4.2.3 Security Hardening
In the modern environment, production use of Oscar demands basic security hardening.
- v1.0 – initial public release on oscarmanual.org – May 9, 2010
- v1.1 – corrections to Tomcat configuration – June 2, 2010
- v1.2 – ported to new.oscarmanual.org – June 26, 2010
- v1.3 – updated for version 10_06 – July 1, 2010
- v1.4 – added screen shot – Aug 23, 2010
- v1.5 – added amendment to allow local http access to drugref – Aug 31, 2010
- v1.6 – added whole disk encryption – June 19, 2011
- v1.7 – adjusted SQL to expire oscardoc credentials in a month – June 19, 2011
- You have the Ubuntu 10.4 LTS "Lucid" alternate installation CD
- You have a basic level of Linux knowledge
- You can open a Linux terminal
- You can use a Linux text editor
- You can cut and paste EXACTLY the following instructions
Level One Defenses are necessary if you do not expose Oscar to the internet but have a network where a machine can be compromised.
Change the Default Login
Oscar's default user's login credentials are published. In version 10.6 and newer the login for 'oscardoc' expires in a month after installation. In any version you should set up your own user and password with admin privileges and then expire the 'oscardoc' either through the GUI at Admin> Search/Edit/Delete Security Records or at the command line (replace ****** with the MySQL password):
mysql -uroot -p*********
mysql>update security set date_ExpireDate=DATE_ADD(CURDATE(), INTERVAL 1 MONTH), b_ExpireSet=1 where user_name='oscardoc';
SSL, or Secure Socket Layer, is a technology which allows web browsers and web servers to communicate over a secured connection. This has several security advantages
- The sever presents authentication to the user as a "Certificate", as proof the site is who and what it claims to be.
- The data being sent is encrypted by one side, transmitted, then decrypted by the other side before processing
Use the Java keytool to generate a key for tomcat using standard RSA encryption. Don't use the password changeit that is shown but do use the same password for both the keypass and the storepass .
sudo $JAVA_HOME/bin/keytool -genkey -alias tomcat -validity 3650 -keyalg RSA
-keypass changeit -storepass changeit
You will be prompted for your name (your server IP or domain), organisational unit (clinic), organisation (.), city, province and country. The result is a hidden .keystore file in the /etc/tomcat6 directory.
sudo vi $CATALINA_BASE/conf/server.xml
Add the following code
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="200" scheme="https" secure="true" enableLookups="false" disableUploadTimeout="true" clientAuth="false" sslProtocol="TLS" keystoreFile="/etc/tomcat6/.keystore" keystorePass="changeit" />
<Connector port="8080" protocol="HTTP/1.1" address="127.0.0.1" connectionTimeout="20000" URIEncoding="UTF-8" redirectPort="8443"/>
Remove or comment out the following default connector that is less secure, unless you need it (You might, usually for integration with the native webserver, eg the Apache Http server).
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /
Now restart Tomcat
sudo /etc/init.d/tomcat6 restart
If you have installed Oscar locally with the instructions in 6.1 you should be able to login to Oscar at https://localhost:8443/oscar otherwise substitute localhost with the IP for the Oscar server.
Note that the browser will be concerned about the validity of the Certificate (after all anyone could have signed it!) so you will have to add an exception for the browser to let you access the Oscar webpages. This varies by browser. For Firefox 3.x click on "I Understand the Risks" > Add Exemption > Confirm Security Exemption
Note that full disc encryption doesn't protect you from: "Cold Boot Attacks Against Disk Encryption"or "Weak password brute force."To set up full disc encryption in Ubuntu 10.04 LTS you use the alternate cd and select full disc encryption as below
SSH access to Oscar.
If you actually have to expose your production box to the raw Internet then you should further reduce the ways that your box will be attacked. First remember that the more services that are running on the server the more ways it can be attacked. If possible disable other deamons and services or remove to another machine. Then make sure that Tomcat has the least number of loose ends available to be targeted.
