
Version   Date         Modified By         Description of Modification
1.0                    Minh-Hai Nguyen     Initial version
2.0                    Daniel Fernandez    Edits from review
2.1       03/28/2017   Minh-Hai Nguyen     Update content

...

NSS Configuration

Prepare the Database Configuration File and Directories

...

  • Navigate to ${JBOSS_HOME}/modules/system/layers/base/org/connectopensource/configuration/main/
  • Create gateway.p12 by executing the following (important: when prompted for the destination keystore password, use the gateway.jks password): keytool -importkeystore -srckeystore gateway.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore gateway.p12
  • Import the certificate and key pair into the FIPS database by executing the following: pk12util -i gateway.p12 -n gateway -d /nhin/nss/fips/db


Info: Keystore passwords

Under normal circumstances the gateway.p12 password does not need to match the gateway.jks password, but for FIPS installations an error will be encountered when importing the key pair into the FIPS database if the two passwords do not match.


Update the java.security provider list:

  • Edit ${JAVA_HOME}/jre/lib/security/java.security as follows:
    • As the first provider line, add: security.provider.1=sun.security.pkcs11.SunPKCS11 /nhin/nss/fips/config/pkcs11.cfg
    • Increment the number of every other provider line by 1 so the numbering stays contiguous (the JDK resolves security.provider.1, 2, 3, ... in sequence and stops at the first number that is missing, so a gap silently drops every provider after it).
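Renumbering the provider list by hand is easy to get wrong, and a gap or duplicate number is not reported by the JDK. The following Python script is an added example and is not part of the CONNECT documentation or code: it inserts the SunPKCS11 line at position 1, shifts every existing provider by one, refuses to apply the change twice, and validates that the result is a gap-free 1..N sequence. The java.security excerpt it operates on is a constructed sample of a JDK 8 provider list; the script takes the file text as a string and returns the edited text, so the real file is never touched until you write the result back.

```python
import re

# The provider line to put first, exactly as given in the step above.
PKCS11_PROVIDER = "sun.security.pkcs11.SunPKCS11 /nhin/nss/fips/config/pkcs11.cfg"

# Matches "security.provider.N=value", keeping the pieces so N can be rewritten.
_PROVIDER_RE = re.compile(r"^(\s*security\.provider\.)(\d+)(\s*=\s*)(.*)$")

# Constructed excerpt of a JDK 8 java.security provider list (sample input, not the real file).
SAMPLE_JAVA_SECURITY = """\
# List of providers and their preference orders (see above):
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=sun.security.ec.SunEC
security.provider.4=com.sun.net.ssl.internal.ssl.Provider

securerandom.source=file:/dev/random
"""


def provider_order(text):
    """Return the configured providers in numeric order.

    Raises if the numbering is not a gap-free 1..N sequence: the JDK resolves
    security.provider.1, .2, .3, ... in turn and stops at the first number that
    is missing, so a gap silently drops every provider after it.
    """
    found = {}
    for line in text.splitlines():
        m = _PROVIDER_RE.match(line)
        if m:
            n = int(m.group(2))
            if n in found:
                raise ValueError(f"security.provider.{n} is defined twice")
            found[n] = m.group(4).strip()
    nums = sorted(found)
    if nums != list(range(1, len(nums) + 1)):
        raise ValueError(f"provider numbering is not contiguous: {nums}")
    return [found[n] for n in nums]


def insert_provider_first(text, provider):
    """Return `text` with `provider` as security.provider.1 and every existing
    provider renumbered by +1. Idempotent: if `provider` is already listed the
    text is returned unchanged, so re-running the script cannot duplicate it."""
    if provider in provider_order(text):
        return text
    out = []
    inserted = False
    for line in text.splitlines():
        m = _PROVIDER_RE.match(line)
        if not m:
            out.append(line)
            continue
        prefix, num, eq, value = m.groups()
        if not inserted:
            # The new entry goes immediately before the first existing provider line.
            out.append(f"{prefix}1{eq}{provider}")
            inserted = True
        out.append(f"{prefix}{int(num) + 1}{eq}{value}")
    updated = "\n".join(out) + "\n"
    provider_order(updated)  # re-validate before handing the text back
    return updated


if __name__ == "__main__":
    print(insert_provider_first(SAMPLE_JAVA_SECURITY, PKCS11_PROVIDER))
```

To apply it to a real installation, read ${JAVA_HOME}/jre/lib/security/java.security into a string, pass it through insert_provider_first, and write the result back; run provider_order on the file afterwards as a quick check that nothing else in the list was disturbed.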

...

  • Disable FIPS mode on the NSS database first by executing the following: modutil -fips false -dbdir /nhin/nss/fips/db
  • Change the database password by executing the following: modutil -changepw "NSS FIPS 140-2 Certificate DB" -dbdir /nhin/nss/fips/db/

Module Setup - org.connectopensource.configuration

Navigate to ${JBOSS_HOME}/modules/system/layers/base/org/connectopensource/configuration/main and do the following inside that directory:

Edit saml.properties and modify the following lines to reflect the name and password of the key in the NSS database:

...

Server Configuration: JAVA_OPTS

  • In the standalone configuration file ${JBOSS_HOME}/bin/standalone.conf, append the following:

...

Edit ${JBOSS_HOME}/standalone/configuration/standalone.xml and make the following changes:

Replace the https-listener under subsystem/undertow:

Code Block
<https-listener name="https" socket-binding="connect" security-realm="ApplicationRealm" verify-client="REQUIRED"/>

...

Code Block
<https-listener name="https" socket-binding="connect" security-realm="ApplicationRealm" enabled-protocols="TLSv1" verify-client="REQUIRED" enabled-cipher-suites="SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS_ECDH_anon_WITH_AES_256_CBC_SHA" />
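The listener above pins enabled-protocols to TLSv1 and its cipher-suite list includes 3DES suites and the TLS_ECDH_anon_* suites, which use anonymous key exchange and therefore authenticate neither peer. The following Python script is an added example, not part of the CONNECT project: it parses a standalone.xml, locates every https-listener regardless of the undertow schema version in use, and reports anonymous suites, 3DES suites, a missing verify-client="REQUIRED", and a protocol list that leaves TLSv1.2 disabled. The standalone.xml excerpt it runs on is a constructed sample that carries a shortened version of the page's cipher list; the namespace version strings in it are illustrative.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt of standalone.xml carrying the listener from this page;
# the cipher-suite list is cut down to a few representative entries and the
# schema version strings are illustrative.
SAMPLE_STANDALONE_XML = """\
<server xmlns="urn:jboss:domain:2.2">
  <profile>
    <subsystem xmlns="urn:jboss:domain:undertow:1.2">
      <server name="default-server">
        <https-listener name="https" socket-binding="connect"
            security-realm="ApplicationRealm" enabled-protocols="TLSv1"
            verify-client="REQUIRED"
            enabled-cipher-suites="SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_anon_WITH_AES_128_CBC_SHA"/>
      </server>
    </subsystem>
  </profile>
</server>
"""


def _local_name(tag):
    # ElementTree renders namespaced tags as "{uri}name"; compare on the bare name
    # so the check does not depend on the exact undertow schema version.
    return tag.rsplit("}", 1)[-1]


def split_list(value):
    """Split a comma-separated WildFly attribute, tolerating stray whitespace."""
    return [v.strip() for v in (value or "").split(",") if v.strip()]


def https_listeners(xml_text):
    root = ET.fromstring(xml_text)
    return [e for e in root.iter() if _local_name(e.tag) == "https-listener"]


def audit_listener(listener):
    """Return a list of human-readable findings for one https-listener."""
    findings = []
    name = listener.get("name", "?")
    if listener.get("verify-client") != "REQUIRED":
        findings.append(f"{name}: verify-client is not REQUIRED; client certificates are not enforced")
    for suite in split_list(listener.get("enabled-cipher-suites")):
        if "_anon_" in suite:
            findings.append(f"{name}: {suite} uses anonymous key exchange; the peer is not authenticated")
        if "_3DES_" in suite:
            findings.append(f"{name}: {suite} uses 3DES, a 64-bit block cipher")
    protocols = split_list(listener.get("enabled-protocols"))
    if protocols and "TLSv1.2" not in protocols:
        findings.append(f"{name}: enabled-protocols={','.join(protocols)} leaves TLSv1.2 disabled")
    return findings


def audit(xml_text):
    """Audit every https-listener in the given standalone.xml text."""
    findings = []
    for listener in https_listeners(xml_text):
        findings.extend(audit_listener(listener))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_STANDALONE_XML):
        print(finding)
```

Against the sample the script reports the 3DES suite, the anonymous suite and the TLSv1-only protocol list, and nothing about verify-client. Run it against your own standalone.xml before and after editing the listener, and trim the enabled-cipher-suites list until it comes back clean.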

Replace the security realm under management/security-realms:

Code Block (xml): Old Security for Application Realm
<security-realm name="ApplicationRealm">
	<server-identities>
		<ssl>
			<keystore path="modules/system/layers/base/org/connectopensource/configuration/main/gateway.jks" relative-to="jboss.home.dir" keystore-password="changeit" alias="gateway"/>
		</ssl>
	</server-identities>
	<authentication>
		<truststore path="modules/system/layers/base/org/connectopensource/configuration/main/cacerts.jks" relative-to="jboss.home.dir" keystore-password="changeit"/>
		<local default-user="$local" allowed-users="*" skip-group-loading="true"/>
		<properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
	</authentication>
	<authorization>
		<properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
	</authorization>
</security-realm>

with this:

Code Block (xml): New Security for Application Realm
<security-realm name="ApplicationRealm">
	<server-identities>
		<ssl>
			<keystore provider="PKCS11" keystore-password="<nss db password>" alias="gateway"/>
		</ssl>
	</server-identities>
	<authentication>
		<local default-user="$local" allowed-users="*" skip-group-loading="true"/>
		<properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
	</authentication>
	<authorization>
		<properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
	</authorization>
</security-realm>

...

Background: In the JSF framework, a view state is associated with the component tree of each page and is passed back and forth on every request. The view state can either be stored in memory on the server and bound to the session, or passed to the client as a hidden form field. To reduce that exposure, CONNECT Admingui stores view state on the server and overrides the default encryption algorithm. The sample key and IV shipped with the configuration are public, so it is recommended to change them when deploying to production. The entries that need to be replaced are:

  1. Edit admingui.properties from ${JBOSS_HOME}/modules/system/layers/base/org/connectopensource/configuration/main


Code Block
# For more information about which encryption algorithms are available, please visit
# https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html
# Defines the secret (Base64 encoded) used to initialize the secret key for the encryption algorithm

jsf.secret=MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIz

# Defines the encryption algorithm used to encrypt the view state. Default is DES
jsf.algorithm=AES

# Defines the mode and padding used with the encryption algorithm
jsf.algorithm.padding=CBC/PKCS5Padding

# Defines the initialization vector (Base64 encoded) used by the encryption algorithm
jsf.algorithm.iv=NzY1NDMyMTA3NjU0MzIxMA==
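The sample jsf.secret decodes to the ASCII string 012345678901234567890123 (24 bytes, an AES-192 key) and the sample jsf.algorithm.iv decodes to 7654321076543210 (16 bytes, one AES block), so a deployment that keeps them is encrypting view state with a key anyone can read off this page. The following Python script is an added example, not part of the CONNECT documentation or code: it reads the jsf.* entries, checks that the decoded key and IV have lengths AES and CBC accept, flags the published sample values and any key that decodes to typed-in text, and generates fresh random replacements in the Base64 form the properties file expects. It assumes, as MyFaces does with its org.apache.myfaces.SECRET parameter, that the decoded secret is used directly as the AES key; that is an assumption about CONNECT's code, not something the page states. The properties text it parses is a constructed copy of the block above.

```python
import base64
import secrets

# Values shipped in the sample admingui.properties above.
SAMPLE_SECRET = "MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIz"
SAMPLE_IV = "NzY1NDMyMTA3NjU0MzIxMA=="

AES_KEY_SIZES = (16, 24, 32)  # AES-128, AES-192, AES-256
AES_BLOCK_SIZE = 16           # a CBC IV is exactly one block

# Constructed copy of the jsf.* entries from the properties block above.
SAMPLE_PROPERTIES = """\
jsf.secret=MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIz
jsf.algorithm=AES
jsf.algorithm.padding=CBC/PKCS5Padding
jsf.algorithm.iv=NzY1NDMyMTA3NjU0MzIxMA==
"""


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' comments, blank lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def decode_secret_and_iv(props):
    """Base64-decode jsf.secret and jsf.algorithm.iv; raises ValueError if either is malformed."""
    key = base64.b64decode(props.get("jsf.secret", ""), validate=True)
    iv = base64.b64decode(props.get("jsf.algorithm.iv", ""), validate=True)
    return key, iv


def check_viewstate_crypto(props):
    """Return findings for the view-state encryption settings.

    Assumes, as MyFaces does with org.apache.myfaces.SECRET, that the decoded
    secret is used directly as the AES key (an assumption about CONNECT's code).
    """
    try:
        key, iv = decode_secret_and_iv(props)
    except ValueError as e:
        return [f"jsf.secret or jsf.algorithm.iv is not valid Base64: {e}"]
    findings = []
    algorithm = props.get("jsf.algorithm", "DES")  # the properties file documents DES as the default
    if algorithm != "AES":
        findings.append(f"jsf.algorithm={algorithm}; expected AES")
    elif len(key) not in AES_KEY_SIZES:
        findings.append(f"jsf.secret decodes to {len(key)} bytes; AES needs 16, 24 or 32")
    if props.get("jsf.algorithm.padding", "").startswith("CBC") and len(iv) != AES_BLOCK_SIZE:
        findings.append(f"jsf.algorithm.iv decodes to {len(iv)} bytes; CBC needs a {AES_BLOCK_SIZE}-byte IV")
    if props.get("jsf.secret") == SAMPLE_SECRET:
        findings.append("jsf.secret is the sample value from the documentation")
    elif all(32 <= b < 127 for b in key):
        # A random key is essentially never all printable ASCII; this one was typed in by hand.
        findings.append("jsf.secret decodes to printable text; use random bytes")
    if props.get("jsf.algorithm.iv") == SAMPLE_IV:
        findings.append("jsf.algorithm.iv is the sample value from the documentation")
    return findings


def generate_replacements(key_bytes=32):
    """Fresh random key and IV, Base64 encoded, ready to paste into admingui.properties."""
    if key_bytes not in AES_KEY_SIZES:
        raise ValueError("key_bytes must be 16, 24 or 32")
    return {
        "jsf.secret": base64.b64encode(secrets.token_bytes(key_bytes)).decode("ascii"),
        "jsf.algorithm.iv": base64.b64encode(secrets.token_bytes(AES_BLOCK_SIZE)).decode("ascii"),
    }


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for finding in check_viewstate_crypto(props):
        print("FINDING:", finding)
    for key, value in generate_replacements().items():
        print(f"{key}={value}")
```

The generator defaults to a 32-byte (AES-256) key; on Java 8 releases before 8u161 a key longer than 16 bytes needs the JCE Unlimited Strength policy files installed or AES initialization fails with an illegal key size error, so pass key_bytes=16 if you cannot install them. Run the check against the deployed admingui.properties as part of your production readiness review, not only at install time.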

...

Links / Additional Reading

  1. CONNECT Developer Forums (connectopensource.org)
  2. Deploying to WildFly 8.2.1 (4.6) (atlassian.net)
  3. JBoss Issue Tracker (jboss.org)
  4. Mozilla NSS (mozilla.org)
  5. https://connectopensource.atlassian.net/wiki/x/I4Ch (Connection Validation Suite)
  6. https://wiki.apache.org/myfaces/Secure_Your_Application
  7. http://myfaces.apache.org/core20/myfaces-impl/webconfig.html
  8. https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html

...