Securing Tomcat

So we have this wonderful application, “Crystal Reports Server 2008 V1”. Property of SAP, formerly property of “Business Objects”, formerly property of Seagate Software, formerly… nevermind.

CR Server claims to run on IIS, so we had hoped to deploy the new version without needing to add the usual pile of unmaintainable WAMP cruft. Unfortunately, it turns out there are bits of it that out-and-out require a J2EE web server, such as Tomcat. Rather than manage IIS and Tomcat, we are just going to run with the cat. Good decision? Meh…

Here is the quick-and-dirty on some simple security measures we took to protect the app:

  1. Remove the sample and documentation webapps from the Tomcat server “webapps” directory. Delete jsp-examples, servlet-examples, and tomcat-docs. Consider also removing ROOT, balancer, and webdav if your application does not need them.
  2. Use the Java “keytool.exe” to create a Java keystore. Create a web server key pair in the keystore, then generate a CSR from the pair. Have the CSR signed and import the signed cert back into the same keystore alias. The best doc on CSR generation and import is probably this one:

    http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html#Installing_a_Certificate_from_a_Certificate_Authority

    But note that you may need to specify a “keyAlias” parameter in your Tomcat server.xml if you did not use the alias “tomcat” when generating your key. This tidbit is not in the documentation.

    Also note that you will likely need to add the parameter “-keylength 2048” to your “genkey” command if you want to ensure a key length of at least 2048 bits (most modern CAs will not issue a cert for a shorter key). Additionally, you can add the “-storepass” parameter towards the start of your command string to help with automation of later commands within the same shell session.

  3. Using the same doc as above, update the connector stanza in the Tomcat server.xml to use TLS. In the stanza, include the following additional parameter:

    ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"

    This will prevent the use of weak cryptographic ciphers.

  4. To the Tomcat web.xml config file, add a “security-constraint” stanza, as documented here. (Can’t post the code directly to stupid WordPress because it clobbers XML.) This will enforce the use of SSL for all web apps running in Tomcat.
  5. If you want a redirect from the standard HTTP port 80 to the secure port, add a second connector stanza to “server.xml” with the following parameter:

    redirectPort="443"
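As an added example (not code from the original post), a small Python audit that checks a server.xml and web.xml against steps 2 to 5: keyAlias set on the TLS connector, an explicit ciphers list, redirectPort="443" on the plain-HTTP connector, and a CONFIDENTIAL security-constraint on /* (the stanza WordPress clobbered above). The keystore path, alias and both XML fragments are constructed; the script also flags RC4, 3DES and MD5 suites, which the cipher list above still permits but which are no longer considered strong.

```python
import xml.etree.ElementTree as ET
# Constructed server.xml fragment for steps 2, 3 and 5; keystore path and alias are made up.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="80" protocol="HTTP/1.1" redirectPort="443"/>
  <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="conf/crserver.jks" keyAlias="crserver" sslProtocol="TLS"
             ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA"/>
</Service></Server>"""
# Constructed web.xml with the step 4 stanza; real files declare a namespace, so local() strips it.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""
LEGACY = ("RC4", "3DES", "_NULL_", "EXPORT", "_MD5")  # suites worth flagging today

def local(tag):
    """Drop a '{namespace}' prefix so tags match regardless of xmlns."""
    return tag.rsplit("}", 1)[-1]

def audit_server_xml(text):
    """Return findings for the Connector stanzas; an empty list means they match steps 2-5."""
    findings = []
    for c in ET.fromstring(text).iter("Connector"):
        port = c.get("port")
        if c.get("SSLEnabled", "false").lower() == "true":
            if not c.get("keyAlias"):
                findings.append(f"{port}: keyAlias missing (needed unless the alias is 'tomcat')")
            ciphers = [s.strip() for s in c.get("ciphers", "").split(",") if s.strip()]
            if not ciphers:
                findings.append(f"{port}: no ciphers attribute, JVM defaults apply")
            findings += [f"{port}: legacy suite {s}" for s in ciphers if any(w in s for w in LEGACY)]
        elif c.get("redirectPort") != "443":
            findings.append(f"{port}: plain-HTTP connector does not redirect to 443")
    return findings

def audit_web_xml(text):
    """True if a security-constraint forces CONFIDENTIAL transport on /*."""
    for sc in ET.fromstring(text).iter():
        if local(sc.tag) != "security-constraint":
            continue
        patterns = {e.text for e in sc.iter() if local(e.tag) == "url-pattern"}
        guarantees = {e.text for e in sc.iter() if local(e.tag) == "transport-guarantee"}
        if "/*" in patterns and "CONFIDENTIAL" in guarantees:
            return True
    return False
```

Run it against your own conf/server.xml and each webapp's WEB-INF/web.xml after applying the steps; every finding is one of the omissions the list above warns about.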
