Hardening
Introduction
For more secure installations, these instructions demonstrate how to harden a DDF system.
The web administration console is not compatible with Internet Explorer 7
Disabling the Web Administration Console
To harden DDF for security purposes, disable the Web Administration Console so that users do not have access. All configuration is done via the DDF command line console and/or .cfg configuration files.
Open the web administration console.
- http://localhost:8181/system/console
- Default Username/Password:
admin/admin - Select the Features tab
- Uninstall the
webconsole-basefeature by clicking the Install/Uninstall button on the right
Accessing any page on the web admin console will now result in an HTTP 404 error.
To re-enable the web administration console, go to the Karaf command line console and install the ddf-webconsole feature.
features:install webconsole
Enabling SSL for Services
Do not use the Web Administration Console to SSL enable the DDF services. While the Web Administration Console's Pax Web Runtime offers this configuration option, it has proven to be unreliable and may crash the system.
Edit the provided configuration file <DDF_INSTALL_DIR>/etc/org.ops4j.pax.web.cfg with the settings for the desired configuration.
Pax Web Configuration Settings
Property
Sample Value
Description
org.osgi.service.http.enabledfalse Set this to false to disable HTTP without SSL org.osgi.service.http.secure.enabled
true
Set this to true to SSL enable the DDF services
org.osgi.service.http.port.secure
8993
Set this to the HTTPS port number.
(Verify this port does not conflict with any other secure ports being used in the network. For example, JBoss and other application servers use port 8443 by default)
org.ops4j.pax.web.ssl.keystore.type
jks
Set this to the type of keystore (most likely jks)
org.ops4j.pax.web.ssl.keystore
/opt/ddf/keystore.jks
Set this to the fully-qualified path to the SSL keystore file
org.ops4j.pax.web.ssl.keypassword
password1
Set this to the password for the user's private key
org.ops4j.pax.web.ssl.password
password2
Set this to the password for overall keystore integrity checking
Here is an example .cfg file:
######################
# HTTP settings
######################
# Disable HTTP
org.osgi.service.http.enabled=false
# HTTP port number
org.osgi.service.http.port=8181
######################
# HTTPS settings
######################
# Enable HTTPS
org.osgi.service.http.secure.enabled=true
# HTTPS port number
# (Verify this port does not conflict with any other secure ports being used in the
# network. For example, JBoss and other application servers use port 8443 by default)
org.osgi.service.http.port.secure=8993
# Fully-qualified path to the SSL keystore
org.ops4j.pax.web.ssl.keystore=/opt/ddf/keystore.jks
# SSL Keystore Type
org.ops4j.pax.web.ssl.keystore.type=jks
# Keystore Integrity Password
org.ops4j.pax.web.ssl.password=abc123
# Keystore Password
org.ops4j.pax.web.ssl.keypassword=abc123
All .cfg files follow a strict formatting structure in that every entry is a key=value pair. There should be no whitespace before the key, around the equals sign (=), or after the value. Otherwise, the key or value may be misinterpreted.
Also take care if .cfg files originated on an operating system other than the operating system DDF is currently running on. Hidden characters, e.g., ^M, can be added during the file transfer between the operating systems. This occurs often when a DDF zip install file from a Unix operating system is transferred to a Windows operating system and installed.
Optional: Disable HTTP for the DDF services and only use HTTPS by setting the org.osgi.service.http.enabled property to false. After this, all DDF clients need to pass the appropriate certificates.
Reference
Configuring a Java Keystore for Secure Communications
Additional Pax-Web SSL configuration info: http://team.ops4j.org/wiki/display/paxweb/SSL+Configuration
Do not use the Web Administration Console to SSL enable the DDF services. While the Web Administration Console's Pax Web Runtime offers this configuration option, it has proven to be unreliable and may crash the system.
<DDF_INSTALL_DIR>/etc/org.ops4j.pax.web.cfg with the settings for the desired configuration.Property | Sample Value | Description |
|---|---|---|
org.osgi.service.http.enabled | false | Set this to false to disable HTTP without SSL |
|
| Set this to true to SSL enable the DDF services |
|
| Set this to the HTTPS port number. |
|
| Set this to the type of keystore (most likely |
|
| Set this to the fully-qualified path to the SSL keystore file |
|
| Set this to the password for the user's private key |
|
| Set this to the password for overall keystore integrity checking |
###################### # HTTP settings ###################### # Disable HTTP org.osgi.service.http.enabled=false # HTTP port number org.osgi.service.http.port=8181 ###################### # HTTPS settings ###################### # Enable HTTPS org.osgi.service.http.secure.enabled=true # HTTPS port number # (Verify this port does not conflict with any other secure ports being used in the # network. For example, JBoss and other application servers use port 8443 by default) org.osgi.service.http.port.secure=8993 # Fully-qualified path to the SSL keystore org.ops4j.pax.web.ssl.keystore=/opt/ddf/keystore.jks # SSL Keystore Type org.ops4j.pax.web.ssl.keystore.type=jks # Keystore Integrity Password org.ops4j.pax.web.ssl.password=abc123 # Keystore Password org.ops4j.pax.web.ssl.keypassword=abc123
All .cfg files follow a strict formatting structure in that every entry is a key=value pair. There should be no whitespace before the key, around the equals sign (=), or after the value. Otherwise, the key or value may be misinterpreted.
