
Technical Notes

Verastream Host Integrator 6.x Security
Technical Note 10079
Last Reviewed 11-Sep-2008
Applies To
Verastream Host Integrator version 6.x
Summary

This technical note describes security topics as they relate to a Verastream Host Integrator (VHI) installation in a production environment.

This technical note is organized into the following sections:

Foundational Security Considerations

Verastream Host Integrator integrates multiple technologies, which also must be individually secured. In any installation, review the overall security of your operating systems, host, network environment, and applications, including the following:

  • Evaluate and implement all security updates as recommended by vendors.
  • Install and configure firewalls where appropriate.
  • On systems where VHI server software is installed, secure the file system.
  • Use strong passwords that cannot be easily guessed or compromised with dictionary attacks.
  • Implement other industry-standard policies and procedures for authentication and authorization access control.

Host Integrator in a Typical Production Environment

Refer to the diagram below for an example of a typical production environment configuration.

Figure 1. Verastream Host Integrator typical production environment

Note: For information on ports that must be open between Host Integrator components, see Technical Note 40012.

In the diagram above, “VHI Server(s)” refers to one or more systems running the Server Kit components. Host Integrator supports the use of multiple systems for load balancing or failover.

For simplicity, the diagram above does not include any optional SMTP e-mail server or SNMP Network Management Station which may be used for remote event notification and monitoring.

Connection A: Application Web Server

To secure the web communication and web server, use the following standard practices:

  • To encrypt the communications while in transit, configure your web server to support Secure HTTP (HTTPS) by installing an SSL certificate. You may also want to redirect HTTP requests to HTTPS. For more information, refer to your web server documentation.
  • To protect the web server system from intrusions, configure your Internet firewall to block all communications except HTTPS (TCP destination port 443) and HTTP (TCP destination port 80).
  • Keep your web server system up-to-date with the latest patches and security fixes.

If you used VHI Web Builder to generate a Java Web Application or Java Web Service, and run it under the VHI Web Server on Windows, refer to the following information to enable SSL encryption:

Connection B: Session Server

To enable SSL encryption in communication between the connector and server, use one or more of the following methods:

  • In your client application, make a RequireSecureConnection API call before the connection API call (ConnectToSession, ConnectToModel, ConnectToSessionViaDomain, or ConnectToModelViaDomain).
  • When generating a client application in Web Builder, enable Require Secure Connection in the Project Properties.
  • In the Administrative WebStation management console, enable security on your Session Servers (or domains, if you are using Session Server load balancing as described in Technical Note 10052). Note: This option also enables access control and requires the following:
    1. In Administrative WebStation, add an operating system user group to the User security profile.
    2. When the client application makes a connection API call, it must supply a valid user name and password for a member of the group configured above.
    3. If the server AADS component is running on a UNIX system, it must be run as root to use a UNIX security API for authenticating users. For more information about running VHI as root and non-root, see Technical Note 10016.

The connections between VHI components use the WCP control protocol. When the control protocol handshake determines that encryption is required, authentication is performed using a Diffie-Hellman key exchange. The Session Server component communicates with the AADS component to complete authentication on behalf of the connector. After successful authentication, an SSL tunnel is established using the 128-bit AES algorithm for encryption (version 6.0 and higher).

SSL encryption is processor-intensive and may impact server performance, depending on your installation. For more information, see http://docs.attachmate.com/verastream/vhi/6.6/doc/help/server/serverperformance.html and Technical Note 10087.

Connection C: Host

To encrypt the communications between the Session Server and host, you may use SSL or SSH port forwarding (depending on your host type and VHI version). For more information, see Technical Note 10068.

Connection D: Administrative WebStation

The Administrative WebStation (AWS) management console service is accessed with a web browser. By default, security is not enabled, which allows access with a blank username and password.

For access control security, you must enable the Administrative WebStation security feature and assign operating system user groups to the Administrator security profile. (You may also assign user groups to the Developer security profile to provide view-only access.)

For more information about configuring security in Administrative WebStation, see http://docs.attachmate.com/verastream/vhi/6.6/doc/help/server/HostIntegratorSecurity.html.

To protect passwords transmitted from the web browser while logging into Administrative WebStation, use one of the following approaches:

When security is enabled for Administrative WebStation, the following features also require authentication:

  • Model deployment to the server, using Design Tool or the activatemodel and deactivatemodel commands.
  • Web Builder development tool connecting to server to obtain model data.
  • Session Monitor utility.
  • Model Variable Management API (com.wrq.vhi.sconfig).
  • Standalone Log Viewer utility connecting to Log Manager, as described in Technical Note 40032.

If the server AADS component is running on a UNIX system, it must be run as root to use a UNIX security API for authenticating users. For more information about running VHI as root and non-root, see Technical Note 10016.

Securing Host Passwords

If you use session pools (especially with 3270 or 5250 hosts), a Model Variable List (MVL) defines the unique host user names and passwords for the Session Server to use. The variable values are specified in the model deployment package and stored on the server.

When you are creating a Model Variable List (in Design Tool Deployment Options, mvl_desc.xml file, or Administrative WebStation), we strongly recommend that you use the Hidden option for host passwords. This provides the following benefits:

  • When creating your model package file, the variable values can be encrypted. In the packagemodel command, if you add the -e "passphrase" option, your phrase will be used to generate a 3DES (Triple DES) encryption key to encrypt the hidden variable values. We recommend that you use a phrase of at least eight random characters or at least five space-delimited words. The same passphrase will also be required to decrypt values when deploying with the activatemodel command.
  • On the session server, the variable values are automatically encrypted in the sesssrvr.config file using 3DES (Triple DES).
  • In Administrative WebStation, the List Entries variable values are not visible in View Mode. Also, beginning in version 6.6, the values are not visible in Config Mode.
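The passphrase guidance above (at least eight random characters, or at least five space-delimited words) is easy to get wrong when a deployment script builds the packagemodel -e argument. The following added example, which is not part of this technical note or of the VHI product, encodes those two rules as a pre-deployment check. "Random" cannot be measured directly, so the character-count rule is approximated here (an assumption of this example, not a product rule) by requiring at least three character classes and no run of three or more identical characters. The function names are hypothetical.

```python
import re

MIN_RANDOM_CHARS = 8   # "at least eight random characters" (from the note)
MIN_WORDS = 5          # "at least five space-delimited words" (from the note)


def character_classes(s: str) -> int:
    """Count how many of the classes lower, upper, digit, other appear in s."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")
    return sum(bool(re.search(p, s)) for p in patterns)


def longest_run(s: str) -> int:
    """Length of the longest run of one repeated character ('aaaa' -> 4)."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def check_passphrase(phrase: str) -> tuple[bool, str]:
    """Return (acceptable, reason) against the note's two alternative rules.

    Rule 1: five or more space-delimited words.
    Rule 2: eight or more characters that look random (proxy: three or more
            character classes and no run of three identical characters).
    The proxy for 'random' is an assumption of this example.
    """
    words = phrase.split()
    if len(words) >= MIN_WORDS:
        return True, f"{len(words)} space-delimited words"
    compact = phrase.strip()
    if len(compact) < MIN_RANDOM_CHARS:
        return False, f"only {len(compact)} characters and {len(words)} words"
    if character_classes(compact) < 3:
        return False, "fewer than three character classes"
    if longest_run(compact) >= 3:
        return False, "contains a run of three or more identical characters"
    return True, f"{len(compact)} mixed characters"


if __name__ == "__main__":
    # Constructed sample phrases, not values from any real deployment.
    for candidate in ("correct horse battery staple tango",
                      "correct horse battery staple",
                      "Tr0ub4dor&3",
                      "aaaaaaaA1!"):
        ok, why = check_passphrase(candidate)
        print(f"{'OK ' if ok else 'BAD'} {candidate!r}: {why}")
```

Because the -e argument is passed on a command line, a phrase that satisfies the five-word rule contains spaces and must be quoted exactly as the note shows (-e "passphrase"); the same phrase is needed again for activatemodel, so keep it in a secrets store rather than in the deployment script itself.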

For more information on model deployment best practices, see Technical Note 10237.

We recommend that you enable Administrative WebStation security (as described in the previous section) so that administrator authentication is required to use the Model Variable Management API.

AADS Security Certificate Fingerprints

We suggest that you note any fingerprint displayed during installation, after the AADS certificate is generated. The fingerprint is a series of 20 hexadecimal values delimited by colons, such as 73:8D:29:EB:BF:C7:46:3E:3D:B0:5B:51:01:4F:A9:FA:D5:68:70:1F. Note: On Windows, the fingerprint is displayed during a Custom installation.

Fingerprints are stored in cert.fingerprint files in the VHI etc subfolders. These files should not be edited.

To ensure that you are connecting to your authentic AADS, verify that the fingerprint matches when you later connect to the AADS in the following situations:

  • When adding a Session Server to the installation environment.
  • When adding a Directory Server prior to logging into Administrative WebStation.

A fingerprint mismatch may indicate a security breach, with a fraudulent or unapproved AADS introduced in your environment. For more information about AADS fingerprints, see http://docs.attachmate.com/verastream/vhi/6.6/doc/help/server/setdirserv.html#fingerprints. For more information about AADS, see Technical Note 10060.
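The fingerprint check described in this section is the one defence against a substituted AADS, so it is worth automating rather than eyeballing 20 octets in a dialog. The following added example is not part of this technical note or of the VHI product. It assumes that the fingerprint is the SHA-1 digest of the DER-encoded AADS certificate (the note does not name the hash; 20 octets is consistent with SHA-1, so that is an assumption here), that the recorded value is the colon-delimited string from the cert.fingerprint file, and that the presented certificate is available as raw DER bytes. The certificate bytes below are constructed placeholder data, not a real certificate, and the function names are hypothetical.

```python
import hashlib
import hmac
import re

# Constructed stand-in for the DER bytes of an AADS certificate (not a real certificate).
SAMPLE_CERT_DER = b"\x30\x82\x01\x0a" + bytes(range(256)) + b"\x00\x01\x02\x03"

# The example fingerprint quoted in the technical note, in the format it documents.
NOTE_EXAMPLE_FINGERPRINT = "73:8D:29:EB:BF:C7:46:3E:3D:B0:5B:51:01:4F:A9:FA:D5:68:70:1F"

FINGERPRINT_RE = re.compile(r"(?:[0-9A-F]{2}:){19}[0-9A-F]{2}")


def sha1_fingerprint(cert_der: bytes) -> str:
    """Colon-delimited, upper-case SHA-1 fingerprint of DER certificate bytes.

    SHA-1 over DER is an assumption of this example (20 octets matches the note).
    """
    digest = hashlib.sha1(cert_der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def parse_fingerprint(text: str) -> bytes:
    """Normalise a recorded fingerprint (either case, surrounding whitespace) to 20 bytes.

    Rejects anything that is not exactly 20 colon-delimited hex octets, so a
    truncated or hand-edited cert.fingerprint value fails closed.
    """
    cleaned = text.strip().upper()
    if not FINGERPRINT_RE.fullmatch(cleaned):
        raise ValueError("fingerprint must be 20 colon-delimited hex octets")
    return bytes.fromhex(cleaned.replace(":", ""))


def fingerprint_matches(recorded: str, cert_der: bytes) -> bool:
    """True only if the presented certificate hashes to the recorded fingerprint.

    Uses a constant-time comparison; a False result is the "fingerprint mismatch"
    the note says should be treated as a possible rogue AADS.
    """
    expected = parse_fingerprint(recorded)
    actual = hashlib.sha1(cert_der).digest()
    return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    recorded = sha1_fingerprint(SAMPLE_CERT_DER)  # what would be noted at install time
    print("recorded :", recorded)
    print("genuine  :", fingerprint_matches(recorded, SAMPLE_CERT_DER))
    print("tampered :", fingerprint_matches(recorded, SAMPLE_CERT_DER + b"\x00"))
```

Record the fingerprint out of band at installation (as the note recommends) and compare against that copy, not against a value fetched from the AADS being verified; the comparison is only meaningful when the reference value predates the connection being checked.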

Additional Information

For more information on security in Host Integrator, see the Overview in the product documentation:

Related Technical Notes
10016 Running Verastream Using a Root or Non-Root UserID
10052 Configuring Verastream Host Integrator Server Load Balancing
10060 What is Verastream AADS?
10068 Encrypting Connections Between the Verastream Server and Host
10087 Verastream Host Integrator Server Performance
10237 Best Practices for Deploying New Models in Verastream Host Integrator 6.x
40012 Ports Used by Verastream Host Integrator
40032 Verastream Host Integrator Server Logging
40999 Verastream Host Integrator Technical Notes