Remove extraneous Tomcat resources:
rm -rf $CATALINA_HOME/webapps/js-examples $CATALINA_HOME/webapps/servlet-example $CATALINA_HOME/webapps/webdav \ $CATALINA_HOME/webapps/tomcat-docs $CATALINA_HOME/webapps/balancer $CATALINA_HOME/webapps/ROOT/admin $CATALINA_HOME/webapps/examples
cd $CATALINA_HOME/lib sudo jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties
Navigate to the util directory that was created and open ServerInfo.properties in an editor
sudo vi ServerInfo.properties
Update the following attributes from something like the defaults below to anything else...
server.number=220.127.116.11 server.info=Apache Tomcat/6.0 server.built=Jul 8 2009 11:40:35
sudo chown tomcat6.tomcat6 $CATALINA_HOME sudo chown tomcat6.tomcat6 $CATALINA_BASE sudo chown tomcat6:tomcat6 $CATALINA_HOME/conf sudo chown tomcat6:tomcat6 $CATALINA_HOME/logs sudo chown tomcat6:tomcat6 $CATALINA_HOME/temp sudo chown tomcat6:tomcat6 $CATALINA_HOME/bin sudo chown tomcat6:tomcat6 $CATALINA_HOME/webapps sudo chown tomcat6:tomcat6 $CATALINA_HOME/conf/catalina.policy sudo chown tomcat6:tomcat6 $CATALINA_HOME/conf/catalina.properties sudo chown tomcat6:tomcat6 /etc/tomcat6/policy.d sudo chown tomcat6:tomcat6 $CATALINA_HOME/conf/context.xml sudo chown tomcat6:tomcat6 $CATALINA_HOME/conf/logging.properties sudo chown tomcat6:tomcat6 $CATALINA_HOME/conf/server.xml sudo chown tomcat6:tomcat6 $CATALINA_HOME/conf/tomcat-users.xml sudo chown tomcat6:tomcat6 $CATALINA_HOME/conf/web.xml sudo chmod g-w,o-rwx $CATALINA_HOME/conf/web.xml sudo chmod g-w,o-rwx $CATALINA_HOME/conf/tomcat-users.xml sudo chmod g-w,o-rwx $CATALINA_HOME/conf/server.xml sudo chmod g-w,o-rwx $CATALINA_HOME/conf/logging.properties sudo chmod g-w,o-rwx $CATALINA_HOME/conf/context.xml sudo chmod 770 /etc/tomcat6/policy.d sudo chmod 770 $CATALINA_HOME/conf/catalina.policy sudo chmod g-w,o-rwx $CATALINA_HOME/conf/catalina.properties sudo chmod g-w,o-rwx $CATALINA_HOME/webapps sudo chmod g-w,o-rwx $CATALINA_HOME/bin sudo chmod o-rwx $CATALINA_HOME/temp sudo chmod o-rwx $CATALINA_HOME/logs sudo chmod g-w,o-rwx $CATALINA_HOME/conf sudo chmod g-w,o-rwx $CATALINA_BASE sudo chmod g-w,o-rwx $CATALINA_HOME
sudo vi $CATALINA_HOME/conf/server.xml
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="200" scheme="https" secure="true" enableLookups="false" disableUploadTimeout="true" clientAuth="true" sslProtocol="TLS" keystoreFile="/etc/tomcat6/.keystore" keystorePass="changeit" />
To create a keystore named client-keystore.jks that contains a client certificate named client.cer, generate the client certificate.
sudo $JAVA_HOME/bin/keytool -genkey -alias client-alias -keyalg RSA -keypass changeit -storepass changeit -keystore keystore.jks
sudo $JAVA_HOME/bin/keytool -export -alias client-alias -storepass changeit -file client.cer -keystore keystore.jks
sudo $JAVA_HOME/bin/keytool\bin\keytool -import -v -trustcacerts
-alias client-alias -file client.cer
-alias client-alias -file client.cer
-keypass changeit -storepass changeit