy

HP Business Service Management

Setting Up SSL on IIS6 for MEGA Advisor

Securing Your Apache Web Server With a Thawte Digital Certificate

SSL Intercept Mode. Certificate Installation Guide. Revision Warning and Disclaimer

TECHNICAL NOTE Stormshield Network Firewall AUTOMATIC BACKUPS. Document version: 1.0 Reference: snentno_autobackup

e-cert (Server) User Guide For Apache Web Server

Comodo Web Application Firewall Software Version 2.11

AA enabling a closed source legacy application

How to Configure edgebox as a Web Server

No.1 IT Online training institute from Hyderabad URL: sriramtechnologies.com

External Authentication with Citrix Secure Gateway - Presentation server Authenticating Users Using SecurAccess Server by SecurEnvoy

IIS, FTP Server and Windows

WebLogic Server: Installation and Configuration

GroundWork Monitor Open Source Installation Guide

NSi Mobile Installation Guide. Version 6.2

MassTransit 6.0 Enterprise Web Configuration for Macintosh OS 10.5 Server

Migrating LAMP stack from x86 to Power using the Server Consolidation Tool

DESlock+ Basic Setup Guide ENTERPRISE SERVER ESSENTIAL/STANDARD/PRO

Installing and Using the Zimbra Reporting Tool

Aspera Connect User Guide

CN=Monitor Installation and Configuration v2.0

JMETER - MONITOR TEST PLAN

ENABLING RPC OVER HTTPS CONNECTIONS TO M-FILES SERVER

Exercises: FreeBSD: Apache and SSL: SANOG VI IP Services Workshop

Parallels Plesk Automation

How To Understand The Architecture Of An Ulteo Virtual Desktop Server Farm

AXIOM 4 AXIOM SERVER GUIDE

Integrating EJBCA and OpenSSO

OS Installation: CentOS 5.8

Control-M for Hadoop. Technical Bulletin.

Implementing a Weblogic Architecture with High Availability

TransNav Management System Documentation. Management Server Guide

JAMF Software Server Installation Guide for Linux. Version 8.6

How to: Install an SSL certificate

Angel Dichev RIG, SAP Labs

Oracle Exam 1z0-102 Oracle Weblogic Server 11g: System Administration I Version: 9.0 [ Total Questions: 111 ]

Oracle. Getting Started with Database Mobile Server (DMS) Release: 11.3

Novell Access Manager

SQL Server Setup for Assistant/Pro applications Compliance Information Systems

Use Enterprise SSO as the Credential Server for Protected Sites

Transcription:

i2b2: Security Baseline

Contents Introduction... 3 CentOS Security Configuration... 4 SSL Configuration... 5 Database Configuration Files... 6 Revision History... 11 2

Introduction This document outlines the minimal recommended security configurations for i2b2 v1.6 and CentOS. This guide covers security configurations for the CentOS operating system, SSL configuration and procedures to encrypt the database configuration files for i2b2 v1.6. Prior to using this guide, ensure i2b2 v1.6 is running correctly in your environment and CentOS is up to date. This guide is intended for administrators with root privileges in CentOS. All codes presented in this document are prefixed with a # and is intended for CentOS 64 bit. Adjust the code accordingly if you are running CentOS 32 bit. 3

CentOS Security Configuration Firewalls The easiest way to configure the firewall in CentOS is through the GUI. The minimum port that should be open is Secure WWW (HTTPS). SELinux Disable SELinux by opening a terminal and edit the SELinux configuration file /etc/selinux/config. Edit: SELINUX=disabled Restart the server for the changes to take effect. 4

SSL Configuration Apache2 Apache2 is setup as a SSL proxy to JBoss and as a SSL web server for the i2b2 admin and i2b2 webclient. SSL To setup SSL, install mod_ssl and obtain a CA certificate. 1. Install mod_ssl: # yum install mod_ssl 2. Edit the following in /etc/httpd/conf.d/ssl.conf to disable weak encryption: SSLProtocol all +SSLv3 +TLSv1 SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM SSLCertificateFile <location of your CA cert> SSLCertificateKeyFile <location of your private key> 3. Save the changes. ProxyPass ProxyPass is enabled to provide SSL support to JBoss through Apache2. ProxyPass is enabled in /etc/httpd/conf.d/ssl.conf for SSL connections and is enabled in /etc/httpd/conf.d/proxy_ajp.conf for non SSL connections. For SSL connections, add the following lines to the bottom of /etc/httpd/conf.d/ssl.conf: ProxyPass /i2b2/ ajp://localhost:9009/i2b2/ ProxyPassReverse /i2b2/ ajp://localhost:9009/i2b2 For Non SSL connections, add the following lines to the bottom of /etc/httpd/conf.d/proxy_ajp.conf: ProxyPass /i2b2/ ajp://localhost:9009/i2b2/ ProxyPassReverse /i2b2/ ajp://localhost:9009/i2b2 Restart Apache2 for the changes to take effect (service httpd restart). 5

Database Configuration Files There are several xml files that contain clear text username and passwords for the various i2b2 databases. There are database configuration files in /opt/jboss 4.2.2.GA/server/default/deploy/* ds.xml and Spring Framework files in /opt/jboss 4.2.2.Ga/server/default/conf. Encrypting the Database Configuration Files in * ds.xml The * ds.xml database configuration files will be encrypted using the SecureIdentityLoginModule method. The examples below show configurations for pm ds.xml, ontds.xml, crc ds.xml, crc jms ds.xml, and work ds.xml. 1. Encrypt the database password # cd /opt/jboss-4.2.2.ga # java -classpath lib/jbosscommon.jar:lib/jboss_jmx.jar:server/default/lib/jbosssx.jar:server/default/lib/jbossjca.jar org.jboss.resource.security.secureidentityloginmodule <db_password> 2. This will output the encrypted password. 3. Define the application policy in /opt/jboss 4.2.2.GA/server/default/conf/login config.xml. The following lines are an example of configuring i2b2 with the demo data. Adjust the file accordingly based on your configuration. Add the following to the end of the file, replacing the password with the encrypted password that was obtained in step 2: <application-policy name="encryptedpmbootstrapds"> name="username">i2b2hive</module-option> name="password">encrypted_pw_here</module-option> name="managedconnectionfactoryname">jboss.jca:name=pmbootstrapds,service=localtxcm</moduleoption> <application-policy name="encryptedontologybootstrapds"> name="username">i2b2hive</module-option> name="password">encrypted_pw_here</module-option> name="managedconnectionfactoryname">jboss.jca:name=ontologybootstrapds,service=localtxcm</m odule-option> <application-policy name="encryptedontologydemods"> 6

name="username">i2b2metadata</module-option> name="password">encrypted_pw_here</module-option> name="managedconnectionfactoryname">jboss.jca:name=ontologydemods,service=localtxcm</modul e-option> <application-policy name="encryptedquerytooldemods"> name="username">i2b2demodata</module-option> name="password">encrypted_pw_here</module-option> name="managedconnectionfactoryname">jboss.jca:name=querytooldemods,service=localtxcm</mod ule-option> <application-policy name="encrypteddefaultds"> name="username">i2b2hive</module-option> name="password">encrypted_pw_here</module-option> name="managedconnectionfactoryname">jboss.jca:name=defaultds,service=localtxcm</moduleoption> <application-policy name="encryptedworkplacebootstrapds"> name="username">i2b2hive</module-option> name="password">encrypted_pw_here</module-option> name="managedconnectionfactoryname">jboss.jca:name=workplacebootstrapds,service=localtxcm</ module-option> <application-policy name="encryptedworkplacedemods"> name="username">i2b2workdata</module-option> name="password">encrypted_pw_here</module-option> name="managedconnectionfactoryname">jboss.jca:name=workplacedemods,service=localtxcm</mod ule-option> 7

4. Replace the username and password in each * ds.xml file with the <security domain> created in the login conf.xml. <!-- ########################################################################## # pm-ds.xml ############################################################################--> <datasources> <jndi-name>pmbootstrapds</jndi-name> <security-domain>encryptedpmbootstrapds</security-domain> </datasources> <!-- ########################################################################## # ont-ds.xml ############################################################################--> <datasources> <jndi-name>ontologybootstrapds</jndi-name> <security-domain>encryptedontologybootstrapds</security-domain> <!-- sample oracle project data source --> <jndi-name>ontologydemods</jndi-name> <security-domain>encryptedontologydemods</security-domain> </datasources> <!-- ########################################################################## # crc-ds.xml ############################################################################--> <datasources> <jndi-name>querytooldemods</jndi-name> <security-domain>encryptedquerytooldemods</security-domain> <idle-timeout-minutes>1</idle-timeout-minutes> <exception-sorter-classname>org.jboss.resource.adapter.jdbc.vendor.oracleexceptionsorter</exception-sorter-class-name> <metadata> <type-mapping>oracle9i</type-mapping> </metadata> </datasources> <!-- ########################################################################## 8

