Uniface Lectures Webinar
Application & Infrastructure Security: Hardening Tomcat
Jason Huggins
Director, Global Delivery
Agenda
Introduction
Tomcat hardening
Closing remarks
So, why are we here?
Security
CIA triad
Risk Avoidance vs Risk Management
Cost
Impact
Recovery
Usability
Acceptance
“I don’t need to worry…”
…it’s an internal application
…our team would never
…we’ve never had an attack
…we’re not that interesting to hackers
…our data is public record
…I’m not doing web, I’m okay
…my password is strong
…it is too complicated
“…everyone needs to worry”
Accidental hacker
Cyber criminals
Not just a privacy issue
Increasingly connected, integrated and exposed
Desktop, web, mobile, {x} as a service
Developers must be aware
Only as strong as…
the weakest link
These alone are not the solution
Firewall
Antivirus
The “IT infrastructure” guy
Automatic updates
Not just applicable to web applications
The Uniface Web Application Server (WASV) serves Desktop, API, Mobile and Web clients over HTTP, HTTPS, SOAP and REST:
Web: USP, DSP
Desktop: HTML container
Mobile: Hybrid, Web
API: SOAP, REST, UHTTP
Tomcat Hardening
What is hardening?
Enhancing the security
Closing loopholes
Turning off developer/debug options
Removing non-essential objects
Not volunteering information
Patching
A ‘process’ not just an ‘event’
Technical Architecture
Clients: Desktop, API, Mobile, Web
Port (80) <> Connector (HTTP) <> Valve
Port (443) <> Connector (HTTPS) <> Valve
Port (8009) <> Connector (AJP) <> Valve
Server - Tomcat -> Service -> Engine - Catalina -> Host -> Context
Context -> Servlet - WRDServlet - WRD* and Servlet - WRDServlet - SRD*
Servlets -> UVM Connector -> Uniface Virtual Machine
* WRD: Web Request Dispatcher, SRD: SOAP Request Dispatcher
SSL
Asymmetric encryption: public & private keys
Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL)
Tomcat – Add Certificates / Keys
Create a key store (generating a throwaway entry creates the file; deleting it again leaves an empty store)
keytool -genkey -alias foo -keystore truststore.jks
keytool -delete -alias foo -keystore truststore.jks
Add the CA certificate
keytool -import -alias root -keystore truststore.jks -trustcacerts -file CA.cer
Add the PKCS12 SSL key pair
keytool -importkeystore -destkeystore truststore.jks -srckeystore tomcat.p12 -srcstoretype PKCS12
Note: the certificate key password and the keystore password need to match
Tomcat – Configure SSL connector
server.xml – Uncomment the SSL connector
Add the keystoreFile and keystorePass attributes (the password sits in clear text in server.xml, so restrict read access to that file)
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
keystoreFile="truststore.jks" keystorePass="letmein" sslProtocol="TLS" />
Set the recommended SSL ciphers as one comma-separated ciphers attribute on the same connector (GCM suites first; Tomcat only enforces this order as the server's preference when useServerCipherSuitesOrder="true" is also set):
ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA"
server.xml
Harden the defaults
Remove default applications
‘examples’, ‘docs’, ‘host-manager’, contents of ‘ROOT’
Switch off the shutdown port
<Server port="-1" shutdown="SHUTDOWN">
Do not volunteer information (blank the Server response header)
<Connector Server=" " port="443" … />
Prevent malicious deployments
<Host name="localhost" appBase="webapps"
unpackWARs="false" autoDeploy="false">
Harden the defaults (2)
Remove unused connectors, e.g. AJP/1.3
<!--Connector port="8009" protocol="AJP/1.3"
redirectPort="8443" / -->
Bind connectors to specific network interfaces
<Connector Secure="true" Server=" " address="192.64.10.11"
port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
redirectPort="8443" />
Note: repeat the whole connector block for each address, and create matching virtual hosts if multiple subdomains are used.
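To check a server.xml against the three server.xml slides above, here is an added Python audit (example code, not from the deck or from Uniface): it reports a live shutdown port, an active AJP connector, connectors without a blanked Server header or a bound address, HTTPS connectors whose ciphers fall outside the deck's ECDH(E) list, and hosts that still auto-deploy. The two embedded server.xml samples are constructed; the 192.64.10.11 address and the attribute spellings are the deck's own.

```python
"""Audit a Tomcat server.xml for the settings the server.xml slides harden (added example)."""
import xml.etree.ElementTree as ET

# Every suite on the deck's recommended cipher list is ECDH(E)-based; anything else is reported.
RECOMMENDED_CIPHER_PREFIXES = ("TLS_ECDHE_", "TLS_ECDH_")

# Constructed sample modelled on a stock Tomcat 8 server.xml (not taken from a real deployment).
DEFAULT_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" />
    </Engine>
  </Service>
</Server>
"""

# Constructed sample applying the deck's changes (shutdown port off, AJP commented out,
# Server header blanked, connectors bound to one address, ECDHE-only ciphers, no auto-deploy).
HARDENED_SERVER_XML = """
<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector Server=" " address="192.64.10.11" port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="443" />
    <!--Connector port="8009" protocol="AJP/1.3" redirectPort="8443" / -->
    <Connector Server=" " address="192.64.10.11" port="443"
               protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false" keystoreFile="truststore.jks"
               keystorePass="letmein" sslProtocol="TLS"
               ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="false" autoDeploy="false" />
    </Engine>
  </Service>
</Server>
"""


def _attr(elem, name, default=None):
    """Case-insensitive attribute lookup: the deck writes Server/server and Secure/secure."""
    for key, value in elem.attrib.items():
        if key.lower() == name.lower():
            return value
    return default


def audit_server_xml(xml_text):
    """Return a list of findings; an empty list means every slide check passed."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "Server":
        raise ValueError("not a Tomcat server.xml, root element is %r" % root.tag)

    # Slide 19: disable the shutdown port by setting port="-1".
    if _attr(root, "port") != "-1":
        findings.append('shutdown port enabled (port=%s); set port="-1"' % _attr(root, "port"))

    for conn in root.iter("Connector"):
        port = _attr(conn, "port", "?")
        # Slide 20: an AJP/1.3 connector that is not commented out is still listening.
        if _attr(conn, "protocol", "HTTP/1.1").upper().startswith("AJP"):
            findings.append("AJP connector active on port %s; remove it if unused" % port)
            continue
        # Slide 19: blank the Server header so the response does not volunteer the Tomcat version.
        if _attr(conn, "server") is None:
            findings.append('connector on port %s sends the default Server header; set Server=" "' % port)
        # Slide 20: bind each connector to a specific address instead of every interface.
        if _attr(conn, "address") is None:
            findings.append("connector on port %s listens on all interfaces; set address=..." % port)
        # Slide 17: HTTPS connectors get an explicit cipher list drawn from the recommended set.
        if _attr(conn, "SSLEnabled", "false").lower() == "true":
            ciphers = [c.strip() for c in _attr(conn, "ciphers", "").split(",") if c.strip()]
            if not ciphers:
                findings.append("HTTPS connector on port %s relies on the JVM default cipher list" % port)
            for suite in ciphers:
                if not suite.startswith(RECOMMENDED_CIPHER_PREFIXES):
                    findings.append("HTTPS connector on port %s allows non-ECDH suite %s" % (port, suite))

    # Slide 19: stop Tomcat deploying and unpacking whatever lands in appBase.
    for host in root.iter("Host"):
        for flag in ("autoDeploy", "unpackWARs"):
            if _attr(host, flag, "true").lower() != "false":
                findings.append('Host %s has %s on; set %s="false"' % (_attr(host, "name", "?"), flag, flag))
    return findings


if __name__ == "__main__":
    for label, xml_text in (("default", DEFAULT_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        results = audit_server_xml(xml_text)
        print("%s: %d finding(s)" % (label, len(results)))
        for finding in results:
            print("  -", finding)
```

ElementTree discards XML comments, so a connector that has been commented out as on the slide disappears from the audit, which is exactly the intended result.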
Tomcat web.xml
Harden the defaults (3)
Reduce the default documents
<welcome-file-list>
<welcome-file>index.htm</welcome-file>
</welcome-file-list>
Force SSL (every request in the context is redirected to the connector's redirectPort)
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Context</web-resource-name><url-pattern>/*</url-pattern>
</web-resource-collection>
<!-- auth-constraint goes here if you require authentication -->
<user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
Reduced information exposure
Define generic pages for 400, 403, 404 and 500 errors and for uncaught exceptions, so stack traces and version banners never reach the client:
<error-page>
<error-code>400</error-code> <location>/error.htm</location>
</error-page>
<error-page>
<error-code>404</error-code> <location>/error.htm</location>
</error-page>
<error-page>
<error-code>403</error-code> <location>/error.htm</location>
</error-page>
<error-page>
<error-code>500</error-code> <location>/error.htm</location>
</error-page>
<error-page>
<exception-type>java.lang.Exception</exception-type> <location>/error.htm</location>
</error-page>
Context web.xml
Web app instance hardening
Prevent the Uniface middleware from exposing information
<init-param>
<param-name>TESTABLE</param-name>
<param-value>false</param-value>
</init-param>
Tomcat session timeout (value in minutes)
<session-config>
<session-timeout>20</session-timeout>
</session-config>
context.xml
Context wide hardening
Prevent client side access to cookies (the attribute is useHttpOnly; it defaults to true since Tomcat 7, but set it explicitly)
<Context useHttpOnly="true">
Stop automatic reload/update of files
<!--
<WatchedResource>WEB-INF/web.xml</WatchedResource>
<WatchedResource>${catalina.base}/conf/web.xml</WatchedResource>
-->
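An added Python check (example code, not from the deck or from Uniface) covering the web.xml slides and the context.xml slide above: it flags a web.xml that lacks the CONFIDENTIAL constraint over /*, any of the five error-page mappings, a bounded session-timeout or TESTABLE=false, and a context.xml that leaves WatchedResource entries active or does not set useHttpOnly. The embedded web.xml and context.xml samples are constructed, and com.example.WRDServlet is a placeholder class name.

```python
"""Audit a web.xml and a context.xml for the web.xml/context.xml slide settings (added example)."""
import xml.etree.ElementTree as ET

REQUIRED_ERROR_CODES = ("400", "403", "404", "500")
MAX_SESSION_TIMEOUT_MINUTES = 20  # the deck's session-timeout value

# Constructed sample with Tomcat-like defaults: no forced HTTPS, no error pages,
# 30 minute sessions and TESTABLE left unset. The servlet class is a placeholder.
DEFAULT_WEB_XML = """
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet><servlet-name>wrd</servlet-name><servlet-class>com.example.WRDServlet</servlet-class></servlet>
  <session-config><session-timeout>30</session-timeout></session-config>
</web-app>
"""

# Constructed sample applying the deck's web.xml changes.
HARDENED_WEB_XML = """
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>wrd</servlet-name><servlet-class>com.example.WRDServlet</servlet-class>
    <init-param><param-name>TESTABLE</param-name><param-value>false</param-value></init-param>
  </servlet>
  <session-config><session-timeout>20</session-timeout></session-config>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Context</web-resource-name><url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <error-page><error-code>400</error-code><location>/error.htm</location></error-page>
  <error-page><error-code>403</error-code><location>/error.htm</location></error-page>
  <error-page><error-code>404</error-code><location>/error.htm</location></error-page>
  <error-page><error-code>500</error-code><location>/error.htm</location></error-page>
  <error-page><exception-type>java.lang.Exception</exception-type><location>/error.htm</location></error-page>
</web-app>
"""

# Constructed context.xml samples: the stock watched resources versus the slide's hardened form.
DEFAULT_CONTEXT_XML = """
<Context>
  <WatchedResource>WEB-INF/web.xml</WatchedResource>
  <WatchedResource>${catalina.base}/conf/web.xml</WatchedResource>
</Context>
"""
HARDENED_CONTEXT_XML = '<Context useHttpOnly="true"></Context>'


def _local(tag):
    """Strip the namespace, e.g. {http://xmlns.jcp.org/xml/ns/javaee}error-page -> error-page."""
    return tag.rsplit("}", 1)[-1]

def _iter(elem, name):
    """All elements in elem's subtree whose local tag name is `name`."""
    return [e for e in elem.iter() if _local(e.tag) == name]

def _texts(elem, name):
    """Set of stripped text values of every `name` element in the subtree."""
    return {(e.text or "").strip() for e in _iter(elem, name)}


def audit_web_xml(xml_text):
    """Return findings for a web.xml; an empty list means all slide checks passed."""
    findings = []
    root = ET.fromstring(xml_text)
    # Slide 22: a CONFIDENTIAL transport guarantee over /* forces HTTPS for the whole context.
    forced = any("/*" in _texts(sc, "url-pattern") and "CONFIDENTIAL" in _texts(sc, "transport-guarantee")
                 for sc in _iter(root, "security-constraint"))
    if not forced:
        findings.append("no security-constraint with url-pattern /* and transport-guarantee CONFIDENTIAL")
    # Slide 23: generic error pages keep stack traces and server banners off the wire.
    codes = _texts(root, "error-code")
    for code in REQUIRED_ERROR_CODES:
        if code not in codes:
            findings.append("no error-page mapped for HTTP %s" % code)
    if "java.lang.Exception" not in _texts(root, "exception-type"):
        findings.append("no error-page mapped for java.lang.Exception")
    # Slide 25: bound the session lifetime and switch the Uniface TESTABLE option off.
    timeouts = _texts(root, "session-timeout")
    timeout = int(next(iter(timeouts))) if timeouts else None
    if timeout is None or not 0 < timeout <= MAX_SESSION_TIMEOUT_MINUTES:
        findings.append("session-timeout is %s; expected 1..%d minutes" % (timeout, MAX_SESSION_TIMEOUT_MINUTES))
    testable = None
    for param in _iter(root, "init-param"):
        if "TESTABLE" in _texts(param, "param-name"):
            testable = next(iter(_texts(param, "param-value")), None)
    if testable != "false":
        findings.append("init-param TESTABLE is %s; set it to false" % testable)
    return findings


def audit_context_xml(xml_text):
    """Return findings for a context.xml (the context-wide hardening slide)."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.attrib.get("useHttpOnly", "").lower() != "true":
        findings.append('Context does not set useHttpOnly="true" explicitly')
    # ElementTree drops comments, so commented-out WatchedResource entries are ignored as intended.
    for resource in _iter(root, "WatchedResource"):
        findings.append("WatchedResource %s triggers automatic reloads; comment it out" % resource.text)
    return findings
```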
filters: rewrite
URL rewriting
Hide actual URLs and hinder direct access
Add the Tomcat rewrite filter and its rules
Rewrite rule examples:
RewriteCond %{REQUEST_URI} ^/talk$
RewriteRule ^/talk$ /messenger/wrd/main [L]
RewriteCond %{HTTP_REFERER} !(.*)/talk(.*)$
RewriteCond %{HTTP_REFERER} !(.*)/messenger(.*)$
RewriteRule ^(.*)$ /error.htm [L]
RewriteCond %{REQUEST_URI} ^/(css|common|img|dspjs|bootstrap-3.3.7-dist|index.htm|error.htm)(.*)$
RewriteRule ^(.*)$ /messenger$1 [L]
RewriteCond %{HTTP_REFERER} (.*)/talk(.*)$
RewriteCond %{REQUEST_URI} ^/(.*)$
RewriteRule ^(.*)$ /messenger/wrd$1 [L]
RewriteCond %{HTTP_REFERER} (.*)/messenger(.*)$
RewriteCond %{REQUEST_URI} ^/(.*)$
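The rewrite chain above, emulated in Python as an added example (not the project's rewrite configuration and not Tomcat's own rewrite engine) so the effect of rule order and the [L] flag can be traced for a few requests: rules 1 to 4 are copied from the slide, the final referer pair, which has no RewriteRule line on the slide, is left out rather than guessed, and the app.example host in the sample referers is made up.

```python
"""Emulate the rewrite chain on the slide to see where each request ends up (added example)."""
import re

# Rules 1-4 from the slide, verbatim. The slide's fifth rule (the /messenger referer pair) has no
# RewriteRule line, so it is left out rather than guessed.
RULES_TEXT = """
RewriteCond %{REQUEST_URI} ^/talk$
RewriteRule ^/talk$ /messenger/wrd/main [L]
RewriteCond %{HTTP_REFERER} !(.*)/talk(.*)$
RewriteCond %{HTTP_REFERER} !(.*)/messenger(.*)$
RewriteRule ^(.*)$ /error.htm [L]
RewriteCond %{REQUEST_URI} ^/(css|common|img|dspjs|bootstrap-3.3.7-dist|index.htm|error.htm)(.*)$
RewriteRule ^(.*)$ /messenger$1 [L]
RewriteCond %{HTTP_REFERER} (.*)/talk(.*)$
RewriteCond %{REQUEST_URI} ^/(.*)$
RewriteRule ^(.*)$ /messenger/wrd$1 [L]
"""


def parse_rules(text):
    """Group every RewriteRule with the RewriteCond lines that precede it."""
    rules, pending = [], []
    for line in text.strip().splitlines():
        parts = line.split()
        if parts[0] == "RewriteCond":
            negate = parts[2].startswith("!")
            pending.append((parts[1].strip("%{}"), re.compile(parts[2].lstrip("!")), negate))
        elif parts[0] == "RewriteRule":
            flags = parts[3].strip("[]").split(",") if len(parts) > 3 else []
            rules.append({"conds": pending, "pattern": re.compile(parts[1]),
                          "subst": parts[2], "last": "L" in flags})
            pending = []
    return rules


def apply_rules(rules, request_uri, referer=""):
    """mod_rewrite order: the rule pattern is tried first, then its conditions, then [L] stops."""
    # %{REQUEST_URI} is the path as requested; the rule pattern runs against the current URI.
    env = {"REQUEST_URI": request_uri, "HTTP_REFERER": referer}
    uri = request_uri
    for rule in rules:
        match = rule["pattern"].match(uri)
        if not match:
            continue
        # A '!' condition passes when the (unanchored) search finds nothing; all conds must hold.
        if not all(bool(cond.search(env[var])) != negate for var, cond, negate in rule["conds"]):
            continue
        # $N refers to the capture groups of this rule's own pattern.
        uri = re.sub(r"\$(\d)", lambda g: match.group(int(g.group(1))) or "", rule["subst"])
        if rule["last"]:
            break
    return uri


RULES = parse_rules(RULES_TEXT)

if __name__ == "__main__":
    samples = (("/talk", ""), ("/messenger/wrd/main", ""),
               ("/css/site.css", "https://app.example/talk"),
               ("/foo", "https://app.example/talk"),
               ("/foo", "https://app.example/messenger/wrd/main"))
    for uri, ref in samples:
        print("%-22s referer=%-42s -> %s" % (uri, ref or "(none)", apply_rules(RULES, uri, ref)))
```

Because the Referer header is supplied by the client, these rules hinder direct access, as the slide says, but do not authenticate it; the CONFIDENTIAL constraint and the application's own checks still carry that job.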
Other considerations
Uniface Application Errors
Application errors (i.e. yellow error screens)
You can replace USYSHTTPBODY with the same HTML that is used in the index and error pages referred to in the previous sections.
Uniface WRD errors
Infrastructure/configuration errors (i.e. red error screens)
Templates live in error_{locale} below WEB-INF.
Practical Examples
Resources
Tomcat Security Documentation
https://tomcat.apache.org/tomcat-8.0-doc/security-howto.html
Open Web Application Security Project (OWASP)
https://www.owasp.org/
SSL Server Test
https://www.ssllabs.com/ssltest/index.html
Summary
Coach, train, mentor team
Continual monitoring and improvement are essential
A few simple steps greatly improve security
Server hardening is just one step along the path to security
Do not assume higher (or lower) layers provide adequate security
A 100% secure system is practically impossible
A 100% secure system would be unusable!
Thank You & Questions