Setup Guide - Fusion Products

Nov 17, 2013

FUSION SECURITY

Setup Guide

Fusion Security is a web application which provides a Graphical User Interface for administering user accounts in the Fusion Product Suite. Account changes are applied in real time to any application that is secured with Fusion Security.

This guide provides information on how to deploy and configure Fusion Security.


Table of Contents

1 Fusion Security Dependencies
  1.1 Servlet Container
  1.2 RabbitMQ
  1.3 Email Server
2 Deploying Fusion Security
3 Configuring Fusion Security Properties
  3.1 Product Name
  3.2 Port Redirects
  3.3 Email Server
  3.4 Security Folder
    3.4.1 UNIX
    3.4.2 WINDOWS
    3.4.3 Default User Account
  3.5 Password Verification Properties
4 Configuring Fusion Security Logs
5 Configuring HTTPS
  5.1 Tomcat Configuration
6 Launching Fusion Security


1 Fusion Security Dependencies

Fusion Security consists of a single Web Application Archive (war) file called FusionSecurity.war. The war file is deployed to a servlet container such as Apache Tomcat. It requires a connection to a database and a connection to an email server. Also an integral part of the architecture is a robust message queue, which allows for the deployment of a high-availability, scalable system.

1.1 Servlet Container

Fusion Security is deployed to a Servlet Container. Apache Tomcat is a popular, open source servlet container. Download links and installation instructions can be found at the following URL:

http://tomcat.apache.org/

It is recommended to use the latest version of Apache Tomcat, as it will include the latest security patches. Fusion Security will not run in any version lower than 6.0.

Fusion Security requires HTTPS to be enabled on the servlet container, and as such a security certificate must be made available to the servlet container. This is described later in this document.

1.2 RabbitMQ

RabbitMQ is an open source message broker that implements the Advanced Message Queuing Protocol (AMQP). Fusion Security uses RabbitMQ to publish auditable events, such as authentication events or account modifications. Fusion Security also publishes events which can be picked up by other running instances of Fusion Security, allowing more than one instance to run at the same time. Because both the audit trail and the coordination between instances travel over the broker, RabbitMQ should not be left with its default credentials or exposed to networks you do not control.

The RabbitMQ installation instructions can be found at the following URL:

http://www.rabbitmq.com/

It is recommended to use the latest version of RabbitMQ. At the time of writing, this is the 3.1.3 release.

1.3 Email Server

Fusion Security requires a connection to a Simple Mail Transfer Protocol (SMTP) email server. The email server is used to email users in the following circumstances:

1. When a user forgets their password.
2. If a user account is automatically locked due to excessive login failures.


2 Deploying Fusion Security

The deployment section assumes Apache Tomcat is being used, but the information provided is transferable to any servlet container.

Whilst Apache Tomcat will automatically unpack the war file on application start-up, it is recommended to unpack it manually, as there are some configuration files that will need to be edited before start-up. The steps required to manually deploy Fusion Security are described below:

1. Under [tomcat home]/webapps create the folder 'FusionSecurity'.
2. Unzip the contents of FusionSecurity.war to 'FusionSecurity'.
   a. This step may require a rename of FusionSecurity.war to FusionSecurity.zip (a war file is an ordinary zip archive).
   b. Ensure the FusionSecurity folder does not include FusionSecurity.war.
   c. If step 2 cannot be performed, then copy FusionSecurity.war under [tomcat home]/webapps and launch Tomcat. After Tomcat is launched, shut it down. Tomcat will have automatically created the FusionSecurity folder.

The FusionSecurity folder should contain the following directories and file(s):
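The manual unpack described in steps 1 and 2, scripted. This is an added example, not code from Fusion Security or from Metadata Technology; it assumes only what the guide states (the war is a zip archive, it is unpacked into [tomcat home]/webapps/FusionSecurity, the exploded folder must not contain the war, and the properties file lives at WEB-INF/classes/fusion-security.properties). It also refuses archives whose entries would escape the target directory, since an operator unzipping a war by hand gets no such protection.

```python
"""Manual deployment of FusionSecurity.war, scripted (added example)."""
import tempfile
import zipfile
from pathlib import Path, PurePosixPath

APP_NAME = "FusionSecurity"
PROPERTIES = "WEB-INF/classes/fusion-security.properties"


def _safe_member(name):
    """True if a zip entry stays inside the extraction directory.

    A war from an untrusted source could carry '../' or absolute paths
    (a 'zip slip' archive); refuse those before extracting anything."""
    p = PurePosixPath(name)
    return not p.is_absolute() and ".." not in p.parts and "\\" not in name


def explode_war(war_path, tomcat_home):
    """Steps 1-2 of section 2: unpack the war into webapps/FusionSecurity.

    Returns the exploded application directory; raises ValueError if the
    archive is unsafe or does not look like a Fusion Security war."""
    target = Path(tomcat_home) / "webapps" / APP_NAME
    target.mkdir(parents=True, exist_ok=True)              # step 1
    with zipfile.ZipFile(war_path) as war:
        names = war.namelist()
        unsafe = [n for n in names if not _safe_member(n)]
        if unsafe:
            raise ValueError("refusing to extract unsafe entries: %r" % unsafe)
        if PROPERTIES not in names:
            raise ValueError("%s does not contain %s" % (war_path, PROPERTIES))
        war.extractall(target)                             # step 2
    stray = target / (APP_NAME + ".war")                    # step 2b
    if stray.exists():
        stray.unlink()
    return target


def check_deployment(tomcat_home):
    """Return the problems with an exploded deployment (empty list == OK)."""
    target = Path(tomcat_home) / "webapps" / APP_NAME
    if not target.is_dir():
        return ["missing %s" % target]
    problems = []
    if not (target / PROPERTIES).is_file():
        problems.append("missing %s" % PROPERTIES)
    if (target / (APP_NAME + ".war")).exists():
        problems.append("%s.war must not be inside the exploded folder" % APP_NAME)
    return problems


def build_sample_war(path, entries):
    """Write a constructed stand-in for FusionSecurity.war (sample data only)."""
    with zipfile.ZipFile(path, "w") as war:
        for name, body in entries.items():
            war.writestr(name, body)


def demo(entries=None):
    """Deploy a constructed war into a temporary Tomcat home; return problems."""
    entries = entries or {
        PROPERTIES: "product.name=Fusion Security\nport.http=8080\nport.https=8443\n",
        "WEB-INF/web.xml": "<web-app/>",
        "index.html": "<html/>",
    }
    with tempfile.TemporaryDirectory() as tomcat_home:
        war = Path(tomcat_home) / "FusionSecurity.war"
        build_sample_war(war, entries)
        explode_war(war, tomcat_home)
        return check_deployment(tomcat_home)


def demo_rejects_zip_slip():
    """True if a war carrying a path-traversal entry is refused."""
    try:
        demo({PROPERTIES: "", "../../conf/server.xml": "owned"})
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("problems:", demo())                            # []
    print("zip slip refused:", demo_rejects_zip_slip())   # True
```

Run it against a real war by calling explode_war("/path/to/FusionSecurity.war", "/opt/tomcat") and then check_deployment("/opt/tomcat"); the demo() helper only exists so the script can be exercised without a Tomcat installation.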


3 Configuring Fusion Security Properties

To configure Fusion Security, open the file:

[tomcat]/webapps/FusionSecurity/WEB-INF/classes/fusion-security.properties

The default contents of the fusion-security.properties file are shown below:

product.name=Fusion Security

port.http=8080
port.https=8443

mail.smtp=
mail.port=
mail.username=
mail.password=
mail.security=true

#DIRECTORY FOR PERSISTENCE
security.directory=
security.file=SecurityFile.xml

#RESET DETAILS
security.password.timeouthours=2
security.password.dissallowed=IllegalPassword.txt
security.password.minlength=1
security.password.minnum=-1
security.password.minchar=-1
security.password.minlower=-1
security.password.minupper=-1
security.password.illegalchars=
max.login.attempt=3

#SDMX WEB SERVICE URL TO OBTAIN ORGANISATIONS
structure.ws=

Note that the property key security.password.dissallowed is spelled with a double "s" in the product; use it exactly as shown. This file also holds mail.password in clear text, so restrict its read permissions to the account that runs the servlet container.


3.1 Product Name

The product.name property can be modified but does not need to be. It is used for two purposes:

1. It is included in the email sent to users when they have forgotten their password (to identify the application).
2. Any auditable events published by Fusion Security will include this name, enabling users to view audits by product name.
3.2 Port Redirects

The two port properties port.http and port.https are used by the security redirects. Fusion Security requires that users connect over https to ensure a secure connection. Any user attempting to connect via http will automatically be redirected to the same URL, but using the https protocol. As https runs on a separate port to http, the redirect needs to know what the http port is and which https port to redirect to.

The defaults, 8080 and 8443, are Tomcat's default http and https ports. If the Tomcat connectors use different ports, these two properties must be changed to match, otherwise the redirect will send users to a port that is not listening.

The redirect only helps with requests that carry no credentials: anything a client sends to the http port before being redirected has already crossed the network in clear text, so do not expose the http port any further than necessary.

3.3 Email Server

The email server is set up by adding values to the mail properties. If the email server does not require a username or password, then these fields can be left blank and mail.security must be set to false.

3.4 Security Folder

User accounts are persisted to a security file. Fusion Security requires the location of the security file, security.directory, and the security file name, security.file. Examples for UNIX and Windows are provided below:

3.4.1 UNIX

security.directory=/home/ubuntu/FusionSuite/Security
security.file=SecurityFile.xml

3.4.2 WINDOWS

security.directory=C:/FusionSuite/Security
security.file=SecurityFile.xml

The directory must be writable by the account that runs the servlet container, and because the file holds every user account it should not be readable by any other account.

3.4.3 Default User Account

The first time Fusion Security is launched, the Fusion Security file will be created. A root user will be created with the following credentials:

User id: root
Password: password

These credentials are the same for every installation, so change the root password immediately after the first login, before the server is reachable by anyone else.


3.5 Password Verification Properties

Security password rules are provided to enforce tighter controls on what passwords may be. Note that the defaults shown in section 3 (minlength=1 and every other minimum set to -1) impose effectively no policy, so a production deployment should set these values explicitly. There are a number of options, which are explained below:

security.password.timeouthours
    The time, in hours, that the user has to reset their password after they have submitted a forgotten-password request.

security.password.dissallowed
    A text file containing a list of illegal passwords. The file path is relative to the security.directory property. If no restrictions on passwords are required, this value can be left blank.

security.password.minlength
    The minimum length for a password. Set to -1 if you wish there to be no minimum length.

security.password.minnum
    The minimum number of numeric characters (0-9) that must be present in the password. Set to -1 if this setting is not required.

security.password.minchar
    The minimum number of alphabetic characters (a-zA-Z) that must be present in the password. Set to -1 if this setting is not required.

security.password.minlower
    The minimum number of lower case characters that must be present in the password. Set to -1 if this setting is not required.

security.password.minupper
    The minimum number of upper case characters that must be present in the password. Set to -1 if this setting is not required.

security.password.illegalchars
    Specifies which characters cannot be included in a password. These should be listed with no separators, for example: £$%*&^
    Leave blank if not applicable.

max.login.attempt
    The maximum number of consecutive login failures for a user before their account is automatically locked. Note that in such a situation both the user whose account was locked and all of the administrators will receive an email. Because the lock is triggered by failed attempts alone, anyone who knows a user id can lock that account; keep the value low enough to slow password guessing, but watch the lockout emails for abuse.
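The rules in the table, implemented as a checker so you can see exactly what a given set of security.password.* values accepts before you ship them. This is an added example and not Fusion Security's own validation code: the semantics follow the table above (a minimum of -1 disables that rule, illegalchars is an unseparated string, the disallowed file is one password per line), but whether the product compares the disallowed list case-insensitively is an assumption made here, and the HARDENED_POLICY values and the audit thresholds are illustrative choices, not product recommendations.

```python
"""Password-policy checker mirroring the security.password.* properties (added example)."""
from string import ascii_letters, ascii_lowercase, ascii_uppercase

# The defaults from section 3 (effectively no policy) and a tightened set.
# The tightened values are illustrative, not recommendations from the guide.
DEFAULT_POLICY = """\
security.password.dissallowed=IllegalPassword.txt
security.password.minlength=1
security.password.minnum=-1
security.password.minchar=-1
security.password.minlower=-1
security.password.minupper=-1
security.password.illegalchars=
"""
HARDENED_POLICY = """\
security.password.dissallowed=IllegalPassword.txt
security.password.minlength=12
security.password.minnum=1
security.password.minchar=1
security.password.minlower=1
security.password.minupper=1
security.password.illegalchars=£$%*&^
"""


def parse_properties(text):
    """Minimal .properties reader: key=value lines, '#' comment lines ignored."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}


def parse_disallowed(text):
    """Parse the contents of the security.password.dissallowed file."""
    return {l.strip().lower() for l in text.splitlines() if l.strip()}


SAMPLE_DISALLOWED = parse_disallowed("password\nPassword1\nletmein\n")  # constructed list


def _minimum(props, key):
    """A blank or missing minimum is treated like -1 (rule disabled)."""
    raw = props.get(key, "")
    return int(raw) if raw else -1


def check_password(password, props, disallowed=frozenset()):
    """Return the list of rules the password violates (empty == accepted)."""
    counts = {
        "security.password.minlength": len(password),
        "security.password.minnum": sum(c in "0123456789" for c in password),
        "security.password.minchar": sum(c in ascii_letters for c in password),
        "security.password.minlower": sum(c in ascii_lowercase for c in password),
        "security.password.minupper": sum(c in ascii_uppercase for c in password),
    }
    violations = []
    for key, have in counts.items():
        need = _minimum(props, key)
        if need >= 0 and have < need:
            violations.append("%s: need %d, have %d" % (key, need, have))
    illegal = sorted(set(props.get("security.password.illegalchars", "")) & set(password))
    if illegal:
        violations.append("security.password.illegalchars: contains %s" % "".join(illegal))
    if password.lower() in disallowed:  # case-insensitive match is an assumption
        violations.append("security.password.dissallowed: password is on the blocked list")
    return violations


def audit_policy(props):
    """Flag a policy weaker than these (illustrative) thresholds."""
    warnings = []
    if _minimum(props, "security.password.minlength") < 8:
        warnings.append("minlength below 8 (or disabled)")
    classes = ("minnum", "minchar", "minlower", "minupper")
    if all(_minimum(props, "security.password." + c) < 1 for c in classes):
        warnings.append("no character-class minimum is enforced")
    if not props.get("security.password.dissallowed"):
        warnings.append("no disallowed-password list configured")
    return warnings


if __name__ == "__main__":
    defaults, hardened = parse_properties(DEFAULT_POLICY), parse_properties(HARDENED_POLICY)
    print(check_password("a", defaults))                                  # [] : defaults accept "a"
    print(check_password("a", hardened))                                  # three violations
    print(check_password("Correct-Horse-9", hardened, SAMPLE_DISALLOWED))  # []
    print(audit_policy(defaults))                                         # two warnings
```

Pointing audit_policy at the real fusion-security.properties (read the file and pass it through parse_properties) is a quick pre-deployment check that the password section was not left at its shipped values.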


4 Configuring Fusion Security Logs

Fusion Security has been configured to audit events to Fusion Audit via RabbitMQ. The detail of the audited log events, which can be used to provide insight into an audit event, can be configured in the log4j.properties file. This file is found in:

[tomcat]/webapps/FusionSecurity/WEB-INF/classes/log4j.properties

Fusion Security has been configured to capture all Metadata Technology logs at DEBUG level. This includes any code in the packages com.sdmxfusion, com.metadatatechnology and org.sdmxsource. All other log statements are captured by the rootLogger at INFO level. These levels can be changed at any time, but an application restart is required for changes to take effect. The custom appender (LogPublisher) is responsible for publishing log messages to RabbitMQ. The default configuration is shown below:

#ROOT LOGGER
log4j.rootLogger=INFO, stdout, custom
log4j.rootLogger.additivity=false

log4j.logger.com.sdmxfusion=DEBUG
log4j.logger.com.metadatatechnology=DEBUG
log4j.logger.org.sdmxsource=DEBUG

#APPENDERS
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %p [%c] - <%m>%n

log4j.appender.custom=com.sdmxfusion.sdmx.integration.manager.publisher.LogPublisher
log4j.appender.custom.bufferSize=30


5 Configuring HTTPS

Fusion Security mandates that all communication is performed over HTTPS. This is to ensure that any authentication information passed over the wire is encrypted.

The first thing that you will require to enable HTTPS is a valid certificate for the server to prove to the client that it is to be trusted. This certificate should ideally be signed by a trusted Certification Authority (CA). Untrusted certificates may be used, but these will cause a slight inconvenience for your end users: the browser warns on every visit, and a user who is used to clicking through that warning cannot tell a genuine man-in-the-middle attack from the expected one.

Certificates can be obtained from certificate authorities (e.g. VeriSign / Microsoft / etc.). If you are planning on running Fusion Security in a production environment, it is recommended you fully understand how certificates operate and set up a trusted certificate. If you wish to just explore how Fusion Security supports HTTPS, you can set up a certificate through the Java supplied application keytool. This application is supplied as part of the Java Development Kit (JDK) and can be used to view the contents of key stores or create a new key store and certificate. Details of how keytool works can be found on Oracle's website:

http://docs.oracle.com/javase/7/docs/technotes/tools/windows/keytool.html

The following command creates a self-signed certificate and a keystore named metatech.keystore which has a password of password. When prompted you will need to answer questions regarding the name and organisation of the certificate. When keytool then asks for a key password, press RETURN so that the key uses the keystore password: the Tomcat connector in the next section supplies only keystorePass and expects the key to use the same password. For further details please refer to the keytool documentation.

keytool -genkeypair -alias serverTrust -keyalg RSA -keysize 2048 -validity 365 -storepass password -keystore metatech.keystore -storetype JKS -ext san=ip:192.168.4.1

(-keysize 2048 has been added to the original command: older JDKs default to a 1024-bit RSA key, which is no longer considered adequate.) Replace password with a real keystore password; note that a password given with -storepass ends up in your shell history.

Note: Certificates are valid for a specific host name. You may specify your domain name as the CN of the certificate, but in the example above the "Subject Alternative Name" (SAN) is set to the IP address 192.168.4.1. This means that the machine running on this IP is trusted with this certificate. If you use the example above, ensure you modify the SAN value to be the IP address of the machine that is running your Tomcat server. Current browsers match the host against the SAN only, not the CN, so for a name-based deployment use san=dns:your.host.name.

5.1 Tomcat Configuration

The keystore file must be copied to the conf directory of your Apache Tomcat installation.

Also within the conf directory, you will need to edit the file server.xml. Locate the section regarding SSL (the commented-out Connector on port 8443) and enable it. It will look something like the following:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="conf/metatech.keystore"
           keystorePass="password" />

In the above example the secure port has been defined as 8443. If you are using a secure port other than 8443, you will need to change this value (and port.https in fusion-security.properties to match). The value for keystoreFile must be the location of your keystore file (which you just copied to your conf directory) and the value for keystorePass must be the correct password for your keystore. server.xml now holds that password in clear text, so restrict read access to the conf directory and the keystore to the account that runs Tomcat.
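A consistency check between the Tomcat connector above and the port.http / port.https properties from section 3.2, since a mismatch between the two files silently breaks the http-to-https redirect. This is an added example, not code shipped with Fusion Security or Tomcat; it assumes the Connector attributes shown above and the two sample inputs are constructed to mirror the guide's own snippets. The scheme/secure rule rests on Tomcat's documented behaviour: those attributes are what make request.getScheme() and request.isSecure() report https to the application.

```python
"""Cross-check Tomcat's server.xml against fusion-security.properties (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample mirroring the guide's connector, plus Tomcat's default plain connector.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="conf/metatech.keystore"
               keystorePass="password" />
  </Service>
</Server>
"""
SAMPLE_PROPERTIES = "port.http=8080\nport.https=8443\n"
EXAMPLE_KEYSTORE_PASSWORD = "password"  # the value used in the guide's keytool command


def parse_properties(text):
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}


def connectors(server_xml):
    """All <Connector> elements as attribute dicts, in document order."""
    return [dict(c.attrib) for c in ET.fromstring(server_xml).iter("Connector")]


def _is_ssl(conn):
    return conn.get("SSLEnabled", "false").lower() == "true"


def check_tls_setup(server_xml, properties_text):
    """Return findings about the HTTPS setup (empty list == consistent)."""
    props = parse_properties(properties_text)
    conns = connectors(server_xml)
    ssl_ports = {c.get("port") for c in conns if _is_ssl(c)}
    plain_ports = {c.get("port") for c in conns if not _is_ssl(c)}
    findings = []
    if not ssl_ports:
        findings.append('no Connector has SSLEnabled="true": Fusion Security requires HTTPS')
    # The redirect in section 3.2 only works if both properties name real ports.
    if props.get("port.https") not in ssl_ports:
        findings.append("port.https=%s does not match an SSL connector %s"
                        % (props.get("port.https"), sorted(ssl_ports)))
    if props.get("port.http") not in plain_ports:
        findings.append("port.http=%s does not match a plain HTTP connector %s"
                        % (props.get("port.http"), sorted(plain_ports)))
    for c in conns:
        if not _is_ssl(c):
            continue
        port = c.get("port")
        # scheme/secure are what make Tomcat report the request as https to the app.
        if c.get("scheme") != "https" or c.get("secure", "false").lower() != "true":
            findings.append('connector %s: needs scheme="https" secure="true"' % port)
        if c.get("keystorePass") == EXAMPLE_KEYSTORE_PASSWORD:
            findings.append("connector %s: keystorePass is the guide's example value; "
                            "use a real password (and a keystore that uses it)" % port)
        if not c.get("keystoreFile"):
            findings.append("connector %s: keystoreFile is not set" % port)
    return findings


if __name__ == "__main__":
    for finding in check_tls_setup(SAMPLE_SERVER_XML, SAMPLE_PROPERTIES):
        print("-", finding)   # one finding: the example keystore password
```

Against a real installation, read [tomcat]/conf/server.xml and the fusion-security.properties file and pass their contents to check_tls_setup; an empty result means the ports line up and the SSL connector is configured the way this section describes.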

Once the above has been configured, you may start your Tomcat application server. In the startup log you will now notice an entry for your new secure port. A typical example is shown below, which states that there are two ports open: the first on 8080 (for http connections) and the other on 8443 (for https connections):

org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-8080"]
org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-8443"]


6 Launching Fusion Security

Once Fusion Security has been configured, it can be launched. This is achieved by starting the servlet container. Once the servlet container has been started, the web user interface for Fusion Security will be available from a web browser at the following URL:

http://server:port/FusionSecurity

NOTE: Fusion Security will automatically redirect any http requests to https.

The resulting page will be the login page; this is shown in Figure 1 below.

Figure 1: the Fusion Security login page