Reviewed-by: Pruthi, Vineet <vineet.pruthi@t-systems.com> Co-authored-by: Hasko, Vladimir <vladimir.hasko@t-systems.com> Co-committed-by: Hasko, Vladimir <vladimir.hasko@t-systems.com>
<a name="admin_guide_000272"></a>
<h1 class="topictitle1">Hardening Policies</h1>
<div id="body1530067731227"><div class="section" id="admin_guide_000272__s509ca4e44e6d497084df593bdb4282e1"><h4 class="sectiontitle">Hardening Tomcat</h4><p id="admin_guide_000272__en-us_topic_0046736699_p41459272">The open-source Tomcat bundled with <span id="admin_guide_000272__text67509419010">MRS</span> Manager is hardened as follows during installation and operation:</p>
<ul id="admin_guide_000272__en-us_topic_0046736699_ul37589132"><li id="admin_guide_000272__en-us_topic_0046736699_li2757872">Tomcat is upgraded to a current official release.</li><li id="admin_guide_000272__en-us_topic_0046736699_li24820853">Permissions on the directories under applications are set to <strong id="admin_guide_000272__b131741833102619">500</strong> (owner read and execute only); write permission is granted only on the few directories that require it.</li><li id="admin_guide_000272__en-us_topic_0046736699_li22061093">The Tomcat installation package is deleted automatically once the system software is installed.</li><li id="admin_guide_000272__en-us_topic_0046736699_li64332111">Automatic deployment of projects placed in the application directories is disabled. Only the <strong id="admin_guide_000272__b292293625914">web</strong>, <strong id="admin_guide_000272__b1682117381596">cas</strong>, and <strong id="admin_guide_000272__b1630184218595">client</strong> projects are deployed.</li><li id="admin_guide_000272__en-us_topic_0046736699_li42118094">Unused <strong id="admin_guide_000272__b1255210215019">HTTP</strong> methods are disabled, so attacks that rely on those <strong id="admin_guide_000272__b125923451507">HTTP</strong> methods are not possible.</li><li id="admin_guide_000272__en-us_topic_0046736699_li43518530">The default shutdown port and shutdown command of the Tomcat server are changed, so that an attacker who knows the defaults cannot stop the server or use the shutdown channel to attack the server and its applications.</li><li id="admin_guide_000272__en-us_topic_0046736699_li56122452">The value of <strong id="admin_guide_000272__b72968311114915">maxHttpHeaderSize</strong> is changed, which lets server administrators limit abnormally large request headers sent by clients.</li><li id="admin_guide_000272__en-us_topic_0046736699_li35340021">The Tomcat version description file is modified after Tomcat is installed.</li><li id="admin_guide_000272__en-us_topic_0046736699_li49624734">To prevent disclosure of Tomcat information, the <strong>server</strong> attribute of each Connector is set, so that attackers cannot identify the server software and version from the Server response header.</li><li id="admin_guide_000272__en-us_topic_0046736699_li43969424">Permissions on Tomcat files and directories, such as the configuration files, executable files, log directories, and temporary folders, are restricted.</li><li id="admin_guide_000272__li511312569810">Session facade recycling is disabled so that data cannot leak from one request into another.</li><li id="admin_guide_000272__li81660513915">LegacyCookieProcessor is used as the CookieProcessor to prevent leakage of sensitive data in cookies.</li></ul>
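<p>The configuration items in the list above can be checked mechanically. The following audit script is an added example written for this page; it is not MRS Manager code, and the server.xml and web.xml samples in it are constructed, not taken from an MRS installation. It flags the Tomcat defaults that the list says MRS changes (shutdown port 8005 and command SHUTDOWN, missing <strong>server</strong> attribute, unset <strong>maxHttpHeaderSize</strong>, <strong>autoDeploy</strong> left on) and checks that web.xml denies a set of HTTP methods on every URL. Which HTTP methods MRS actually disables is not stated on the page; the set <code>UNNEEDED_METHODS</code>, and the rule that a hardened <strong>maxHttpHeaderSize</strong> is explicit and no larger than Tomcat's default, are assumptions of this example.</p>

```python
import xml.etree.ElementTree as ET

# Tomcat's shipped defaults; the hardening list says each of these is changed.
DEFAULT_SHUTDOWN_PORT = "8005"
DEFAULT_SHUTDOWN_COMMAND = "SHUTDOWN"
TOMCAT_DEFAULT_HEADER_SIZE = 8192  # Tomcat's own default for maxHttpHeaderSize (bytes)
# Assumption for this example: methods a management console does not need.
UNNEEDED_METHODS = {"PUT", "DELETE", "TRACE", "OPTIONS"}


def _local(tag):
    """Strip an XML namespace ({uri}name -> name) so web.xml parses with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def audit_server_xml(xml_text):
    """Return a list of findings for a server.xml; an empty list means every check passed."""
    findings = []
    server = ET.fromstring(xml_text)
    if server.get("port") in (None, DEFAULT_SHUTDOWN_PORT):
        findings.append("shutdown port is the default 8005")
    if server.get("shutdown") in (None, DEFAULT_SHUTDOWN_COMMAND):
        findings.append("shutdown command is the default SHUTDOWN")
    for conn in server.iter("Connector"):
        port = conn.get("port", "?")
        if not conn.get("server"):
            findings.append(f"Connector {port}: no server attribute, version leaks in Server header")
        size = conn.get("maxHttpHeaderSize")
        if size is None or int(size) > TOMCAT_DEFAULT_HEADER_SIZE:
            findings.append(f"Connector {port}: maxHttpHeaderSize not set at or below default")
    for host in server.iter("Host"):
        if host.get("autoDeploy", "true").lower() != "false":
            findings.append(f"Host {host.get('name')}: autoDeploy is enabled")
    return findings


def audit_web_xml(xml_text):
    """Return the unneeded HTTP methods that web.xml does not deny on /*.

    A <security-constraint> whose <auth-constraint/> names no role means "no one may
    use these methods", which is how Tomcat applications block unwanted methods."""
    denied = set()
    root = ET.fromstring(xml_text)
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        children = {_local(c.tag): c for c in sc}
        auth = children.get("auth-constraint")
        if auth is None or any(_local(r.tag) == "role-name" for r in auth):
            continue  # no constraint, or one that still admits some role
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            patterns = {p.text for p in wrc if _local(p.tag) == "url-pattern"}
            if "/*" in patterns:
                denied |= {m.text.upper() for m in wrc if _local(m.tag) == "http-method"}
    return [f"HTTP method {m} is not denied" for m in sorted(UNNEEDED_METHODS - denied)]


# Constructed samples: a stock Tomcat layout and a hardened one (values are illustrative).
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" autoDeploy="true"/>
    </Engine>
  </Service>
</Server>"""

HARDENED_SERVER_XML = """<Server port="18005" shutdown="x7Qk2vLpR9sT4wYb">
  <Service name="Catalina">
    <Connector port="28443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
               secure="true" server="Apache" maxHttpHeaderSize="4096"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" autoDeploy="false" deployOnStartup="false"/>
    </Engine>
  </Service>
</Server>"""

WEAK_WEB_XML = '<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1"/>'

HARDENED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>unused methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
      <http-method>TRACE</http-method>
      <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, "server.xml:", audit_server_xml(text) or "ok")
    for label, text in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(label, "web.xml:", audit_web_xml(text) or "ok")
```

<p>Run it against <code>conf/server.xml</code> and each deployed application's <code>WEB-INF/web.xml</code>; the remaining list items (facade recycling, LegacyCookieProcessor, file permissions) live in <code>catalina.properties</code>, <code>context.xml</code> and the file system and are not covered by this script.</p>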
</div>
<div class="section" id="admin_guide_000272__s9e655cd471c0471aa6d81f53fafcf3e1"><h4 class="sectiontitle">Hardening LDAP</h4><p id="admin_guide_000272__en-us_topic_0046736699_p4753596">LDAP is hardened as follows after a cluster is installed:</p>
<ul id="admin_guide_000272__en-us_topic_0046736699_ul42782368"><li id="admin_guide_000272__en-us_topic_0046736699_li49496992">In the LDAP configuration file, the password of the administrator account is stored as a SHA hash rather than in cleartext. After OpenLDAP is upgraded to 2.4.39 or later, data is synchronized automatically between the active and standby LDAP nodes using the SASL EXTERNAL mechanism, so no password has to be exchanged for replication and the password cannot be disclosed that way.</li><li id="admin_guide_000272__en-us_topic_0046736699_li42819751">By default, the LDAP service in the cluster accepts the SSLv3 protocol. Once OpenLDAP is upgraded to 2.4.39 or later, LDAP automatically negotiates TLS 1.0 or later, which avoids the weaknesses of SSLv3.</li></ul>
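<p>To make the two LDAP items concrete, the following is an added example for this page (not OpenLDAP or MRS code). It produces and verifies the <code>{SHA}</code> and <code>{SSHA}</code> hash formats that OpenLDAP accepts for <code>rootpw</code> (the same forms <code>slappasswd</code> emits), scans a slapd.conf for a <code>rootpw</code> still in cleartext, and checks that <code>TLSProtocolMin</code> is set to 3.1 (TLS 1.0) or higher so SSLv3 is refused. The slapd.conf fragments are constructed; the salt in the test is fixed only so the result is reproducible.</p>

```python
import base64
import hashlib
import hmac
import os


def hash_password(password, scheme="SSHA", salt=None):
    """Return an RFC 2307 style value: {SHA}b64(sha1(pw)) or {SSHA}b64(sha1(pw+salt)+salt)."""
    pw = password.encode("utf-8")
    if scheme == "SHA":
        return "{SHA}" + base64.b64encode(hashlib.sha1(pw).digest()).decode("ascii")
    if scheme == "SSHA":
        salt = os.urandom(8) if salt is None else salt
        digest = hashlib.sha1(pw + salt).digest()
        return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")
    raise ValueError(f"unsupported scheme {scheme}")


def verify_password(password, stored):
    """Check a candidate password against a {SHA} or {SSHA} value in constant time."""
    scheme, _, b64 = stored.partition("}")
    scheme = scheme.lstrip("{").upper()
    raw = base64.b64decode(b64)
    pw = password.encode("utf-8")
    if scheme == "SHA":
        expected, digest = raw, hashlib.sha1(pw).digest()
    elif scheme == "SSHA":
        expected, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; the rest is the salt
        digest = hashlib.sha1(pw + salt).digest()
    else:
        return False
    return hmac.compare_digest(digest, expected)


def _directives(conf_text):
    """Yield (keyword, argument) for each non-comment slapd.conf line."""
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            yield parts[0], parts[1].strip().strip('"')


def cleartext_rootpw(conf_text):
    """Return rootpw values that are not in {SCHEME}... form, i.e. stored in cleartext."""
    return [v for k, v in _directives(conf_text)
            if k == "rootpw" and not (v.startswith("{") and "}" in v)]


def tls_min_ok(conf_text):
    """True if TLSProtocolMin is 3.1 (TLS 1.0) or higher; 3.0 would still admit SSLv3."""
    for k, v in _directives(conf_text):
        if k == "TLSProtocolMin":
            major, _, minor = v.partition(".")
            return (int(major), int(minor or 0)) >= (3, 1)
    return False  # nothing in slapd.conf forbids SSLv3


# Constructed slapd.conf fragments for the checks above.
CONF_BEFORE = """database mdb
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
rootpw secret
"""

CONF_AFTER = """database mdb
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
rootpw {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
TLSProtocolMin 3.1
"""

if __name__ == "__main__":
    print("before:", cleartext_rootpw(CONF_BEFORE), "tls ok:", tls_min_ok(CONF_BEFORE))
    print("after: ", cleartext_rootpw(CONF_AFTER), "tls ok:", tls_min_ok(CONF_AFTER))
```

<p>Prefer <code>{SSHA}</code> over plain <code>{SHA}</code> when you generate a new value: the salt stops identical passwords from producing identical hashes. Clusters using <code>cn=config</code> instead of slapd.conf carry the same directives as <code>olcRootPW</code> and <code>olcTLSProtocolMin</code>.</p>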
</div>
<div class="section" id="admin_guide_000272__sdcb00b4084b144a8857f2cbd4256c116"><h4 class="sectiontitle">Hardening JDK</h4><p id="admin_guide_000272__p1096264551117">If a client process uses the AES256 encryption algorithm, the JDK must be hardened by installing the unlimited-strength JCE policy files; otherwise the JDK's default export-restricted policy rejects 256-bit keys. The operations are as follows:</p>
<p id="admin_guide_000272__p3219968112">Obtain the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy package whose version matches that of the JDK. The package contains <strong id="admin_guide_000272__b779300107114915">local_policy.jar</strong> and <strong id="admin_guide_000272__b1677290344114915">US_export_policy.jar</strong>. Copy both JAR files into the following directory, overwriting the files already there:</p>
<ul id="admin_guide_000272__ul169611321194516"><li id="admin_guide_000272__li2344917144514">Linux: <em id="admin_guide_000272__i195288395114915">JDK installation directory</em><strong id="admin_guide_000272__b1272682312182">/jre/lib/security</strong></li><li id="admin_guide_000272__li1334501715453">Windows: <em id="admin_guide_000272__i1619381111114915">JDK installation directory</em><strong id="admin_guide_000272__b433525121918">\jre\lib\security</strong></li></ul>
<div class="note" id="admin_guide_000272__note103641326306"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="admin_guide_000272__p731711371543">Obtain the JCE policy package from the OpenJDK open-source community.</p>
</div></div>
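<p>The copy step above is easy to get wrong on a JDK whose layout does not match the path given. The helper below is an added example for this page, not MRS or JDK code: it resolves <em>JDK installation directory</em>/jre/lib/security with the platform separator, refuses a JDK home that has no such tree instead of guessing, checks that each policy file is a real JAR before overwriting anything, and keeps a <code>.bak</code> copy of the file it replaces. <code>demo_install</code> builds a throwaway JDK tree and a stand-in JCE package in a temporary directory; the directory names <code>jdk1.8.0_202</code>, <code>jdk-11</code> and <code>UnlimitedJCEPolicyJDK8</code> are constructed for the demonstration.</p>

```python
import os
import shutil
import tempfile
import zipfile

POLICY_JARS = ("local_policy.jar", "US_export_policy.jar")


def policy_dir(jdk_home):
    """<JDK>/jre/lib/security on Linux and <JDK>\\jre\\lib\\security on Windows."""
    return os.path.join(jdk_home, "jre", "lib", "security")


def install_jce_policy(jdk_home, jce_dir):
    """Replace the JDK's policy jars with the ones from jce_dir; return the installed paths.

    The original jars are kept as <name>.bak so the change can be reverted."""
    target = policy_dir(jdk_home)
    if not os.path.isdir(target):
        raise FileNotFoundError(f"{target} not found: {jdk_home} has no jre/lib/security tree")
    for name in POLICY_JARS:  # validate both files before touching the JDK
        src = os.path.join(jce_dir, name)
        if not zipfile.is_zipfile(src):
            raise ValueError(f"{src} is missing or not a valid JAR")
    installed = []
    for name in POLICY_JARS:
        dst = os.path.join(target, name)
        if os.path.exists(dst):
            shutil.copy2(dst, dst + ".bak")
        shutil.copy2(os.path.join(jce_dir, name), dst)
        installed.append(dst)
    return installed


def demo_install():
    """Exercise install_jce_policy on a constructed JDK tree; returns the observed outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        jdk = os.path.join(tmp, "jdk1.8.0_202")          # constructed JDK home
        jce = os.path.join(tmp, "UnlimitedJCEPolicyJDK8")  # constructed unpacked JCE package
        os.makedirs(policy_dir(jdk))
        os.makedirs(jce)
        for name in POLICY_JARS:
            with open(os.path.join(policy_dir(jdk), name), "wb") as f:
                f.write(b"stand-in for the shipped limited-strength jar")
            with zipfile.ZipFile(os.path.join(jce, name), "w") as z:
                z.writestr("placeholder.policy", "grant {};")  # minimal valid JAR
        installed = install_jce_policy(jdk, jce)
        backups = all(os.path.exists(p + ".bak") for p in installed)
        replaced = all(zipfile.is_zipfile(p) for p in installed)
        # A JDK 9+ layout has no jre/ directory; the helper must refuse, not guess a path.
        try:
            install_jce_policy(os.path.join(tmp, "jdk-11"), jce)
            refused = False
        except FileNotFoundError:
            refused = True
        return {"installed": len(installed), "backups": backups,
                "replaced": replaced, "refused_jdk11": refused}


if __name__ == "__main__":
    print(demo_install())
```

<p>After copying the files, confirm from Java that the policy took effect: <code>javax.crypto.Cipher.getMaxAllowedKeyLength("AES")</code> returns <code>Integer.MAX_VALUE</code> under the unlimited policy and 128 under the export-restricted one. On JDK 8u161 and later the unlimited policy is already the default, so this step is only needed for older builds.</p>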
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="admin_guide_000271.html">Security Hardening</a></div>
</div>
</div>