Hi
As part of my ongoing work with AwareIM I have been requested to create an area where personal information, including banking information, may be entered into the system across the web (by our customers).
Are there any extra considerations I should have with regard to security to do this? It's mainly advice I am after. I have opted to use the Derby database for the simplicity of getting up and running.
Any help at all on this would be greatly appreciated, as I don't want to just attack this blind. I imagine the users themselves would need their own security installed on their machines, but this would be kind of up to them.
Also, as a side question, do you have any recommendations when it comes to backing the system up? A routine for doing this, and for repairing it once corrupted, would be great.
Best Regards
John
General Security Question
-
- Posts: 7526
- Joined: Sun Apr 24, 2005 12:36 am
- Contact:
Are there any extra considerations I should have with regard to security to do this? It's mainly advice I am after.
The standard approach to protect sensitive information over the web is to use the SSL protocol. To use SSL you will need to purchase an SSL certificate from an appropriate certificate authority (you can also use the default free certificate for the time being). You will then need to install this certificate into Tomcat. For details see this thread:
http://www.awareim.com/forum/viewtopic.php?t=556
Also, as a side question, do you have any recommendations when it comes to backing the system up? A routine for doing this, and for repairing it once corrupted, would be great.
Backing up the Derby database is easy - all you need to do is save the DATA directory under the Aware IM root. Backing up other databases will require invoking certain backup procedures - please refer to the documentation of the corresponding database. You need to back up the database called BASDB using these procedures.
As far as recovery is concerned, Derby does not offer any tools for this. Other databases do have some recovery tools - please refer to their documentation.
Aware IM Support Team
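An added example (not from the Aware IM support reply or from Aware IM itself) that automates the advice above: copy the DATA directory to a timestamped folder and record a SHA-256 manifest beside it, so a later check can tell whether the copy has been corrupted before you rely on it for a restore. The paths and sample Derby files are constructed, and it assumes Aware IM is stopped while the copy is taken so the database files are not changing underneath it.

```python
"""Back up the Aware IM Derby DATA directory and verify the copy afterwards.

Added example; not code from the forum thread, from Aware IM or from Derby.
Assumptions: the Derby files live under <AwareIM root>\\DATA as the reply says,
and Aware IM is stopped while the copy is taken.
"""
import hashlib
import shutil
from datetime import datetime
from pathlib import Path
from typing import Dict, List


def _sha256(path: Path) -> str:
    """SHA-256 of one file, read in 1 MiB chunks so large Derby segments are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every file under root (sorted, POSIX separators)."""
    return {p.relative_to(root).as_posix(): _sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup_data_dir(data_dir: Path, backup_root: Path) -> Path:
    """Copy DATA into backup_root/DATA-<timestamp> and write DATA-<timestamp>.sha256 beside it."""
    stamp = datetime.now().strftime("%Y%m%d-%H%M%S")
    dest = backup_root / f"DATA-{stamp}"
    shutil.copytree(data_dir, dest)              # fails rather than overwrites an existing copy
    manifest = build_manifest(dest)
    manifest_path = backup_root / f"DATA-{stamp}.sha256"
    manifest_path.write_text("".join(f"{digest}  {rel}\n" for rel, digest in manifest.items()))
    return dest


def verify_backup(dest: Path) -> List[str]:
    """Return the relative paths that are missing, extra, or whose contents changed since the manifest."""
    manifest_path = dest.parent / (dest.name + ".sha256")
    expected: Dict[str, str] = {}
    for line in manifest_path.read_text().splitlines():
        digest, rel = line.split("  ", 1)
        expected[rel] = digest
    actual = build_manifest(dest)
    return sorted(rel for rel in set(expected) | set(actual)
                  if expected.get(rel) != actual.get(rel))


def demo_roundtrip() -> Dict[str, List[str]]:
    """Build a small constructed DATA tree in a temp dir, back it up, verify, corrupt one file, verify again."""
    import tempfile
    tmp = Path(tempfile.mkdtemp())
    data = tmp / "DATA"
    (data / "BASDB" / "seg0").mkdir(parents=True)
    # Constructed stand-ins for Derby's files; the names mimic Derby's layout only.
    (data / "BASDB" / "seg0" / "c10.dat").write_bytes(b"\x00" * 4096)
    (data / "BASDB" / "service.properties").write_text("derby.storage.pageSize=4096\n")
    dest = backup_data_dir(data, tmp / "backups")
    clean = verify_backup(dest)
    # Simulate a flipped byte in the copy, e.g. a failing backup disk.
    (dest / "BASDB" / "seg0" / "c10.dat").write_bytes(b"\x00" * 4095 + b"\x01")
    return {"clean": clean, "after_corruption": verify_backup(dest)}


if __name__ == "__main__":
    print(demo_roundtrip())
```

Run verify_backup() on the copy before every restore, not only right after the backup: a manifest that matches tells you the copy is intact; a mismatch tells you which files to distrust and that an older backup is needed.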
Hi
Yes, this makes sense. I have had a bit of a read. Is it difficult here to specify the particular pages that require the security? I ask because if I make the whole system secure it may be noticeable in terms of performance.
Also, the link provided may have changed to:
http://tomcat.apache.org/tomcat-4.0-doc/ssl-howto.html
assuming I am looking in the correct place.
Best Regards
John
OK, so let me get this straight, because I am a complete novice at this. To enable an SSL connection I need to:
Uncomment the https bit in the server.xml file under AwareIM\Tomcat\conf
Run the keytool in AwareIM\JDK\bin using "changeit" as the password and give this certificate to a CA for them to sort me out a real one (from then on I am oblivious to what will happen)
Then am I right in thinking that the address of my site will change to:
https://<<domainName>>:8443/AwareIM/logon.jsp
Could you just give me an indication of whether I am on the right lines here, as we really need to do this right? Is there anything else I need to do? I am sorry if this falls outside your normal support, but I feel I must ask somebody who knows what they are doing before going ahead. Any little snippet of information would be greatly appreciated. Also, am I safe to do this while the system is running, or do I need to stop it first? I ask because if this is the case I will leave it till after hours.
Thanks in advance
John
Yes, this sounds about right.
You need to stop the system when you are doing this. I recommend that you install Aware IM evaluation version on your local machine and try doing it on the local machine first and then if everything is OK, stop the production machine and do the same changes there.
Aware IM Support Team
Hi
Thanks very much for that, I think I have managed it. It seems to work great and with very little difference in performance (admittedly my database is still very small).
Does this mean then that, providing the address is prefixed with https, the data is encrypted? Is the whole point of going to an external CA purely for third-party verification (and kind of up to us)?
I am just about ready to put this one to bed now, thanks again you have been a great help in putting my mind at rest. As I say I am still a learner when it comes to a lot of this stuff so it is good to get an opinion from someone with experience.
Regards
John
Hi
Further to my previous posts, I have managed to generate a certificate (not verified) and used this successfully on our address, which is
https://mail.nmgroup.co.uk:8443/AwareIM/logon.jsp
I have acquired a certificate from a CA and tried to install this using the sub-domain
mail.nmgroup.co.uk as the name. All is almost fine, except that when I try to access the site internally I get a certificate message saying that the name is incorrect. I put this down to the fact that my address (internally) is different from the external one (I could be wrong). When I click to proceed, however, I get a "The page cannot be found" message. This was working before I tried to go official.
Are there any Tomcat-savvy people available to give me some tips on where I may have gone wrong? I am very stuck. I think it may have something to do with the server.xml file, but I don't really know where to look. The example of the file and what to change that I received from the CA looks a bit different to the one in this system.
Regards
John
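An added example, not from John's post or from Aware IM or Tomcat, of checking in advance which addresses a certificate will satisfy. A browser compares the hostname in the URL against the certificate's subject CN and DNS subject-alternative names, so a certificate issued for mail.nmgroup.co.uk alone will raise a name warning for any internal hostname or IP address used to reach the same server. The certificate names, URLs and the internal hostname below are constructed; fetch_cert_names() additionally needs the third-party cryptography package and a reachable server, and is not required for the matching logic itself.

```python
"""Check which URLs a certificate's names will satisfy before going live.

Added example; not code from the forum thread, from Aware IM or from Tomcat.
The names and URLs are constructed. The matching follows what browsers do:
case-insensitive exact match, or a wildcard in the leftmost label only.
"""
import socket
import ssl
from typing import Dict, Iterable, List
from urllib.parse import urlsplit


def hostname_matches(hostname: str, cert_names: Iterable[str]) -> bool:
    """True if one of the certificate's DNS names covers `hostname`.

    "*.example.com" covers "mail.example.com" but neither "example.com"
    nor "a.b.example.com"; an IP address in the URL never matches a DNS name.
    """
    host = hostname.lower().rstrip(".")
    for name in cert_names:
        pattern = name.lower().rstrip(".")
        if pattern == host:
            return True
        if (pattern.startswith("*.") and host.endswith(pattern[1:])
                and host.count(".") == pattern.count(".")):
            return True
    return False


def check_urls(urls: Iterable[str], cert_names: Iterable[str]) -> Dict[str, bool]:
    """Map each URL to True (no browser name warning) or False (warning expected)."""
    names = list(cert_names)
    return {url: hostname_matches(urlsplit(url).hostname or "", names) for url in urls}


def fetch_cert_names(host: str, port: int = 8443) -> List[str]:
    """Read subject CN and SAN DNS names from the certificate a live server presents.

    Verification is switched off on purpose so the certificate can be read even
    when it is self-signed or mis-issued; judge it afterwards with check_urls().
    Needs the third-party `cryptography` package (assumption: installed).
    """
    from cryptography import x509
    from cryptography.x509.oid import ExtensionOID, NameOID

    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    cert = x509.load_der_x509_certificate(der)
    names = [str(a.value) for a in cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)]
    try:
        san = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
        names += san.value.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        pass
    return names


if __name__ == "__main__":
    # Constructed: the CA issued the certificate for the public name only.
    issued_for = ["mail.nmgroup.co.uk"]
    urls = [
        "https://mail.nmgroup.co.uk:8443/AwareIM/logon.jsp",   # public address
        "https://nmgroup-server:8443/AwareIM/logon.jsp",       # constructed internal name
        "https://192.168.1.10:8443/AwareIM/logon.jsp",         # constructed internal IP
    ]
    for url, ok in check_urls(urls, issued_for).items():
        print(("OK   " if ok else "WARN ") + url)
```

If internal users must reach the server by a different name, either have that name issued on the same certificate as a subject-alternative name or make the internal DNS resolve mail.nmgroup.co.uk to the server's internal address, so that the name in the URL is the one the certificate carries.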
This thread has died out, so I assume that John was able to sort it out successfully. I am struggling with importing a CA certificate into Tomcat. Tomcat's and my CA's (GeoTrust in this case) instructions are for someone with a different programming background than mine. Can somebody share their experience and give easy-to-follow instructions on importing root and web certificates? Much appreciated in advance.
I can answer it myself now and share my experience of setting up SSL on Windows.
First you need to create a local keystore file; it contains your private key and you add your registered certificate to it. Fortunately AwareIM comes with a Java environment.
C:\AwareIM\JDK\bin>keytool -genkey -alias tomcat -keyalg RSA
"changeit" is the standard password expected by Tomcat, and unless you want to tell Tomcat explicitly that the password is different, I would stick with this one. It creates the file .keystore in your home directory; in my case it was C:\Documents and Settings\Administrator.
Next you need to adjust the Tomcat settings. Open the file server.xml in the AwareIM\Tomcat\conf directory and remove the comment tags around the SSL connector element:
<Connector port="8443"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" debug="0" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
Needless to say, AwareIM should not be running. That is all you need to use a secure connection on https://www.yourserver.com:8443/AwareIM/. You do not have to get a certificate signed by a recognised CA if your site is not for external customers, who may be scared away by the security message the browser displays if a certificate is not signed.
If you do need a signed certificate, you have to create a certificate request as described by your CA; they are good at this, while the installation instructions can be ambiguous, as they were in my case. Some CAs send only one certificate, which makes the process slightly easier, while many send you the web certificate and require you to download a root or chain certificate. You need to load both certificates into the same .keystore file that you used to create the certificate request. Be aware that some CAs send certificates as text and you need to convert them to binaries with OpenSSL; check openssl.org and find a link to an installation package.
You have to load the root (chain) certificate into the keystore first:
C:\Documents and Settings\Administrator>C:\AwareIM\JDK\bin\keytool -import -alias yourCA -keystore .keystore -file path-to-your-certificate\certificate
Then do the web certificate with:
C:\Documents and Settings\Administrator> C:\AwareIM\JDK\bin\keytool -import -alias tomcat -keystore .keystore -trustcacerts -file path-to-your-certificate\certificate
Restart AwareIM and it should work.
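An added example, not from the post above or from Aware IM or Tomcat, that checks server.xml before the restart for the things that commonly go wrong in this procedure: the SSL connector still inside its comment markers, the SSL port changed without the plain HTTP connector's redirectPort following it (which matters when 8443 is already taken on the machine and another port has to be used), the keystore left at the default location and password, or one port given to two connectors. The two server.xml fragments are constructed. The attributes it inspects are standard Tomcat 5 connector settings; keystoreFile and keystorePass are what you add when you do not want to rely on .keystore in the home directory and the "changeit" password.

```python
"""Sanity-check the HTTPS connector in Tomcat's server.xml before restarting Aware IM.

Added example; not code from the forum thread, from Aware IM or from Tomcat.
The two server.xml fragments are constructed for illustration.
"""
import socket
import xml.etree.ElementTree as ET
from typing import List

# Constructed: the SSL connector as shipped, still inside <!-- --> markers.
SERVER_XML_BEFORE = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" maxThreads="150" redirectPort="8443" />
    <!--
    <Connector port="8443"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" debug="0" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>
"""

# Constructed: markers removed; port moved to 8048 because 8443 is already taken
# by another service on the machine, redirectPort on the HTTP connector changed
# to match, and the keystore path and password given explicitly instead of
# relying on the .keystore in the home directory of whatever account Tomcat runs as.
SERVER_XML_AFTER = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" maxThreads="150" redirectPort="8048" />
    <Connector port="8048"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" debug="0" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="C:/AwareIM/Tomcat/conf/awareim.keystore"
               keystorePass="a-long-random-keystore-password" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>
"""


def check_server_xml(xml_text: str) -> List[str]:
    """Return the problems found; an empty list means the SSL connector looks usable.

    The parser drops XML comments, so a connector that is still commented out
    simply does not appear, which is the first failure reported.
    """
    problems: List[str] = []
    connectors = list(ET.fromstring(xml_text).iter("Connector"))
    https = [c for c in connectors if c.get("scheme") == "https"]
    if not https:
        return ["no HTTPS connector: the SSL <Connector> is still commented out"]
    ssl_conn = https[0]
    port = ssl_conn.get("port")

    if ssl_conn.get("secure") != "true":
        problems.append('SSL connector: secure must be "true"')
    if ssl_conn.get("sslProtocol") != "TLS":
        problems.append('SSL connector: sslProtocol should be "TLS"')
    if ssl_conn.get("keystoreFile") is None:
        problems.append("SSL connector: no keystoreFile, so Tomcat looks for .keystore in the "
                        "home directory of the account it runs as, which may not be yours")
    if ssl_conn.get("keystorePass") in (None, "changeit"):
        problems.append('SSL connector: keystorePass is absent or the default "changeit"')

    # Two connectors cannot bind the same port.
    if [c.get("port") for c in connectors].count(port) > 1:
        problems.append(f"port {port} is used by more than one connector")
    # Plain HTTP connectors send clients to redirectPort when a page requires a
    # secure channel, so that value must follow any change of the SSL port.
    for c in connectors:
        if c is not ssl_conn and c.get("redirectPort") not in (None, port):
            problems.append(f"HTTP connector on port {c.get('port')} has "
                            f"redirectPort={c.get('redirectPort')} but the SSL connector listens on {port}")
    return problems


def port_is_free(port: int, host: str = "127.0.0.1") -> bool:
    """True if nothing on this machine already listens on the port (run before choosing one)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        try:
            sock.bind((host, port))
        except OSError:
            return False
    return True


if __name__ == "__main__":
    for label, text in (("before", SERVER_XML_BEFORE), ("after", SERVER_XML_AFTER)):
        print(label, check_server_xml(text) or "OK")
```

Run it against the real file with check_server_xml(open(r"C:\AwareIM\Tomcat\conf\server.xml").read()) while Aware IM is stopped, and call port_is_free() on the port you intend to use before you restart.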
Hi,
I have played unsuccessfully with this in the past and decided to give it another go, but I still cannot get it to work. I think that my problem is that I am on a GoDaddy dedicated Windows server and port 8443 is being used by the Plesk service.
Any ideas on what needs to be changed in Aware to point to an unused open port? I tried just changing 8443 to 8048 in that one line, but that didn't do the trick.
Thanks,
Pete