Personal tools
You are here: Home / OSCAR EMR 10.x / 4.0 Developers / 4.2 Installation 10.x / 4.2.3 Security Hardening
 

4.2.3 Security Hardening

In the modern environment, production use of Oscar demands basic security hardening.

Preface

The basic install is adequate for a local instance of Oscar for development work or for a local production setup (eg single laptop/tablet).  Once you are accessing the Oscar server from other machines there are certain security considerations.  General firewall and similar issues are beyond the scope of this document.  The following are specific issues for running Oscar on a network and/or the internet.  They assume a Linux installation, but almost identical instructions apply for other operating systems.

Document Version History

  • v1.0 – initial public release on oscarmanual.org – May 9, 2010
  • v1.1 – corrections to Tomcat configuration – June 2, 2010
  • v1.2 – ported to new.oscarmanual.org – June 26, 2010
  • v1.3 – updated for version 10_06 – July 1, 2010
  • v1.4 – added screen shot – Aug 23, 2010
  • v1.5 – added amendment to allow local http access to drugref – Aug 31, 2010
  • v1.6 – added whole disk encryption – June 19, 2011
  • v1.7 – adjusted SQL to expire oscardoc credentials in a month – June 19, 2011
This document is copyright by Peter Hutten-Czapski 2010-2011 © under the Creative Commons Attribution-Share Alike 3.0 Unported License

Contents

  1. Preface
    1. Document Version History
  2. Prerequisites
  3. Level One Defenses:
    1. Change the Default Login
    2. Set up Tomcat to use SSL connections
      1. Prepare a Certificate
      2. Edit Tomcat Configuration
  4. Level Two Defenses: Disk Encryption
  5. Level Three Defenses: Harden Tomcat 6
    1. Prune Tomcat of Unused Resources
    2. Hide the Tomcat Version
    3. Set permissions on Tomcat
    4. Use Client Side Authentication (untested)

Prerequisites

It is assumed that
  1. You have the Ubuntu 10.4 LTS "Lucid" alternate installation CD
  2. You have a basic level of Linux knowledge
  3. You can open a Linux terminal
  4. You can use a Linux text editor
  5. You can cut and paste EXACTLY the following instructions
NOTE: Firefox will copy with Control+C while a linux terminal requires Shift+Control+V for paste

Level One Defenses:

Level One Defenses are necessary if you do not expose Oscar to the internet but have a network where a machine can be compromised.

Change the Default Login

Oscar's default user's login credentials are published. In version 10.6 and newer the login for 'oscardoc'  expires in a month after installation. In any version you should set up your own user and password with admin privileges and then expire the 'oscardoc'  either through the GUI at Admin> Search/Edit/Delete Security Records or at the command line  (replace ****** with the MySQL password):

mysql -uroot -p********* oscar_mcmaster
mysql>update security set date_ExpireDate=DATE_ADD(CURDATE(), INTERVAL 1 MONTH), b_ExpireSet=1 where user_name='oscardoc';
mysql>quit;

Set up Tomcat to use SSL connections

SSL, or Secure Socket Layer, is a technology which allows web browsers and web servers to communicate over a secured connection. This has several security advantages

  • The sever presents authentication to the user as a "Certificate", as proof the site is who and what it claims to be.
  • The data being sent is encrypted by one side, transmitted, then decrypted by the other side before processing
You can set up SSL connection via Tomcat with the instructions below.  If you need lower port numbers or need to run a full web server you can set up SSL with Apache (see Installing Oscar to run on port 443)

a) Prepare a Certificate

Use the Java keytool to generate a key for tomcat using standard RSA encryption.  Don't use the password changeit that is shown but do use the same password for both the keypass and the storepass . 

sudo $JAVA_HOME/bin/keytool -genkey -alias tomcat -validity 3650 -keyalg RSA -keystore /etc/tomcat6/.keystore -keypass changeit -storepass changeit

You will be prompted for your name (your server IP or domain),  organisational unit (clinic), organisation (.),  city, province and country. The result is a hidden .keystore file in the /etc/tomcat6 directory. 

