Uniface Lectures Webinar - Application & Infrastructure Security - Hardening Tomcat
Transcript of Uniface Lectures Webinar - Application & Infrastructure Security - Hardening Tomcat
Application & Infrastructure Security
Hardening Tomcat
Jason Huggins
Director, Global Delivery

Agenda
Introduction
Tomcat hardening
Closing remarks

So, why are we here?

Security
CIA triad
Risk Avoidance vs Risk Management
Cost
Impact
Recovery
Usability
Acceptance

“I don’t need to worry…”
…it’s an internal application
…our team would never
…we’ve never had an attack
…we’re not that interesting to hackers
…our data is public record
…I’m not doing web, I’m okay
…my password is strong
…it is too complicated

“…everyone needs to worry”
Accidental hacker
Cyber criminals
Not just a privacy issue
Increasingly connected, integrated and exposed
Desktop, web, mobile, {x} as a service
Developers must be aware

Only as strong as…
the weakest link

These alone are not the solution
Firewall
Antivirus
The “IT infrastructure” guy
Automatic updates

Not just applicable to web applications
Uniface Web Application Server (WASV): Desktop, API, Mobile, Web
HTTP, HTTPS, SOAP, REST
Web: USP, DSP
Desktop: HTML container
Mobile: Hybrid, Web
API: SOAP, REST, UHTTP

Tomcat Hardening

What is hardening?
Enhancing the security
Closing loopholes
Turning off developer/debug options
Removing non-essential objects
Not volunteering information
Patching
A ‘process’ not just an ‘event’

Technical Architecture
Desktop, API, Mobile, Web
Uniface Virtual Machine
Server - Tomcat
  Service/Engine - Catalina
    Host
      Context
        Servlet - WRD*
        Servlet - SRD*
Port (8009) <> Connector (AJP) <> Valve
Port (443) <> Connector (HTTPS) <> Valve
Port (80) <> Connector (HTTP) <> Valve
UVM Connector
* WRD: Web Request Dispatcher, SRD: SOAP Request Dispatcher

SSL

SSL
Asymmetric Encryption
Public & Private Keys
Transport Layer Security (TLS)
Secure Sockets Layer (SSL)

Tomcat – Add Certificates / Keys
Create a key store:
keytool -genkey -alias foo -keystore truststore.jks
keytool -delete -alias foo -keystore truststore.jks
Add CA cert:
keytool -import -alias root -keystore truststore.jks -trustcacerts -file CA.cer
Add PKCS12 SSL key pair:
keytool -importkeystore -destkeystore truststore.jks -srckeystore tomcat.p12 -srcstoretype PKCS12
Note: The certificate key and keystore passwords need to match

Tomcat – Configure SSL connector
server.xml – Uncomment the SSL connector
Add keystoreFile and keystorePass attributes
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
           keystoreFile="truststore.jks" keystorePass="letmein" sslProtocol="TLS" />
Set the recommended SSL ciphers
ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA"

server.xml

Harden the defaults
Remove default applications
‘Examples’, ‘docs’, ‘host-manager’, content of ‘root’
Switch off the shutdown port
<Server port="-1" shutdown="SHUTDOWN">
Do not volunteer information
<Connector Server=" " port="443" ... />
Prevent malicious deployments
<Host name="localhost" appBase="webapps"
      unpackWARs="false" autoDeploy="false">

Harden the defaults (2)
Remove unused connectors, e.g. the AJP/1.3 connector
<!-- <Connector port="8009" protocol="AJP/1.3"
                redirectPort="8443" /> -->
Bind connectors to specific network cards
<Connector Secure="true" Server=" " address="192.64.10.11"
           port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
           redirectPort="8443" />
Note: repeat the whole connector block for each address and
create matching virtual hosts if multiple subdomains are used.
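The server.xml items from the SSL connector slide and the two "Harden the defaults" slides (shutdown port, Server header, address binding, AJP connector, keystore and ciphers, unpackWARs/autoDeploy) are easy to regress on the next upgrade, so here is an added Python checker that reads a server.xml and reports which of those items still fail. It is example code written for this transcript, not part of the webinar or of Tomcat; the embedded server.xml is constructed to look like a fresh install.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml excerpt that still carries Tomcat's shipped defaults
# (not taken from the deck or any real deployment).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
               keystoreFile="truststore.jks" keystorePass="letmein"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"/>
    </Engine>
  </Service>
</Server>"""


def audit_server_xml(xml_text):
    """Check a server.xml against the deck's checklist and return the failed items."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.get("port") != "-1":
        findings.append('Server: shutdown port is open; set port="-1"')
    for c in root.iter("Connector"):
        tag = "Connector " + c.get("port", "?")
        if c.get("protocol", "HTTP/1.1").startswith("AJP"):
            findings.append(tag + ": AJP connector present; remove it if unused")
            continue  # a commented-out connector never reaches the parser
        # The deck blanks the Server header with Server=" " so Tomcat does
        # not volunteer its identity; either attribute spelling counts here.
        if c.get("server") is None and c.get("Server") is None:
            findings.append(tag + ": Server header not overridden")
        if c.get("address") is None:
            findings.append(tag + ": not bound to a specific address")
        if c.get("SSLEnabled", "false").lower() == "true":
            if c.get("keystoreFile") is None:
                findings.append(tag + ": SSL enabled without keystoreFile")
            if c.get("ciphers") is None:
                findings.append(tag + ": no explicit ciphers list, JVM defaults apply")
    for h in root.iter("Host"):
        for attr in ("unpackWARs", "autoDeploy"):
            if h.get(attr, "true").lower() != "false":
                findings.append(f"Host {h.get('name')}: {attr} should be false")
    return findings


if __name__ == "__main__":
    for finding in audit_server_xml(SAMPLE_SERVER_XML):
        print("FAIL", finding)
```

Run it against the real $CATALINA_BASE/conf/server.xml after each patch or redeploy; an empty result means every item on the slides is still in place.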

Tomcat web.xml

Harden the defaults (3)
Reduce the default documents
<welcome-file-list>
  <welcome-file>index.htm</welcome-file>
</welcome-file-list>
Force SSL
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Context</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <!-- auth-constraint goes here if you require authentication -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

Reduced information exposure
Define generic pages for 400, 404, 403 and 500 errors:
<error-page>
  <error-code>400</error-code>
  <location>/error.htm</location>
</error-page>
<error-page>
  <error-code>404</error-code>
  <location>/error.htm</location>
</error-page>
<error-page>
  <error-code>403</error-code>
  <location>/error.htm</location>
</error-page>
<error-page>
  <error-code>500</error-code>
  <location>/error.htm</location>
</error-page>
<error-page>
  <exception-type>java.lang.Exception</exception-type>
  <location>/error.htm</location>
</error-page>

Context web.xml

Web app instance hardening
Prevent the Uniface middleware from exposing information
<init-param>
  <param-name>TESTABLE</param-name>
  <param-value>false</param-value>
</init-param>
Tomcat timeouts
<session-config>
  <session-timeout>20</session-timeout>
</session-config>

context.xml

Context wide hardening
Prevent client side access to cookies
<Context useHttpOnly="true">
Stop automatic reload/update of files
<!--
<WatchedResource>WEB-INF/web.xml</WatchedResource>
<WatchedResource>${catalina.base}/conf/web.xml</WatchedResource>
-->

filters: rewrite

URL rewriting
Hide actual URLs and hinder direct access
Add the Tomcat rewrite filter and rules
Rewrite rule examples:
RewriteCond %{REQUEST_URI} ^/talk$
RewriteRule ^/talk$ /messenger/wrd/main [L]
RewriteCond %{HTTP_REFERER} !(.*)/talk(.*)$
RewriteCond %{HTTP_REFERER} !(.*)/messenger(.*)$
RewriteRule ^(.*)$ /error.htm [L]
RewriteCond %{REQUEST_URI} ^/(css|common|img|dspjs|bootstrap-3.3.7-dist|index.htm|error.htm)(.*)$
RewriteRule ^(.*)$ /messenger$1 [L]
RewriteCond %{HTTP_REFERER} (.*)/talk(.*)$
RewriteCond %{REQUEST_URI} ^/(.*)$
RewriteRule ^(.*)$ /messenger/wrd$1 [L]
RewriteCond %{HTTP_REFERER} (.*)/messenger(.*)$
RewriteCond %{REQUEST_URI} ^/(.*)$
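To see what the rules above actually do to a request, here is an added Python model that replays the complete rules from the slide against constructed request URIs and Referer values. It is example code written for this transcript, not Tomcat's RewriteValve and not from the webinar; it assumes Tomcat's rewrite semantics (all RewriteCond lines of a rule must hold, patterns are whole-string regexes, a missing Referer reads as an empty string, and [L] stops at the first match).

```python
import re

# Rules transcribed from the slide; the slide's final, incomplete rule is left
# out. Each entry: list of (variable, pattern, negated) conditions, then the
# RewriteRule pattern and its substitution. Every slide rule carries [L].
RULES = [
    ([("REQUEST_URI", r"^/talk$", False)], r"^/talk$", "/messenger/wrd/main"),
    ([("HTTP_REFERER", r"(.*)/talk(.*)$", True),
      ("HTTP_REFERER", r"(.*)/messenger(.*)$", True)], r"^(.*)$", "/error.htm"),
    ([("REQUEST_URI",
       r"^/(css|common|img|dspjs|bootstrap-3.3.7-dist|index.htm|error.htm)(.*)$",
       False)], r"^(.*)$", "/messenger$1"),
    ([("HTTP_REFERER", r"(.*)/talk(.*)$", False),
      ("REQUEST_URI", r"^/(.*)$", False)], r"^(.*)$", "/messenger/wrd$1"),
]


def rewrite(uri, referer=""):
    """Return the path a request is rewritten to under RULES.

    Simplified model of Tomcat's rewrite processing (an assumption, not the
    valve's own code): conditions are ANDed, patterns must match the whole
    string, an absent Referer header is "", and the first matching rule wins."""
    env = {"REQUEST_URI": uri, "HTTP_REFERER": referer}
    for conds, pattern, subst in RULES:
        if all(bool(re.fullmatch(p, env[var])) != negated for var, p, negated in conds):
            match = re.fullmatch(pattern, uri)
            if match:
                # Tomcat's $1 back-references map onto Python's \1 in expand().
                return match.expand(subst.replace("$", "\\"))
    return uri  # no rule matched: the request passes through unchanged


if __name__ == "__main__":
    for uri, ref in (("/talk", ""), ("/messenger/wrd/main", ""),
                     ("/css/site.css", "https://app.example/talk")):
        print(f"{uri!r} with referer {ref!r} -> {rewrite(uri, ref)}")
```

The second rule sends any request whose Referer names neither /talk nor /messenger to /error.htm, so with this ordering a direct request for /index.htm or a stylesheet lands there too; since the Referer is supplied by the client, these rules hide the real paths but are not an access control and still need the authentication constraint from the web.xml slide.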

Other considerations

Uniface Application Errors
Application errors (i.e. Yellow Error Screens)
You can replace USYSHTTPBODY with the same HTML that is used in the index and error pages referred to in previous sections.

Uniface WRD errors
Infrastructure/configuration errors (i.e. Red Error Screens)
The templates live in error_{locale} below WEB-INF.

Practical Examples

Resources
Tomcat Security Documentation: https://tomcat.apache.org/tomcat-8.0-doc/security-howto.html
Open Web Application Security Project (OWASP): https://www.owasp.org/
SSL Server Test: https://www.ssllabs.com/ssltest/index.html

Summary
Coach, train, mentor team
Continual monitoring and improvement are essential
A few simple steps greatly improve security
Server hardening is just one step along the path to security
Do not assume higher (or lower) layers provide adequate security
A 100% secure system is practically impossible
A 100% secure system would be unusable!

Thank You & Questions