Increase security and performance tuning in pentaho+ and tomcat
Hardening is a process of taking a finished application and making it more difficult to reverse engineer and tamper. Combined with secure coding practices, application hardening is a best practice for companies to protect their app’s IP and prevent misuse, cheating, and repackaging by bad users.
Tomcat-Hardening
The below steps to be followed to harden the Tomcat web server to secure the application.
1. Remove Server Banner
Open the tomcat application in firefox and verify the server info from firebug.
Removing Server Banner from HTTP Header is one of the first things to do as hardening. Having server banner expose the product you are using and leads to information leakage vulnerability.
i. Go to <tomcat installed directory>/conf folder
ii. Modify server.xml by using vim editor
iii. Add following under Connector port and save the file
Server =” “ <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" Server =" " redirectPort="8443" />
Usage: Server banner information should be ignored, since It will protect the server from the hackers to launch Targeted attacks against our web server and version.
Verification:
i. Open Firefox with firebug
ii. Access Tomcat application
iii. You will notice Server value is blank now.
2. Starting Tomcat with a Security Manager
Security Manager protects you from an untrusted applet running in your browser. Running Tomcat with a security manager is definitely better than running without one.
start tomcat with –security argument <tomcat installed directory>/bin# ./startup.sh -security
Usage: Security Manager protects you from an untrusted applet running in your browser, use of a SecurityManager, while running Tomcat can protect your server from trojan servlets, JSPs, JSP beans, and tag libraries. Or even inadvertent mistakes
3. Enable access log logging
The default configuration doesn’t capture access logs. The access log is very useful in troubleshooting to check request type, requester IP address, status code, etc.
i. Go to <tomcat installed directory>/conf
ii. Modify server.xml by using vi
iii. Go to the end of the file and uncomment Valve entry for valves.AccessLogValue
iv. <Valve className=”org.apache.catalina.valves.AccessLogValve”
v. directory=”logs”
vi. prefix=”localhost_access_log.”
vii. suffix=”.txt”
viii. pattern=”common” resolveHosts=”false”/>
ix. Restart Tomcat server and you should see localhost_access_log is created under <tomcat installed directory>/logs folder
Usage: The default configuration doesn’t capture access logs. The access log is very useful in troubleshooting to check request type, requester IP address, status code, etc.
4. Enforced HTTPS
It’s good to force redirect all HTTP requests to HTTPS to ensure web application data transmission are over SSL Certification.
i. Go to <tomcat installed directory>/conf folder
ii. Modify web.xml by using vim editor
iii. Add following before </web-app> syntax
iv. <security-constraint>
v. <web-resource-collection>
vi. <web-resource-name>Protected Context</web-resource-name>
vii. <url-pattern>/*</url-pattern>
viii. </web-resource-collection>
ix. <user-data-constraint>
x. <transport-guarantee>CONFIDENTIAL</transport-guarantee>
xi. </user-data-constraint>
xii. </security-constraint>
xiii. Restart Tomcat and access web application to verify.
Note: ensure Tomcat is configured to run on SSL else it will break the application accessibility.
5. Add Secure flag in cookie
It is possible to steal or manipulate web application session and cookies without having a Secure flag in HTTP Header as Set-Cookie.
i. Go to <tomcat installed directory>/conf folder
ii. Modify server.xml by using vi
iii. Add following in Connector port
Secure=”true" <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" Server=" " Secure="true" redirectPort="8443" />
Usage : The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTPS Response.
The purpose of the secure flag is to prevent cookies from being observed by unauthorized parties due to the transmission of a the cookie in clear text.
Verification:
i. Open Firefox with firebug
ii. Access your application and check HTTP response header, you should see Secure flag
6. Add HttpOnly in cookie
Best practice to have this enabled at application code level. However, due to bad programming or developer’s unawareness, it comes to Web Infrastructure.
i. Go to <tomcat installed directory>/conf folder
ii. Modify context.xml by using vi
iii. Add following in Context directive
usehttponly=”true” <context usehttponly="true"> ... </context>
Usage: Adding Http only in cookies will prevent the webservers from the steal or manipulate web application session and cookies.
