uniface lectures webinar - application & infrastructure security - hardening tomcat

Post on 23-Jan-2018


TRANSCRIPT

Application & Infrastructure Security

Hardening Tomcat

Jason Huggins

Director, Global Delivery

Agenda

Introduction

Tomcat hardening

Closing remarks

So, why are we here?

Security

CIA triad

Risk Avoidance vs Risk Management

Cost

Impact

Recovery

Usability

Acceptance

“I don’t need to worry…”

…it’s an internal application

…our team would never

…we’ve never had an attack

…we’re not that interesting to hackers

…our data is public record

…I’m not doing web, I’m okay

…my password is strong

…it is too complicated

“…everyone needs to worry”

Accidental hacker

Cyber criminals

Not just a privacy issue

Increasingly connected, integrated and exposed

Desktop, web, mobile, {x} as a service

Developers must be aware

Only as strong as…

the weakest link

These alone are not the solution


Firewall

Antivirus

The “IT infrastructure” guy

Automatic updates

Not just applicable to web applications

Uniface Web Application Server

(WASV)

Desktop

API

Mobile

Web

HTTP, HTTPS, SOAP, REST

Web

USP, DSP

Desktop

HTML container

Mobile

Hybrid, Web

API

SOAP, REST, UHTTP

Tomcat Hardening

What is hardening?

Enhancing the security

Closing loopholes

Turning off developer/debug options

Removing non-essential objects

Not volunteering information

Patching

A ‘process’ not just an ‘event’

Technical Architecture

Desktop

API

Mobile

Web

Uniface Virtual Machine

Server - Tomcat

Service

Engine - Catalina

Host

Context

Servlet - WRD*

Servlet - SRD*

Port (8009) <> Connector (AJP) <> Valve

Port (443) <> Connector (HTTPS) <> Valve

Port (80) <> Connector (HTTP) <> Valve

UVM Connector

* WRD: Web Request Dispatcher, SRD: SOAP Request Dispatcher

SSL

Asymmetric Encryption

Public & Private Keys

Transport Layer Security (TLS)

Secure Sockets Layer (SSL)

Tomcat – Add Certificates / Keys

Create a key store (keytool cannot create an empty store, so a throwaway ‘foo’ entry is generated and then deleted)

keytool -genkey -alias foo -keystore truststore.jks

keytool -delete -alias foo -keystore truststore.jks

Add CA cert

keytool -import -alias root -keystore truststore.jks -trustcacerts -file CA.cer

Add PKCS12 SSL key pair

keytool -importkeystore -destkeystore truststore.jks -srckeystore tomcat.p12 -srcstoretype PKCS12

Note: The certificate key and keystore passwords need to match

Tomcat – Configure SSL connector

server.xml – Uncomment the SSL connector

Add keystoreFile and keystorePass attributes

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
    keystoreFile="truststore.jks" keystorePass="letmein" sslProtocol="TLS" />

Set the recommended SSL ciphers (one attribute on the same Connector; shown here as a single value)

ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA"
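The cipher list above mixes suites of quite different strength: ephemeral ECDHE key exchange (forward secrecy) beside static ECDH, and AEAD GCM beside older CBC suites. The Python below is an added example, not code from the webinar or from Tomcat; it parses a `ciphers` attribute value of exactly the shape on the slide (the slide's full list is embedded as input), classifies each suite, lists those lacking forward secrecy or AEAD protection, and produces an ordering that puts ECDHE+GCM first. The classification rules and the `preferred_order` helper are mine; Tomcat itself only hands the names to the JSSE provider.

```python
"""Classify the suites in a Tomcat Connector `ciphers` attribute.

Added example, not code from the webinar or from Tomcat. Each suite name
is split into key exchange (ECDHE = ephemeral, gives forward secrecy;
ECDH = static, does not), authentication key type, AES key size and
record mode (GCM = AEAD; CBC = older MAC-then-encrypt construction)."""
import re

# Shape of every suite on the slide: TLS_<kx>_<auth>_WITH_AES_<bits>_<mode>_<mac>
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>ECDHE|ECDH)_(?P<auth>RSA|ECDSA)_WITH_AES_(?P<bits>128|256)_"
    r"(?P<mode>GCM|CBC)_(?P<mac>SHA384|SHA256|SHA)$")

# The 24 suites from the slide, in the slide's order (used as sample input).
SLIDE_CIPHERS = (
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,"
    "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,"
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,"
    "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,"
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,"
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,"
    "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,"
    "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,"
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,"
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,"
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,"
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA")


def parse_ciphers(value):
    """Return one dict per suite, in the order the attribute lists them."""
    suites = []
    for name in (n.strip() for n in value.split(",") if n.strip()):
        m = SUITE_RE.match(name)
        if m is None:
            raise ValueError(f"unrecognised suite name: {name}")
        suites.append({
            "name": name, "kx": m["kx"], "auth": m["auth"],
            "bits": int(m["bits"]), "mode": m["mode"],
            "forward_secrecy": m["kx"] == "ECDHE",   # ephemeral key exchange
            "aead": m["mode"] == "GCM",              # authenticated encryption
        })
    return suites


def weaker_suites(value):
    """(name, reason) for suites lacking forward secrecy and/or AEAD protection."""
    out = []
    for s in parse_ciphers(value):
        reasons = []
        if not s["forward_secrecy"]:
            reasons.append("static ECDH, no forward secrecy")
        if not s["aead"]:
            reasons.append("CBC mode, not AEAD")
        if reasons:
            out.append((s["name"], "; ".join(reasons)))
    return out


def preferred_order(value):
    """Same suites, reordered: forward secrecy first, then AEAD, then larger
    keys; sorted() is stable, so the slide's relative order is otherwise kept."""
    ranked = sorted(parse_ciphers(value),
                    key=lambda s: (not s["forward_secrecy"], not s["aead"], -s["bits"]))
    return ",".join(s["name"] for s in ranked)


if __name__ == "__main__":
    for name, reason in weaker_suites(SLIDE_CIPHERS):
        print(f"{name}: {reason}")
    print("preferred order:", preferred_order(SLIDE_CIPHERS))
```

Only four of the 24 suites combine ECDHE with GCM. Reordering matters only when the server, not the client, chooses from the list; in Tomcat 8 that is the Connector attribute `useServerCipherSuitesOrder="true"`. The SSL Labs test listed under Resources shows which suites a deployed connector actually negotiates.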

server.xml

Harden the defaults

Remove default applications

‘Examples’, ‘docs’, ‘host-manager’, content of ‘root’

Switch off the shutdown port

<Server port="-1" shutdown="SHUTDOWN">

Do not volunteer information

<Connector Server=" " port="443" ...

Prevent malicious deployments

<Host name="localhost" appBase="webapps"
    unpackWARs="false" autoDeploy="false">

Harden the defaults (2)

Remove unused connectors, e.g. the AJP/1.3 connector

<!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->

Bind connectors to specific network cards

<Connector Secure="true" Server=" " address="192.64.10.11"
    port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
    redirectPort="8443" />

Note: repeat the whole connector block for each address, and create matching virtual hosts if multiple subdomains are used.

Tomcat web.xml

Harden the defaults (3)

Reduce the default documents

<welcome-file-list>
    <welcome-file>index.htm</welcome-file>
</welcome-file-list>

Force SSL

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected Context</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <!-- auth-constraint goes here if you require authentication -->
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

Reduced information exposure

Define generic pages for 400, 404, 403 and 500 errors and for uncaught exceptions:

<error-page>
    <error-code>400</error-code> <location>/error.htm</location>
</error-page>
<error-page>
    <error-code>404</error-code> <location>/error.htm</location>
</error-page>
<error-page>
    <error-code>403</error-code> <location>/error.htm</location>
</error-page>
<error-page>
    <error-code>500</error-code> <location>/error.htm</location>
</error-page>
<error-page>
    <exception-type>java.lang.Exception</exception-type> <location>/error.htm</location>
</error-page>

Context web.xml

Web app instance hardening

Prevent uniface middleware exposing information

<init-param>

<param-name>TESTABLE</param-name>

<param-value>false</param-value>

</init-param>

Tomcat timeouts

<session-config>

<session-timeout>20</session-timeout>

</session-config>

context.xml

Context wide hardening

Prevent client side access to cookies

<Context useHttpOnly="true">

(Tomcat matches attribute names case-sensitively, so the attribute must be spelled useHttpOnly.)

Stop automatic reload/update of files

<!--
<WatchedResource>WEB-INF/web.xml</WatchedResource>
<WatchedResource>${catalina.base}/conf/web.xml</WatchedResource>
-->
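The server.xml, web.xml and context.xml settings in the preceding slides are easy to drift away from between releases, so it pays to check them mechanically rather than by eye. The Python below is an added example, not code from the webinar, Uniface or Tomcat: it parses the three files and reports every checklist item that is not in place (shutdown port, AJP connector, missing server/address attributes, a TLS connector without an explicit cipher list, autoDeploy/unpackWARs, session timeout, the CONFIDENTIAL constraint on /*, the generic error pages, the Uniface TESTABLE parameter, useHttpOnly and leftover WatchedResource entries). The three XML strings are constructed samples of an unhardened install, and the check ids and messages are mine.

```python
"""Audit Tomcat config against the hardening checklist in these slides.

Added example, not code from the webinar, Uniface or Tomcat. The three
XML strings are constructed samples in the default, unhardened state; a
real run would read $CATALINA_BASE/conf/server.xml, the application's
WEB-INF/web.xml and conf/context.xml. Findings are (check-id, message)."""
import xml.etree.ElementTree as ET

SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
             scheme="https" secure="true" keystoreFile="truststore.jks" keystorePass="letmein"/>
  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"/>
  </Engine></Service></Server>"""

WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet><servlet-name>wrd</servlet-name>
    <init-param><param-name>TESTABLE</param-name><param-value>true</param-value></init-param>
  </servlet>
  <session-config><session-timeout>30</session-timeout></session-config>
  <security-constraint>
    <web-resource-collection><web-resource-name>Protected Context</web-resource-name>
      <url-pattern>/*</url-pattern></web-resource-collection>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""

CONTEXT_XML = """<Context><WatchedResource>WEB-INF/web.xml</WatchedResource></Context>"""

REQUIRED_ERROR_CODES = {"400", "403", "404", "500"}  # from the web.xml slide
MAX_SESSION_MINUTES = 20                             # value used in the webinar


def _find_all(root, name):
    """Descendants with local tag `name`; ignores web.xml's default xmlns."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]


def _text(parent, name):
    hits = _find_all(parent, name)
    return hits[0].text.strip() if hits and hits[0].text else None


def audit_server(xml_text):
    """server.xml: shutdown port, AJP, Server header, bind address, ciphers, deploy flags."""
    root, out = ET.fromstring(xml_text), []
    if root.get("port") != "-1":
        out.append(("shutdown-port", f'shutdown port {root.get("port")} enabled; set port="-1"'))
    for c in root.iter("Connector"):
        port = c.get("port")
        if c.get("protocol", "HTTP/1.1").startswith("AJP"):
            out.append(("ajp-connector", f"AJP connector on {port}; remove if unused"))
        if (c.get("server") or c.get("Server")) is None:
            out.append(("server-header", f'connector {port} advertises Tomcat; set server=" "'))
        if c.get("address") is None:
            out.append(("bind-address", f"connector {port} listens on every interface; set address"))
        if c.get("SSLEnabled") == "true" and not c.get("ciphers"):
            out.append(("ciphers", f"TLS connector {port} has no explicit ciphers list"))
    for h in root.iter("Host"):  # both attributes default to true in Tomcat
        if h.get("autoDeploy", "true") != "false":
            out.append(("auto-deploy", f'host {h.get("name")}: set autoDeploy="false"'))
        if h.get("unpackWARs", "true") != "false":
            out.append(("unpack-wars", f'host {h.get("name")}: set unpackWARs="false"'))
    return out


def audit_webapp(xml_text):
    """web.xml: session timeout, CONFIDENTIAL on /*, generic error pages, TESTABLE."""
    root, out = ET.fromstring(xml_text), []
    timeout = _text(root, "session-timeout")
    if timeout is None or int(timeout) > MAX_SESSION_MINUTES:
        out.append(("session-timeout", f"session-timeout is {timeout}; use <= {MAX_SESSION_MINUTES}"))
    if not any("/*" in [p.text for p in _find_all(sc, "url-pattern")]
               and _text(sc, "transport-guarantee") == "CONFIDENTIAL"
               for sc in _find_all(root, "security-constraint")):
        out.append(("force-ssl", "no security-constraint forcing CONFIDENTIAL on /*"))
    pages = _find_all(root, "error-page")
    missing = sorted(REQUIRED_ERROR_CODES - {_text(p, "error-code") for p in pages})
    if missing:
        out.append(("error-pages", "no generic error page for " + ", ".join(missing)))
    if not any(_text(p, "exception-type") for p in pages):
        out.append(("exception-page", "no error-page for java.lang.Exception"))
    for ip in _find_all(root, "init-param"):
        if _text(ip, "param-name") == "TESTABLE" and _text(ip, "param-value") != "false":
            out.append(("testable", "Uniface TESTABLE init-param is not false"))
    return out


def audit_context(xml_text):
    """context.xml: HttpOnly cookies and automatic reload triggers."""
    root, out = ET.fromstring(xml_text), []
    if root.get("useHttpOnly") != "true":
        out.append(("http-only", 'useHttpOnly is not explicitly "true" on <Context>'))
    if _find_all(root, "WatchedResource"):
        out.append(("watched-resource", "WatchedResource entries still trigger reloads"))
    return out


if __name__ == "__main__":
    for name, findings in (("server.xml", audit_server(SERVER_XML)), ("web.xml", audit_webapp(WEB_XML)),
                           ("context.xml", audit_context(CONTEXT_XML))):
        print(name, *[f"  [{c}] {m}" for c, m in findings], sep="\n")
```

Two caveats on the checks: Tomcat has defaulted useHttpOnly to true since version 7, so the http-only finding only means the slide's explicit setting is absent; and a web.xml constraint is checked by local tag name because the deployment descriptor carries a default namespace that ElementTree would otherwise require on every lookup.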

filters: rewrite

URL rewriting

Hide actual URLs and hinder direct access

Add the Tomcat rewrite filter and rules

Rewrite rules examples:

RewriteCond %{REQUEST_URI} ^/talk$

RewriteRule ^/talk$ /messenger/wrd/main [L]

RewriteCond %{HTTP_REFERER} !(.*)/talk(.*)$

RewriteCond %{HTTP_REFERER} !(.*)/messenger(.*)$

RewriteRule ^(.*)$ /error.htm [L]

RewriteCond %{REQUEST_URI} ^/(css|common|img|dspjs|bootstrap-3.3.7-dist|index.htm|error.htm)(.*)$

RewriteRule ^(.*)$ /messenger$1 [L]

RewriteCond %{HTTP_REFERER} (.*)/talk(.*)$

RewriteCond %{REQUEST_URI} ^/(.*)$

RewriteRule ^(.*)$ /messenger/wrd$1 [L]

RewriteCond %{HTTP_REFERER} (.*)/messenger(.*)$

RewriteCond %{REQUEST_URI} ^/(.*)$

Other considerations

Uniface Application Errors

Application errors (i.e. Yellow Error Screens)

You can replace USYSHTTPBODY with the same HTML that is used in the index and error pages referred to in previous sections.

Uniface WRD errors

Infrastructure/configuration errors (i.e. Red Error Screens)

Templates in error_{locale} below the WEB-INF.

Practical Examples

Resources

Tomcat Security Documentation: https://tomcat.apache.org/tomcat-8.0-doc/security-howto.html

Open Web Application Security Project (OWASP): https://www.owasp.org/

SSL Server Test: https://www.ssllabs.com/ssltest/index.html

Summary

Coach, train, mentor team

Continual monitoring and improvement are essential

A few simple steps greatly improve security

Server hardening is just one step along the path to security

Do not assume higher (or lower) layers provide adequate security

A 100% secure system is practically impossible

A 100% secure system would be unusable!

Thank You

& Questions
