This section depicts potential security weaknesses in the current release of the product and recommendations as to how to extend and harden security outside the product’s default configuration. It includes the following:
The configuration password is used to protect sensitive configuration information but the installation program does not enforce any password policy for this password; be sure that this password follows some strict guidelines choose a complex password that is not easily guessed and follow standard policy guidelines for strong passwords.
For example, it should be at least eight characters long, include upper case letters, lower case letters, and non-alphanumeric characters. It should not include your name, initials, or dates.
To access the Directory Server where the product’s configuration directory resides, your credentials must be in the Configuration Administrators group. However, if you need to create credentials other than admin for any reason, consider the following:
The installation program requires you to provide credentials for a user stored in the Console administrative subtree. However, the Core installation program will not expand users other than admin into “uid=admin,ou=Administrators, ou=TopologyManagement, o=NetscapeRoot”. Therefore, you must specify the entire DN during Core installation.
Create a user in:
ou=Administrators, ou=TopologyManagement, o=NetscapeRoot |
Add the new credentials to the Configuration Administrators group.
Set ACIs to allow only this user or all users in the Configuration Administrators group to access the Directory Server where the product’s configuration directory is stored.
Specify entire DN during Core installation.
For more information about managing access controls in the Directory Server, see Chapter 6, Directory Server Access Control, in Sun Directory Server Enterprise Edition 7.0 Administration Guide
By default, clients of the Message Queue, such as the connectors and system manager, accept any SSL certificate that the Message Queue broker returns.
To override this setting and force Message Queue clients to validate the Message Queue broker’s certificate, edit:
Add the following to the JVM arguments of each process in Watchlist.properties :
-Djavax.net.ssl.trustStore=keystore_path-DimqSSLIsHostTrusted=false
Restart the Identity Synchronization for Windows daemon or service.
The javax.net.ssl.trustStore property should point to a JSEE keystore that trusts the broker certificate, for example, /etc/imq/keystore can be used on the machine where Core was installed because this is the same keystore used by the broker.
By default, the Message Queue broker uses a self-signed SSL certificate. To install a different certificate, use the keytool utility that ships with Java to modify the broker’s keystore (/var/imq/instances/isw-broker/etc/keystore on Solaris, /var/opt/sun/mq/instances/isw-broker/etc/keystore on Linux, and mq_installation_root /var/instances/isw-broker/etc/keystore on Windows 2000). The alias of the certificate must be imq.
By default, the Message Queue uses dynamic ports for all services except for its port mapper. To access the broker trough a firewall or restrict the set of hosts that can connect to the broker, the broker should use fixed ports for all services.
This can be achieved by setting the imq.service_name protocol_type .port broker configuration properties. Refer to the Sun Java System Message Queue Administration Guide for more information.
The system manager accepts any certificate when connecting to the product’s configuration directory over SSL; the Message Queue broker accepts any certificate when connecting to the product’s configuration directory over SSL. Currently, there is no way to make either the system manager or the Message Queue broker validate the product’s configuration directory SSL certificates.
When Core is installed, the process of adding information to the Directory Server where the product’s configuration directory is stored does not include adding any access control information. To restrict access to only configuration Administrators, the following ACI can be used:
(targetattr = "*") (target = "ldap://ou=IdentitySynchronization, ou=Services,dc=example,dc=com") (version 3.0;acl "Test";deny (all) (groupdn != "ldap://cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot");)
For more information about managing access controls in the Directory Server, see Chapter 6, Directory Server Access Control, in Sun Directory Server Enterprise Edition 7.0 Administration Guide