Verification:
Press F12 / firebug , go to the Cookies tab to verify the tomcat application pages for HttpOnly.
7. Enable Secure Socket Layer (SSL)
To enable Tomcat to listen over HTTPS protocol, you must configure tomcat with SSL. This assumes you have SSL Certificate imported under keystore.
i. Go to $tomcat/conf folder
ii. Modify server.xml by using vim editor
iii. Add following under Connector port
SSLEnabled=”true” scheme=”https” keystoreFile="conf/keystore" keystorePass="password" <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" Server=" " Secure="true" SSLEnabled="true" scheme="https" keystoreFile="conf/keystore" keystorePass="password" clientAuth=”false” sslProtocol=”SSLv3” redirectPort="8443" />
Usage: It is a standard security protocol for establishing encrypted links between a web server and a browser in an online communication.
The usage of SSL technology ensures that all data transmitted between the web server and browser remains encrypted and securedIt is a standard security protocol for establishing encrypted links between a web server and a browser in an online communication.
The usage of SSL technology ensures that all data transmitted between the web server and browser remains encrypted and secured.
Verification: Open the tomcat application in browser with https:///, if you open the same with http:// then it will not allow you to view the application.
8. Run Tomcat from non-privileged account
It’s good to use a separate non-privileged user for Tomcat. The idea here is to protect other services running in case of any security hole.
i. Create a UNIX user
ii. Change <tomcat installed directory> ownership to newly created UNIX user
Usage: For security purpose, tomcat should be run as a separate user with reduced permission, to protect other services running in case of any security hole.
9. Remove default/unwanted applications
By default, Tomcat comes with following web applications, which may or not be required in a production environment. You can delete them to keep it clean and avoid any known security risk with Tomcat default application.
i. ROOT – Default welcome page
ii. Docs – Tomcat documentation
iii. Examples – JSP and servlets for demonstration
iv. Manager, host-manager – Tomcat administration
Usage: By default, Tomcat comes with sample web applications, which are not be required in a production environment. Clean up and avoid any known security risk with Tomcat default application.
10. Change SHUTDOWN port and Command
By default, tomcat is configured to be shutdown on 8005 port. Do you know you can shutdown tomcat instance by doing a telnet to IP:port and issuing SHUTDOWN command?
# telnet localhost 8005 Trying ::1... telnet: connect to address ::1: Connection refused Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. SHUTDOWN Connection closed by foreign host. #
You see having default configuration leads to high-security risk. It’s recommended to change tomcat shutdown port and default command to something unpredictable.
i. Go to $tomcat/conf folder
ii. Modify server.xml by using vim editor
<Server port="8005" shutdown="SHUTDOWN">
Usage: Default shutdown port and commands leaves anyone to easily connect and shutdown the server, So the default shutdown port and command must be changed or it should be disabled.
11. Replace default 404, 403, 500 page
Having default page for not found, forbidden, server error exposes Tomcat version and that leads to security risk if you are running with vulnerable version. Let’s look at default 404 page.
To mitigate, you can first create a general error page and configure web.xml to redirect to general error page.
i. Go to $tomcat/webapps/$application
ii. Create an error.jsp file
#vi error.jsp <html> <head> <title>404-Page Not Found</title> </head> <body> That's an error! </body> </html>
- Go to $tomcat/conf folder
- Add following in web.xml by using vi. Ensure you add before </web-app> syntax
<error-page> <error-code>404</error-code> <location>/error.jsp</location> </error-page> <error-page> <error-code>403</error-code> <location>/error.jsp</location> </error-page> <error-page> <error-code>500</error-code> <location>/error.jsp</location> </error-page>
Restart tomcat server. Now, let’s test it.
