Applying these changes requires administrator privileges and edits to server.xml and context.xml in the server configuration directory (Server/conf), plus web.xml under webapps/ROOT.
iDashboards are not system security experts, but we would like to share some of the best practices we have found. They help mitigate some of the risks; by no means do they ensure the security of your system. Run all scans against a system that has a valid SSL certificate installed, not a self-signed certificate. Make sure you have completed: Tomcat: Server SSL Certificate Installation.
Security Testing
All security scans should be performed on the most current version of iDashboards. Before running the scan, set the system log level to Debug (the most verbose level): in iDashboards Admin click System, then System Logs, and change the General Level on the left.
/Server/conf/server.xml
Add: server="IDBP"
The server attribute overrides the value Tomcat sends in the HTTP Server response header (older Tomcat releases send Apache-Coyote/1.1 by default; newer ones send no header unless one is configured), so responses, including the error response for a missing page, no longer identify Tomcat. It does not change the version string printed in the body of Tomcat's default error page; a custom 404 page covers that, so use both.
<Connector port="6700" protocol="HTTP/1.1"
connectionTimeout="20000"
server="IDBP"
redirectPort="8443" />
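The version string in the body of Tomcat's default error pages comes from the ErrorReportValve, not from the connector, so the server attribute alone leaves it in place. The following is an added example, not configuration from the original article or from iDashboards, of switching that output off in server.xml. It assumes the default Host element from a stock server.xml; the two attributes are supported by Tomcat 8.5, 9 and 10 and by late 7.0.x and 8.0.x releases.

```xml
<!-- server.xml: inside <Engine>, replace (or extend) the existing Host element -->
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
  <!-- Keeps Tomcat's error handling but strips the information a scanner
       reports: no stack trace / exception report (showReport) and no
       "Apache Tomcat/x.y.z" footer on error pages (showServerInfo). -->
  <Valve className="org.apache.catalina.valves.ErrorReportValve"
         showReport="false"
         showServerInfo="false" />
</Host>
```

After restarting Tomcat, request a URL that does not exist and confirm that neither the Server header nor the page body names the Tomcat version.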
Force traffic to use HTTPS
The redirectPort attribute on the HTTP connector names the SSL connector (8443 below). Tomcat redirects a plain HTTP request to it only when the requested resource is covered by a security constraint in web.xml whose transport guarantee is CONFIDENTIAL; the connector attribute by itself does not redirect anything. Do not add Secure="true" to the HTTP connector. Tomcat attribute names are case-sensitive, so Secure is not recognised, and the lower-case secure="true" is meant for connectors behind a TLS-terminating proxy: it tells Tomcat the connection is already secure, which suppresses the HTTPS redirect. The HTTP connector should look like this:
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
server="IDBP"
redirectPort="8443" />
Allow Auto-Completion of Passwords
This setting controls whether the login form lets the browser store iDashboards passwords and fill them in automatically on the next login. It is TRUE by default, and many security scanners flag a password field that permits autocompletion, so turn it off before a scan: iDashboards Admin -> System -> System Settings -> Security Settings -> Allow Auto-Completion of Passwords = FALSE.
SSL/TLS Protocol Versions
Pinning the enabled protocols to TLS 1.2 disables SSLv3 and so prevents the POODLE attack (CVE-2014-3566). It also disables TLS 1.0 and 1.1, which scanners flag as well. (server.xml)
Add: sslEnabledProtocols="TLSv1.2"
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
keystoreFile="ssl/.keystore" keystorePass="changeit"
clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2" />
Three details in this connector matter. The blocking protocol class org.apache.coyote.http11.Http11Protocol was removed in Tomcat 8.5, so the NIO class shown above is the one that works across the Tomcat versions linked below. sslProtocol="TLS" is the value the Tomcat documentation uses for the JSSE context; the protocols actually offered are governed by sslEnabledProtocols. keystorePass="changeit" is the Java default keystore password; replace it with the password you set when installing the certificate. If the server runs on Java 11 or later, TLS 1.3 can be offered as well with sslEnabledProtocols="TLSv1.2,TLSv1.3". On Tomcat 8.5 and later the same settings can also be expressed in a nested SSLHostConfig element (protocols="TLSv1.2"); the attribute form above is still accepted.
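A way to verify the server.xml edits from the sections above (the server attribute, the HTTP connector that redirects to HTTPS, and the pinned TLS protocol list) before handing the system to a scanner. This is an added example, not code from iDashboards or Tomcat: it parses server.xml with Python's standard library and reports connector settings that the sections above tell you to change. The two embedded server.xml documents are constructed samples, one unhardened and one hardened; the keystore password in the hardened sample is a placeholder. To check your own file, run the script with the path to Server/conf/server.xml as its argument.

```python
"""Report server.xml Connector settings that the hardening steps above say to change.

Added example using only the Python standard library. Usage:
    python check_server_xml.py /path/to/Server/conf/server.xml
"""
import sys
import xml.etree.ElementTree as ET

# Protocol names (JSSE spelling) that a scanner flags if a connector offers them.
WEAK_PROTOCOLS = {"SSLv2", "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample: connectors as they look before the edits on this page.
UNHARDENED_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
               secure="true" redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="ssl/.keystore" keystorePass="changeit"
               clientAuth="false" sslProtocol="TLS"
               sslEnabledProtocols="SSLv3,TLSv1,TLSv1.1,TLSv1.2" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

# Constructed sample: the same connectors after the edits (keystore password is a placeholder).
HARDENED_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
               server="IDBP" redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               server="IDBP" keystoreFile="ssl/.keystore"
               keystorePass="example-not-the-default" clientAuth="false"
               sslProtocol="TLS" sslEnabledProtocols="TLSv1.2" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""


def enabled_protocols(connector):
    """Protocols offered by an SSL connector: the legacy sslEnabledProtocols attribute
    plus the protocols attribute of any nested SSLHostConfig (Tomcat 8.5 and later)."""
    raw = [connector.get("sslEnabledProtocols", "")]
    raw += [h.get("protocols", "") for h in connector.findall("SSLHostConfig")]
    return {p.strip() for value in raw for p in value.split(",") if p.strip()}


def check_server_xml(xml_text):
    """Return a list of (port, finding) tuples; an empty list means every check passed."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        port = conn.get("port", "?")
        # Every connector should override the Server header (the server="IDBP" step).
        if not conn.get("server"):
            findings.append((port, "no server attribute: Server header may identify Tomcat"))
        if conn.get("SSLEnabled", "false").lower() == "true":
            protos = enabled_protocols(conn)
            weak = sorted(protos & WEAK_PROTOCOLS)
            if not protos or "all" in protos:
                findings.append((port, "protocol list not pinned: TLS 1.0/1.1 may be offered"))
            elif weak:
                findings.append((port, "weak protocols enabled: " + ", ".join(weak)))
            if conn.get("keystorePass") == "changeit":
                findings.append((port, "keystorePass is the Java default 'changeit'"))
        else:
            # A plain HTTP connector must not claim to be secure, and needs a redirect target.
            if conn.get("secure", "false").lower() == "true":
                findings.append((port, "secure=\"true\" on a plain HTTP connector suppresses the HTTPS redirect"))
            if not conn.get("redirectPort"):
                findings.append((port, "no redirectPort: nowhere to redirect HTTP requests"))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else UNHARDENED_SERVER_XML
    for port, finding in check_server_xml(text):
        print(f"connector {port}: {finding}")
```

Run with no argument it reports five findings for the unhardened sample (two on the HTTP connector, three on the SSL connector) and none for the hardened one. The check reads configuration only; it does not prove what the running server offers, so still confirm the protocol list from a client once Tomcat has been restarted.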
Cookie Flags: Secure and HttpOnly
Add: useHttpOnly="true"
Two different cookie flags are involved here. The HttpOnly flag instructs the browser to keep the session and SSO cookies out of reach of JavaScript, which is more secure but means no script on the page can read their values. It is controlled by the useHttpOnly attribute on the Context element: the attribute was introduced in the Tomcat 6.0 line, where it is off by default, and has been on by default since Tomcat 7.0. To force it on regardless of version, set useHttpOnly="true" on the Context element of the web application or on the default one in CATALINA_BASE/conf/context.xml. The scanner finding "Cookies Not Sent Over SSL" refers to the other flag, Secure, which tells the browser to send the cookie only over HTTPS. Tomcat sets the Secure flag on the session cookie when the session is created on an HTTPS request, so the finding normally disappears once all traffic is forced to HTTPS; it can also be forced unconditionally through the cookie-config element of session-config in web.xml.
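The web.xml entries that the "Force traffic to use HTTPS" section and the cookie section above depend on, as an added example that is not configuration from the original article or from iDashboards. It assumes the iDashboards web application keeps a standard WEB-INF/web.xml; both elements go inside the existing <web-app> element, and the cookie-config element requires a Servlet 3.0 web.xml (Tomcat 7 or later).

```xml
<!-- WEB-INF/web.xml of the iDashboards web application (path assumed).
     Add both elements inside the existing <web-app> element. -->

<!-- 1. Force HTTPS. CONFIDENTIAL makes Tomcat redirect any request that arrives
        over plain HTTP to the port named by that connector's redirectPort. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- 2. Session cookie flags: Secure = sent only over HTTPS,
        HttpOnly = not readable from JavaScript. -->
<session-config>
  <cookie-config>
    <http-only>true</http-only>
    <secure>true</secure>
  </cookie-config>
</session-config>
```

The security constraint has no auth-constraint, so it changes transport only and does not require a login. A web application's web.xml is replaced when the application is upgraded, so re-check these entries after any iDashboards upgrade.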
X-Frame-Options Header
Without this header the user application can be framed by another web page (clickjacking).
iDashboards Admin -> select System -> then click Security Settings
You will see three options they are set as follows by default:
- User Application X-Frame-Options Header = None
- Embedded Viewer X-Frame-Options Header = None
- IFRAME Dashboard Panels Enabled = False
Set all three to None/FALSE to prevent framing of iDashboards. The browser acts on the response header, so confirm the result from the outside after changing the settings: the response for the user application must carry X-Frame-Options: DENY or SAMEORIGIN; a response without the header can still be framed.
Tomcat Manager
Remove the Tomcat Manager application (the manager directory under webapps) unless you use it. A default installation defines no manager user, so nobody can log in, but the login prompt is still reachable, and brute-force attempts against it consume system resources and slow the dashboards.
Page Redirect
Create an index.html in webapps/ROOT and paste the following code into it:
<html><META http-equiv="refresh" content="0;URL=../idashboards"></html>
Anyone who requests the server root is forwarded to the iDashboards application, so users no longer have to type /idashboards.
Custom 404 Page
Used together with the page redirect, a custom 404 page sends anyone who mistypes the URL, or who is probing for information, to the 404 page and on to the iDashboards application instead of to Tomcat's default error page. Put 404.html in webapps/ROOT, then add the following to webapps/ROOT/WEB-INF/web.xml (the file name is lower-case, which matters on Linux), inside the <web-app> element and before the closing </web-app> tag. The mapping applies to the ROOT application only; each web application resolves error pages from its own web.xml.
<error-page>
<error-code>404</error-code>
<location>/404.html</location>
</error-page>
For More Information:
- Apache Tomcat 8 SSL
- Apache Tomcat 9 SSL
- Apache Tomcat 10 SSL
- Previously Read: Tomcat: Server SSL Certificate Installation
- Read Next: Tomcat : Renewing a Certificate
If the above is unable to resolve the issue, then please contact iDashboards Support for further assistance.