Uniface Lectures Webinar - Application & Infrastructure Security - Hardening Tomcat
TRANSCRIPT
Application & Infrastructure Security
Hardening Tomcat
Jason Huggins
Director, Global Delivery
Agenda
Introduction
Tomcat hardening
Closing remarks
So, why are we here?
Security
CIA triad
Risk Avoidance vs Risk Management
Cost
Impact
Recovery
Usability
Acceptance
“I don’t need to worry…”
…it’s an internal application
…our team would never
…we’ve never had an attack
…we’re not that interesting to hackers
…our data is public record
…I’m not doing web, I’m okay
…my password is strong
…it is too complicated
“…everyone needs to worry”
Accidental hacker
Cyber criminals
Not just a privacy issue
Increasingly connected, integrated and exposed
Desktop, web, mobile, {x} as a service
Developers must be aware
Only as strong as…
the weakest link
These alone are not the solution
Firewall
Antivirus
The “IT infrastructure” guy
Automatic updates
Not just applicable to web applications
Uniface Web Application Server
(WASV)
Protocols: HTTP, HTTPS, SOAP, REST
Web: USP, DSP
Desktop: HTML container
Mobile: Hybrid, Web
API: SOAP, REST, UHTTP
Tomcat Hardening
What is hardening?
Enhancing the security
Closing loopholes
Turning off developer/debug options
Removing non-essential objects
Not volunteering information
Patching
A ‘process’ not just an ‘event’
Technical Architecture
Clients: Desktop, API, Mobile, Web
Server - Tomcat
  Service / Engine - Catalina
    Host
      Context
        Servlet - WRD*
        Servlet - SRD*
Port (8009) <> Connector (AJP) <> Valve
Port (443) <> Connector (HTTPS) <> Valve
Port (80) <> Connector (HTTP) <> Valve
UVM Connector <> Uniface Virtual Machine (UVM)
* WRD: Web Request Dispatcher, SRD: SOAP Request Dispatcher
SSL
Asymmetric Encryption
Public & Private Keys
Transport Layer Security (TLS)
Secure Sockets Layer (SSL)
Tomcat – Add Certificates / Keys
Create an empty keystore (generate a throwaway key pair, then delete it again)
keytool -genkey -alias foo -keystore truststore.jks
keytool -delete -alias foo -keystore truststore.jks
Add the CA certificate
keytool -import -alias root -keystore truststore.jks -trustcacerts -file CA.cer
Add the PKCS12 SSL key pair
keytool -importkeystore -destkeystore truststore.jks -srckeystore tomcat.p12 -srcstoretype PKCS12
Note: The certificate key and keystore passwords need to match; Tomcat opens the private key with the keystore password unless the connector's keyPass attribute is set. Despite its name, this file is the server keystore referenced by keystoreFile. Tomcat's separate truststoreFile attribute is only needed when clients authenticate with certificates (clientAuth="true").
Tomcat – Configure SSL connector
server.xml – Uncomment the SSL connector
Add keystoreFile and keystorePass attributes
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
           keystoreFile="truststore.jks" keystorePass="letmein" sslProtocol="TLS" />
Note: "letmein" is a placeholder. Use a strong keystore password and make server.xml readable only by the Tomcat service account, because the password is stored in clear text. sslProtocol="TLS" admits every TLS version the JVM enables (TLS 1.0 and 1.1 on older JVMs); restrict it with sslEnabledProtocols="TLSv1.2".
Set the recommended SSL ciphers
ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA"
Note: the TLS_ECDH_* suites use static ECDH keys and give no forward secrecy, and the *_CBC_* suites are legacy modes; the four TLS_ECDHE_*_GCM_* suites at the head of the list are the ones to prefer. Check the result from the outside with the SSL Server Test listed under Resources.
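The cipher list above mixes forward-secret AEAD suites with static-ECDH and CBC suites. The following script is an added example (not part of the slides or of Tomcat) that splits a Tomcat `ciphers` attribute value into those classes and prints the trimmed value to paste back into server.xml. It understands JSSE-style suite names only (the form used on the slide); the classification rules are the standard ones: ECDHE/DHE key exchange is ephemeral, ECDH/DH/RSA is not, GCM/CCM/CHACHA20_POLY1305 are AEAD, CBC is not.

```python
"""Classify the suites in a Tomcat Connector `ciphers` attribute.

Added example, not from the Uniface slides or from Tomcat. SLIDE_CIPHERS is
the list shown on the slide above.
"""

SLIDE_CIPHERS = (
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,"
    "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,"
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,"
    "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,"
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,"
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,"
    "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,"
    "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,"
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,"
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,"
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,"
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA"
)


def is_forward_secret(name):
    """Ephemeral key exchange (ECDHE/DHE) or a TLS 1.3 suite, which has no _WITH_."""
    if "_WITH_" not in name:
        return True
    kx = name.split("_WITH_")[0] + "_"  # e.g. "TLS_ECDHE_RSA_" or "TLS_ECDH_RSA_"
    return "_ECDHE_" in kx or "_DHE_" in kx


def is_aead(name):
    return "_GCM_" in name or "CHACHA20_POLY1305" in name or "_CCM" in name


def audit_ciphers(attr):
    """Split a comma-separated ciphers value into the classes that matter."""
    suites = [s.strip() for s in attr.split(",") if s.strip()]
    return {
        "total": len(suites),
        "no_forward_secrecy": [s for s in suites if not is_forward_secret(s)],
        "non_aead": [s for s in suites if not is_aead(s)],
        # keep the configured order so the server's preference is preserved
        "recommended": [s for s in suites if is_forward_secret(s) and is_aead(s)],
    }


def hardened_attribute(attr):
    """The ciphers="..." value to paste into the Connector element."""
    return 'ciphers="' + ",".join(audit_ciphers(attr)["recommended"]) + '"'


if __name__ == "__main__":
    report = audit_ciphers(SLIDE_CIPHERS)
    print(f"{report['total']} suites configured, "
          f"{len(report['no_forward_secrecy'])} without forward secrecy, "
          f"{len(report['non_aead'])} non-AEAD (CBC)")
    print(hardened_attribute(SLIDE_CIPHERS))
```

Run it against the slide's list and it keeps the four ECDHE GCM suites; the static-ECDH and CBC suites are listed separately so the removal can be reviewed before it is applied.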
server.xml
Harden the defaults
Remove default applications
'examples', 'docs', 'host-manager' and the content of 'ROOT' under webapps (and 'manager' if it is not used)
Switch off the shutdown port
<Server port="-1" shutdown="SHUTDOWN">
Do not volunteer information (an empty server attribute overrides the default Server response header, Apache-Coyote/1.1 on Tomcat 8.0)
<Connector server=" " port="443" ... />
Prevent malicious (and accidental) deployments: with autoDeploy="false" a WAR dropped into webapps is not started until the next restart
<Host name="localhost" appBase="webapps" unpackWARs="false" autoDeploy="false">
Harden the defaults (2)
Remove unused connectors, e.g. AJP/1.3 (only needed when a front-end web server proxies to Tomcat over AJP)
<!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
Bind connectors to specific network interfaces
<Connector server=" " address="192.64.10.11" port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000" redirectPort="8443" />
Note: do not set secure="true" on a plain HTTP connector. It tells Tomcat the request arrived over a secure channel, so a CONFIDENTIAL transport-guarantee is treated as satisfied without TLS; it belongs only on a plaintext connector that sits behind a TLS-terminating proxy.
Note: repeat the whole connector block for each address, and create matching virtual hosts if multiple subdomains are used.
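The server.xml items above (shutdown port, AJP connector, address binding, Server header, autoDeploy/unpackWARs) are easy to check mechanically. The script below is an added example, not part of the slides or of Tomcat: it parses a server.xml and reports each default the slides say to change. Both documents are constructed for the example: WEAK_SERVER_XML mirrors a stock Tomcat server.xml plus one extra mistake (secure="true" on a plain HTTP connector), HARDENED_SERVER_XML applies the slide settings; the IP address and the keystore password placeholder are illustrative.

```python
"""Audit a Tomcat server.xml for the defaults the slides tell you to harden.

Added example, not from the Uniface slides or from Tomcat. Both XML documents
are constructed for this example.
"""
import xml.etree.ElementTree as ET

WEAK_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" secure="true"
               connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" />
    </Engine>
  </Service>
</Server>
"""

HARDENED_SERVER_XML = """\
<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector server=" " address="192.64.10.11" port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443" />
    <Connector server=" " address="192.64.10.11" port="443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
               keystoreFile="truststore.jks" keystorePass="CHANGE_ME" sslProtocol="TLS" />
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="false" autoDeploy="false" />
    </Engine>
  </Service>
</Server>
"""


def audit_server_xml(xml_text):
    """Return one finding per default that the slides say to change."""
    root = ET.fromstring(xml_text)
    findings = []

    # Shutdown port: anything that can reach it can stop Tomcat.
    if root.get("port") != "-1":
        findings.append(f'shutdown port {root.get("port")} enabled; set port="-1"')

    for c in root.iter("Connector"):  # commented-out connectors are not parsed
        port = c.get("port", "?")
        if c.get("protocol", "").startswith("AJP"):
            findings.append(f"AJP connector on port {port}; remove it if no front-end proxy uses AJP")
        if "address" not in c.attrib:
            findings.append(f"connector on port {port} listens on all interfaces; set address=")
        if "server" not in c.attrib:
            findings.append(f"connector on port {port} sends the default Server header; set server=")
        if c.get("secure") == "true" and c.get("SSLEnabled") != "true":
            findings.append(f'connector on port {port} has secure="true" without TLS; '
                            "CONFIDENTIAL constraints would be satisfied over plaintext")

    # Tomcat defaults both Host attributes to true when they are absent.
    for h in root.iter("Host"):
        for attr in ("autoDeploy", "unpackWARs"):
            if h.get(attr, "true") != "false":
                findings.append(f'Host {h.get("name")} has {attr}="{h.get(attr, "true")}"; set it to "false"')
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(f"--- {label}")
        for f in audit_server_xml(doc) or ["no findings"]:
            print(" ", f)
```

Point it at $CATALINA_BASE/conf/server.xml instead of the embedded samples to audit a real instance; the attribute names checked (server, address, SSLEnabled, autoDeploy, unpackWARs) are the documented, case-sensitive Tomcat names.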
Tomcat web.xml
Harden the defaults (3)
Reduce the default documents
<welcome-file-list>
    <welcome-file>index.htm</welcome-file>
</welcome-file-list>
Force SSL (plain HTTP requests are redirected to the connector's redirectPort)
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected Context</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <!-- auth-constraint goes here if you require authentication -->
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
Reduced information exposure
Define generic pages for 400, 403, 404 and 500 errors and for uncaught exceptions, so that Tomcat's default error report (which names the server version and, for exceptions, prints the stack trace) never reaches the client:
<error-page>
    <error-code>400</error-code>
    <location>/error.htm</location>
</error-page>
<error-page>
    <error-code>404</error-code>
    <location>/error.htm</location>
</error-page>
<error-page>
    <error-code>403</error-code>
    <location>/error.htm</location>
</error-page>
<error-page>
    <error-code>500</error-code>
    <location>/error.htm</location>
</error-page>
<error-page>
    <exception-type>java.lang.Exception</exception-type>
    <location>/error.htm</location>
</error-page>
Context web.xml
Web app instance hardening
Prevent the Uniface middleware from exposing information
<init-param>
    <param-name>TESTABLE</param-name>
    <param-value>false</param-value>
</init-param>
Tomcat timeouts
Session timeout, in minutes (0 or a negative value means sessions never expire):
<session-config>
    <session-timeout>20</session-timeout>
</session-config>
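The web.xml settings from the last three slides (single welcome file, CONFIDENTIAL constraint on /*, generic error pages, TESTABLE=false, a finite session timeout) can be verified the same way before a context is deployed. This is an added example, not part of the slides or of Tomcat. Both descriptors are constructed for it: WEAK_WEB_XML resembles a stock deployment descriptor with a TESTABLE init-param left at true, HARDENED_WEB_XML applies the slide settings; the servlet-name is illustrative and the servlet-class is omitted because the audit does not need it.

```python
"""Audit a web.xml against the slide's hardening items.

Added example, not from the Uniface slides or from Tomcat. Both XML documents
are constructed for this example.
"""
import xml.etree.ElementTree as ET

WEAK_WEB_XML = """\
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>wrd</servlet-name>
    <init-param><param-name>TESTABLE</param-name><param-value>true</param-value></init-param>
  </servlet>
  <session-config><session-timeout>30</session-timeout></session-config>
  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
    <welcome-file>index.htm</welcome-file>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>
</web-app>
"""

HARDENED_WEB_XML = """\
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>wrd</servlet-name>
    <init-param><param-name>TESTABLE</param-name><param-value>false</param-value></init-param>
  </servlet>
  <session-config><session-timeout>20</session-timeout></session-config>
  <welcome-file-list><welcome-file>index.htm</welcome-file></welcome-file-list>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Context</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <error-page><error-code>400</error-code><location>/error.htm</location></error-page>
  <error-page><error-code>403</error-code><location>/error.htm</location></error-page>
  <error-page><error-code>404</error-code><location>/error.htm</location></error-page>
  <error-page><error-code>500</error-code><location>/error.htm</location></error-page>
  <error-page><exception-type>java.lang.Exception</exception-type><location>/error.htm</location></error-page>
</web-app>
"""


def _text(elem, path):
    return (elem.findtext(path) or "").strip()


def audit_web_xml(xml_text):
    """Return one finding per slide item that the descriptor does not satisfy."""
    root = ET.fromstring(xml_text)  # "{*}" matches the element in any namespace, or none
    findings = []

    confidential = False
    for sc in root.findall("{*}security-constraint"):
        patterns = {(p.text or "").strip() for p in sc.findall("{*}web-resource-collection/{*}url-pattern")}
        if "/*" in patterns and _text(sc, "{*}user-data-constraint/{*}transport-guarantee") == "CONFIDENTIAL":
            confidential = True
    if not confidential:
        findings.append("no security-constraint forcing CONFIDENTIAL on /*")

    pages = root.findall("{*}error-page")
    codes = {_text(ep, "{*}error-code") for ep in pages}
    types = {_text(ep, "{*}exception-type") for ep in pages}
    for code in ("400", "403", "404", "500"):
        if code not in codes:
            findings.append(f"no error-page for HTTP {code}; Tomcat's default page names the server version")
    if "java.lang.Exception" not in types:
        findings.append("no error-page for java.lang.Exception; stack traces reach the client")

    welcome = root.findall("{*}welcome-file-list/{*}welcome-file")
    if len(welcome) > 1:
        findings.append(f"{len(welcome)} welcome files listed; reduce to the one page actually served")

    timeout = _text(root, "{*}session-config/{*}session-timeout")
    if not timeout or int(timeout) <= 0:
        findings.append("session-timeout missing or <= 0 (sessions never expire)")

    for ip in root.findall(".//{*}init-param"):
        if _text(ip, "{*}param-name") == "TESTABLE" and _text(ip, "{*}param-value").lower() != "false":
            findings.append("TESTABLE init-param is not false; the Uniface middleware will expose information")
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(f"--- {label}")
        for f in audit_web_xml(doc) or ["no findings"]:
            print(" ", f)
```

The namespace wildcard matters in practice: Tomcat's conf/web.xml and most application descriptors declare the Java EE namespace, and an exact-tag lookup would silently find nothing and report everything as missing.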
context.xml
Context wide hardening
Prevent client-side (JavaScript) access to the session cookie; the attribute name is case-sensitive
<Context useHttpOnly="true">
Stop automatic reload of the context when these files change (comment out the WatchedResource entries)
<!--
<WatchedResource>WEB-INF/web.xml</WatchedResource>
<WatchedResource>${catalina.base}/conf/web.xml</WatchedResource>
-->
Rewrite valve
URL rewriting
Hide actual URLs and hinder direct access
Add the Tomcat rewrite valve (org.apache.catalina.valves.rewrite.RewriteValve, available from Tomcat 8) to context.xml and put the rules in WEB-INF/rewrite.config
Note: these rules hide URLs, nothing more. The Referer header is supplied by the client and is trivially forged (curl -H "Referer: ..."), so the referer conditions below hinder casual direct access but are not access control; protect the dispatcher URLs with an auth-constraint or in the application itself.
Rewrite rule examples:
RewriteCond %{REQUEST_URI} ^/talk$
RewriteRule ^/talk$ /messenger/wrd/main [L]
RewriteCond %{HTTP_REFERER} !(.*)/talk(.*)$
RewriteCond %{HTTP_REFERER} !(.*)/messenger(.*)$
RewriteRule ^(.*)$ /error.htm [L]
RewriteCond %{REQUEST_URI} ^/(css|common|img|dspjs|bootstrap-3.3.7-dist|index.htm|error.htm)(.*)$
RewriteRule ^(.*)$ /messenger$1 [L]
RewriteCond %{HTTP_REFERER} (.*)/talk(.*)$
RewriteCond %{REQUEST_URI} ^/(.*)$
RewriteRule ^(.*)$ /messenger/wrd$1 [L]
RewriteCond %{HTTP_REFERER} (.*)/messenger(.*)$
RewriteCond %{REQUEST_URI} ^/(.*)$
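To see what the rules above actually let through, the script below replays them against a few sample requests. It is an added example, not part of the slides or of Tomcat: a deliberately small evaluator that supports only what the slide's rules use (RewriteCond on %{REQUEST_URI} and %{HTTP_REFERER}, "!" negation, RewriteRule with $N back-references and the [L] flag). Patterns are applied with fullmatch; every pattern on the slide is anchored, so this agrees with a search. The slide's fifth block has no RewriteRule and is left out, and the host names in the sample Referer values are made up.

```python
"""Replay the slide's rewrite rules against sample requests.

Added example, not from the Uniface slides or from Tomcat. RULES is the rule
text from the slide (first four blocks); the requests are constructed.
"""
import re

RULES = """
RewriteCond %{REQUEST_URI} ^/talk$
RewriteRule ^/talk$ /messenger/wrd/main [L]

RewriteCond %{HTTP_REFERER} !(.*)/talk(.*)$
RewriteCond %{HTTP_REFERER} !(.*)/messenger(.*)$
RewriteRule ^(.*)$ /error.htm [L]

RewriteCond %{REQUEST_URI} ^/(css|common|img|dspjs|bootstrap-3.3.7-dist|index.htm|error.htm)(.*)$
RewriteRule ^(.*)$ /messenger$1 [L]

RewriteCond %{HTTP_REFERER} (.*)/talk(.*)$
RewriteCond %{REQUEST_URI} ^/(.*)$
RewriteRule ^(.*)$ /messenger/wrd$1 [L]
"""


def parse_rules(text):
    """Group each RewriteRule with the RewriteCond lines that precede it."""
    blocks, conds = [], []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "RewriteCond":
            conds.append((parts[1].strip("%{}"), parts[2]))  # ("HTTP_REFERER", "!(.*)/talk(.*)$")
        elif parts[0] == "RewriteRule":
            flags = parts[3].strip("[]").split(",") if len(parts) > 3 else []
            blocks.append((conds, parts[1], parts[2], flags))
            conds = []
    return blocks


BLOCKS = parse_rules(RULES)


def _cond_holds(var, pattern, request):
    negate = pattern.startswith("!")
    matched = re.fullmatch(pattern.lstrip("!"), request.get(var, "")) is not None
    return matched != negate


def rewrite(uri, referer=""):
    """Return the internal URI the request is dispatched to."""
    request = {"REQUEST_URI": uri, "HTTP_REFERER": referer}
    for conds, pattern, target, flags in BLOCKS:
        if not all(_cond_holds(v, p, request) for v, p in conds):
            continue
        m = re.fullmatch(pattern, uri)
        if m is None:
            continue
        # substitute $1, $2, ... from the rule's own match
        uri = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), target)
        request["REQUEST_URI"] = uri
        if "L" in flags:  # [L]: stop processing further rules
            break
    return uri


if __name__ == "__main__":
    for req in [("/talk", ""),
                ("/css/app.css", "https://app.example/talk"),
                ("/main", ""),
                ("/main", "https://attacker.example/talk")]:
        print(f"{req[0]:<14} Referer={req[1] or '-':<30} -> {rewrite(*req)}")
```

The last two requests make the caveat concrete: a direct request for /main with no Referer lands on /error.htm, while the same request with a forged Referer ending in /talk is dispatched to /messenger/wrd/main exactly as if it had come from the application's own page.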
Other considerations
Uniface Application Errors
Application errors (i.e. yellow error screens)
You can replace USYSHTTPBODY with the same HTML that is used in the index and error pages referred to in the previous sections.
Uniface WRD errors
Infrastructure/configuration errors (i.e. red error screens)
Templates are in error_{locale} below WEB-INF.
Practical Examples
Resources
Tomcat Security Documentation
https://tomcat.apache.org/tomcat-8.0-doc/security-howto.html
Open Web Application Security Project (OWASP)
https://www.owasp.org/
SSL Server Test
https://www.ssllabs.com/ssltest/index.html
Summary
Coach, train, mentor team
Continual monitoring and improvement are essential
A few simple steps greatly improve security
Server hardening is just one step along the path to security
Do not assume higher (or lower) layers provide adequate security
A 100% secure system is practically impossible
A 100% secure system would be unusable!
Thank You
& Questions