b) Edit Tomcat Configuration

The final step is to configure the Connector for the Tomcat 6 instance.

sudo vi $CATALINA_BASE/conf/server.xml

Add the following code

<Connector port="8443" protocol="HTTP/1.1" 
SSLEnabled="true" 
maxThreads="200" 
scheme="https" 
secure="true"
enableLookups="false"
disableUploadTimeout="true"
clientAuth="false" 
sslProtocol="TLS"
keystoreFile="/etc/tomcat6/.keystore"
keystorePass="changeit"   />
 
Review server.xml for connectors that you are not using.  Oscar needs only need the connector you defined in the section above.  If you followed the default instructions, then drugref 2/3 only needs to be accessed locally on the server, so limit the connections to the local address which is called 127.0.0.1 internally.  For drugref 2/3 it should also be configured to transmit UTF-8 encoded data to properly handle drug doses.   
<Connector port="8080" protocol="HTTP/1.1" 
address="127.0.0.1" 
connectionTimeout="20000" 
URIEncoding="UTF-8" 
redirectPort="8443"/>

Remove or comment out the following default connector that is less secure, unless you need it (You might, usually for integration with the native webserver, eg the Apache Http server).

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /

 Now restart Tomcat

sudo /etc/init.d/tomcat6 restart

If you have installed Oscar locally with the instructions in 6.1 you should be able to login to Oscar at https://localhost:8443/oscar otherwise substitute localhost with the IP for the Oscar server. 

Note that the browser will be concerned about the validity of the Certificate (after all anyone could have signed it!) so you will have to add an exception for the browser to let you access the Oscar webpages.  This varies by browser.  For Firefox 3.x click on "I Understand the Risks" > Add Exemption > Confirm Security Exemption


Add Exception

Level Two Defenses Full Disc Encryption

An option in the "alternate cd" installation of Ubuntu is to encrypt the entire hard drive.  This will make it very difficult for a thief to access your data even if they physically steal the server (physical theft or access is usually enough to steal data, even in linux)

Note that full disc encryption doesn't protect you from: "Cold Boot Attacks Against Disk Encryption"or "Weak password brute force."

To set up full disc encryption in Ubuntu 10.04 LTS you use the alternate cd and select full disc encryption as below

Full Disc Encryption

Level Three Defenses Harden Tomcat 6

If you want to access Oscar from the Internet it is probably best if you form a tunnel and use SSH access to Oscar

If you actually have to expose your production box to the raw Internet then you should further reduce the ways that your box will be attacked.  First remember that the more services that are running on the server the more ways it can be attacked.  If possible disable other deamons and services or remove to another machine.  Then make sure that Tomcat has the least number of loose ends available to be targeted.

Prune Tomcat of Unused Resources

Remove extraneous Tomcat resources:

rm -rf $CATALINA_HOME/webapps/js-examples  $CATALINA_HOME/webapps/servlet-example $CATALINA_HOME/webapps/webdav \
$CATALINA_HOME/webapps/tomcat-docs  $CATALINA_HOME/webapps/balancer  $CATALINA_HOME/webapps/ROOT/admin $CATALINA_HOME/webapps/examples
If you installed the Manager application by mistake remove it unless you really plan to use it!

apt-get --purge remove tomcat6-admin

Hide the Tomcat Version

Remove the tomcat version and date information from that which the server sends

cd $CATALINA_HOME/lib
sudo jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties

Navigate to the util directory that was created and open ServerInfo.properties in an editor

cd org/apache/Catalina/util
sudo vi ServerInfo.properties
 
Update the following attributes from something like the defaults below to anything else... 

server.number=6.0.26.0
server.info=Apache Tomcat/6.0
server.built=Jul 8 2009 11:40:35
Update the catalina.jar with the modified ServerInfo.properties file.