Usage: Default error page served by Tomcat can include the server and its configuration / path information that could be considered a vulnerability. To prevent this need to have a custom error page.
Verification: Restart tomcat server. Now, let’s test it.
12. Session Timeout
The session timeout for all web applications must be set to 20 minutes.
This can be done by editing the file in the $tomcat/conf/web.xml and setting the following configuration option:
<session-config> <session-timeout>20</session-timeout> </session-config>
Usage: Server terminates automatically, if sessions remains idle for a specific time period
Pentaho+ Hardening
Disable Home Perspective Widgets
The default console Home perspective contains the Getting Started widget, which has easy instructions and tutorials for evaluators. The directions below show you how to hide not only the Getting Started widget, but also other Home perspective widgets, as needed:
i. Shut down the Pentaho+ Server, if it is currently running.
ii. If you have not deployed yet, navigate to the /pentaho-platform/user-console/source/org/pentaho/mantle/home/properties/config.properties file.
iii. If you have manually deployed and want to hide widgets at a later time, navigate to /pentaho-server/tomcat/webapps/pentaho/mantle/home/properties/config.properties file.
iv. Find the line that starts with disabled-widgets= and type in the ID of the widget getting-started. You can also disable the Recents and Favorites widgets using the same method, as shown here. Save and close the file.
v. disabled-widgets=getting-started,recents,favorites
vi. Locate the /pentaho-server/tomcat/webapps/pentaho/mantle/home and open the index.jsp file with any text editor.
vii. Find this line and comment it out, then save and close the file.
viii. <script language='JavaScript' type='text/javascript' src='https://admin.brightcove.com/js/BrightcoveExperiences.js'></script>
ix. Start the Pentaho+ Server and log in to the User Console.
You now have a Home page that is scrubbed of the specified widget(s).
Turn Autocomplete Off for Web App Login Screen
- The User Console’s login settings have autocomplete turned off by default; if you need to, here is how to manually disable the autocomplete.
- Stop the Pentaho+ Server.
- Navigate to the /pentaho-server/tomcat/webapps/pentaho/jsp directory and open the PUCLogin.jsp file with any text editor.
- Find the following two sections of text and change the autocomplete entry to off, as shown.
<input id="j_username" name="j_username" type="text" placeholder="" autocomplete="off"> <input id="j_password" name="j_password" type="password" placeholder="" autocomplete="off">
- Save and close the PUCLogin.jsp file.
- Restart the Pentaho+ Server.
- Autocomplete for user names and passwords is now disabled for the User Console login screen.
Remove Sample Data from the Pentaho+ Server
By default, Pentaho+ provides a sample data source and a solution directory filled with example content. These samples are provided for evaluation and testing. Once you are ready to move from an evaluation or testing scenario to development or production, you can remove the sample content. Follow the instructions below to completely remove the Pentaho+ sample data and solutions:
i. Stop the Pentaho Plus Server.
ii. Delete the samples.zip file from the /pentaho-server/pentaho-solutions/system/default-content directory. If you performed a manual WAR build and deployment, then the file path is /pentaho-server/pentaho-solutions/system.
iii. Edit the /pentaho/WEB-INF/web.xml file inside of the deployed pentaho.war. As laid down by the Pentaho Plus graphical installer and archive packages, this path should be /pentaho-server/tomcat/webapps/pentaho/WEB-INF/web.xml. If you performed a manual WAR build and deployment, then you must adjust the path to fit your configuration.
iv. Remove the hsqldb-databases section from the /pentaho/WEB-INF/web.xml file:
v. BEGIN HSQLDB DATABASES
<!-- [BEGIN HSQLDB DATABASES] --> <context-param> <param-name>hsqldb-databases</param-name> <param-value>sampledata@../../data/hsqldb/sampledata</param-value> </context-param> <!-- [END HSQLDB DATABASES] -->
vi. Remove the hsqldb-starter section from the /pentaho/WEB-INF/web.xml file:
vii. BEGIN HSQLDB STARTER
<!-- [BEGIN HSQLDB STARTER] --> <listener> <listener-class>org.pentaho.platform.web.http.context.HsqldbStartupListener</listener-class> </listener> <!-- [END HSQLDB STARTER] -->
viii. Remove the SystemStatusFilter:
Note: This is not part of the Pentaho samples; it provides error status messages that are only useful for development and testing purposes, and should be removed from a production system.
<filter> <filter-name>SystemStatusFilter</filter-name> <filter-class>com.pentaho.ui.servlet.SystemStatusFilter</filter-class> <init-param> <param-name>initFailurePage</param-name> <param-value>InitFailure</param-value> <description>This page is displayed if the Pentaho+ System fails to properly initialize.</description> </init-param> </filter>
i. Save and close the web.xml file.
ii. Delete the /pentaho-server/data/ directory. This directory does not exist if you installed Pentaho with the installation wizard. It contains a sample database, control scripts for that database, the environment settings it needs to run, and SQL scripts to initialize a new repository.
iii. Restart the Pentaho+ Server.
iv. Log on to the User Console with the administrator user name and password and go to the Browse Files page.
- In the Folders pane, expand the Public folder and click to highlight the folder containing the Steel Wheels sample data. Click Move to Trash in the Folder Actions pane and confirm the deletion.
- Highlight the folder containing the Pentaho Plus Operations Mart sample data. Click Move to Trash in the Folder Actions pane and confirm the deletion.
Your Pentaho+ Server instance is now cleaned of samples and development/testing pieces, and is streamlined for production.
Enable JPivot in the User Console
We recommend that you use Pentaho+ Analyzer for analytic reporting. However, perform the following steps if you need to enable JPivot on the Pentaho+ Server:
Caustion: JPivot was deprecated in Pentaho 5.0 and is no longer supported by Pentaho Customer Support.
i. Shut down the Pentaho Plus Server if it is currently running.
ii. Navigate to /pentaho-server/pentaho-solutions/system/pentaho-jpivot-plugin-legacy/plugin.xml file and delete file.
iii. Rename the file called /pentaho-server/pentaho-solutions/system/pentaho-jpivot-plugin-legacy/plugin.xml.enabled to /pentaho-server/pentaho-solutions/system/pentaho-jpivot-plugin-legacy/plugin.xml and save it. You can either turn off the deprecation message for JPivot, or restart the Pentaho at this point.
iv. Turn Off Deprecation Message for JPivot – Optional
v. Shut down the Pentaho Plus Server if it is currently running.
vi. Navigate to the /pentaho-solutions/system/pentaho-jpivot-plugin-legacy/settings.xml and open the file.
vii. Change the Boolean value as shown and save the file.
From:
<show-deprecation-warning>true</show-deprecation-warning>
To: <show-deprecation-warning>false</show-deprecation-warning>
Restart the Pentaho+ Server.
The JPivot plug-in is enabled in the User Console and the deprecation message is turned off.
Change the Location of the Server Log File
If you are using Linux, the log4j.xml file is found in /pentaho-server/tomcat/webapps/pentaho/WEB-INF/classes/.
Modify the location as shown in the sample below, using the appropriate path to your installation:
<param name="File" value="home/pentaho/server/pentaho-server/logs/pentaho.log"/> <param name="Append" value="true"/>
Change the Quartz Misfire Threshold
With Quartz, sometimes scheduled jobs, transformations, or reports might try to run several times when they are manually stopped and restarted, instead of running only once. This is typically caused by the misfireThreshold property in Quartz being set at too high of a number.
These steps show how to reset the misfireThreshold to a lower numerical value.
i. Stop the Pentaho+ Server.
ii. Locate the /pentaho-server/pentaho-solutions/system/quartz directory.
iii. Open the quartz.properties file with any text editor.
iv. Find the property shown below and change the default to a smaller number, such as 5000. The default value represents the number of milliseconds.
v. org.quartz.jobStore.misfireThreshold = 60000
vi. Save and close the quartz.properties file.
vii. Restart the Pentaho+ Server.
Set System Max Row Limit for Interactive Reports
You can prevent too many resources from hitting your database server at once by setting a system-wide maximum row-limit for Pentaho Plus Interactive Reports. Your users can still define their own design-time row limits in PIR, but they will never be able to go over the maximum number of rows that you have specified while designing their reports.
i. Shut down the Pentaho+ Server.
ii. Locate the /pentaho-server/pentaho-solutions/system/pentaho-interactive-reporting directory.
iii. Open the settings.xml file with any text editor.
iv. Find the <query-limit> tag and change the default number of 100000 within the tags to the maximum number of rows desired.
<!– The maximum number of rows that will be rendered in a report on PIR edit and view mode. A zero value means no limit. –>
<query-limit>100000</query-limit>
i. Save and close the settings.xml file.
ii. Start the Pentaho Plus Server.
If you are migrating content from a previous version, you will need to add the <query-limit> tag to your settings.xml for PIR.
Roll Back System Max Row Limit
These instructions show you how to return the system maximum row limit to the Pentaho 5.3 settings.
i. Shut down the Pentaho Server.
ii. Locate the /pentaho-server/pentaho-solutions/system/pentaho-interactive-reporting directory.
iii. Open the settings.xml file with any text editor.
1. To change the maximum number of rows that will be rendered in a Pentaho Interactive Report in edit or view mode, find the <design-query-limit> tag and change the default number of 500 back to 25.
FROM:
<design-query-limit>500</design-query-limit>
TO:
<design-query-limit>25</design-query-limit>
2. To turn the design-query-limit to be OFF by default, find the <design-query-limit-enabled> tags and change the value to false.
<design-query-limit-enabled>false</design-query-limit-enabled>
Save and close the settings.xml file.
Restart the server.
Increase the CSV File Upload Limit
You may find that you need to increase the size of the upload limit for your CSV files. These steps guide you through this process.
i. Go to /pentaho-server/pentaho-solutions/system and open the pentaho.xml file.
ii. Edit the XML as needed (sizes are measured in bytes):
<file-upload-defaults> <relative-path>/system/metadata/csvfiles/</relative-path> <!-- max-file-limit is the maximum file size, in bytes, to allow to be uploaded to the server --> <max-file-limit>10000000</max-file-limit> <!-- max-folder-limit is the maximum combined size of all files in the upload folder, in bytes. --> <max-folder-limit>500000000</max-folder-limit> </file-upload-defaults>
i. Save your changes to the file.
ii. In the User Console, go to Tools > Refresh System Settings to ensure that the change is implemented.
iii. Restart the User Console.
Change the Staging Database for CSV Files
Hibernate is the default staging database for CSV files. Follow these instructions if you want to change the staging database.
i. Go to /pentaho-solutions/system/data-access and open the settings.xml file with any text editor.
ii. Edit the settings.xml file as needed. The default value is shown in the sample below.
iii. <!– settings for Agile Data Access –>
iv. <data-access-staging-jndi>hibernate</data-access-staging-jndi>
This value can be a JNDI name or the name of a Pentaho+ Database Connection.
i. Save and close the file.
ii. Restart the User Console
Change the Karaf Startup Timeout Setting
Upon start up, the system waits for Karaf to install all of its features before timing out. If you modify Karaf and it now takes longer to install during start up, you may need to extend the default timeout setting to allow Karaf more time to install. The current default timeout is 2 minutes (120000 milliseconds).
You can change this default timeout by editing the server.properties file.
