Securing Your Environment
Creating a secure production environment means that each component that the application touches
is secured, including application servers, web servers, message servers, databases, external systems, and
so on. The following topics provide information about securing the environment:
Secure Tokens
Java CAPS supports authentication and authorization based on secure tokens, including the following
security token types:
- Username Token
- X.509 Certificate
- SAML Token
- Kerberos ticket
- Issued Token
Securing Java CAPS Repository Components
Java CAPS provides user management tools for securing the Repository, Enterprise Manager, the
Suite Installer, and Repository-based components in NetBeans.
Securing Repository Tools
Repository security manages the Java CAPS Suite Installer and Java CAPS projects, libraries,
and environments in NetBeans. You can use the security features provided by Java
CAPS for Repository security or you can use an LDAP server to manage
security. You can also configure the Repository to use SSL for both scenarios.
Default user names and passwords are provided for the Repository tools, but you
should change these accounts for a more secure environment.
Securing Enterprise Manager
Enterprise Manager is an administration tool that allows you to deploy, monitor, and
manage Java CAPS Java EE applications. People who use Enterprise Manager can have
a variety of roles, ranging from deploying applications and installing management applications to
monitoring applications and performing management tasks against running applications. For this reason, the
Enterprise Manager User Management feature provides several predefined roles that you can assign to
users to grant and restrict security permissions.
You can use the security features provided by Java CAPS for Enterprise Manager
security or you can use an LDAP server to manage security. You can
also configure Enterprise Manager to use SSL for both scenarios. Default user accounts
are created automatically when you install Java CAPS, but you should change these
accounts for your production environment.
Security in NetBeans
When developing applications, you might want to consider taking advantage of NetBeans version
control plug-ins. You can easily use NetBeans with CVS, Mercurial, and Subversion, or
you can integrate your own version control system with NetBeans. Incorporating version control into
your development environment ensures that proprietary information in your source code remains secure
by only making it available to authorized users. Java CAPS also provides a
version control system for Repository-based projects.
Securing the Production Environment
Securing the production environment includes securing the hardware and non-Java CAPS software in
the environment, especially the operating system. It also means securing the GlassFish Server
to which Java CAPS applications are deployed.
Securing Production Computers
A Java CAPS production environment is only as secure as the computer on
which it is running. It is important that you secure the physical computers,
the operating systems, and all other software that is installed on the host
computers. The following are recommendations for securing the computers that host Java CAPS
applications in a production environment. In addition to these recommendations, check with the manufacturer
of the computers and operating systems for their recommended security measures.
Note - The domain and server configuration files should be accessible only to the operating
system users who configure or execute Java CAPS components and applications.
Table 1 Securing Java CAPS Host Computers
| Recommendation | Description |
|---|---|
| Physically secure the hardware. | Keep your hardware in a secured area to prevent unauthorized operating system users from tampering with the deployment computer or its network connections. |
| Log out of any Java CAPS web-based administration tools before navigating to a non-secure site. | If you are logged in to a secure Java CAPS administrative tool, be sure to log out completely before browsing to an unknown or non-secure web site. These tools include Enterprise Manager, the GlassFish Admin Console, and the Java CAPS Suite Installer. |
| Use a file system that can prevent unauthorized access. | Make sure that the file system on each Java CAPS host can prevent unauthorized access to protected resources. For example, on a Windows computer, use only NTFS. |
| Set file access permissions for data stored on disk. | Set operating system file access permissions to restrict access to data stored on disk. This data includes, but is not limited to, the following: Operating systems provide utilities such as umask and chmod to set the file access permissions. At a minimum, deny read and write permissions to general users. Generated files should only have write permissions for the user who generated the file (-rw-r--r--). |
| Limit the number of accounts on the host computer. | Avoid creating more user accounts than necessary on the host, and limit the file access privileges as described above. On operating systems that allow more than one system administrator user, the host should have two user accounts with system administrator privileges and one user with sufficient privileges to run the Java CAPS server. The Java CAPS user should be a restricted user and not a system administrator user. Review active accounts regularly and when personnel leave. Caution - Configuration data and some URL resources are stored in clear text on the file system. A sophisticated user or intruder with read access to files and directories might be able to defeat the security measures you establish with authentication and authorization methods. |
| Follow best practices for establishing system administrator user account names and passwords. | For additional security, do not choose obvious user names such as system or administrator for administrator accounts. Follow these guidelines when setting passwords: (1) passwords should be difficult to guess and guarded carefully; (2) set a policy to expire passwords periodically; (3) do not deploy an application that can be accessed with the default user name and no password. |
| Safeguard password files. | The asadmin -passwordfile option specifies the name of a file that contains password entries in a specific format. These password entries are stored in clear text in the password file, and rely on the file system mechanisms for protection. For additional security, create a password alias (see below). |
| Use a password alias. | A password alias stores a password in encrypted form in the domain keystore, providing a clear-text alias name to use instead of a password. Use the create-password-alias asadmin command to create an alias. The password for which the alias is created is stored in encrypted form. In password files and in the domain configuration file, use the following form to refer to the encrypted password: ${alias=alias-name} |
| Avoid using unencrypted passwords in command lines. | You can run certain asadmin commands with the password specified in the command line. This is a security risk because the password can be easily viewed on the monitor screen by others, and it may be displayed in process listings that log the execution of those commands. Take the following precautions when entering commands: (1) Enter passwords only when prompted. If you omit the password from the command line, you should be prompted for it when the command is executed. (2) Create a password file to use for running commands. (3) When the host is running on a 64-bit Red Hat Enterprise Linux 5 platform or on any HP-UX platform, do not use the shortcut link in the home directory to start the domain. The default start_appserver_domain1 echoes the password as you type it. Instead, use the asadmin command start-domain domain_name and enter the password when prompted. (4) When building projects from a command line, specify the security credential in the build.properties file instead of in the command itself (see Deploying Oracle Java CAPS Projects). (5) When running the stcmsctrlutil command, enter an asterisk (*) in place of the password so the utility prompts you for the password when it runs. |
| Do not run the application server as root. | The application server should run only as an unprivileged user, and never as root. The directory structure in which Java CAPS is installed should be protected from access by unprivileged users. |
| Do not develop applications on a production computer. | Develop Java CAPS applications on a development computer and then deploy the applications to a production computer once they have been completely tested. |
| Do not install development or sample software on a production computer. | Do not install development tools on production computers. This reduces the leverage intruders have should they get partial access to a production computer. |
| Enable security auditing. | If the operating system of the production server supports security auditing of access to files and directories, use audit logging to track any denied directory or file access violations. If you enable audit logging, ensure that sufficient disk space is available for the audit log. |
| Consider using additional software to secure your operating system. | Most operating systems can run additional software to secure a production environment. For example, an Intrusion Detection System (IDS) can detect attempts to modify the production environment. Refer to your operating system vendor for information about available software. |
| Apply operating system security patches. | Refer to your operating system vendor for a list of security-related patches. |
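The file-permission row of Table 1 (umask, chmod, and the -rw-r--r-- target for generated files) can be turned into a repeatable audit. The script below is an added example written for this page; it is not part of the Java CAPS documentation or product. DOMAIN_DIR is an assumed location for the domain and server configuration files, and the files the umask demonstration creates are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the Java CAPS documentation): audit and correct
# on-disk permissions the way Table 1 recommends. DOMAIN_DIR is an assumed
# location for the domain and server configuration files.
DOMAIN_DIR="${DOMAIN_DIR:-/opt/glassfish/domains/domain1}"

# List regular files under $1 that group or other can write to. A generated
# file should be writable only by the user who generated it.
find_loose_files() {
    { find "$1" -type f -perm -g+w
      find "$1" -type f -perm -o+w
    } | sort -u
}

# List regular files under $1 that "other" can read. Where the data is
# sensitive (configuration data is stored in clear text, per the Caution),
# the table says to deny read as well as write to general users.
find_world_readable() {
    find "$1" -type f -perm -o+r | sort -u
}

# Bring a tree to the documented -rw-r--r-- for files; directories need the
# execute bit to be traversable but must not be writable by group or other.
fix_generated_file_perms() {
    find "$1" -type f -exec chmod 644 {} +
    find "$1" -type d -exec chmod 755 {} +
}

# Show the permission string a newly created file gets under a given umask,
# which is how a generated file ends up as -rw-r--r-- in the first place.
perm_string_after_umask() {
    tmp=$(mktemp -d) || return 1
    ( umask "$1" && : > "$tmp/generated.txt" )
    ls -l "$tmp/generated.txt" | cut -c1-10
    rm -rf "$tmp"
}

# Report only; run fix_generated_file_perms "$DOMAIN_DIR" deliberately.
if [ -d "$DOMAIN_DIR" ]; then
    echo "umask 022 yields: $(perm_string_after_umask 022)"
    echo "group/world-writable files under $DOMAIN_DIR:"
    find_loose_files "$DOMAIN_DIR"
    echo "world-readable files under $DOMAIN_DIR:"
    find_world_readable "$DOMAIN_DIR"
fi
```

Run it as the unprivileged user that owns the domain so the report reflects what that user can actually change; a file that shows up in the world-readable list and holds credentials should be tightened to 600 rather than the 644 the fix function applies.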
Securing the GlassFish Server in Production
The following table lists measures you can take to secure the GlassFish Server
that is used in the production environment. For additional information about the security
features of GlassFish Server, see Chapter 9 "Configuring Security" in the GlassFish Enterprise Server v2.1.1 Administration Guide.
Table 2 Securing the GlassFish Server
| Measure | Description |
|---|---|
| Protect the GlassFish Server password file. | If you create a domain with the -savelogin option, the administration user name and password are saved in the .asadminpass file in the user's home directory. Make sure that this file remains protected. Information in this file is used by asadmin commands to manage the domain. The same applies to any files you use that might include passwords, such as build.properties files or silent installation properties files. |
| Follow best practices for establishing system administrator user account names and passwords. | The Java CAPS Installer expects complex passwords for the GlassFish server with the following characteristics: at least eight characters long; at least one numeric character; at least one uppercase character; at least one lowercase character. Note that the installer does not enforce these policies. |
| Use SSL, but do not use the self-signed certificates in a production environment. | To prevent sensitive data from being compromised, secure data transfers by using HTTPS. By default, GlassFish Server uses self-signed certificates. The self-signed certificates might not be trusted by clients by default because a certificate authority does not vouch for the authenticity of the certificate. You can instead use your own certificates as described in Generating a KeyStore and TrustStore in Configuring Oracle Java CAPS for SSL Support. |
| Restrict the size and the time limit of requests on external channels to prevent Denial of Service attacks. | The default setting for maximum post size is 2097152 bytes and 900 seconds for the request timeout. |
| Enable authentication and authorization auditing. | Auditing is the process of recording key security events in your Java CAPS environment. You can use the audit trail of the GlassFish Server to develop an audit trail of all authentication and authorization decisions. To enable audit logging, do the following: (1) On the GlassFish Admin Console, navigate to Configuration > Security and select the Audit Logging Enabled checkbox. (2) Set the auditOn property for the active audit module to true. |
| Set logging for security messages. | Consider setting the log levels for the javax.enterprise.system.core.security module to log more security information. Be aware that setting finer logging levels may produce a large log file. |
| Ensure that you have correctly assigned users to the correct groups. | Make sure only active users have accounts for the GlassFish Server and that they are assigned to the correct groups. In particular, be sure that users assigned to the asadmin group actually need to be members of that group. |
| Create no fewer than two user accounts in the asadmin group. | The admin user is created when you install Java CAPS. For production environments, create at least one other account in the asadmin group in case one account password is compromised. |
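The password-handling rows of both tables (the asadmin password file and ${alias=alias-name} references in Table 1; the .asadminpass file and the installer's unenforced complexity rules in Table 2) reduce to three checks an operator can script before a domain goes to production. The script below is an added example for this page, not code from the Java CAPS or GlassFish documentation. The sample password file is constructed here; the AS_ADMIN_* key names follow GlassFish's password-file convention rather than anything shown on this page, and the paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the Java CAPS documentation): three checks for the
# password rows of Tables 1 and 2. Paths are assumptions; the sample
# password file is constructed below.

# A credential file (.asadminpass, an asadmin password file, build.properties)
# relies on file-system protection, so it must be readable only by its owner.
check_private_mode() {
    mode=$(ls -l "$1" | cut -c2-10)
    [ "$mode" = "rw-------" ]
}

# Keys in a password file whose value is not a ${alias=name} reference are
# clear-text secrets on disk. Prints those keys; returns 1 if any were found.
find_cleartext_entries() {
    found=0
    while IFS= read -r line; do
        case $line in
            ''|'#'*) continue ;;          # blank lines and comments
        esac
        key=${line%%=*}
        value=${line#*=}
        case $value in
            '${alias='*'}') ;;            # resolved from the domain keystore
            *) echo "$key"; found=1 ;;
        esac
    done < "$1"
    return $found
}

# The installer expects these properties of a GlassFish password but does
# not enforce them; enforce them yourself before a password is set or an
# alias is created with create-password-alias. Returns 0 when compliant.
check_password_policy() {
    p=$1
    [ "${#p}" -ge 8 ]                            || return 1
    printf '%s' "$p" | grep -q '[[:digit:]]'     || return 1
    printf '%s' "$p" | grep -q '[[:upper:]]'     || return 1
    printf '%s' "$p" | grep -q '[[:lower:]]'
}

# Demonstration on a constructed password file (never commit a real one).
demo_dir=$(mktemp -d)
printf '%s\n' \
    '# constructed sample' \
    'AS_ADMIN_PASSWORD=${alias=admin-password}' \
    'AS_ADMIN_MASTERPASSWORD=changeit' > "$demo_dir/passwordfile"
chmod 600 "$demo_dir/passwordfile"
check_private_mode "$demo_dir/passwordfile" && echo "mode ok"
echo "clear-text entries:"
find_cleartext_entries "$demo_dir/passwordfile"   # prints AS_ADMIN_MASTERPASSWORD
rm -rf "$demo_dir"

# Check the real login cache if one exists (created by -savelogin).
if [ -f "$HOME/.asadminpass" ]; then
    check_private_mode "$HOME/.asadminpass" || echo "WARNING: ~/.asadminpass is not mode 600"
fi
```

The alias check only looks at the value syntax; it cannot tell whether the alias actually exists in the domain keystore, so a missing alias still shows up as a failed start-domain rather than here. The complexity check implements exactly the four properties the table lists and nothing more, so a site policy that also demands punctuation or rejects dictionary words needs an extra test.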
Securing Oracle Java CAPS JMS IQ Manager
You can define security for the Oracle Java CAPS JMS IQ Manager using
GlassFish Server security features or through an LDAP server. You can also configure
the JMS IQ Manager to use SSL. The following topics provide information on
setting up security for the JMS IQ Manager: