Secure Configuration Guide

Rowan Burgess
Hello,

Is there a guide/reference available that outlines "best practices" on how
to configure TomEE securely?

I have used Tomcat in the past, and am familiar with steps such as those
described in https://tomcat.apache.org/tomcat-8.0-doc/security-howto.html ,
but I have not worked with TomEE before.

I need to ensure that no ports/services have been exposed unnecessarily.

I also need to ensure that there are no servlets / JSPs mapped and
accessible by default.

Appreciate any help/guidance you might have,

Thanks!
Re: Secure Configuration Guide

Romain Manni-Bucau
Hi Rowan,

listing what didn't work can help to be more accurate, but I don't think we
duplicated this page on the TomEE site directly.


Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<https://blog-rmannibucau.rhcloud.com> | Old Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory
<https://javaeefactory-rmannibucau.rhcloud.com>

2017-07-26 1:29 GMT+02:00 Rowan Burgess <[hidden email]>:
Re: Secure Configuration Guide

jgallimore
Hi Rowan

Thanks for your email! This would make a great page on the site, so please
do follow up with your experiences as you get to grips with TomEE. It would
be useful to know which version of TomEE you are running, as there are a
couple of things that are slightly different between TomEE 7.x and TomEE
1.7.x, specifically in terms of the tomee/ejb servlet being available for
remote EJB calls (it is off in TomEE 7.x by default).

As a start, I'd suggest you remove any applications you do not want from
the webapps directory, and ensure that server.xml has only the ports that
you wish to use. The config in server.xml is the same config you're used to
with Tomcat, please do let us know if you encounter anything that doesn't
work in that regard (the information on the page you reference should be
good). Lock down any users and permissions in tomcat-users.xml, and check
your realm config in server.xml - out of the box we ship with the
UserDatabaseRealm (tomcat-users.xml) wrapped with the LockOutRealm.

If you're putting HTTPD or NGinx in front of TomEE or you have a complex LAN
setup, there may be other things you want to do, for example to allow access
to administrative applications from a management VLAN but not the outside
world - the above doesn't cover anything like that, but is hopefully useful
as a start.

Please do let us know if you have any questions or feedback!

Jon

On Wed, Jul 26, 2017 at 6:23 AM, Romain Manni-Bucau <[hidden email]>
wrote:
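An added audit script (not from this thread or the TomEE project) that checks the points Jon lists above against Rowan's two concerns: it parses a constructed server.xml and tomcat-users.xml, flags Connector ports outside an allow-list, an enabled shutdown port, a missing LockOutRealm around the user realm, and accounts holding manager/admin roles. The sample XML, port numbers and usernames are constructed; the namespace on tomcat-users.xml is the one a stock file declares.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (TomEE 7 layout) with an AJP connector left enabled.
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"/>
    <Connector port="8009" protocol="AJP/1.3"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
      </Realm>
    </Engine>
  </Service>
</Server>"""

# Constructed sample tomcat-users.xml; a stock file declares this default namespace.
TOMCAT_USERS_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <user username="admin" password="changeme" roles="manager-gui, admin-gui"/>
  <user username="app" password="secret" roles="app-user"/>
</tomcat-users>"""

ADMIN_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status",
               "admin-gui", "admin-script"}  # roles that unlock manager/host-manager

def _local(tag):  # strip a namespace prefix: '{uri}user' -> 'user'
    return tag.rsplit("}", 1)[-1]

def audit_server(xml_text, allowed_ports):
    """Return findings for server.xml against an allow-list of connector ports."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.get("port", "-1") != "-1":  # Tomcat disables the shutdown listener with port="-1"
        findings.append("shutdown port %s is enabled" % root.get("port"))
    realms = []
    for el in root.iter():
        if _local(el.tag) == "Connector" and int(el.get("port", "0")) not in allowed_ports:
            findings.append("connector on port %s (%s) is not in the allow-list"
                            % (el.get("port"), el.get("protocol", "HTTP/1.1")))
        elif _local(el.tag) == "Realm":
            realms.append(el.get("className", "").rsplit(".", 1)[-1])
    if "LockOutRealm" not in realms:
        findings.append("user realm is not wrapped in a LockOutRealm")
    return findings

def privileged_users(xml_text):
    """Return usernames in tomcat-users.xml that hold any manager/admin role."""
    return [el.get("username") for el in ET.fromstring(xml_text).iter() if _local(el.tag) == "user"
            and {r.strip() for r in el.get("roles", "").split(",")} & ADMIN_ROLES]
```

Point the two functions at the real files under conf/ and compare the findings against the ports the load balancer is expected to forward.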
Re: Secure Configuration Guide

Rowan Burgess
Hi Jon,

Thanks for the feedback. We are using TomEE plus 7.0.3 and have followed
the "Tomcat Security How To" guide as an opening step. The server will be
deployed behind a load balancer and firewall.

I have found the documentation related to remote EJB calls
(http://tomee.apache.org/ejbd-transport.html) and confirmed this is not
present.

Are there any other considerations we should be aware of?

Apologies for such a broad question - I have not worked with an EJB
container previously (usually just simple Spring applications!). TomEE is
being used to migrate an inherited legacy application away from WebLogic
and we are trying to verify that we have taken appropriate steps to secure
the server.

Thanks again for your help!

Rowan

On Wed, Jul 26, 2017 at 7:05 PM, Jonathan Gallimore <
[hidden email]> wrote:
Re: Secure Configuration Guide

HWinMT
Hello,

Contribution to this discussion. The attached pdf has 4 links. The first two are dated, but worth reading. The second two have already been mentioned. The rest of the document is notes from setting up Tomcat 8.5.16 on Windows Server 2012.

notesFromSettingUpTomcat_8.pdf

Howard