
In this post we'll take a look at locking down the Tomcat web server. We'll specifically look at locking down the Tomcat instance that runs the RSSO server application; some of these configurations can also be used for other applications that run on Tomcat, such as Remedy Mid Tier.

 

BMC Software is engaged in an ongoing process to continually improve the security of the applications it develops. If you encounter any security issues with BMC products, the first thing to do is to contact the BMC Application Security team. DO NOT disclose any suspected vulnerabilities publicly. For information on how to contact the BMC Application Security team see https://www.bmc.com/corporate/bmc-security.html

 

Report any suspected vulnerabilities in the Tomcat web server to Apache; see https://httpd.apache.org/security_report.html

 

This is a collaborative post between BMC Support, Engineering/Dev, the Apps Security team and customers, so we encourage you to post any comments, questions and suggestions you may have; make them public if possible so everyone can benefit from your experiences (do not disclose any unknown or suspected vulnerabilities publicly; see above on how to contact the BMC Application Security team).

 

Locking down the Tomcat server is only one of your security measures, alongside securing the network and all assets within it. The system will only be as secure as the weakest link in the environment, and your applications only as secure as the container that hosts them (Tomcat).

 

To start off, the first thing you will need to do is use the latest supported version of Tomcat (at the time of writing, Tomcat 8). See the post Migrating Remedy Single Sign-On To A New Version Of Tomcat for information on migrating to the latest version, and the BMC Compatibility Matrix for information on which versions are supported. Along with Tomcat it's a good idea to also update to the latest supported level of Java.

 

Versions Used in the examples in this post

Remedy Single Sign-On 9.1.04

Apache Tomcat 8.5.23

Java JRE 8.0_151

 

Apache publishes a report of which security issues have been fixed in each version it releases; go to Apache Tomcat® - Reporting Security Problems to see what has been found and fixed in each version. Another good resource from Apache is Apache Tomcat 8 (8.0.48) - Security Considerations; we'll cover some of the information from that page in this post along with RSSO-specific information.

 

Locking down a Tomcat server is a balancing act: we don't want to overdo the hardening to the point where users experience a slowdown in performance or can't access the applications at all. Where that line sits is determined by many factors, mostly specific to a particular environment; what works well for one environment will not necessarily work for another, and there are too many variables for a one-size-fits-all configuration. So it's important that these changes are tested before making them in a live production system.

 

Tomcat Out Of the Box

By default Tomcat can be installed and configured very quickly to start publishing web applications. The default install can and should be made more secure, and if the Tomcat server is accessible over the internet this is even more imperative. The default Tomcat is configured in non-SSL mode (HTTP) and also deploys its standard applications; an attacker could use these applications to gain access to other parts of the system.

 

We'll start by removing these default applications and get TC into secure SSL mode.

 

Tomcat Default Applications

By default Tomcat deploys the following applications: Docs, Examples, Host-manager, Manager and ROOT. All of these serve some purpose for Tomcat, but we won't need them for running RSSO. A brief summary of what these applications are and why they can be removed:

 

ROOT - This is the default Tomcat application served at http://servername:8080; it shows the Tomcat "is running" page along with the version of Apache Tomcat in use. RSSO does not need this page for any configuration. You can replace the default page with something custom to your environment, such as a disclaimer or just a blank page; otherwise it should be deleted.

 

Examples - Apache recommends removing these; the example applications can be used to gather more information about the system and other applications. This should be deleted.

 

Host Manager - This application is not accessible by default to anyone. Unless you are creating virtual hosts on this Tomcat server you generally won't ever need it, and certainly not to get RSSO configured. If you do intend to use it, see the Apache documentation on securing this application. This should be deleted.

 

Manager - This is used to allow remote deployment of web applications; it's frequently used by attackers to gain information and access to the system. If there is a need to do remote deployment of applications then make sure you secure this application by following the guidance from Apache on the docs page; for RSSO we don't need it. This should be deleted.

 

Docs - Holds the Apache documentation pages and also reveals version information. You can get the latest documentation at https://tomcat.apache.org, so we really don't need this. This can be deleted.

 

If deleting or removing these applications is not possible for some reason, then move them to another location on the system away from Tomcat's publishing area (/webapps). After moving or deleting the default applications, restart Tomcat to make sure it comes up correctly with no errors in the apache-tomcat8.5.23\logs\catalina.log file. Going to any page on the Tomcat server should now return a "Page can't be found" HTTP 404 error or a custom message. You should not redirect the default page to the RSSO admin console.

 

SSL Mode

The advantages of using SSL have long been documented, and enabling it should be one of the first things you do when installing Tomcat in a secure configuration. SSL certificates protect sensitive information as it crosses networks by way of encryption, and provide a framework of trusted parties and trustees. SSL is configured in the Tomcat /conf/server.xml file. We'll take a look at some of the entries that enable SSL for Tomcat in that file.

 

By default Tomcat is installed in HTTP mode on the default port 8080. To enable SSL mode we need to add the correct entries to the server.xml file.

 

The connector entries in server.xml will look something like the following (the values in angle brackets are placeholders you replace with your own):

<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="<https_port>" />

<Connector port="<https_port>"
           protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           maxHttpHeaderSize="32768"
           clientAuth="want"
           sslEnabledProtocols="TLSv1.1, TLSv1.2"
           ciphers="<list of ciphers to use>"
           keystoreFile="<path to keystore location>"
           keystorePass="<keystore password>"
           keyAlias="<key alias name in the keystore>"
           truststoreFile="<truststore location, optional>"
           truststorePass="<truststore password>" />

 

The above entries need to be in the server.xml file to enable SSL mode. See the Creating a keystore From Tomcat Webserver video for instructions on how to create the keystore, sign the request and import the certificate onto the Tomcat web server (the video shows the TSPS Tomcat server, but it is valid for the RSSO Tomcat web server too).

 

SSL Offloading

The best way to manage SSL certificates in the environment is to use SSL offloading. SSL offloading/termination lets the load balancer handle certificate exchanges on behalf of the server and client. See the Remedy SSO Managing SSL Certificates with SSL Offloading video for more information and configuration.

 

Redirects & HTTPS Only

In some instances you may not want the port of the Tomcat server to be published along with the URL. The best way to do this is to have a load balancer rewrite the URL and remove the port from it. If you don't have or use a load balancer you will have to make some changes to Tomcat's server.xml and web.xml files. You may also want to allow only HTTPS connections; again this is best done at the load balancer, but it can also be achieved using Tomcat's configuration files. The configuration below uses the default HTTP and HTTPS ports (80 and 443), which has the effect of removing the port from the URL; this is done in the server.xml file.

 

In the server.xml file, change the HTTP connector port to 80, its redirect port to 443 and the HTTPS connector port to 443:

 

<Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" />

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           maxHttpHeaderSize="32768"
           clientAuth="want"
           sslEnabledProtocols="TLSv1.1, TLSv1.2"
           ciphers="HIGH:!aNULL:!RC4:!MD5:@STRENGTH"
           keystoreFile="C:/Program Files/Apache Software Foundation RSSO/apache-tomcat8.5.23/conf/keystore.p12"
           keystorePass="internal4bmc"
           keyAlias="tomcat"
           truststoreFile="C:\Program Files\Apache Software Foundation RSSO\apache-tomcat8.5.23\conf\TrustStore.jks"
           truststorePass="internal4bmc" />

 

Ciphers: usually there is a long list of cipher suites you can make available (the first acceptable cipher found will be the one used), e.g.

ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA........."

 

Tomcat also accepts OpenSSL syntax for the cipher list, e.g. ciphers="HIGH:!aNULL:!RC4:!MD5:@STRENGTH" as above. By not naming ciphers explicitly you make it easier to pick up stronger ones automatically as new Tomcat and Java versions are released.

 

HTTPS Only &  HTTP Strict Transport Security (HSTS)

To have the Tomcat server accept only secure HTTPS connections, put the following in the web.xml file (only use this when clients communicate with the server directly; if using a load balancer or a reverse proxy, have the LB or proxy do the HTTP-to-HTTPS redirection):

 

<!-- Force HTTPS, required for HTTP redirect! -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Context</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <!-- auth-constraint goes here if you require authentication -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

 

The configurations above will take effect once the TC service is restarted. Now if you go to http://rssoserver.bmc.com/rsso it will redirect to HTTPS://rssoserver.bmc.com/rsso/admin/#/

 

NOTE: Check that no other process is using port "80" on the system run "netstat -ano" to see if the port is opened and used by another process.

 

HSTS

If a website is accessed over HTTP and then redirected to HTTPS, the unencrypted first request creates an opportunity for a man-in-the-middle attack: the HTTP redirect can be tampered with to send the user to a malicious site. The HTTP Strict Transport Security header tells the browser never to load the site over HTTP and to automatically convert all HTTP attempts into HTTPS requests. To configure HSTS, edit the /tomcat/conf/web.xml file, uncomment the httpHeaderSecurity filter definition and add the hstsMaxAgeSeconds and hstsIncludeSubDomains parameters. Note that the filter only adds the Strict-Transport-Security header to responses for requests Tomcat considers secure (request.isSecure()), so it takes effect on the HTTPS connector, not on the plain HTTP one.

 

<filter>
  <filter-name>HTTP Header Security Filter</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <init-param>
  <param-name>hstsMaxAgeSeconds</param-name>
  <param-value>31536000</param-value>
  </init-param>
  <init-param>
  <param-name>hstsIncludeSubDomains</param-name>
  <param-value>true</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>HTTP Header Security Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

 

See the HSTS Parameters page for information on the available parameters.
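To verify that the redirect and HSTS configuration above actually behaves as intended once Tomcat is restarted, the following added example (not code from the post or from BMC) checks two response heads: what port 80 should answer (a redirect to https://) and what port 443 should answer (a Strict-Transport-Security header with a max-age of at least one year and includeSubDomains). Both responses are constructed samples with an invented host name; in practice you would feed it the heads captured with a client such as curl.

```python
"""Check captured HTTP response heads against the redirect and HSTS settings above.

Added example, not from the post. The two responses are constructed samples
(host name invented), not captures from a real RSSO server.
"""
from typing import Dict, List, Tuple

ONE_YEAR = 31536000          # same value as hstsMaxAgeSeconds in the web.xml snippet
REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed: what port 80 should answer once the security-constraint is in place.
HTTP_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://rssoserver.example.com/rsso/admin/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
# Constructed: what port 443 should answer once the HttpHeaderSecurityFilter is active.
HTTPS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000;includeSubDomains\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
)


def parse_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Split a raw response head into (status code, header dict with lower-cased names)."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def check_http_redirect(raw: str) -> List[str]:
    """Findings for the plain-HTTP response: it must redirect, and only to an https:// URL."""
    findings: List[str] = []
    status, headers = parse_response(raw)
    if status not in REDIRECT_CODES:
        return [f"plain HTTP answered {status} instead of redirecting to HTTPS"]
    location = headers.get("location", "")
    if not location.lower().startswith("https://"):
        findings.append(f"redirect target is not HTTPS: {location!r}")
    if "strict-transport-security" in headers:
        # Browsers only honour HSTS received over HTTPS (RFC 6797), so this is misconfiguration.
        findings.append("HSTS header sent over plain HTTP; browsers ignore it there")
    return findings


def check_hsts(raw: str) -> List[str]:
    """Findings for the HTTPS response: HSTS present, max-age >= one year, subdomains covered."""
    findings: List[str] = []
    _, headers = parse_response(raw)
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header on the HTTPS response")
    else:
        directives: Dict[str, str] = {}
        for part in hsts.split(";"):
            key, _, value = part.strip().partition("=")
            directives[key.lower()] = value.strip().strip('"')
        max_age = int(directives.get("max-age") or 0)
        if max_age < ONE_YEAR:
            findings.append(f"max-age={max_age} is below one year ({ONE_YEAR})")
        if "includesubdomains" not in directives:
            findings.append("includeSubDomains directive is missing")
    if "x-powered-by" in headers:
        findings.append(f"X-Powered-By reveals the stack: {headers['x-powered-by']}")
    return findings


if __name__ == "__main__":
    for label, result in (("http", check_http_redirect(HTTP_RESPONSE)),
                          ("https", check_hsts(HTTPS_RESPONSE))):
        print(label, "OK" if not result else result)
```

The X-Powered-By check is included because that header (covered under Other Tomcat Configurations below) is the most common way a hardened connector still leaks its version.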

 

 

Tomcat User for service/Process

Running the Tomcat service/process as a privileged user (i.e. any user with Administrator or root permissions) should be avoided. Create a dedicated user to start the Tomcat service/process.

 

Windows

Create a user with the "Log on as a service" right. On the file system, grant that user the following permissions on the Tomcat directory: "Modify", "Read & Execute", "List Folder Contents", "Read" and "Write" (Fig1).

 

Fig1.

 

Linux

For security purposes, create a dedicated non-root user "tomcat" that belongs to the "tomcat" group. From the shell:

sudo groupadd tomcat

sudo mkdir /opt/tomcat
sudo useradd -s /bin/nologin -g tomcat -d /opt/tomcat tomcat

 

This creates a user "tomcat" who belongs to the group "tomcat". This account cannot be used to log into the system. Its home directory is /opt/tomcat, which is where Apache Tomcat will reside (change the location to wherever you want to install Tomcat).

 

 

Tomcat Auto Deploy Feature

One feature Tomcat has out of the box is the ability to deploy .war files on startup. This should be disabled: not only will it stop unauthorised applications from being deployed, it will also make startup quicker. If you are using Tomcat as a shared web server, ensure that no other application needs the auto-deployment feature. Auto deployment is turned off in the server.xml file:

 

<Host name="localhost" appBase="webapps"
      unpackWARs="true" autoDeploy="false">

 

 

Tomcat Shutdown Port

Disable the Tomcat shutdown port by setting the shutdown port value to "-1" in the server.xml file. This prevents malicious actors from shutting down Tomcat's web services. If the port cannot be disabled, then set a strong shutdown password. With the "-1" entry you can still shut Tomcat down directly on the server itself, but not remotely with something like telnet.

 

e.g. Disable port

<Server port="-1" shutdown="SHUTDOWN">

 

e.g. Strong Password

<Server port="8005" shutdown="5hu!dOwN!\">

 

Connectors

By default Tomcat publishes two connector types, HTTP and AJP:

non-SSL/TLS HTTP/1.1 connector on port 8080

AJP/1.3 connector on port 8009

 

In most configurations Tomcat requests/responses will go over HTTP/HTTPS. The AJP connector is generally used for passing requests through reverse proxies; although it's still slightly more efficient than HTTP through a reverse proxy, it's often not needed and should be disabled in the server.xml file (though test that connections still work if you are using a reverse proxy).

 

From

 

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

 

To

 

<!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->

 

 

Clear Text Password In Server.xml file

Clear-text passwords are never a good idea, but in Tomcat there is no good way to "secure" them. When Tomcat needs to connect to a database, it needs the original password. While the password could be encoded, there still needs to be a mechanism to decode it, and since the source to Tomcat is freely available, an attacker would know the decoding method. So at best the password is obscured; see FAQ/Password - Tomcat Wiki.

 

Ciphers

It's important not to specify any weak ciphers in the server.xml file; some ciphers, along with some SSL versions, have been deemed insecure and should not be used.

 

SSL v2 is insecure and must not be used. This protocol version can be used to attack RSA keys and sites with the same name even if they are on entirely different servers (the DROWN attack).

 

SSL v3 is insecure when used with HTTP (the POODLE attack) and weak when used with other protocols. It’s also obsolete and shouldn’t be used.

 

TLS v1.0 is a legacy protocol that shouldn't be used.

 

TLS v1.1 and v1.2 are both without known security issues, but only v1.2 provides modern cryptographic algorithms.

 

TLS v1.2 should be your main protocol because it's the only version that offers modern authenticated encryption (also known as AEAD)

 

Choosing which ciphers to use will depend on the requirements from the security team. You can use the below as a starting point

 

ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"

 

The recommendation here, though, is to use the OpenSSL syntax for the cipher list, e.g. ciphers="HIGH:!aNULL:!RC4:!MD5:@STRENGTH". By not naming ciphers explicitly you make it easier to pick up stronger ones automatically as new Tomcat and Java versions are released.

 

Which cipher gets used? By default Tomcat will use the first acceptable cipher in the order presented by the client browser, and this is often not the strongest cipher available. This behaviour can be changed with useServerCipherSuitesOrder="true" in the server.xml file. With useServerCipherSuitesOrder enabled, Tomcat walks its own configured cipher list in order until it finds one the client supports, making sure the most secure connection available is always used.
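The two ways of writing the ciphers attribute discussed above (explicit Java/IANA suite names versus an OpenSSL-syntax string) can be compared offline. The following added example, which is not code from the post or from Tomcat, classifies each explicitly named suite by whether its key exchange gives forward secrecy (ECDHE/DHE) and whether its mode is AEAD (GCM, CCM, ChaCha20), and expands the OpenSSL string through the local OpenSSL library via Python's ssl module. That expansion approximates what Tomcat's own OpenSSL-syntax parser produces, but it is not identical to it, and the exact suite list depends on the OpenSSL build on the machine running the script.

```python
"""Audit a Tomcat ciphers= value, in either the Java/IANA naming or OpenSSL syntax.

Added example, not part of the post. audit_suite() reads the suite name itself;
expand_openssl() asks the local OpenSSL library (via Python's ssl module) what an
OpenSSL-syntax string resolves to, which approximates Tomcat's own parser.
"""
import ssl
from typing import Dict, List

# The explicit list quoted in the post, and the OpenSSL-syntax string it recommends instead.
EXPLICIT_LIST = (
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,"
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,"
    "TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,"
    "TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
)
OPENSSL_STRING = "HIGH:!aNULL:!RC4:!MD5:@STRENGTH"

# Substrings in the bulk-cipher part of a suite name that mark it as deprecated/broken.
WEAK_MARKERS = ("RC4", "DES_", "NULL", "MD5", "EXPORT")


def audit_suite(name: str) -> Dict[str, object]:
    """Classify one IANA-style suite: forward secrecy (ephemeral key exchange) and AEAD mode."""
    if "_WITH_" not in name:
        # TLS 1.3 names (TLS_AES_128_GCM_SHA256 ...) carry no key-exchange part:
        # the protocol itself is always ephemeral and always AEAD.
        return {"name": name, "forward_secrecy": True, "aead": True, "weak": False}
    kx, _, bulk = name.partition("_WITH_")
    kx = kx[4:] if kx.startswith("TLS_") else kx
    return {
        "name": name,
        "forward_secrecy": kx.startswith(("ECDHE_", "DHE_")),
        "aead": any(m in bulk for m in ("_GCM_", "_CCM", "CHACHA20")),
        "weak": any(m in bulk for m in WEAK_MARKERS) or kx.endswith("_anon"),
    }


def audit_list(value: str) -> List[Dict[str, object]]:
    """Audit every suite in a comma-separated ciphers= value."""
    return [audit_suite(n.strip()) for n in value.split(",") if n.strip()]


def summarize(value: str) -> Dict[str, int]:
    """Counts a reviewer would look at first for an explicit suite list."""
    suites = audit_list(value)
    return {
        "total": len(suites),
        "no_forward_secrecy": sum(not s["forward_secrecy"] for s in suites),
        "non_aead": sum(not s["aead"] for s in suites),
        "weak": sum(bool(s["weak"]) for s in suites),
    }


def expand_openssl(cipher_string: str) -> List[str]:
    """Resolve an OpenSSL-syntax cipher string against the local OpenSSL build."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)          # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    print("explicit list:", summarize(EXPLICIT_LIST))
    for suite in audit_list(EXPLICIT_LIST):
        print(f"  {suite['name']:<45} FS={suite['forward_secrecy']!s:<5} AEAD={suite['aead']}")
    names = expand_openssl(OPENSSL_STRING)
    print(f"{OPENSSL_STRING!r} resolves to {len(names)} suites on this OpenSSL, e.g. {names[:3]}")
```

Running it shows the point the post makes: the explicit list contains only CBC suites (no AEAD at all) and four TLS_RSA_* suites without forward secrecy, while the OpenSSL string picks up GCM and ECDHE suites as the library underneath is upgraded.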

 

NOTE: Always test your TLS configuration in a test/dev environment, transferring the changes to production only when you are certain that everything works as expected.

 

 

Other Tomcat Configurations

Out of the box, the following Tomcat parameters are disabled (Tomcat version 8.0); it's good to be aware of them in case you need to enable them for troubleshooting etc., and be sure to disable them afterwards. Most of these entries are configured in the server.xml file; they are not there by default and you will have to specifically add them.

 

allowTrace - The allowTrace attribute may be used to enable TRACE requests which can be useful for debugging. Due to the way some browsers handle the response from a TRACE request (which exposes the browser to an XSS attack), support for TRACE requests is disabled by default.

 

xpoweredBy  - The xpoweredBy attribute controls whether or not the X-Powered-By HTTP header is sent with each request. If sent, the value of the header contains the Servlet and JSP specification versions, the full Tomcat version (e.g. Apache Tomcat/8.0), the name of the JVM vendor and the version of the JVM. This header is disabled by default. This header can provide useful information to both legitimate clients and attackers.

 

SSL v2, v3 - SSLv2 and SSLv3 are inherently unsafe (POODLE attack) and there is no reason to have these protocols enabled. Search the server.xml file for the enabled protocol list ("sslEnabledProtocols=") and make sure SSLv2 and SSLv3 are not in it.

 

deployXML - In a hosted environment where web applications may not be trusted, set the deployXML attribute to false to ignore any context.xml packaged with the web application that may try to assign increased privileges to the web application. Note that if the security manager is enabled that the deployXML attribute will default to false.

 

Listings - The DefaultServlet is configured with listings set to false. This isn't because allowing directory listings is considered unsafe but because generating listings of directories with thousands of files can consume significant CPU leading to a DOS attack.

 

DefaultServlet - This applies to the default conf/web.xml file and to WEB-INF/web.xml files in web applications if they define the components mentioned here. The DefaultServlet is configured with readonly set to true; changing this to false allows clients to delete or modify static resources on the server and to upload new resources, so it should not normally be changed without requiring authentication. The DefaultServlet is also configured with showServerInfo set to true: when directory listings are enabled, the Tomcat version number is included in the response sent to clients. To avoid this, you can explicitly configure a DefaultServlet and set its showServerInfo attribute to false.
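The server.xml settings covered in the last few sections (auto deploy, the shutdown port, the AJP connector, legacy SSL/TLS versions, allowTrace, xpoweredBy, deployXML and the cipher order) are easy to miss when reviewing a long file by eye. The following added example, which is not code from the post or from Tomcat, is a small lint that parses a server.xml and reports each of those settings that is still at its weak value. Both XML documents in it are constructed samples: one resembles a default install with the weak settings left in, the other the hardened layout the post arrives at (the keystore password in it is a placeholder).

```python
"""Lint a Tomcat server.xml for the hardening points covered in this post.

Added example; not part of the post or of Tomcat. Both XML documents below are
constructed samples, not real configuration files.
"""
import xml.etree.ElementTree as ET
from typing import List, Optional

# Constructed: a default-looking server.xml with several weak settings left in.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
               scheme="https" secure="true" sslEnabledProtocols="SSLv3,TLSv1,TLSv1.1,TLSv1.2"
               ciphers="HIGH:!aNULL:!RC4:!MD5:@STRENGTH" xpoweredBy="true" allowTrace="true"
               keystoreFile="conf/keystore.p12" keystorePass="PLACEHOLDER" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" />
    </Engine>
  </Service>
</Server>
"""

# Constructed: the hardened layout the post arrives at.
HARDENED_SERVER_XML = """<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" />
    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
               scheme="https" secure="true" sslEnabledProtocols="TLSv1.2"
               ciphers="HIGH:!aNULL:!RC4:!MD5:@STRENGTH" useServerCipherSuitesOrder="true"
               keystoreFile="conf/keystore.p12" keystorePass="PLACEHOLDER" keyAlias="tomcat" />
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="443" /> -->
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false" deployXML="false" />
    </Engine>
  </Service>
</Server>
"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0"}
WEAK_CIPHER_TOKENS = ("RC4", "MD5", "DES", "NULL", "EXPORT", "ADH", "AECDH")


def _is_true(value: Optional[str]) -> bool:
    return (value or "").strip().lower() == "true"


def lint_server_xml(xml_text: str) -> List[str]:
    """Return a list of findings; an empty list means every checked setting is hardened."""
    findings: List[str] = []
    root = ET.fromstring(xml_text)

    # Shutdown port: -1 disables the listener; otherwise the default command is well known.
    port = root.get("port", "8005")
    if port != "-1":
        findings.append(f'shutdown port {port} is enabled; set port="-1"')
        if root.get("shutdown", "SHUTDOWN") == "SHUTDOWN":
            findings.append("shutdown command is the well-known default SHUTDOWN")

    for conn in root.iter("Connector"):
        cport = conn.get("port", "?")
        if conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            findings.append(f"AJP connector on port {cport} is enabled; comment it out unless a reverse proxy needs it")
        if _is_true(conn.get("allowTrace")):
            findings.append(f"allowTrace is enabled on port {cport}")
        if _is_true(conn.get("xpoweredBy")):
            findings.append(f"xpoweredBy is enabled on port {cport}")
        if _is_true(conn.get("SSLEnabled")):
            enabled = {p.strip() for p in conn.get("sslEnabledProtocols", "").split(",") if p.strip()}
            legacy = sorted(enabled & LEGACY_PROTOCOLS)
            if legacy:
                findings.append(f"port {cport} enables legacy protocols: {', '.join(legacy)}")
            # Accept both OpenSSL (':') and Java (',') separators; '!' tokens are exclusions.
            for token in conn.get("ciphers", "").replace(",", ":").split(":"):
                token = token.strip()
                if token and not token.startswith("!") and any(w in token.upper() for w in WEAK_CIPHER_TOKENS):
                    findings.append(f"port {cport} lists weak cipher token {token}")
            # Connector-level attribute from Tomcat 8.0; 8.5 also accepts honorCipherOrder on SSLHostConfig.
            if not _is_true(conn.get("useServerCipherSuitesOrder")):
                findings.append(f"port {cport} lets the client choose the cipher order")

    for host in root.iter("Host"):
        name = host.get("name", "?")
        if _is_true(host.get("autoDeploy", "true")):            # Tomcat default is true
            findings.append(f"Host {name} has autoDeploy enabled")
        if host.get("deployXML", "true").strip().lower() != "false":
            findings.append(f"Host {name} trusts per-application context.xml (deployXML is not false)")
    return findings


if __name__ == "__main__":
    for label, doc in (("default-like", SAMPLE_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        result = lint_server_xml(doc)
        print(f"{label}: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

The lint deliberately does not flag keystorePass: as the Clear Text Password section explains, Tomcat has no real alternative to storing it, so file-system permissions on conf/ are the control there.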

 

Host Header Attack

A host header attack is a common way for an attacker to manipulate the Host header to launch a web-cache poisoning or a password-reset poisoning attack. Host header attack vulnerabilities have been identified and fixed in versions of Tomcat 8.x; see Apache Tomcat 8.x vulnerabilities.

 

Java Security

Always use the latest version of Java with Tomcat and ensure your applications support the new Java version; for information on the supported versions of Java for RSSO see the BMC Compatibility Matrix. To configure the security settings for Java, open the Java Control Panel, go to the Security tab and set the security level.

 

Java 8u20 control panel Security tab

 

Security levels in the Java Control Panel

 

Very High

This is the most restrictive security level setting. All the applications that are signed with a valid certificate and include the Permissions attribute in the manifest for the main JAR file are allowed to run with security prompts. All other applications are blocked.

 

High

This is the minimum recommended (and default) security level setting. Applications that are signed with a valid or expired certificate and include the Permissions attribute in the manifest for the main JAR file are allowed to run with security prompts. Applications are also allowed to run with security prompts when the revocation status of the certificate cannot be checked. All other applications are blocked.

 

Medium (removed from Java 8 Update 20 and later versions)

Only unsigned applications that request all permissions are blocked. All other applications are allowed to run with security prompts. Selecting the Medium security level is not recommended and will make your computer more vulnerable should you run a malicious application.

 

Java JCE (Java Cryptography Extension) Unlimited Strength

It's advisable to install the Java unlimited strength policy files. The Java runtime environment out of the box enforces a limitation on certain key length parameters: the length is limited to 128 bits. To use a key length higher than 128 bits (192 or 256 bits) you will need to download and install the JCE unlimited strength policy files. Download the unlimited strength files for your version of Java from the Oracle Java download site.

 

NOTE:  From Java 8 u162 the unlimited policy is enabled by default. You no longer need to install the policy file in the JRE or set the security property crypto.policy

Some countries restrict the use of encryption key lengths, check the local country laws.

 

 

Application Security

Each application on the Tomcat web server has its own deployment descriptor file (web.xml), which normally lives in /webapps/application_name/WEB-INF. The configuration discussed above is the general configuration for Tomcat; if there are multiple applications on the Tomcat server, each application can be configured individually using its own web.xml file. It's best to make configuration changes globally and then, if a specific configuration is needed for a particular application, make the changes in its web.xml file.

 

Remedy Single Sign-On

RSSO provides the option to use secure cookies. If you are using HTTPS only then there is really no need to set this flag (doing so won't cause any issues) since all the traffic from the server to the client will be encrypted. However, if Tomcat is also configured to use HTTP then that poses a security risk of cookies being intercepted and used in an impersonation attack. We can use a secure flag for cookies even if HTTP is being used on the server; this will encrypt the cookie. The option to enable secured cookies in RSSO is shown in Fig1. If this option is selected then all applications must also run on HTTPS and the application servers must be accessed through HTTPS only; otherwise it causes a redirection loop.

 

Fig1

 

 

Limiting access to the RSSO Admin Console

You should limit access to the RSSO admin console to either a single IP address or a subset of IP addresses. Use Tomcat's Remote Address filter to configure this (the <filter> entries below belong in the application's web.xml; the equivalent RemoteAddrValve can be configured in server.xml). This is especially necessary if you are exposing the apps over the internet.

 

<filter>
    <filter-name>Remote Address Filter</filter-name>
    <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
    <init-param>
        <param-name>allow</param-name> <!-- or deny -->
        <param-value>IPADDRESSESofAllowedServers</param-value> <!-- regexp for your ip addresses -->
    </init-param>
</filter>
<filter-mapping>
    <filter-name>Remote Address Filter</filter-name>
    <url-pattern>/admin/*</url-pattern> <!-- the url of your admin page or login page, etc -->
</filter-mapping>

 

(IPV6 environments)

<filter>
    <filter-name>Remote Address Filter</filter-name>
    <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
    <init-param>
        <param-name>allow</param-name> <!-- or deny -->
        <param-value>10\.10\.1[12]\..*</param-value> <!-- regexp for your ip addresses; must match the whole address -->
    </init-param>
</filter>
<filter-mapping>
    <filter-name>Remote Address Filter</filter-name>
    <url-pattern>/admin/*</url-pattern> <!-- the url of your admin page or login page, etc -->
</filter-mapping>
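The allow and deny values above are Java regular expressions that must match the whole remote address, and the order of evaluation (deny first, then allow) decides what happens to an address that matches neither. The following added example, which is not code from the post or from Tomcat, reproduces that decision logic in Python so the patterns can be tried against constructed addresses before they go into web.xml; it uses the 10\.10\.1[12]\..* pattern from the post plus some deliberately sloppy variants to show what a missing backslash or a prefix-only pattern does.

```python
"""Emulate the allow/deny decision of Tomcat's RemoteAddrFilter (and RemoteAddrValve).

Added example, not Tomcat's code. It follows the documented order of checks:
deny is tested first, then allow, and a pattern has to match the whole address
(Java's Matcher.matches()), which Python's re.fullmatch mirrors for these patterns.
"""
import re
from typing import Dict, Optional


def is_allowed(remote_addr: str, allow: Optional[str] = None, deny: Optional[str] = None) -> bool:
    """True if the filter would pass the request on to the application."""
    if deny is not None and re.fullmatch(deny, remote_addr):
        return False
    if allow is not None:
        return re.fullmatch(allow, remote_addr) is not None
    # No allow pattern: requests are permitted only when a deny pattern exists and did not match.
    return deny is not None


# Pattern from the post: hosts in 10.10.11.0/24 and 10.10.12.0/24.
ADMIN_ALLOW = r"10\.10\.1[12]\..*"


def demo() -> Dict[str, bool]:
    """Constructed addresses run against the post's pattern and some deliberately sloppy ones."""
    return {
        "subnet_11": is_allowed("10.10.11.5", allow=ADMIN_ALLOW),
        "subnet_12": is_allowed("10.10.12.200", allow=ADMIN_ALLOW),
        "subnet_13": is_allowed("10.10.13.5", allow=ADMIN_ALLOW),
        # Whole-address match: a single-host pattern does not cover 10.10.11.50.
        "single_host_exact": is_allowed("10.10.11.5", allow=r"10\.10\.11\.5"),
        "single_host_prefix": is_allowed("10.10.11.50", allow=r"10\.10\.11\.5"),
        # Unescaped dots are wildcards: this "allow list" also admits a nonsense string.
        "unescaped_dots": is_allowed("10a10b11c5", allow="10.10.11.5"),
        # Deny-only configuration: anything not denied is allowed.
        "deny_only_other": is_allowed("10.0.0.9", deny=r"192\.168\..*"),
        "deny_only_match": is_allowed("192.168.4.7", deny=r"192\.168\..*"),
        # IPv6 loopback in the uncompressed form Java reports it, with the short form as an alternative.
        "ipv6_loopback": is_allowed("0:0:0:0:0:0:0:1", allow=r"0:0:0:0:0:0:0:1|::1"),
        # Neither pattern configured: the filter denies everything.
        "nothing_configured": is_allowed("10.10.11.5"),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:<20} {'allowed' if allowed else 'denied'}")
```

One caveat when the admin console sits behind the load balancer or reverse proxy discussed earlier: the address this filter sees is the proxy's, not the client's, so the allow list would have to name the proxy, or Tomcat's RemoteIpValve/RemoteIpFilter has to be configured to restore the client address from the proxy's X-Forwarded-For header first.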

 

 

Scanning For Vulnerabilities

After going through the Tomcat and RSSO hardening above, ask the Network/Security team to run a vulnerability scan. The scan will provide a detailed report of any vulnerabilities identified on the system; check the report and follow its recommendations.

 

Reporting Vulnerabilities

BMC Software is engaged in an ongoing process to continually improve the security of the applications it develops. If you encounter any issues with BMC products, the first thing to do is to contact the BMC Application Security team. DO NOT disclose any suspected vulnerabilities publicly. For information on how to contact the BMC Application Security team see https://www.bmc.com/corporate/bmc-security.html

 

Report any suspected vulnerability in Tomcat to Apache; see https://httpd.apache.org/security_report.html