Archive for the ‘Tomcat’ Category
How to implement SSL on Tomcat 5.5
Pre-installation notes
The guide below builds on the previous post, Hardening guide for Tomcat 5.5 on Solaris 10 platform, and assumes the layout set up there: JDK 1.6 under /usr/jdk/jdk1.6.0_15, Tomcat under /var/apache/tomcat55 and /usr/apache/tomcat55, a dedicated tomcat user, and the /etc/init.d/tomcat start script.
SSL implementation phase
- Login to the server using the root account.
- Create a folder for the SSL certificate files:
mkdir -p /var/apache/tomcat55/conf/ssl.crt
- Create a folder for the SSL private key (the Java keystore):
mkdir -p /var/apache/tomcat55/conf/ssl.key
- Change ownership of the configuration files, including the two new folders, to the tomcat user:
chown -R tomcat:tomcat /var/apache/tomcat55/conf/*
- Run the command below to generate a keystore holding a new RSA key pair. keytool prompts for the certificate's distinguished name; answer "What is your first and last name?" with the server's fully qualified host name, because that answer becomes the certificate CN that browsers check against the URL:
For 32bit operating system:
/usr/jdk/jdk1.6.0_15/bin/keytool -genkey -keyalg "RSA" -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword -validity 730
For x64 operating system:
/usr/jdk/jdk1.6.0_15/bin/amd64/keytool -genkey -keyalg "RSA" -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword -validity 730
Note: Each command above is written as one line, and ComplexPassword stands for a real keystore password. Three things the commands leave at keytool's defaults: the RSA key is 1024 bits unless you add -keysize 2048; without -alias the key pair is stored under the default alias "mykey", which the later import of the signed certificate also relies on, so if you pick an alias here use the same one there; and a password given with -storepass is visible in the process list and the shell history, so it is safer to omit the option and let keytool prompt for it. The -validity 730 applies only to the temporary self-signed certificate; the CA-signed certificate imported later carries the CA's own validity period.
- Run the command below to generate a CSR (certificate signing request) from the key pair:
For 32bit operating system:
/usr/jdk/jdk1.6.0_15/bin/keytool -certreq -keyalg "RSA" -file /tmp/tomcat.csr -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword
For x64 operating system:
/usr/jdk/jdk1.6.0_15/bin/amd64/keytool -certreq -keyalg "RSA" -file /tmp/tomcat.csr -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword
Note: Each command above is written as one line. The CSR contains only the public key and the distinguished name entered in the previous step; the private key never leaves the keystore.
- Send the file /tmp/tomcat.csr to a Certificate Authority.
- When the signed certificate arrives from the CA (usually by email), copy the block from the line "-----BEGIN CERTIFICATE-----" through the line "-----END CERTIFICATE-----", including those two lines, into a text editor and save it as "server.crt".
- Copy the file "server.crt" using SCP into /var/apache/tomcat55/conf/ssl.crt
- Follow the link in the CA's email to download the CA chain (the root certificate and any intermediate certificates between it and your server certificate) and save it as "ca-bundle.crt" (Note: The file must be PEM (Base64) encoded).
- Copy the file "ca-bundle.crt" using SCP into /var/apache/tomcat55/conf/ssl.crt
- Run the command below to import the CA's public certificate into the JDK trust store (the same cacerts file the connector's truststoreFile setting points at below):
For 32bit operating system:
/usr/jdk/jdk1.6.0_15/bin/keytool -import -keystore /usr/jdk/jdk1.6.0_15/jre/lib/security/cacerts -storepass changeit -trustcacerts -file /var/apache/tomcat55/conf/ssl.crt/ca-bundle.crt
For x64 operating system:
/usr/jdk/jdk1.6.0_15/bin/amd64/keytool -import -keystore /usr/jdk/jdk1.6.0_15/jre/lib/security/cacerts -storepass changeit -trustcacerts -file /var/apache/tomcat55/conf/ssl.crt/ca-bundle.crt
Note: Each command above is written as one line. changeit is the default password of the JDK cacerts file. keytool imports only the first certificate it finds in a file, so if ca-bundle.crt holds a root plus one or more intermediates, split them into separate PEM files and import each with its own -alias (for example -alias ca-root and -alias ca-intermediate); without -alias every import goes to the default alias "mykey", and the second import fails because that alias already exists.
- Run the command below to import the signed certificate into the keystore, next to its private key:
For 32bit operating system:
/usr/jdk/jdk1.6.0_15/bin/keytool -import -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword -trustcacerts -file /var/apache/tomcat55/conf/ssl.crt/server.crt
For x64 operating system:
/usr/jdk/jdk1.6.0_15/bin/amd64/keytool -import -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword -trustcacerts -file /var/apache/tomcat55/conf/ssl.crt/server.crt
Note: Each command above is written as one line. Because neither -genkey nor this command names an alias, both use keytool's default alias "mykey", so keytool treats server.crt as the certificate reply for that key pair and verifies that it chains to a trusted CA (-trustcacerts). An error such as "Failed to establish chain from reply" means the CA chain imported in the previous step is incomplete.
- Stop the Tomcat service:
/etc/init.d/tomcat stop
- Edit using VI the file /var/apache/tomcat55/conf/server.xml and add the section below inside the Service element, next to the port 8080 Connector:
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/var/apache/tomcat55/conf/ssl.key/server.key"
keystorePass="ComplexPassword"
truststoreFile="/usr/jdk/jdk1.6.0_15/jre/lib/security/cacerts"
truststorePass="changeit"
tcpNoDelay="true" />
Note: The post originally used sslProtocol="SSLv3" and ciphers="ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP". SSLv3 is obsolete and must not be offered; "TLS" is the value the Tomcat SSL documentation uses for this keystore-based (JSSE) connector. The ciphers value is an OpenSSL-format cipher string that only the APR/native connector understands; the JSSE connector expects a comma-separated list of JSSE cipher suite names and silently falls back to the JVM's default suites when none of the listed names match, so the attribute is dropped here rather than left in as a false reassurance. keystorePass and truststorePass are stored in clear text in server.xml, which is why the conf folder must be readable by the tomcat user only.
- Edit using VI the file /var/apache/tomcat55/conf/web.xml and add the following section inside the <security-constraint> element created by the hardening guide, after its </auth-constraint> line:
<user-data-constraint>
<description>
Constrain the user data transport for the whole application
</description>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
- Start the Tomcat service:
/etc/init.d/tomcat start
Note: The start script from the hardening guide already passes -security to startup.sh, so Tomcat comes up under the Java security manager; any further argument given to /etc/init.d/tomcat is ignored. Check the listener from a client with a browser on https://<server>:8443/ or with openssl s_client -connect <server>:8443 and confirm the full chain is served. Plain HTTP requests on port 8080 are redirected to 8443 only when they hit the CONFIDENTIAL constraint, so point clients at the HTTPS port directly.
Hardening guide for Tomcat 5.5 on Solaris 10 platform
Pre-installation notes
This guide describes how to install Sun JDK 1.6 update 15 and Tomcat 5.5 on Sun Solaris 10 and harden the installation.
Installation phase
- Login to the server using the root account.
- Make sure the folder /usr/jdk exists:
ls -ld /usr/jdk
- If the folder /usr/jdk doesn't exist, create it:
mkdir /usr/jdk
- Copy the JDK 1.6 self-extracting installers (32bit and x64) into /usr/jdk
- Move to the /usr/jdk folder:
cd /usr/jdk
- Make the JDK 1.6 (32bit) installer executable:
chmod +x jdk-6u15-solaris-i586.sh
- Run the command below to install JDK 1.6 (32bit):
./jdk-6u15-solaris-i586.sh
- Make the JDK 1.6 (x64) installer executable:
chmod +x jdk-6u15-solaris-x64.sh
- Run the command below to install JDK 1.6 (x64). On Solaris the x64 package adds the 64-bit binaries (bin/amd64) to the same jdk1.6.0_15 directory, which is why the 32bit installer must run first:
./jdk-6u15-solaris-x64.sh
- Delete the installers, the source archive and the demo/sample code, none of which belong on a server:
rm /usr/jdk/jdk-6u15-solaris-i586.sh
rm /usr/jdk/jdk-6u15-solaris-x64.sh
rm /usr/jdk/jdk1.6.0_15/src.zip
rm -r /usr/jdk/jdk1.6.0_15/demo
rm -r /usr/jdk/jdk1.6.0_15/sample
- Remove the existing link for java:
rm /usr/bin/java
- Create a new link for java (for x64 servers):
ln -s /usr/jdk/jdk1.6.0_15/bin/amd64/java /usr/bin
- Rebuild the shell's command lookup table (rehash is a csh/tcsh builtin; sh does not need it):
rehash
- Mount the Solaris 10 DVD and move to the packages folder:
cd /cdrom/sol_10_1008_x86/Solaris_10/Product
- Run the command below to install the Tomcat packages:
pkgadd -d . SUNWtcatr SUNWtcatu
- Remove the following default webapps and files (documentation, examples, WebDAV and the balancer application are attack surface with no production use):
rm -r /usr/apache/tomcat55/webapps/tomcat-docs
rm /var/apache/tomcat55/webapps/tomcat-docs
rm /var/apache/tomcat55/webapps/ROOT/RELEASE-NOTES.txt
rm -r /var/apache/tomcat55/webapps/jsp-examples
rm -r /var/apache/tomcat55/webapps/servlets-examples
rm -r /var/apache/tomcat55/webapps/webdav
rm -r /var/apache/tomcat55/webapps/balancer
- Copy the example server.xml configuration file:
cp /var/apache/tomcat55/conf/server.xml-example /var/apache/tomcat55/conf/server.xml
Note: The above command is written as one line.
- Edit using VI the file /var/apache/tomcat55/conf/server.xml
Uncomment the AccessLogValve section (org.apache.catalina.valves.AccessLogValve) so that every request is logged.
Replace the non-SSL HTTP/1.1 Connector:
From:
<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
<Connector port="8080" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" redirectPort="8443" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" />
To:
<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
<Connector port="8080" debug="off" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" redirectPort="8443" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" tcpNoDelay="true" />
Note: Element and attribute names in server.xml are case-sensitive (Connector, maxThreads, redirectPort, tcpNoDelay and so on); a misspelled attribute is ignored with a warning in the log rather than rejected. redirectPort="8443" is where Tomcat sends requests that hit a CONFIDENTIAL security constraint over plain HTTP.
- Edit using VI the file /var/apache/tomcat55/conf/web.xml and add the following section before the closing web-app tag (the URL patterns are the Manager application's command URLs):
<!-- Define a Security Constraint on this Application -->
<security-constraint>
<web-resource-collection>
<web-resource-name>HTML Manager and Manager command</web-resource-name>
<url-pattern>/jmxproxy/*</url-pattern>
<url-pattern>/html/*</url-pattern>
<url-pattern>/list</url-pattern>
<url-pattern>/sessions</url-pattern>
<url-pattern>/start</url-pattern>
<url-pattern>/stop</url-pattern>
<url-pattern>/install</url-pattern>
<url-pattern>/remove</url-pattern>
<url-pattern>/deploy</url-pattern>
<url-pattern>/undeploy</url-pattern>
<url-pattern>/reload</url-pattern>
<url-pattern>/save</url-pattern>
<url-pattern>/serverinfo</url-pattern>
<url-pattern>/status/*</url-pattern>
<url-pattern>/roles</url-pattern>
<url-pattern>/resources</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>manager</role-name>
</auth-constraint>
</security-constraint>
- Edit using VI the file /var/apache/tomcat55/conf/tomcat-users.xml and add the following lines (replace adminpass with a complex password for the admin account and document it; the file holds the password in clear text, so it must stay readable by the tomcat user only):
<role rolename="admin"/>
<role rolename="manager"/>
<user username="admin" password="adminpass" roles="admin,manager"/>
- Edit using VI the file /var/apache/tomcat55/conf/Catalina/localhost/admin.xml
Uncomment the RemoteAddrValve section (org.apache.catalina.valves.RemoteAddrValve) and replace the value of its allow attribute:
From:
allow="127.0.0.1"
To:
allow="172.16.*.*"
Note: Replace "172.16.*.*" with your internal management network segment. In Tomcat 5.5 the allow attribute is a comma-separated list of regular expressions matched against the whole client IP address, so a dot should strictly be escaped: the pattern above is more precisely written allow="172\.16\.\d+\.\d+". A list of individual addresses works as well.
Example: allow="128.117.140.62, 128.117.140.63, 128.117.140.99"
- Edit using VI the file /var/apache/tomcat55/conf/Catalina/localhost/manager.xml
Inside the "Context" element, add the following line:
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="172.16.*.*"/>
Note: As above, replace "172.16.*.*" with your internal network segment; the same regular-expression rules apply.
Example: allow="128.117.140.62, 128.117.140.63, 128.117.140.99"
- Move to the folder /usr/apache/tomcat55/server/lib
cd /usr/apache/tomcat55/server/lib
- Extract ServerInfo.properties from catalina.jar (jar lives in /usr/jdk/jdk1.6.0_15/bin; use the full path if it is not on the PATH):
jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties
- Edit using VI the file /usr/apache/tomcat55/server/lib/org/apache/catalina/util/ServerInfo.properties
Replace the string below from:
server.info=Apache Tomcat/5.5.26
To:
server.info=Secure Web server
Replace the string below from:
server.number=5.5.26.0
To:
server.number=1.0.0.0
Note: This only hides the version banner from Tomcat's default error pages; it changes no behaviour and is no substitute for applying Tomcat updates.
- Move to the folder /usr/apache/tomcat55/server/lib
cd /usr/apache/tomcat55/server/lib
- Repackage the file catalina.jar
jar uf catalina.jar org/apache/catalina/util/ServerInfo.properties
- Remove the extracted folder:
rm -r /usr/apache/tomcat55/server/lib/org
- Create a user account for the Tomcat service:
mkdir /home/tomcat
groupadd tomcat
useradd -s /bin/sh -d /home/tomcat -g tomcat tomcat
chown tomcat:tomcat /home/tomcat/
passwd tomcat
passwd -l tomcat
Note: passwd -l locks the account so that nobody can log in as tomcat with a password; the start script below switches to it from root with su.
- Create using VI the file /etc/init.d/tomcat with the following content:
#!/bin/sh
#
# Startup script for Tomcat
#
JAVA_HOME="/usr/jdk/jdk1.6.0_15"
TOMCAT_BIN="/usr/apache/tomcat55/bin"

case "$1" in
start)
echo "Starting Tomcat"
# "su -" starts a login shell for tomcat and resets the environment, so JAVA_HOME
# is set inside the command rather than exported from this script.
# -security starts Tomcat under the Java security manager (conf/catalina.policy).
su - tomcat -c "JAVA_HOME=$JAVA_HOME; export JAVA_HOME; $TOMCAT_BIN/startup.sh -security"
;;
stop)
echo "Stopping Tomcat"
su - tomcat -c "JAVA_HOME=$JAVA_HOME; export JAVA_HOME; $TOMCAT_BIN/shutdown.sh"
;;
restart)
$0 stop
$0 start
;;
*)
echo "Usage: $0 {start|stop|restart}"
exit 1
;;
esac
- Change the permissions on the file /etc/init.d/tomcat:
chmod u+x /etc/init.d/tomcat
- Create symbolic links for system-level startup and shutdown:
ln -s /etc/init.d/tomcat /etc/rc3.d/K01tomcat
ln -s /etc/init.d/tomcat /etc/rc3.d/S99tomcat
- Rebuild the shell's command lookup table (csh/tcsh only):
rehash
- Change ownership of all server files to the tomcat user:
chown -R tomcat:tomcat /var/apache/tomcat55/*
chown -R tomcat:tomcat /usr/apache/tomcat55/*
Note: Because conf/tomcat-users.xml holds the admin password in clear text, also make sure the conf folder is not readable by other local users.
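The following script is an added example, not part of either guide on this page. It audits a Tomcat 5.5 tree laid out as the two guides describe (server.xml, tomcat-users.xml, web.xml and the keystore under conf/, sample applications under webapps/, the manager context under conf/Catalina/localhost/) and flags the settings the guides harden when they are left at their weak values: an HTTPS connector still pinned to SSLv3, a keystore readable by other users, the placeholder admin password, sample webapps still deployed, no CONFIDENTIAL transport guarantee, and a manager context without a RemoteAddrValve. The make_sample_tree function builds a constructed, throw-away copy of that layout in both a weak and a corrected form so the audit can be run offline; the paths, the file contents it writes and the sample password in it are assumptions for the demonstration, not files from a real install.

```shell
#!/bin/sh
# Added example, not code from the original posts: audit a Tomcat 5.5 tree laid
# out as the two guides above describe. Paths follow the guides; the tree built
# by make_sample_tree is constructed here so the script can run offline.
# Each check takes the Tomcat base directory, prints PASS/FAIL and returns 0/1.

# Pass if pattern $3 occurs in the base-relative file $2; $4 names the setting.
require_in_file() {
    if grep -q "$3" "$1/$2" 2>/dev/null; then echo "PASS: $4 present in $2"
    else echo "FAIL: $4 missing in $2"; return 1; fi
}

# 1. The HTTPS connector must not pin SSLv2/SSLv3; the JSSE connector takes "TLS".
check_ssl_protocol() {
    if grep -Eq 'sslProtocol="SSLv[23]"' "$1/conf/server.xml" 2>/dev/null; then
        echo "FAIL: server.xml pins sslProtocol to SSLv2/SSLv3 (use sslProtocol=\"TLS\")"; return 1
    fi
    require_in_file "$1" conf/server.xml 'sslProtocol="TLS' 'TLS connector'
}

# 2. The keystore holds the private key: only its owner may read it.
check_keystore_mode() {
    f="$1/conf/ssl.key/server.key"
    [ -f "$f" ] || { echo "FAIL: keystore $f missing"; return 1; }
    mode=$(ls -ld "$f" | cut -c1-10)                 # e.g. -rw-------
    case "$mode" in
        ????------) echo "PASS: keystore mode $mode" ;;
        *) echo "FAIL: keystore mode $mode is group/world readable (chmod 600)"; return 1 ;;
    esac
}

# 3. tomcat-users.xml must not keep the guide's placeholder or an empty password.
check_default_creds() {
    if grep -Eq 'password="(adminpass|tomcat|admin)?"' "$1/conf/tomcat-users.xml" 2>/dev/null; then
        echo "FAIL: placeholder or empty password in tomcat-users.xml"; return 1
    fi
    echo "PASS: no placeholder passwords in tomcat-users.xml"
}

# 4. The sample and documentation webapps the guide deletes must stay deleted.
check_sample_webapps() {
    rc=0
    for app in tomcat-docs jsp-examples servlets-examples webdav balancer; do
        [ -e "$1/webapps/$app" ] && { echo "FAIL: sample webapp still deployed: $app"; rc=1; }
    done
    [ "$rc" -eq 0 ] && echo "PASS: sample webapps removed"
    return "$rc"
}

# 5. conf/web.xml must force HTTPS; 6. the manager context must carry a RemoteAddrValve.
check_transport_guarantee() {
    require_in_file "$1" conf/web.xml '<transport-guarantee>CONFIDENTIAL</transport-guarantee>' 'CONFIDENTIAL transport-guarantee'
}
check_manager_valve() {
    require_in_file "$1" conf/Catalina/localhost/manager.xml 'org.apache.catalina.valves.RemoteAddrValve' 'RemoteAddrValve'
}

# Run every check; the return value is the number of failed checks.
audit_tomcat() {
    fails=0
    for c in check_ssl_protocol check_keystore_mode check_default_creds \
             check_sample_webapps check_transport_guarantee check_manager_valve; do
        "$c" "$1" || fails=$((fails + 1))
    done
    echo "$fails check(s) failed for $1"
    return "$fails"
}

# Build a constructed tree under $1. "weak" mirrors the settings as they stood on the
# page before correction (SSLv3, placeholder password, samples present, world-readable
# keystore, no valve); any other value builds the corrected form.
make_sample_tree() {
    base="$1"
    mkdir -p "$base/conf/ssl.key" "$base/conf/Catalina/localhost" "$base/webapps/ROOT"
    : > "$base/conf/ssl.key/server.key"                # stand-in for the JKS keystore
    if [ "$2" = "weak" ]; then
        proto=SSLv3; pass=adminpass; guarantee=NONE
        chmod 644 "$base/conf/ssl.key/server.key"
        mkdir -p "$base/webapps/jsp-examples" "$base/webapps/webdav"
        : > "$base/conf/Catalina/localhost/manager.xml"
    else
        proto=TLS; pass='c0rrect-h0rse-battery'; guarantee=CONFIDENTIAL   # sample password
        chmod 600 "$base/conf/ssl.key/server.key"
        printf '<Context>\n<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="172\\.16\\..*"/>\n</Context>\n' \
            > "$base/conf/Catalina/localhost/manager.xml"
    fi
    printf '<Server><Service>\n<Connector port="8443" scheme="https" secure="true"\n sslProtocol="%s"\n keystoreFile="%s/conf/ssl.key/server.key"/>\n</Service></Server>\n' \
        "$proto" "$base" > "$base/conf/server.xml"
    printf '<tomcat-users>\n<role rolename="manager"/>\n<user username="admin" password="%s" roles="admin,manager"/>\n</tomcat-users>\n' \
        "$pass" > "$base/conf/tomcat-users.xml"
    printf '<web-app>\n<security-constraint>\n<user-data-constraint>\n<transport-guarantee>%s</transport-guarantee>\n</user-data-constraint>\n</security-constraint>\n</web-app>\n' \
        "$guarantee" > "$base/conf/web.xml"
}

# Usage: sh tomcat-audit.sh /var/apache/tomcat55   (no argument: audit the constructed trees)
if [ -n "${1:-}" ]; then audit_tomcat "$1"; else
    tmp=$(mktemp -d) && make_sample_tree "$tmp/weak" weak && make_sample_tree "$tmp/hardened" hardened
    audit_tomcat "$tmp/weak" || true; audit_tomcat "$tmp/hardened"; rm -rf "$tmp"
fi
```

Run without an argument it builds the two constructed trees and shows the weak one failing all six checks and the corrected one passing all of them. Against a real server, run it as root after the final chown of the hardening guide (and again after the SSL guide, once the keystore exists) so the keystore mode check reflects the live file; the checks are simple grep tests over the configuration files, so a multi-line Connector element needs its sslProtocol attribute on its own line, as in the SSL guide above.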