# crc-jms-ds.xml ############################################################################--> <datasources> <jndi-name>defaultds</jndi-name> <security-domain>encrypteddefaultds</security-domain> <idle-timeout-minutes>1</idle-timeout-minutes> <exception-sorter-classname>org.jboss.resource.adapter.jdbc.vendor.oracleexceptionsorter</exception-sorter-class-name> <metadata> <type-mapping>oracle9i</type-mapping> </metadata> </datasources> <!-- ########################################################################## # work-ds.xml ############################################################################--> <datasources> <jndi-name>workplacebootstrapds</jndi-name> <security-domain>encryptedworkplacebootstrapds</security-domain> <idle-timeout-minutes>1</idle-timeout-minutes> <exception-sorter-classname>org.jboss.resource.adapter.jdbc.vendor.oracleexceptionsorter</exception-sorter-class-name> <metadata> <type-mapping>oracle9i</type-mapping> </metadata> <jndi-name>workplacedemods</jndi-name> <security-domain>encryptedworkplacedemods</security-domain> <idle-timeout-minutes>1</idle-timeout-minutes> <exception-sorter-classname>org.jboss.resource.adapter.jdbc.vendor.oracleexceptionsorter</exception-sorter-class-name> <metadata> <type-mapping>oracle9i</type-mapping> </metadata> </datasources> 5. Restart JBoss for the changes to take effect and ensure you have no errors. 9

Encrypting the Database Configuration Files in the Spring Framework There are a few Spring bean configuration files that contain database usernames and passwords that will need to be encrypted using Jasypt. Jasypt is an open source product called Java Simplified Encryption (JASYPT) which allows decryption of encrypted text at run time. Jasypt is used to encrypt the username/password of the Hive database located in the following Spring configuration files: Directory $JBOSS_HOME/server/default/conf/crcapp/CRCApplicationContext.xml $JBOSS_HOME/server/default/conf/crcloader/CRCLoaderApplicationContext.xml Bean ID CRCDataSourceLookup LoaderLookupDS 1. Download Jasypt from www.jasypt.org. 2. Unzip Jasypt: # unzip jasypt-1.7-dist.zip 3. Change to the location where Jasypt was unzipped. # cd jasypt-1.7/bin 4. Use Jasypt encryption tool to encrypt your database password. #./encrypt.sh input= db_password algorithm=pbewithmd5andtripledes password=encryption_password 5. Jasypt will then output the encrypted password (+Sy2mi3vh/sDHWeFiHeqxSo3eewSY0XZ is the output in our example). 6. Move your credentials into a properties file. In this example, it is named jasypt.properties. datasource.username=i2b2hive datasource.password=enc(+sy2mi3vh/sdhwefiheqxso3eewsy0xz) 7. Edit $JBOSS_HOME/server/default/conf/crcapp/CRCApplicationContext.xml as below: <bean id="propertyplaceholderconfigurer" class="org.jasypt.spring.properties.encryptablepropertyplaceholderconfigurer"> <constructor-arg ref="configurationencryptor" /> <property name="location" value="jasypt.properties" /> </bean> <bean id="configurationencryptor" class="org.jasypt.encryption.pbe.standardpbestringencryptor"> <property name="config" ref="environmentvariablesconfiguration" /> </bean> <bean id="environmentvariablesconfiguration" class="org.jasypt.encryption.pbe.config.environmentstringpbeconfig"> <property name="algorithm" value="pbewithmd5anddes" /> <property name="passwordenvname" value="pbe_password" /> <property name="password" value="encryption_password" /> </bean> <bean id="crcdatasourcelookup" class="org.apache.commons.dbcp.basicdatasource" destroymethod="close"> <property name="driverclassname" value="oracle.jdbc.driver.oracledriver"/> <property name="url" value="jdbc:oracle:thin:@localhost:1521:xe"/> 10

</bean> <property name="username" value="${datasource.username}"/> <property name="password" value="${datasource.password}"/> 8. Repeat this process for LoaderLookupDS and any additional Spring configuration files. 9. Restart JBoss for your changes to take affect. Revision History Identify document changes Ver Date Author Initial Document V1.0 4 28 11 J. Phan Minor Updates V1.1 10 7 11 J. Phan 11

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information