Also take care if .cfg files originated on an operating system other than the operating system DDF is currently running on. Hidden characters, e.g., ^M, can be added during the file transfer between the operating systems. This occurs often when a DDF zip install file from a Unix operating system is transferred to a Windows operating system and installed.
Optional: Disable HTTP for the DDF services and only use HTTPS by setting the org.osgi.service.http.enabled property to false. After this, all DDF clients need to pass the appropriate certificates.
Reference
Configuring a Java Keystore for Secure Communications
Additional Pax-Web SSL configuration info: http://team.ops4j.org/wiki/display/paxweb/SSL+Configuration
Configuring DDF Without the Web Administration Console
Depending on the environment, it may be easier for integrators and administrators to configure DDF using the Web Administration Console prior to disabling it and switching to SSL. The Web Administration Console can be re-enabled for additional configuration changes.
In an environment hardened for security purposes, access to the DDF Web Administration Console will be denied. It is necessary to configure DDF (e.g., providers, Schematron rulesets, etc.) either using .cfg configuration files or by using the Karaf command line console. The OSGi container detects the addition, updating, or deletion of .cfg files in the etc/ddf directory.
The following sections describe how to configure each DDF item using both of these mechanisms. A template file is provided for each configurable DDF item so that it can be copied/renamed and then modified with settings.
If at a later time the Web Administration console is enabled again, all of the configuration done via .cfg files and/or the Karaf command line console are loaded and displayed. However, note that the name of the .cfg file is not used in the admin console. Rather, OSGi assigns a universally unique identifier (UUID) when the DDF item was created and displays this UUID in the console (e.g., OpenSearchSource.112f298e-26a5-4094-befc-79728f216b9b)
Templates included with DDF:
DDF Service | Template File Name | Factory PID | Configurable Properties (from DDF Users Guide) |
|---|---|---|---|
DDF Catalog Framework |
| ddf.catalog.CatalogFrameworkImpl | Standard Catalog Framework |
Configuring Using a .cfg File Template
Configuring a new source or feature using a config file follows a standard procedure:
- Copy/rename the provided template file in the
etc/templatesdirectory to theetcdirectory (consult preceding table to determine correct template).- Mandatory: The dash between the PID (e.g., OpenSearchSource_site.cfg) and the instance name (e.g.,
OpenSearchSource_site.cfg)is required. The dash is a reserved character used by OSGi to detect that an instance of a managed service factory should be created. - Not required, but a good practice is to change the instance name (
e.g. federated_source) of the file to something identifiable (source1-ddf)
- Mandatory: The dash between the PID (e.g., OpenSearchSource_site.cfg) and the instance name (e.g.,
- Edit the file copied to
etcwith the settings for the configuration (consult preceding table to determine the configurable properties).- This file is a Java properties file, hence the syntax is <key> = <value>
- Consult the inline comments in the file for guidance on what to modify
- The Configurable Properties tables in the Integrator's Guide for the Included Catalog Components also describe each field and its value
- The new service can now be used in the same way as if it was created using the web administration console.
Configuring Using the Command Line Console
Configuring a new source, provider, or feature using the command console follows a standard procedure. The properties and their values will change based on type of service being created, but the actual commands entered at the command line do not change.
To help illustrate the commands, an example of creating a new OpenSearch Federated Source is shown after each step.
- Create the federated source using the
config:editcommandMandatory: The dash between the PID (e.g., OpenSearch_source) and the instance name (
e.g., search) is required. The dash is a reserved character used by OSGi to detect that an instance of a managed service factory should be created._sourceconfig:edit OpenSearchSource-my_federated_source
Enter the settings for the federated source's properties. These properties can be found by looking in the template file for the specified service.
config:propset endpointUrl http://ddf:8181/services/query?q={searchTerms}&src={fs:routeTo?}&mr={fs:maxResults?}&count={count?}&mt={fs:maxTimeout?}&dn={idn:userDN?}&lat={geo:lat?}&lon={geo:lon?}&radius={geo:radius?}&bbox={geo:box?}&polygon={geo:polygon?}&dtstart={time:start?}&dtend={time:end?}&dateName={cat:dateName?}&filter={fsa:filter?}&sort={fsa:sort?}Save the configuration updates
config:update
- The new service can now be used in the same way as if it was created using the web administration console.