5.491 Securing Client Connections to MWS

All connections to MWS, except those requesting the documentation or the main page, must be authenticated. MWS uses a single-trusted-user authentication model: exactly one user exists, and that user has access to all aspects of MWS, so its credentials must be protected accordingly. The username and password for this user are configured with the auth.defaultUser properties in the configuration file. For more information, see Configuration.

When using the MWS user interface in a browser, the user will be prompted for username and password. For information on how to authenticate requests when not using a browser, see Authentication.

The username and password in the Basic Authentication header are only Base64-encoded, not encrypted, so anyone able to observe the connection can recover them. Therefore, it is strongly recommended that MWS be run behind a proxy (such as Apache) with SSL enabled, or that Tomcat itself be configured to serve MWS over SSL. The instructions below provide an example of each.

5.491.1 Encrypting Client Connections Using Apache and SSL

This section shows how to encrypt client connections to MWS using Apache and SSL. These instructions have been tested on CentOS™ 6.2 with the "Web Server" software set installed. The same ideas are applicable to other operating systems, but the details might be different. As shown in the diagram below, these instructions assume that Tomcat and Apache are running on the same server.

To encrypt client connections using Apache and SSL

  1. Create a self-signed certificate. (If desired, see http://www.openssl.org/docs/HOWTO/certificates.txt for more information.) Instead of creating a self-signed certificate, you can buy a certificate from a certificate vendor. If you do, the vendor will provide instructions on how to configure Apache with your certificate, and you can skip step 2. Note that a self-signed certificate is not trusted by browsers or other clients until it has been imported into their trust stores; until then they will warn about it or refuse the connection.
  2. Do the following:
    1. Run these commands:
       cd /etc/pki/tls/certs
       cp -p make-dummy-cert make-dummy-cert.bak
       cp -p localhost.crt localhost.crt.bak
    2. Edit make-dummy-cert and replace the answers() function with code similar to this. The answers are fed to openssl req in the order it prompts for them (country, state, city, organization, organizational unit, common name, e-mail address). The common name (test1.adaptivecomputing.com in this example) must be the host name that clients will use in the URL; otherwise they will reject the certificate as not matching the server:
       answers() {
          echo US
          echo Utah
          echo Provo
          echo Adaptive Computing Enterprises, Inc.
          echo Engineering
          echo test1.adaptivecomputing.com
          echo
       }
    3. Run this command:
       ./make-dummy-cert localhost.crt
       This writes a new private key and a new certificate into the single file localhost.crt, which is why the separate SSLCertificateKeyFile directive is removed in the next step.
  3. Configure Apache to use the new certificate and to forward MWS requests to Tomcat. To do so, edit /etc/httpd/conf.d/ssl.conf. Do the following:
    1. Comment out this line (the key now lives in localhost.crt, which the existing SSLCertificateFile directive already points to):
       SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
    2. Add these lines near the end, just above </VirtualHost>. They require mod_proxy and mod_proxy_http, which the CentOS httpd package loads by default:
       ProxyPass /mws http://127.0.0.1:8080/mws retry=5
       ProxyPassReverse /mws http://127.0.0.1:8080/mws
  4. Configure Apache to redirect every plaintext MWS request to SSL. Add these lines to the end of /etc/httpd/conf/httpd.conf:
       RewriteEngine On
       RewriteCond %{HTTPS} off
       RewriteRule (/mws.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
     The RewriteCond restricts the rule to requests that did not arrive over SSL; the R=301 flag sends an explicit permanent redirect instead of serving the content, and L stops further rule processing. Because the redirect happens in Apache, the plaintext request never reaches MWS. It does not, however, protect a client that already sent its Basic Authentication header with that first plaintext request, so configure clients with the https URL directly rather than relying on the redirect.
  5. If SELinux is enforcing, give Apache permission to open network connections so that mod_proxy can reach Tomcat. This boolean allows httpd to connect to any host and port, not only to Tomcat; -P makes the setting persistent across reboots.
       setsebool -P httpd_can_network_connect 1
  6. Turn on Apache.
       chkconfig httpd on
       service httpd start
  7. Using system-config-firewall-tui, enable "Secure WWW (HTTPS)" and "WWW (HTTP)" as trusted services. Plain HTTP is needed only for the redirect in step 4. Do not open port 8080: Tomcat is still listening there, and a client that can reach it directly bypasses SSL entirely. To be safe even if the firewall is later relaxed, bind the Tomcat HTTP connector to the loopback address (address="127.0.0.1" on the Connector element in server.xml) so that only Apache on the same host can reach it.
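The Apache procedure above assembled into a script, as an added example that is not part of the MWS documentation or of Adaptive Computing's code. It goes beyond the steps above in three ways: the private key is kept in its own file so the SSLCertificateKeyFile directive stays in place, the redirect names the configured ServerName and carries explicit flags rather than reflecting the client-supplied Host header, and a Strict-Transport-Security header keeps browsers on HTTPS. The host name mws.example.com, the backend address and the output paths are assumptions; the emitted configuration is meant to be installed as its own file (for instance /etc/httpd/conf.d/mws.conf) with the stock <VirtualHost _default_:443> block in ssl.conf removed so that only one SSL virtual host exists. make_cert needs openssl and mws_verify needs network access to the running server; split_pem and mws_apache_conf run anywhere.

```shell
#!/bin/sh
# Added example, not part of the MWS documentation or of Adaptive Computing's
# code. Completes the Apache procedure above with the key kept in its own file,
# a redirect that does not reflect the client-supplied Host header, and a set
# of post-deployment checks. Host name, paths and backend are assumptions.
set -eu

# make-dummy-cert writes the private key and the certificate into one file.
# Split them so the key can stay in /etc/pki/tls/private with mode 0600 and
# the SSLCertificateKeyFile directive in ssl.conf need not be commented out.
#   usage: split_pem combined.crt out.key out.crt
split_pem() {
  combined="$1"; keyout="$2"; certout="$3"
  # copy only the PRIVATE KEY block ("RSA PRIVATE KEY" or "PRIVATE KEY"),
  # creating the file under umask 077 so it is never world-readable
  ( umask 077
    awk '/-----BEGIN .*PRIVATE KEY-----/{p=1} p{print} /-----END .*PRIVATE KEY-----/{p=0}' \
      "$combined" > "$keyout" )
  awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{p=0}' \
    "$combined" > "$certout"
  chmod 0644 "$certout"
  # fail if either block was missing from the input
  grep -q 'BEGIN .*PRIVATE KEY' "$keyout" && grep -q 'BEGIN CERTIFICATE' "$certout"
}

# Generate a fresh key and self-signed certificate with the same openssl
# command make-dummy-cert runs internally, but with the CN set to the real
# host name and the key written to its own file from the start.
#   usage: make_cert host out.key out.crt
make_cert() {
  ( umask 077
    openssl req -newkey rsa:2048 -nodes -x509 -days 365 \
      -subj "/C=US/ST=Utah/L=Provo/O=Adaptive Computing Enterprises, Inc./OU=Engineering/CN=$1" \
      -keyout "$2" -out "$3" )
  chmod 0644 "$3"
}

# Print a complete httpd configuration for /mws. Unlike the edits above, the
# redirect target is the configured ServerName rather than %{HTTP_HOST} (a
# client-controlled value), the rule carries explicit [R=301,L] flags, the key
# keeps its own directive, and HSTS tells browsers to stay on HTTPS.
#   usage: mws_apache_conf host [backend_host:port]
mws_apache_conf() {
  host="$1"; backend="${2:-127.0.0.1:8080}"
  cat <<EOF
<VirtualHost *:80>
    ServerName ${host}
    RewriteEngine On
    RewriteRule ^/mws https://${host}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName ${host}
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
    Header always set Strict-Transport-Security "max-age=31536000"
    ProxyPass /mws http://${backend}/mws retry=5
    ProxyPassReverse /mws http://${backend}/mws
</VirtualHost>
EOF
}

# Checks to run from another machine once httpd is up (they need network
# access): plaintext /mws must answer with a redirect to https, the served
# certificate must name the host, and Tomcat's own port must be unreachable,
# otherwise the redirect is simply bypassed by connecting to 8080 directly.
#   usage: mws_verify host
mws_verify() {
  curl -sI "http://$1/mws/" | grep -i '^Location: https://'
  echo | openssl s_client -connect "$1:443" 2>/dev/null \
    | openssl x509 -noout -subject | grep -q "CN *= *$1"
  ! curl -s --max-time 3 -o /dev/null "http://$1:8080/mws/"
}
```

Typical use on the server: `make_cert mws.example.com /etc/pki/tls/private/localhost.key /etc/pki/tls/certs/localhost.crt` (or `split_pem` on the file make-dummy-cert already produced), then `mws_apache_conf mws.example.com > /etc/httpd/conf.d/mws.conf`, restart httpd, and run `mws_verify mws.example.com` from a client; a non-zero exit from the last check means port 8080 is reachable and the SSL requirement can be bypassed.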

5.491.2 Encrypting Client Connections Using Tomcat and SSL

This section shows how to encrypt client connections to MWS using Tomcat and SSL but without requiring the use of Apache. These instructions have been tested on CentOS™ 6.2 with Tomcat 6.0.

To encrypt client connections using Tomcat and SSL

  1. First, you must generate a certificate. Do the following:
    1. Use the keytool utility that is shipped with the Oracle Java Runtime Environment. As the Tomcat user, run the following:
       keytool -genkey -alias tomcat -keyalg RSA
    2. When keytool asks for "your first and last name", enter the host name that clients will use in the URL; keytool stores that answer as the certificate's common name, and clients reject a certificate whose common name does not match the server. Specify a password value of "changeit". This creates a .keystore file that contains the new certificate in the user's home directory. These are the defaults the Tomcat SSL connector uses when keystoreFile and keystorePass are not set, but "changeit" is a widely known default: for anything beyond a test, choose a different password and set it with the keystorePass attribute on the connector in step 2.

  2. Enable the Tomcat SSL connector. Do the following:
    1. Open the server.xml file, usually located in $CATALINA_HOME/conf/ ($CATALINA_HOME represents the directory where Tomcat is installed).
    2. Verify that the SSL HTTP/1.1 Connector entry is enabled. To do so, locate the SSL HTTP/1.1 Connector entry and uncomment it:
       <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" />

       The code above enables SSL access on port 8443. The default for HTTPS is 443, but just as Tomcat uses 8080 instead of 80 to avoid conflicts, 8443 is used instead of 443. If you chose a password other than "changeit" or a keystore location other than the home directory, add keystorePass="..." and keystoreFile="..." attributes to this element.

    3. Save the server.xml file.
    4. Verify that server.xml is owned by the Tomcat user:
       chown tomcat:tomcat server.xml
    5. Next, modify the MWS web.xml file. Add a security-constraint section to the $CATALINA_HOME/webapps/mws/WEB-INF/web.xml file found in your Tomcat directory. The CONFIDENTIAL transport guarantee makes Tomcat refuse to serve any MWS URL over a plaintext connection:
       <web-app>
          …
             <security-constraint>
                <web-resource-collection>
                   <web-resource-name>MWS Secure URLs</web-resource-name>
                   <url-pattern>/*</url-pattern>
                </web-resource-collection>
                <user-data-constraint>
                   <transport-guarantee>CONFIDENTIAL</transport-guarantee>
                </user-data-constraint>
             </security-constraint>
       </web-app>
    6. Now restart Tomcat. Plaintext requests to MWS on port 8080 are answered with a redirect to the port named by the redirectPort attribute of the 8080 connector (8443 in the default server.xml). A client that sends its Basic Authentication header with that first plaintext request has already exposed the credentials, so configure clients with the https URL directly, and bind the 8080 connector to the loopback address (address="127.0.0.1") or close port 8080 in the firewall if nothing on the network needs it.
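The Tomcat procedure above in script form, as an added example that is not part of the MWS documentation or of Tomcat: a keystore generated with explicit, non-default settings, the connector pair to paste into server.xml, and an audit that reports the weak settings discussed above in an existing server.xml (a plaintext connector reachable from the network, an SSL connector relying on the default keystore location or the default "changeit" password, or no enabled SSL connector at all). The host name, keystore path and password are assumptions; make_keystore needs keytool on the PATH, while the audit needs only awk and grep.

```shell
#!/bin/sh
# Added example, not part of the MWS documentation or of Tomcat. Builds the
# Tomcat SSL setup above with explicit, non-default settings and audits a
# server.xml for the weak ones. Assumes Tomcat 6 on CentOS 6; host name,
# keystore path and password are illustrative.
set -eu

# Same keystore as "keytool -genkey -alias tomcat -keyalg RSA" above, but with a
# 2048-bit key, a CN equal to the host name (passed via -dname instead of the
# interactive prompt) and a password that is not the well-known "changeit".
#   usage: make_keystore host /path/to/.keystore password
make_keystore() {
  ( umask 077
    keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
      -dname "CN=$1, OU=Engineering, O=Adaptive Computing Enterprises Inc, L=Provo, ST=Utah, C=US" \
      -keystore "$2" -storepass "$3" -keypass "$3" )
}

# Connector pair for server.xml. The plaintext connector is bound to loopback so
# the CONFIDENTIAL constraint cannot be bypassed by talking to 8080 from the
# network, and the SSL connector names its keystore and password explicitly
# instead of relying on .keystore in the home directory and "changeit".
#   usage: tomcat_connectors /path/to/.keystore password
tomcat_connectors() {
  cat <<EOF
<Connector port="8080" protocol="HTTP/1.1" address="127.0.0.1"
           connectionTimeout="20000" redirectPort="8443" />
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true" clientAuth="false"
           sslProtocol="TLS" keystoreFile="$1" keystorePass="$2" />
EOF
}

# Remove XML comments (including multi-line ones) so a commented-out connector
# is not mistaken for a live one.
#   usage: strip_comments file.xml
strip_comments() {
  awk '{ line = $0; out = ""
         while (length(line) > 0) {
           if (!c) { i = index(line, "<!--")
             if (!i) { out = out line; break }
             out = out substr(line, 1, i - 1); line = substr(line, i + 4); c = 1
           } else { i = index(line, "-->")
             if (!i) break
             line = substr(line, i + 3); c = 0 } }
         print out }' "$1"
}

# Audit the live <Connector> elements of a server.xml for the weaknesses
# discussed above. Prints one finding per line; returns 1 if any were found.
#   usage: audit_server_xml /path/to/server.xml
audit_server_xml() {
  rc=0; ssl=0
  list=$(mktemp)
  # one connector element per line, whatever line breaks the file used
  strip_comments "$1" | tr '\n' ' ' | grep -o '<Connector[^>]*>' > "$list" || true
  while IFS= read -r c; do
    case "$c" in
      *SSLEnabled=\"true\"*)
        ssl=$((ssl + 1))
        case "$c" in *keystoreFile=*) ;;
          *) echo "SSL connector has no keystoreFile and falls back to .keystore in the home directory"; rc=1 ;; esac
        case "$c" in *keystorePass=\"changeit\"*) echo "SSL connector keystorePass is the default changeit"; rc=1 ;;
          *keystorePass=*) ;;
          *) echo "SSL connector sets no keystorePass, so changeit is assumed"; rc=1 ;; esac ;;
      *protocol=\"AJP*) ;;   # AJP connectors are not part of this procedure
      *)                     # anything else is a plaintext HTTP connector
        case "$c" in *address=\"127.0.0.1\"*|*address=\"localhost\"*) ;;
          *) echo "plaintext connector listens on all interfaces: $c"; rc=1 ;; esac ;;
    esac
  done < "$list"
  rm -f "$list"
  [ "$ssl" -gt 0 ] || { echo "no enabled SSL connector"; rc=1; }
  return $rc
}
```

Typical use: `make_keystore mws.example.com /var/lib/tomcat6/.keystore "$(cat /root/keystore.pass)"`, paste the output of `tomcat_connectors /var/lib/tomcat6/.keystore "$(cat /root/keystore.pass)"` into server.xml in place of the stock connectors, then run `audit_server_xml $CATALINA_HOME/conf/server.xml` before restarting Tomcat; a non-zero exit lists what still needs changing. Binding the 8080 connector to loopback means remote clients cannot use the CONFIDENTIAL redirect and must be given the https URL, which is the intended outcome.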


© 2017 Adaptive Computing