Best Practice - Pentaho and Tomcat Security


Contents

Overview
Pentaho and Apache Tomcat
Securing Tomcat
    Remove Unused Connectors
    Remove Unwanted and Default Applications
    Remove Server Banner and X-Powered-By
    Serve Content on the Desired Interfaces
    Add Secure flag for Cookies
    Make sure Cookies are HttpOnly
    Setup Access Logging
    Run Tomcat on a Non-Privileged Account
    Change the Default SHUTDOWN Command and Port
    Replace the Default Error Pages
    Remove Pentaho Demo and Sample Content
    Create Secure Passwords
    Set Up a User Repository
    Linux only: Use a SandBoxed Root for Tomcat User
    Reduce Session Timeouts in web.xml File
    Remove Unused Endpoints from web.xml File
Conclusion
Best Practice Check List


Overview

We have collected a set of best practice recommendations for you to leverage when using Pentaho with Tomcat as your web application server. Keep these Pentaho Architecture principles in mind while you are working through this document:

1. Architecture is important, above all else.
2. Platforms are always evolving: sometimes you will have to think creatively.

Some of the things discussed here include securing Tomcat by removing unused connectors and default applications, securing cookies, changing the default shutdown command and port, and setting up access logging. The intention of this document is to speak about topics generally; however, these are the specific versions covered here:

Software         Version
Pentaho          6.0, 6.1
Apache Tomcat    7.0, 8.0

Pentaho and Apache Tomcat

The Pentaho platform is a collection of web applications deployed within Java application servers. As of Pentaho version 6.1, Pentaho supports the Tomcat 7.0, Tomcat 8.0, and JBoss EAP 6.4 application servers. The tuning and configuration of the application server can affect both the performance and the security of solutions deployed on the Pentaho platform.

This guide presents best practices for configuring Apache Tomcat to host a Pentaho solution. The suggestions it contains are general concepts and techniques; they are guidelines and may not apply exactly to every solution. If possible, we recommend using the most recent version of Tomcat that Pentaho supports.

Before implementing any of the suggestions in this document, back up the Tomcat configuration files, which are normally found in the $tomcat/conf directory. This guide assumes the reader has a working understanding of Tomcat and its configuration files, in particular $tomcat/conf/server.xml, with $tomcat representing the location of your Tomcat install. The Apache Tomcat documentation has more information on configuring Tomcat.

Securing Tomcat

The default Tomcat configuration is not optimized for production usage, and there are a number of ways to make Tomcat more secure for your production environment. The suggestions below are gathered from research and from working with customers over the years. Additional information on securing Tomcat, including SSL/TLS configuration, can be found in the Security Considerations section of the Tomcat documentation and in the article on enabling SSL in the BA Server in the Pentaho Documentation.

Remove Unused Connectors

A Connector defines how clients reach content hosted by Tomcat. Tomcat supports several connector types (for example HTTP/1.1, HTTPS, and AJP), and a single server instance can run multiple connectors at once. Every connector is a listening port that has to be patched and monitored, so remove any connector that your deployment does not use from $tomcat/conf/server.xml. A common case is the AJP connector on port 8009, which the stock Tomcat 7 and 8.0 server.xml enables but which is only needed when a web server such as Apache httpd or IIS fronts Tomcat. After editing, confirm with netstat or a port scan that only the ports you expect are listening.
Remove Unwanted and Default Applications

Tomcat ships with sample and administrative applications already deployed under $tomcat/webapps (in Tomcat 7 and 8: ROOT, docs, examples, manager, and host-manager). Evaluate each of them for suitability in your deployment. The Tomcat project recommends removing the applications that are not in use, to reduce the risk from undiscovered vulnerabilities in them; the manager and host-manager applications in particular let anyone who obtains their credentials deploy arbitrary code to the server. Pentaho does not rely on or require any of these applications, so they can be removed without impacting Pentaho.

Remove Server Banner and X-Powered-By

Tomcat communicates largely over HTTP. Browser tools like Firebug, or any moderately web-savvy developer, can inspect the HTTP exchange to learn details about the server. The Server banner and the X-Powered-By header identify the server product in use and are a form of information leakage. The server banner can be set to an empty string or some other text to obscure the server software; it is controlled by the server attribute of each Connector that provides access to Tomcat. The X-Powered-By header is turned off by setting the xpoweredBy attribute to false. Connector settings live in $tomcat/conf/server.xml, and attribute names are case-sensitive. This example sets the server banner to an empty string:

<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
           server="" xpoweredBy="false" redirectPort="8443" />

After restarting Tomcat, confirm the result from a client, for example with curl -I http://host:8080/pentaho/ and checking the Server and X-Powered-By headers in the response.

Serve Content on the Desired Interfaces

By default, Tomcat serves content on all IP addresses configured on the server. To serve content only on a particular address, set the address attribute on the Connector to that address.

Add Secure flag for Cookies

Tomcat manages user sessions with cookies by default, and a session cookie that travels over plain HTTP can be read or manipulated on the network. The Secure flag tells the browser to send the cookie only over HTTPS. Tomcat sets the flag on the session cookie when the request is considered secure, which is controlled by the secure attribute of the Connector in $tomcat/conf/server.xml. Set secure="true" only on a Connector that really carries TLS traffic: the HTTPS connector itself, or a plain connector that sits behind a reverse proxy which terminates TLS (in that case also set scheme="https"). Setting it on a plain HTTP connector that users reach directly marks the session cookie Secure while the site is served over HTTP, so browsers drop the cookie and logins stop working. Example for the HTTPS connector (keystore settings omitted):

<Connector port="8443" protocol="HTTP/1.1" connectionTimeout="20000"
           SSLEnabled="true" scheme="https" secure="true"
           server="" xpoweredBy="false" />

Make sure Cookies are HttpOnly

Some browsers allow client-side script to read cookies, which makes a session cookie stealable through cross-site scripting. The HttpOnly flag hides the cookie from script. Enable it for Pentaho and the other applications by setting useHttpOnly on the Context in $tomcat/conf/context.xml, which applies to every web application on the server. On Tomcat 7 and later this setting defaults to true, but setting it explicitly makes sure the protection stays in place:

<Context useHttpOnly="true">...</Context>

Setup Access Logging

One common request is to understand who is accessing Pentaho. This can be done with the auditing functionality within Pentaho, but it can also be done by Tomcat itself, which can log each request together with additional information about the user. Examine the detail available from Tomcat's AccessLogValve, configured on the Host element in $tomcat/conf/server.xml, and decide whether the additional logging is useful. The access log is also what you will turn to when investigating unexpected requests, so retain it for as long as your incident response process needs.

Run Tomcat on a Non-Privileged Account

As a general practice, services should run with the least permission necessary. Run Tomcat as a dedicated, non-privileged user so that a compromise of Tomcat through any security hole cannot be turned against other services on the host. That user should own only what it must write to (logs, temp, and work) and not the Tomcat binaries or configuration files.

Change the Default SHUTDOWN Command and Port

Tomcat listens on a configured port for a specified command as a way of shutting the service down. The default port (8005) and command (SHUTDOWN) are widely known, so anyone who can reach that port can stop the service. Change the port and the command to guard against this. The listener binds to localhost by default; if you never use the shutdown port, for example because a service script stops Tomcat by killing the process, set the port to -1 to disable the listener entirely. The example below, from an updated $tomcat/conf/server.xml, sets the shutdown port to 8999 and the command to SOMECOMMAND:

<Server port="8999" shutdown="SOMECOMMAND">

Replace the Default Error Pages

Errors happen even in the best solutions. Tomcat provides default error pages for conditions such as a request for an unknown URI, and those pages show the Tomcat product name and version. Replace them to protect that information about the server. This requires a little web development to create the custom error pages, which are then mapped to error codes with error-page elements in web.xml. The Tomcat Wiki has more information on configuring custom error pages.
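The server.xml items above (unused connectors, the Server banner and X-Powered-By, interface binding, the Secure flag on connectors, and the shutdown port and command) can be checked mechanically before a restart. The Python script below is an added example for this guide, not code from the Pentaho document or from the Tomcat project. The two server.xml fragments it contains are constructed for the example, the list of needed ports and the severity labels are the example's own assumptions, and the shutdown command in the hardened fragment is a made-up value.

```python
"""Audit $tomcat/conf/server.xml for the hardening items discussed above.

Added example for this guide; not code from the Pentaho document or the
Tomcat project. Both server.xml fragments are constructed for the example.
"""
import xml.etree.ElementTree as ET

# Constructed: a near-default Tomcat 7/8.0 server.xml. Someone copied
# secure="true" onto the plain HTTP connector, and the AJP connector that
# the stock server.xml enables is still there although nothing fronts Tomcat.
WEAK_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
               redirectPort="8443" secure="true"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" server="" xpoweredBy="false"
               address="10.0.0.5"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

# Constructed: the same server after the recommendations. port="-1" turns
# the shutdown listener off; the shutdown string is a made-up value; only
# the HTTPS connector is left, bound to one address.
HARDENED_SERVER_XML = """
<Server port="-1" shutdown="Zq7pL2vX9wK4">
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" server="" xpoweredBy="false"
               address="10.0.0.5"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""


def audit_server_xml(xml_text, needed_ports=(8443,)):
    """Return a list of (severity, message) findings for one server.xml.

    needed_ports lists the connector ports the deployment really uses; any
    other Connector is flagged for removal. Severity labels are this
    example's own choice, not a Pentaho or Tomcat classification.
    """
    findings = []
    root = ET.fromstring(xml_text.strip())

    # Shutdown listener: the defaults 8005 / SHUTDOWN are public knowledge.
    if root.get("port", "8005") == "8005":
        findings.append(("high", "shutdown port is the default 8005 "
                                 '(change it, or set port="-1" to disable it)'))
    if root.get("shutdown", "SHUTDOWN") == "SHUTDOWN":
        findings.append(("high", "shutdown command is the default SHUTDOWN"))

    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        tag = f"Connector port={port}"
        if port.isdigit() and int(port) not in needed_ports:
            findings.append(("medium", f"{tag}: not needed, remove it"))
        # Without a server attribute, Tomcat 7/8.0 send their product banner.
        if conn.get("server") is None:
            findings.append(("low", f"{tag}: default Server banner will be sent"))
        if conn.get("xpoweredBy", "false").lower() == "true":
            findings.append(("low", f"{tag}: X-Powered-By is enabled"))
        if conn.get("address") is None:
            findings.append(("low", f"{tag}: listens on every interface"))
        # secure="true" is right only where the traffic really is TLS: an
        # SSLEnabled connector, or one marked scheme="https" because a reverse
        # proxy terminates TLS in front of it. On a plain HTTP connector it
        # makes the session cookie Secure, so browsers never send it back.
        tls = (conn.get("SSLEnabled", "false").lower() == "true"
               or conn.get("scheme", "http") == "https")
        secure = conn.get("secure", "false").lower() == "true"
        if secure and not tls:
            findings.append(("high", f'{tag}: secure="true" on a plain HTTP connector'))
        elif tls and not secure:
            findings.append(("medium", f'{tag}: TLS connector without secure="true"'))
    return findings


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        findings = audit_server_xml(xml_text)
        print(f"== {label}: {len(findings)} finding(s)")
        for severity, message in findings:
            print(f"   [{severity}] {message}")
```

To check a real install, pass the contents of $tomcat/conf/server.xml to audit_server_xml together with the ports you actually need; the weak fragment produces nine findings and the hardened one produces none. The secure-flag check is the one worth keeping even if you drop the rest, because copying secure="true" onto the plain 8080 connector looks like hardening and silently breaks every login.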

Remove Pentaho Demo and Sample Content

Pentaho provides sample content, a sample data source, and a sample repository for evaluation and testing purposes only. Demo and sample content should be removed before moving to development or production environments. The Remove Sample Data from the BA Server section in the Pentaho Documentation has more information and instructions on removing the demo content and sample data.

Create Secure Passwords

Because Tomcat uses XML files to define data source connections, the passwords for those connections sit in $tomcat/conf/context.xml or server.xml and can be exposed in plain text to anyone who can read those files. Use Pentaho's password utility to replace them with secured values, and restrict the file permissions on the configuration directory to the Tomcat user. Our best practice document on Securing Connection Passwords for the Pentaho Business Analytics Suite contains more information about securing your passwords.

Set Up a User Repository

Default Pentaho Security is designed for small and medium-sized environments and does not scale well to enterprise production environments. Set up users and roles in a user repository that enforces policies on password length, strength, and longevity, such as Active Directory.

Linux only: Use a SandBoxed Root for Tomcat User

If you run Tomcat on Linux without changing its root, a directory traversal or file-read flaw in a web application can reach any file the Tomcat user is allowed to read. Run Tomcat in a chroot jail so that such a flaw is confined to the jail.

Reduce Session Timeouts in web.xml File

Long session timeouts widen the window in which an unattended or stolen session can be used. Reduce the session timeout in the Pentaho web application's WEB-INF/web.xml, which overrides the server-wide default in $tomcat/conf/web.xml. The value is in minutes, so the example below expires idle sessions after two hours; a shorter value may suit your environment better.

<session-config>
    <session-timeout>120</session-timeout>
</session-config>

Remove Unused Endpoints from web.xml File

Some of the servlet endpoints defined in the Pentaho web application's WEB-INF/web.xml may pose a security risk if they are left reachable. They should either be commented out or deleted. When you disable a servlet, remove both its servlet element and its servlet-mapping element: a servlet-mapping that names a servlet which no longer exists prevents the web application from starting. The following list gives recommendations for handling each one on a case-by-case basis.

1. ProxyTrustingFilter / ProxyTrustingServlet: only needed during Migrator/Import/Export. Keep these endpoints commented out until you need to do a migration, import, or export, and comment them out again when you are done.

2. ViewAction / ServiceAction: previously used to invoke action sequences (.xaction). These are no longer relevant but could present a vulnerability. Delete the ViewAction and ServiceAction endpoints.

3. Xmla: used for XMLA (XML for Analysis). If you are not using XMLA on the server, comment out the endpoint.

4. GenericServlet: this endpoint has been deprecated and should be commented out.

5. DebugHome: used for debugging Mantle. Comment out the DebugHome endpoint on any production system.

6. Carte: used for Carte operations. Comment out this endpoint if you are running only a Pentaho BA Server.

7. AuditReport / AuditReportList: deprecated entry points. Delete the AuditReport and AuditReportList endpoints.

8. UserService: tells the caller how many active HTTP sessions there are. An administrator can make use of this, but you may want to add it to applicationContext-spring-security.xml and lock it down to administrators.

9. Diagnostics: used for server diagnostics. Disable it unless someone is actively collecting diagnostics.

10. UploadService / PluggableUploadFileServlet: comment out these two endpoints, then verify that PME and PRD can still publish to the server.

11. GetResource / GetImage: these servlets serve files from the pentaho-solutions folder directly back to the browser. They can be commented out without any real impact on the server unless you use C*Tools in a specific way, or PRD is configured in a very specific way, such as loading images from a solution on the server.

After each change, restart Tomcat and confirm that the disabled URL now returns a 404 and that the functionality you still need keeps working.
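Disabling an endpoint means removing (or commenting out) both its servlet and its servlet-mapping, and the session-timeout change from the previous section lives in the same file, so the two edits can be made together. The Python script below is an added example for this guide, not code from the Pentaho document or product: its web.xml is constructed, the servlet names follow the list above, the servlet-class values are placeholders rather than Pentaho's real classes, and the 30-minute cap is an assumed policy value. It also reports any servlet-mapping left pointing at a servlet that no longer exists, which is the hand-editing mistake that stops the web application from starting.

```python
"""Disable unused endpoints in the Pentaho web application's WEB-INF/web.xml
and cap the session timeout.

Added example for this guide; not code from the Pentaho document or product.
The web.xml is constructed: servlet names follow the list above, and the
servlet-class values are placeholders, not Pentaho's real classes.
"""
import xml.etree.ElementTree as ET

JEE_NS = "http://java.sun.com/xml/ns/javaee"


def jee(tag):
    """Qualify a tag name with the Java EE web.xml namespace."""
    return f"{{{JEE_NS}}}{tag}"


# Constructed sample. The Carte <servlet> element was commented out by hand,
# but its <servlet-mapping> was left behind; Tomcat rejects that on startup.
SAMPLE_WEB_XML = """
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <session-config>
    <session-timeout>120</session-timeout>
  </session-config>
  <servlet>
    <servlet-name>ViewAction</servlet-name>
    <servlet-class>example.servlet.ViewAction</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>Xmla</servlet-name>
    <servlet-class>example.servlet.Xmla</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>DebugHome</servlet-name>
    <servlet-class>example.servlet.DebugHome</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>ViewAction</servlet-name>
    <url-pattern>/ViewAction</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Xmla</servlet-name>
    <url-pattern>/Xmla</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>DebugHome</servlet-name>
    <url-pattern>/DebugHome</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Carte</servlet-name>
    <url-pattern>/kettle/*</url-pattern>
  </servlet-mapping>
</web-app>
"""


def harden_web_xml(xml_text, disable, max_timeout_minutes=30):
    """Remove the <servlet> and <servlet-mapping> entries named in `disable`,
    cap <session-timeout> (minutes), and report mappings that point at a
    servlet that no longer exists. Returns (new_xml_text, report)."""
    ET.register_namespace("", JEE_NS)  # keep the default namespace on output
    root = ET.fromstring(xml_text.strip())
    disable = set(disable)
    report = {"removed": [], "dangling": [], "timeout": None}

    # Both halves must go: Tomcat refuses to start a web application whose
    # <servlet-mapping> names a servlet that has no <servlet> definition.
    for el in list(root):
        if el.tag in (jee("servlet"), jee("servlet-mapping")):
            name = el.findtext(jee("servlet-name"))
            if name in disable:
                root.remove(el)
                report["removed"].append((el.tag.split("}")[1], name))

    defined = {s.findtext(jee("servlet-name")) for s in root.findall(jee("servlet"))}
    for mapping in root.findall(jee("servlet-mapping")):
        name = mapping.findtext(jee("servlet-name"))
        if name not in defined:
            report["dangling"].append(name)

    timeout = root.find(f"{jee('session-config')}/{jee('session-timeout')}")
    if timeout is not None:
        minutes = int(timeout.text)
        if minutes > max_timeout_minutes:
            timeout.text = str(max_timeout_minutes)
        report["timeout"] = (minutes, int(timeout.text))
    return ET.tostring(root, encoding="unicode"), report


if __name__ == "__main__":
    new_xml, report = harden_web_xml(SAMPLE_WEB_XML, ["ViewAction", "DebugHome", "GenericServlet"])
    print("removed:", report["removed"])
    print("dangling mappings (fix before restart):", report["dangling"])
    print("session-timeout (before, after):", report["timeout"])
```

On the constructed file this removes the ViewAction and DebugHome servlets together with their mappings, ignores the GenericServlet name that is not present, lowers the timeout from 120 to 30 minutes, and reports the orphaned Carte mapping. Run it over a copy of the real web.xml, read the report, and only then replace the file and restart Tomcat.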

Conclusion

The guidelines presented in this document are generic in that they were not written with any particular solution in mind. They are guidelines and a starting point. Test and validate them in a development or QA environment before placing them into production.

Best Practice Check List

This checklist is designed for you to use while you are thinking about how to secure and tune the performance of Tomcat. The Pentaho Enterprise Architecture Group is here to help you with any questions that arise during your implementation.

Name of the Project:
Date of the Review:
Name of the Reviewer:

Considerations/Think About                                    Response    Comments, why?
Have you removed unused connectors?                           YES / NO
Have you removed unwanted and default applications?           YES / NO
Did you remove the server banner and X-Powered-By?            YES / NO
Have you set up content to serve on the desired interfaces?   YES / NO
Added a Secure flag for cookies?                              YES / NO
Made sure cookies are HttpOnly?                               YES / NO
Set up access logging?                                        YES / NO
Are you running Tomcat on a non-privileged account?           YES / NO
Did you change the default shutdown command and port?         YES / NO
Have you replaced the default error pages?                    YES / NO
Did you remove Pentaho sample content?                        YES / NO
Did you create secure passwords?                              YES / NO
Linux: set up a chroot for the Tomcat user?                   YES / NO
Did you reduce Tomcat session timeouts?                       YES / NO
Have you removed unused endpoints?                            YES / NO

If you are using this best practices document, we would be happy if you would leave us a comment or suggestion to let us know what you think. This will help us learn about who is using our best practices, and also give us some insight into what you find helpful about them. As always, if you have more information or a solution that would enhance this document, we would love to hear about that, too.