1. Stop the Pentaho+ Server.
2. Navigate to the /pentaho-server/pentaho-solutions/system directory.
3. Open the server.properties file with any text editor, and search for the karafWaitForBoot parameter.
4. Uncomment the line containing the parameter and set it to your desired wait time in milliseconds.
# This sets the amount of time the system will wait for karaf to install all of
# it’s features before timing out. The default value is 2 minutes but can be
# overridden here.
#karafWaitForBoot = 120000
5. Save and close the file.
6. Restart the Pentaho Plus Server.
Change the Port Numbers for the Pentaho+ Server
Follow the instructions below to change the port through which the Pentaho+ Server runs:
i. Stop the Pentaho+ Server.
ii. Navigate to the /pentaho-server/tomcat/conf/ directory.
iii. Open the server.xml file with any text editor, and search for the value for Define a non-SSL HTTP/1.1 Connector. Change the port number in the connector port element below from 8080 to your preferred port number.
<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 --> <Connector port="8080" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" redirectPort="8443" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" />
i. Save and close the server.xml file.
ii. Navigate to the /pentaho-server/pentaho-solutions/system directory and open the server.properties file with any text editor.
iii. Change the fully-qualified-server-url entry to match the new port number you specified in server.xml.
fully-qualified-server-url=http://localhost:8080/pentaho/
Save and close the file.
Restart the Pentaho Plus Server.
If you recently upgraded to Pentaho+ 6.0, you may need to remove the <context-param> entry for the fully-qualified-server-url from the /tomcat/webapps/pentaho/WEB-INF/web.xml. If so, restart the Pentaho+ Server after removing it.
Change the Web Application Name or Port
The Pentaho+ Server and web application default port number is 8080. The default web application name is pentaho, which is the name of the .war file archive, the name of the directory that your application server creates, and also part of the URL structure for all content in the User Console.
If you need to change the User Console application name to something else, or if your Web application server is running on a port other than 8080, follow these instructions for either JBoss or Tomcat.
Change the Web Application Name on Tomcat
These instructions only work on Tomcat servers that are configured to accept context.xml overrides built into deployed .war files. Some Tomcat deployments may not have this feature turned on. You can change the Tomcat configuration on your own, or consult your Tomcat documentation to learn about other methods of changing a web application context. Use the XML snippet in these instructions in whichever configuration file you end up creating or modifying.
Follow these instructions to change the web application context for a Pentaho+ .war file that you deployed to a Tomcat server. While the example below uses ‘sample’ as the context name, you can use whatever context name you choose.
1. Stop the server.
2. Open the pentaho/server/pentaho-server/tomcat/webapps/pentaho/META-INF/context.xml file in a text editor, and change the pentaho references in the context path tag to your preferred context name. For example, to specify a context name of ‘sample’, modify context path as follows.
<context path="/sample" docbase="webapps/sample/">
3. Save and close the file.
4. Navigate to the pentaho/server/pentaho-server/tomcat/webapps folder, and rename the pentaho folder to your preferred context name. In this example, rename the pentaho folder to sample.
5. Edit the pentaho/server/pentaho-server/tomcat/webapps/ROOT/index.jsp file to change the pentaho reference in the URL property to your preferred context name. In this example, use the following line of code to specify ‘sample’ as the new context name:
<meta http-equiv=”refresh” content=”0;URL=/sample”>
7.Edit the pentaho/server/pentaho-server/pentaho-solutions/system/server.properties file to change pentaho in the value of the fully-qualified-server-url setting to your preferred context name. In this example, set the fully-qualified-server-url as follows.
fully-qualified-server-url=http://localhost:8080/sample/
8. Start the server.
Remove sample users and credentials
The sample users and the credentials in the pentaho console should be removed due to security purpose.To do that edit the file called /pentaho-server/pentaho-solutions/system/pentaho.xml and change the line as shown ln below.
<login-show-sample-users-hint>false</login-show-sample-users-hint>
Once changed, restart the server and check the pentaho user console and make sure that the default sample user credentials gets removed.