In the modern environment, production use of Oscar demands basic security hardening.


Preface

The basic install is adequate for a local instance of Oscar for development work or for a local production setup (e.g. a single laptop/tablet). Once you are accessing the Oscar server from other machines, there are certain security considerations. General firewall and similar issues are beyond the scope of this document. The following are specific issues for running Oscar on a network and/or the internet. They assume a Linux installation, but almost identical instructions apply for other operating systems.

Document Version History

  • v1.0 – initial public release on oscarmanual.org – May 9, 2010
  • v1.1 – corrections to Tomcat configuration – June 2, 2010
  • v1.2 – ported to new.oscarmanual.org – June 26, 2010
  • v1.3 – updated for version 10_06 – July 1, 2010
  • v1.4 – added screen shot – Aug 23, 2010
  • v1.5 – added amendment to allow local http access to drugref – Aug 31, 2010
  • v1.6 – added whole disk encryption – June 19, 2011
  • v1.7 – dropped SQL to expire default credentials as this is now in the install scripts – Aug 30, 2011
  • v1.8 – added information to support printing and faxing on non standard ports – Sept 7, 2012

This document is copyright by Peter Hutten-Czapski 2010-2012 © under the Creative Commons Attribution-Share Alike 3.0 Unported License.  

Contents

  1. Preface
    1. Document Version History
  2. Prerequisites
  3. Level One Defenses:
    1. Set up Tomcat to use SSL connections
      1. Prepare a Certificate
      2. Edit Tomcat Configuration
  4. Level Two Defenses: Disk Encryption
  5. Level Three Defenses: Secure SSH
  6. Level Four Defences: Harden Tomcat 6
    1. Prune Tomcat of Unused Resources
    2. Hide the Tomcat Version
    3. Set permissions on Tomcat
    4. Use Client Side Authentication (untested)


Prerequisites

It is assumed that 

  1. You have the Ubuntu 10.04 LTS "Lucid" alternate installation CD
  2. You have a basic level of Linux knowledge
  3. You can open a Linux terminal
  4. You can use a Linux text editor
  5. You can cut and paste EXACTLY the following instructions

NOTE: Firefox will copy with Control+C while a Linux terminal requires Shift+Control+V for paste

Level One Defences: SSL

Level One Defenses are necessary if you do not expose Oscar to the internet but have a network where a machine can be compromised.

TIP: New installs of Oscar 12_1 Build 48 and above can be configured to automatically setup SSL connections for Oscar

Set up Tomcat to use SSL connections

SSL, or Secure Socket Layer, is a technology which allows web browsers and web servers to communicate over a secured connection. This has several security advantages

...

You can set up SSL connection via Tomcat with the instructions below.  If you need lower port numbers or need to run a full web server you can set up SSL with Apache (see Installing Oscar to run on port 443)

a) Prepare a Certificate

Use the Java keytool to generate a key for Tomcat using standard RSA encryption. Don't use the password "changeit" that is shown, but do use the same password for both the keypass and the storepass for Tomcat 6 or earlier.

...



You will be prompted for your name (your server IP or domain),  organisational unit (clinic), organisation (.),  city, province and country. The result is a hidden .keystore file in the /etc/tomcat6 directory.  

b) Edit Tomcat Configuration

The final step is to configure the Connector for the Tomcat 6 instance.

...

Note that the browser will be concerned about the validity of the certificate (after all, anyone could have signed it!), so you will have to add an exception for the browser to let you access the Oscar webpages. This varies by browser. For Firefox 3.x click on "I Understand the Risks" > Add Exemption > Confirm Security Exemption

Troubleshooting and Tweaks

If you make a mistake with keytool and want to try again, you will need to delete the Tomcat key that you stored

...

Oscar printing to PDF and faxing assumes that you have configured https on port 8443. You can configure other ports to work (e.g. 88443) by adding the following property value to oscar_mcmaster.properties (or a similarly named file)

oscar_port=88443

Level Two Defences Full Disc Encryption

An option in the "alternate cd" installation of Ubuntu is to encrypt the entire hard drive. This will make it very difficult for a thief to access your data even if they physically steal the server (physical theft or access is usually enough to steal data, even in Linux)

...

To set up full disc encryption in Ubuntu 10.04 LTS you use the alternate cd and select full disc encryption as below

[Screenshot: Full Disc Encryption]

Level Three Defences Secure SSH

Most Linux servers are remotely managed by SSH login. Thus the most common type of attack is an attempt to log in to your IP address on port 22.

...

It installs, runs, checks the logs and updates /etc/hosts.deny with a blocked address. The hackers can only attack a handful of times instead of DOSing the server hundreds of times.
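
The log-to-blocklist step described above, as an added example that is not the blocking tool's own code: it counts failed SSH password attempts per source address and prints entries in the hosts.deny form "sshd: ADDRESS". The function names, the threshold argument and the sample log lines are assumptions constructed for this example.

```sh
#!/bin/sh
# Added example, not the blocking tool's own code.
# blocklist_from_authlog and sample_authlog are hypothetical names.

# Usage: blocklist_from_authlog LIMIT < /var/log/auth.log
# Prints a hosts.deny line for every source with at least LIMIT failed passwords.
blocklist_from_authlog() {
    awk -v limit="$1" '
        /sshd\[[0-9]+\]: Failed password for / {
            # The user name is attacker-chosen text and may itself contain
            # "from ADDRESS", so read the address from the fixed tail of the
            # line ("from ADDRESS port N ssh2"), not from the first "from".
            if ($(NF-4) == "from" && $(NF-2) == "port")
                fails[$(NF-3)]++
        }
        END { for (ip in fails) if (fails[ip] >= limit) print "sshd: " ip }
    ' | sort
}

# Constructed sample input (documentation address ranges, invented host name).
# The fourth line carries a user name crafted to look like a second source.
sample_authlog() {
    cat <<'EOF'
May  9 10:00:01 oscar sshd[2101]: Failed password for root from 203.0.113.7 port 40111 ssh2
May  9 10:00:03 oscar sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
May  9 10:00:05 oscar sshd[2105]: Failed password for invalid user test from 203.0.113.7 port 40113 ssh2
May  9 10:00:09 oscar sshd[2109]: Failed password for invalid user x from 192.0.2.10 port 1 ssh2 from 198.51.100.20 port 40200 ssh2
May  9 10:01:00 oscar sshd[2111]: Accepted password for oscar from 192.0.2.10 port 50522 ssh2
EOF
}
```

With a limit of 3 only 203.0.113.7 is listed, and 192.0.2.10, which appears only inside a user name and in a successful login, is never blocked.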
 

Level Four Defences Harden Tomcat 6

If you want to access Oscar from the Internet it is probably best if you form a tunnel and use SSH access to Oscar.  

If you actually have to expose your production box to the raw Internet then you should further reduce the ways that your box can be attacked. First remember that the more services that are running on the server, the more ways it can be attacked. If possible, disable other daemons and services or move them to another machine. Then make sure that Tomcat has the least number of loose ends available to be targeted.

Prune Tomcat of Unused Resources 

Remove extraneous Tomcat resources:

...

apt-get --purge remove tomcat6-admin

Hide the Tomcat Version


Remove the Tomcat version and date information from what the server sends

...

sudo jar uf catalina.jar org/apache/catalina/util/ServerInfo.properties

Set permissions on Tomcat

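Many of Tomcat's internal files are sensitive and access should be limited to the tomcat6 user (and root). Confirm that $CATALINA_HOME and $CATALINA_BASE are set in your shell before running these commands; if they are empty, a path such as $CATALINA_HOME/bin expands to /bin.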

# Ownership: the tomcat6 user and group own the Tomcat directories and configuration
sudo chown tomcat6:tomcat6 $CATALINA_HOME
sudo chown tomcat6:tomcat6 $CATALINA_BASE
sudo chown tomcat6:tomcat6 $CATALINA_HOME/conf
sudo chown tomcat6:tomcat6 $CATALINA_HOME/logs
sudo chown tomcat6:tomcat6 $CATALINA_HOME/temp
sudo chown tomcat6:tomcat6 $CATALINA_HOME/bin
sudo chown tomcat6:tomcat6 $CATALINA_HOME/webapps
sudo chown tomcat6:tomcat6 $CATALINA_HOME/conf/catalina.policy
sudo chown tomcat6:tomcat6 $CATALINA_HOME/conf/catalina.properties
sudo chown tomcat6:tomcat6 /etc/tomcat6/policy.d
sudo chown tomcat6:tomcat6 $CATALINA_HOME/conf/context.xml
sudo chown tomcat6:tomcat6 $CATALINA_HOME/conf/logging.properties
sudo chown tomcat6:tomcat6 $CATALINA_HOME/conf/server.xml
sudo chown tomcat6:tomcat6 $CATALINA_HOME/conf/tomcat-users.xml
sudo chown tomcat6:tomcat6 $CATALINA_HOME/conf/web.xml
# Permissions: no access for other users, and no group write except on the 770 and o-rwx lines
sudo chmod g-w,o-rwx $CATALINA_HOME/conf/web.xml
sudo chmod g-w,o-rwx $CATALINA_HOME/conf/tomcat-users.xml
sudo chmod g-w,o-rwx $CATALINA_HOME/conf/server.xml
sudo chmod g-w,o-rwx $CATALINA_HOME/conf/logging.properties
sudo chmod g-w,o-rwx $CATALINA_HOME/conf/context.xml
sudo chmod 770 /etc/tomcat6/policy.d
sudo chmod 770 $CATALINA_HOME/conf/catalina.policy
sudo chmod g-w,o-rwx $CATALINA_HOME/conf/catalina.properties
sudo chmod g-w,o-rwx $CATALINA_HOME/webapps
sudo chmod g-w,o-rwx $CATALINA_HOME/bin
sudo chmod o-rwx $CATALINA_HOME/temp
sudo chmod o-rwx $CATALINA_HOME/logs
sudo chmod g-w,o-rwx $CATALINA_HOME/conf
sudo chmod g-w,o-rwx $CATALINA_BASE
sudo chmod g-w,o-rwx $CATALINA_HOME
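
To confirm the result, the following added example (not part of the original guide) audits a Tomcat directory against the ownership and mode rules that the commands above apply. The function name audit_tomcat_perms and its arguments are assumptions of this example, it relies on GNU stat as found on Linux, and /etc/tomcat6/policy.d is not covered.

```sh
#!/bin/sh
# Added example, not from the original guide. Assumes GNU stat (Linux).
# audit_tomcat_perms is a hypothetical helper name.
#
# Usage: audit_tomcat_perms DIR USER GROUP
#   e.g. audit_tomcat_perms "$CATALINA_HOME" tomcat6 tomcat6
# Prints one FAIL line per deviation; returns 0 when clean, 1 otherwise.
audit_tomcat_perms() {
    dir=$1 user=$2 group=$3 bad=0
    # Refuse an empty directory argument: "$dir/bin" would otherwise mean /bin
    [ -n "$dir" ] || { echo "usage: audit_tomcat_perms DIR USER GROUP" >&2; return 2; }
    for rel in . conf logs temp bin webapps conf/catalina.policy \
        conf/catalina.properties conf/context.xml conf/logging.properties \
        conf/server.xml conf/tomcat-users.xml conf/web.xml; do
        path="$dir/$rel"
        [ -e "$path" ] || continue           # not every install has every path
        owner=$(stat -L -c '%U:%G' "$path")   # -L: judge the symlink target
        mode=$(stat -L -c '%a' "$path")       # octal, e.g. 750
        if [ "$owner" != "$user:$group" ]; then
            echo "FAIL owner $owner (want $user:$group): $path"; bad=1
        fi
        # o-rwx is applied to every path in the list
        if [ $(( 0$mode & 07 )) -ne 0 ]; then
            echo "FAIL accessible to other users (mode $mode): $path"; bad=1
        fi
        # g-w is applied to all but logs, temp (o-rwx only) and catalina.policy (770)
        case $rel in
            logs|temp|conf/catalina.policy) ;;
            *)  if [ $(( 0$mode & 020 )) -ne 0 ]; then
                    echo "FAIL group-writable (mode $mode): $path"; bad=1
                fi ;;
        esac
    done
    return $bad
}
```

No output and an exit status of 0 mean every listed path that exists matches the rules.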


Use Client Side Authentication (untested)

We usually use SSL technology just to encrypt traffic to and from the server. However, the server can also be configured to ask for authentication of the client (user)

...