sudo jar uf catalina.jar org/apache/catalina/util/ServerInfo.properties

Set permissions on Tomcat

Many of Tomcats internal files are sensitive and access should be limited to the tomcat6 user (and root)
sudo chown tomcat6.tomcat6 $CATALINA_HOME
sudo chown tomcat6.tomcat6 $CATALINA_BASE
sudo chown tomcat6:tomcat6 $CATALINA_HOME/conf
sudo chown tomcat6:tomcat6 $CATALINA_HOME/logs
sudo chown tomcat6:tomcat6 $CATALINA_HOME/temp
sudo chown tomcat6:tomcat6 $CATALINA_HOME/bin
sudo chown tomcat6:tomcat6 $CATALINA_HOME/webapps
sudo chown tomcat6:tomcat6 $CATALINA_HOME/conf/catalina.policy
sudo chown tomcat6:tomcat6 $CATALINA_HOME/conf/catalina.properties
sudo chown tomcat6:tomcat6 /etc/tomcat6/policy.d
sudo chown tomcat6:tomcat6 $CATALINA_HOME/conf/context.xml
sudo chown tomcat6:tomcat6 $CATALINA_HOME/conf/logging.properties
sudo chown tomcat6:tomcat6 $CATALINA_HOME/conf/server.xml
sudo chown tomcat6:tomcat6 $CATALINA_HOME/conf/tomcat-users.xml
sudo chown tomcat6:tomcat6 $CATALINA_HOME/conf/web.xml

sudo chmod g-w,o-rwx $CATALINA_HOME/conf/web.xml
sudo chmod g-w,o-rwx $CATALINA_HOME/conf/tomcat-users.xml
sudo chmod g-w,o-rwx $CATALINA_HOME/conf/server.xml
sudo chmod g-w,o-rwx $CATALINA_HOME/conf/logging.properties
sudo chmod g-w,o-rwx $CATALINA_HOME/conf/context.xml
sudo chmod 770 /etc/tomcat6/policy.d
sudo chmod 770 $CATALINA_HOME/conf/catalina.policy
sudo chmod g-w,o-rwx $CATALINA_HOME/conf/catalina.properties
sudo chmod g-w,o-rwx $CATALINA_HOME/webapps
sudo chmod g-w,o-rwx $CATALINA_HOME/bin
sudo chmod o-rwx $CATALINA_HOME/temp
sudo chmod o-rwx $CATALINA_HOME/logs
sudo chmod g-w,o-rwx $CATALINA_HOME/conf
sudo chmod g-w,o-rwx $CATALINA_BASE
sudo chmod g-w,o-rwx $CATALINA_HOME

Use Client Side Authentication (untested)

We usually use SSL technology just to encrypt traffic to and from the server.  However the server can be also be configured to ask for authentication of the client (user)

sudo vi $CATALINA_HOME/conf/server.xml
Adjust the following code to have clientAuth="true"

<Connector port="8443" protocol="HTTP/1.1"
SSLEnabled="true"
maxThreads="200" scheme="https" secure="true"
enableLookups="false"
disableUploadTimeout="true"
clientAuth="true" 
sslProtocol="TLS"
keystoreFile="/etc/tomcat6/.keystore"
keystorePass="changeit"   />
 

To create a keystore named client-keystore.jks that contains a client certificate named client.cer, generate the client certificate.

sudo $JAVA_HOME/bin/keytool -genkey -alias client-alias -keyalg RSA -keypass changeit -storepass changeit -keystore keystore.jks
Export the generated client certificate into the file client.cer.

sudo $JAVA_HOME/bin/keytool -export -alias client-alias -storepass changeit -file client.cer -keystore keystore.jks
Add the certificate to the trust-store file $J2EE_HOME/domains/domain1/config/cacerts.jks. Run keytool from the directory where you created the keystore and client certificate. Use the following parameters:

sudo $JAVA_HOME/bin/keytool\bin\keytool -import -v -trustcacerts  -alias client-alias -file client.cer -alias client-alias -file client.cer -keystore <J2EE_HOME>/domains/domain1/config/cacerts.jks -keypass changeit -storepass changeit

Document Actions