Securing SBM
In the Secure SBM tab, you generate, export, or import key pairs (certificates with their private signing keys) to secure connections in your SBM installation. Configuring trust keys ensures greater security for your entire SBM installation.
- Securing Your Installation
- Working With Trust Keys
- Web Application Firewall
- Configuring SSL/TLS Protocols
Securing Your Installation
SBM Configurator warns you if your installation currently uses default certificates (which should be replaced) or if your current certificates will expire soon. The steps for securing your installation depend on its type:
- Single server installation – All SBM components are installed on a single server.
- Distributed server installation – SBM components are installed on multiple servers that comprise a single production environment.
- Multiple environment installation (or "path to production") – SBM components are installed on single or multiple servers that are separated into multiple SBM environments (such as development, test, and production).
To secure SBM in a single server installation:
- Launch SBM Configurator.
- Click the Security tab.
- Click the Secure SBM sub-tab.
- Click the Generate All button. This operation creates new unique key pairs.
- Click the Apply button.
To secure SBM in a distributed server installation:
- Launch SBM Configurator on the server that hosts the Single Sign-On (SSO) component. (View the Components tab in SBM Configurator to determine which server has SSO installed if you are not sure).
- Click the Security tab.
- Click the Secure SBM sub-tab.
- Click the Generate All button. This operation creates new unique key pairs.
- Click the Apply button.
If you are using the Configuration Settings database to store the configuration from all servers in a centralized location, click Update From Database, and then Apply on your other servers. You have now successfully secured your entire installation.
If you are not using the Configuration Settings database, proceed with the next step.
- Click the Export All button. This operation creates a .zip file that contains the new unique key pairs. Enter a password for the keystores in the .zip file and save the file locally.
- Copy the .zip file to each other server in your distributed installation.
- Navigate to the Secure SBM sub-tab on each server and click the Import All button. Browse to the .zip file that you saved in the previous step.
To secure SBM in a multi-environment (path to production) installation:
- Launch SBM Configurator on the production server that hosts the Single Sign-On (SSO) component. (View the Components tab in SBM Configurator to determine which server has SSO installed if you are not sure).
- Click the Security tab.
- Click the Secure SBM sub-tab.
- Click the Generate All button. This operation creates new unique key pairs.
- Click the Apply button.
If you are using the Configuration Settings database to store the configuration from all servers in a centralized location, click Update From Database, and then Apply on your other servers. You have now successfully secured your entire multi-environment installation.
If you are not using the Configuration Settings database, proceed with the next step.
- Click the Export All button. This operation creates a .zip file that contains the new unique key pairs. Enter a password for the keystores in the .zip file and save the file locally.
- Copy the .zip file to each of the other servers in each of the environments throughout your installation.
- Navigate to the Secure SBM sub-tab on each server and click the Import All button. Browse to the .zip file that you saved in the previous step.
Working With Trust Keys
You can also generate, import, and export key pairs for individual components in utility mode. You can use the options in the Actions menu to establish trust relationships with other products.
In the Trust Keys section, click the Actions link, and then select one of the following options:
- Generate key pair – Click Generate Key pair to create a new unique signing key. For example, you can generate a new key pair for each component that is listed in the Components group box to create a unique trust between the selected component and the other SBM entities on the server.
- Import key pair – Click Import Key pair if you want to import key pairs. This does not import the certificates that are exported from SBM Configurator; instead, it imports a key pair that has been generated outside of SBM Configurator.
- Export Key pair – Click Export Key pair if you want to export a key pair for a selected component.
- Export Certificate – If you have integrated SBM with other products that use SSO, their truststores need to be updated as well. SBM Configurator cannot perform the update on these other products; therefore, click Export Certificate to export the certificate and save it as a local file and then import it into each product's truststore manually. Please refer to the documentation for these other products for assistance with importing the certificate.
Web Application Firewall
This option controls the ModSecurity web application firewall in SBM, which enables you to implement tighter security screening for your SBM installation. You can choose to enable threat detection logging (via the Log option), or threat detection logging and request filtering (via the Block option) depending on your needs. For details on ModSecurity, refer to https://www.modsecurity.org/.
This feature enables Support to address security concerns quickly, in a focused manner without the need to install a patch or upgrade to address potential vulnerabilities. For example, if a vulnerability is discovered, Support can provide a ModSecurity configuration rule that addresses the issue.
Note that the default configuration that is provided with SBM contains a basic set of rules that tighten system security; however, you will ultimately need to customize the ModSecurity rules in order to block specific requests or threats as necessary.
The web application firewall is enabled via a module (ModSecurity IIS) in IIS that SBM Configurator adds to each SBM application in IIS. The module uses a set of pre-defined rules in configuration files that are located in the following directory:
installDir\SBM\Application Engine\modsecurity\config
If you add or modify any rules in the configuration files, you must reset IIS for the changes to take effect. For more information about ModSecurity rules, refer to solution S141332.
Select one of the following options to configure the firewall:
- Log
Enables threat detection logging only. Captures potential vulnerabilities and writes them to the Application Event Log on the SBM Application Engine server.
- Block
Enables threat detection logging and filters requests (according to your configuration rules) that are considered dangerous.
- Off
No threat detection or filtering is enabled. This is the default option.
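To make the difference between the three options concrete, here is an added example (not SBM's or ModSecurity's code, and not SBM's shipped rule set) that models a firewall with two constructed rules and runs the same constructed requests through it in each mode. ModSecurity itself expresses the mode with its SecRuleEngine directive (DetectionOnly, On, Off); the model uses the option names from the tab.

```python
"""Toy model of the Log / Block / Off modes of a web application firewall.

Added example: not SBM's or ModSecurity's code. The rules and requests below
are constructed for illustration; the event_log list stands in for the
Application Event Log that SBM writes detections to.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed rules: (rule id, description, regex applied to the request line).
RULES = [
    (900001, "directory traversal sequence in path", re.compile(r"\.\./")),
    (900002, "script tag in query string", re.compile(r"<script", re.IGNORECASE)),
]


@dataclass
class Firewall:
    mode: str                                      # "Off", "Log" or "Block"
    event_log: list = field(default_factory=list)  # stand-in for the Application Event Log

    def inspect(self, request_line: str) -> tuple[bool, list[int]]:
        """Return (allowed, matched_rule_ids) for one request line."""
        if self.mode == "Off":
            return True, []  # no detection and no logging at all
        matched = [rid for rid, _, pattern in RULES if pattern.search(request_line)]
        for rid in matched:
            desc = next(d for r, d, _ in RULES if r == rid)
            self.event_log.append(f"rule {rid} matched ({desc}): {request_line}")
        if self.mode == "Block" and matched:
            return False, matched  # request filtered according to the rules
        return True, matched       # Log mode: recorded, but the request passes through


# Constructed sample request lines (not taken from any real log).
SAMPLE_REQUESTS = [
    "GET /app/home HTTP/1.1",
    "GET /app/../../secret.txt HTTP/1.1",
    "GET /app/page?q=<script>x</script> HTTP/1.1",
]


def run(mode: str) -> dict:
    """Run all samples through a firewall in the given mode and summarise the outcome."""
    fw = Firewall(mode)
    results = [fw.inspect(r) for r in SAMPLE_REQUESTS]
    return {
        "allowed": sum(1 for ok, _ in results if ok),
        "blocked": sum(1 for ok, _ in results if not ok),
        "logged": len(fw.event_log),
    }


if __name__ == "__main__":
    for mode in ("Off", "Log", "Block"):
        print(mode, run(mode))
```

The point to take from the model is that Log and Block detect and record exactly the same requests; only Block stops them. This is why the page suggests running in Log mode first: the event log shows what the current rules would block before any request is actually filtered.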
Configuring SSL/TLS Protocols
If your system requires older versions of the SSL and TLS protocols, select the protocols as needed in the SSL/TLS Protocols section. Use caution, however, as these older versions contain known security vulnerabilities that could expose your system to malicious attacks. Do not enable legacy protocols unless absolutely necessary.
Securing SSO
In the Secure SSO tab, you configure settings to secure SSO for your SBM installation. You can configure the following settings at any time in utility mode.
- Setting the SSO Session Lifetime
- Establishing SSL for the SSO Log in
- Updating SSO Keystores
- Encrypting SSO Configuration Files
- Overriding SSO URLs
Setting the SSO Session Lifetime
Enter a Session lifetime value for SSO security tokens. This setting controls the length of time for which an issued SSO token is valid. It is not related to browser session inactivity. Enter a numeric value and select hours or minutes in the drop-down box to set the timeout.
To change the session timeout value:
- In the Session lifetime field, enter a numeric value (which represents the number of hours or minutes for the timeout period).
- In the drop-down box, select hours or minutes to set the timeout.
- Select Enable automatic session renewal if you want to ignore the token lifetime setting completely, thereby preventing a trip to the SSO Security Server login page when the session expires. After this setting is enabled, the next time a session expires, the SSO Gatekeeper renews the expired token instead of the SSO server. In that case, the session only ends by closing the browser.
Note: If you enable this setting in a distributed server environment, you must run SBM Configurator on each server and enable this setting.
Establishing SSL for the SSO Log in
If you enable this setting in a distributed server environment, you must enable this setting on both the SBM Application Engine server and the Application Repository server.
Updating SSO Keystores
You can change the default password for the following:
- SSO Security Server (IDP) and gatekeeper keystores
- SSO Security Server (IDP) and gatekeeper truststores
To update the default password:
- Click Change Keystore Passwords.
- A window appears and displays the current password. (The default is changeit).
- Enter a new password and click OK.
- Click Apply.
Encrypting SSO Configuration Files
Use the SSO encryption options to protect vulnerable passwords in the SSO configuration files that are installed on your server. These passwords are not encrypted by default; therefore, to properly secure your installation, select an encryption algorithm and encrypt your SSO configuration files.
You can apply SSO encryption on all of your SBM servers to encrypt the SSO configuration files that are installed on each server.
- Encrypt All
Select this option to encrypt your SSO configuration files using a selected algorithm from the drop-down box. This operation encrypts passwords that normally appear in clear text in various SSO configuration areas (such as the ALFSSOgatekeeper and IDP).
- Decrypt All
Select this option to decrypt files that you have previously encrypted using SBM Configurator. If you need access to the decrypted version of a password, select this option to remove the current encryption.
- Re-Encrypt
Select this option to apply a new encryption to the files that you have previously encrypted using SBM Configurator. If you manually decrypt a previously encrypted password, this option will not re-encrypt the password.
After you change any of the encryption settings, you are prompted to restart the SBM Tomcat service for the changes to take effect.
Overriding SSO URLs
Click Override to change the default SSO URLs. This enables you to configure access through your company firewall as necessary. For example, if you need to override the internal hostname and port in the gsoap URL for servers that are beyond the firewall, you can change those values here.
You might also override the SSO URLs in the event that you want to use the IIS filter plugin instead of Tomcat to filter requests. You can modify the URLs to override the SSO login page to use IIS (via port 80) instead of Tomcat so that IIS initially handles the authentication request and then passes the information to SSO.
To override the default SSO URLs:
- Click Override. The override dialog box appears.
- In the dialog box, change the URL value as desired. Refer to the sample Template URL to view the required syntax for the URL.
- Click Test Connection to validate the URL. If the URL is valid, a Connection successful message appears.
- Click the Override button to save your changes. The new URL value is displayed in the list of URLs.
- Click Override to change the URL again, or click [Reset to default] to undo your changes and use the default SSO URL.
- Click Apply.
Client Certificate Authentication
In the Client Certificate Authentication tab, you can enable bi-directional (two-way) SSL authentication between the components in SBM. Client certificate authentication provides tighter security for your entire SBM installation because, once trust is established, each machine can reliably identify itself and provide assurance of its identity to the server. This helps prevent sniffing and relay attacks against your SBM system.
Trust is established by assuring the client's identity to the server. To provide this assurance, a client signs the messages it sends with the private key of an asymmetric key pair. If the server has the corresponding public key installed in its truststore, it can verify the signature and so prove that the message was sent by the holder of that private key. If a server receives a message from a client but does not have a key corresponding to the one the client used, the message is rejected.
Note the following:
- The client certificate authentication set up process is two-fold: you must establish trust between your IIS and Tomcat servers, and you must establish trust between all of your SBM Composer client machines and the Application Repository and SSO servers. Begin by performing the steps according to the type of server installation you have, and finish by completing the steps for SBM Composer.
- If you are using a software load balancer with SBM that is already configured to use client certificate authentication for all internal communication between the SBM components, select the Client Certificate Authentication is handled by load balancer check box in the IIS and Tomcat sections (whichever is applicable) before you perform the following steps.
For IIS, this ensures that the certificate is added to the Windows trust store and the certificate details are stored in the database, and removes the SSL requirement for the gsoap application in IIS. If you do not use a load balancer for IIS or Tomcat, do not select this checkbox in either section.
- The sbmproxy application provides the capability to handle SOAP traffic. However, it does not proxy SOAP requests if client certificate authentication is enabled in SBM—the SOAP proxy cannot be secured by client certificate SSL like the other SBM components. This means the sbmproxy application will not proxy SOAP traffic if you configure client certificate security between SBM components.
- Single Server Installation
- Distributed Installation
- Client Certificate Authentication with SBM Composer
- Troubleshooting Issues
Single Server Installation
To enable client certificate authentication, you must first configure SSL for IIS and Tomcat according to the steps in the Configuring SSL topics for IIS and for Tomcat. The SSL port that you specify on the IIS Server tab is used on the Client Certificate Authentication tab. The server SSL port that you specify for Tomcat must be different from the port that is used for client certificate authentication.
To enable client certificate authentication in a single server installation:
- Import or select an existing server certificate to establish SSL on the IIS Server and Tomcat Server tabs.
- Click the Security tab, and then open the Client Certificate Authentication sub-tab.
- Select the Enable SSL Client Certificate Authentication check box.
- In the IIS section, click Generate Client Certificate to create a new certificate and key pair for IIS.
- In the Tomcat section, click Generate Client Certificate to create a new certificate and key pair for Tomcat.
- On the Component Servers tab, select Use HTTPS on port in the IIS section.
- Click Apply in SBM Configurator.
- In SBM Application Repository, update the Application Engine server URL for your environment, the target server URLs, and any internal endpoints to use HTTPS with the client certificate authentication port. After you have updated the environment and any endpoints, redeploy your process apps.
- Follow the steps in Client Certificate Authentication with SBM Composer to secure connections from SBM Composer.
Distributed Installation
To enable client certificate authentication between components in a distributed installation:
- Configure SSL on your IIS and Tomcat servers by importing or selecting an existing server certificate on the IIS Server and Tomcat Server tabs.
- On each IIS and Tomcat server:
- Click the Security tab, and then open the Client Certificate Authentication sub-tab.
- Select the Enable SSL Client Certificate Authentication check box.
- Click Generate Client Certificate.
- On the IIS server, open the Component Servers tab, and then select Use HTTPS on port in the IIS section.
If you are using the Configuration Settings database to store the configuration from all servers in a centralized location, click Update From Database, and then Apply on your other servers. You have now successfully secured your entire installation.
If you are not using the Configuration Settings database, proceed with the next step.
- On each Tomcat server, click the Export button at the bottom of SBM Configurator. Save the configuration snapshot file on each Tomcat server.
- Copy the snapshot files from each Tomcat server to the IIS server.
- On the IIS server, click the Import button at the bottom of SBM Configurator and import the snapshot files from each Tomcat server.
- Once all the snapshots have been imported on the IIS server, click the Export button at the bottom of SBM Configurator. Save the configuration snapshot file on the IIS server.
- Copy the snapshot file from the IIS server to each Tomcat server.
- On each Tomcat server, click the Import button at the bottom of SBM Configurator, and then import the snapshot file from the IIS server.
- Click Apply in each instance of SBM Configurator.
- In SBM Application Repository, update the Application Engine server URL for your environment, the target server URLs, and any internal endpoints to use HTTPS with the client certificate authentication port. For example:
https://serverName:443/gsoap/gsoap_ssl.dll?sbminternalservices72
https://serverName:8443/jbpm-bpel/services/DeployService
https://serverName:8443/eventmanager/services/ALFAdmin
After you have updated the environment and any endpoints, redeploy your process apps.
- Follow the steps in Client Certificate Authentication with SBM Composer to secure connections from SBM Composer.
If you do not want to export and import configuration snapshots to establish client certificate authentication, you can use the Export Client Certificate and Import Client Certificate buttons to establish trust between your IIS and Tomcat servers. In the Export dialog box, you can export just the public certificate, or the public and private certificates (for example, if you want to clone the certificate on multiple Tomcat servers).
Client Certificate Authentication with SBM Composer
To finish the client certificate authentication setup between your SBM components, you must configure each instance of SBM Composer by generating or importing a public and private key certificate into the client user's personal key store, and then importing the public key certificate from that key pair on the Application Repository and SSO servers. This creates a client trust between each SBM Composer client and the Tomcat servers in your installation.
The process for establishing client trust is flexible. For example:
- You can generate a certificate that contains a private and public key pair on each SBM Composer machine, export the public key certificate from each SBM Composer machine, and then import all the public key certificates on the Application Repository and SSO servers.
This ensures each client machine has a unique key pair; if one key pair is lost it does not impact all the other client machines. However, you must ensure that all of the public keys from each key pair are imported on the Application Repository and SSO servers.
- You can generate a certificate that contains a private and public key pair on one SBM Composer machine, export the key pair certificate, import the key pair certificate on your remaining SBM Composer machines, and then import the public key certificate on the Application Repository and SSO servers.
This means that the key pair that is used by all clients is imported only once on your Application Repository and SSO servers; however, if the private key is compromised, all client machines are impacted.
- You can use the same private and public key pair for a set of SBM Composer machines if necessary, and have other clients use unique private and public key pairs.
- You can use a Smart Card certificate for client certificate authentication with SBM Composer. Follow the steps in Using Smart Card Authentication with SBM Composer to make the Smart Card certificate available for use on the Client Certificate Administration tab.
Important: If you decide to use the Smart Card certificate for client certificate authentication from SBM Composer, you must export the public certificate from your personal store, and then import it in SBM Configurator on the SSO and Application Repository servers.
Before you begin configuring client certificate authentication for your SBM Composer, consult your IT department and decide which strategy will satisfy your security needs.
The following steps describe the process for creating private and public key pairs on each SBM Composer machine.
To enable client certificate authentication in SBM Composer:
- Ensure each SBM Composer instance can connect to Application Repository using SSL. This means you have configured SSL for the Application Repository server by generating or importing a server certificate on the Tomcat Servers tab, and connections are made to Application Repository over HTTPS using the Secure connection check box in SBM Composer.
Tip: If your Tomcat server SSL certificate is self-signed or signed by an authority that is not well-known, you must import the server's public certificate into the Trusted Root Certificate store on each SBM Composer machine using the Microsoft Management Console (MMC) or import the certificate by connecting to Application Repository via HTTPS from a Web browser and trusting the public certificate.
- Open SBM Composer on a client machine, click File, select Composer Options, and then select Repository | Connection. Click the Advanced Security Setup button.
Alternatively, navigate to the directory that contains the SBM Composer executable, and launch SBM Composer using the following command:
Serena.Studio.Shell.Application /ClientSideSSLSetup
The Advanced Security Setup for SBM Composer dialog box appears. The dialog box lists all self-signed certificates that currently reside in the user's personal certificate store and that contain both a private and public key.
- Click New to create a new self-signed certificate that contains a new unique private and public key pair. Provide the following:
- Select the Available in Composer check box to allow the SBM Composer user to select the certificate in the Repository Connection Settings dialog box when he or she attempts to connect to the repository.
- Enter a Composer name for the certificate that will easily identify the certificate to the SBM Composer user. The Composer name is what appears to the user in SBM Composer (not the certificate's issued to, subject name, or friendly name).
Tip: If SBM Composer will connect to only one repository, then giving the certificate a meaningful name is not necessary, and any name will suffice. However, if more than one certificate is flagged in the list as Available in Composer, consider naming the certificates in a way that distinguishes them (perhaps to identify which server they connect to).
- Enter a Subject (CN) for the certificate. This is used to complete the certificate's friendly name.
The new certificate is created and added to the user's personal certificate store.
- Click Export, and then select Public Key Certificate. This option saves the public key to a DER-encoded binary X.509 (*.cer) public key file. You will import this file on the Application Repository and SSO servers to establish trust.
You can export the public and private key pair from this machine and use it to secure other SBM Composer clients (instead of generating several unique key pairs on each machine). To export the key pair:
- Click Export, and then select Public and Private Key Certificate.
- Enter a password to secure the private key.
- Save the file locally, and then copy the .pfx file to your other SBM Composer machines.
- On each SBM Composer machine, open SBM Composer, click the Advanced Security Setup button, and then click the Import button.
- Select the .pfx file, and then enter the password.
- On the server or servers that host Application Repository and SSO, navigate to the Client Certificate Authentication sub-tab, and click the Manage Trusted Certificates button in the Tomcat section. Click Import Certificates, and then select the X.509 (*.cer) file that contains the public certificate from SBM Composer.
Important: If you generated a unique key pair for multiple SBM Composer machines, you must repeat this step for each SBM Composer machine with a unique key pair. You must import the public certificate from each SBM Composer machine in order for Tomcat to trust that machine.
- Click Apply in SBM Configurator.
- In SBM Composer, open the Composer Options dialog box, and then click the Repository tab. Select the Use secure connection check box. The Client certificate drop-down becomes available.
- Select the client certificate that is trusted by Application Repository in the Client certificate drop-down list.
- Enter the client certificate authentication port for Tomcat (the default is 8443). This is the HTTPS port for client certificate authentication that is specified for Tomcat in the Client Certificate Authentication tab in SBM Configurator.
- Click Test connection to verify that SBM Composer can connect to Application Repository.
Note the following additional options in the Advanced Security Setup for SBM Composer dialog box:
- Click the Show Filter button to only display certificates that match a certain string. In the Look for combo box, search for certificates by entering a string, and then click Find. Certificates with one or more properties that match the specified string are displayed. Click the Options button to specify whether to search details, match case, or match whole word.
- Click Edit if you need to rename the certificate or select the Available in Composer check box after the certificate has been created.
- If you import a self-signed certificate that contains multiple key pairs, you can select which key pair certificates should be imported. If one or more of the certificates (identified by thumbprint) already exist in the personal certificate store, a dialog box indicates the number of duplicate certificates that were skipped.
- Click the Properties button to view details of the self-signed certificates in the user's personal certificate store. You can also select a certificate in the list, right-click, and then select Properties.
- Press the F5 key to refresh the list of certificates if any changes have been made using the MMC console instead.
Troubleshooting Issues
If users experience connectivity issues or problems deploying process apps after client certificate authentication is configured, click the Advanced Settings button in the IIS section and configure the following:
- Send trusted authorities list
Select this check box to ensure that the list of trusted root certificate authorities is sent to the client during the TLS/SSL handshake. This can fix connectivity issues for users who are trying to log in to the system.
- Buffer size
Increase the client request size (in bytes) that IIS will buffer and pass to the SBM ISAPI extension. If users encounter a 413 Error: Request entity too large message when trying to deploy process apps, consider increasing the buffer size. For example, setting the buffer size to 100000000 bytes should allow deployment to finish.
Anonymous Events
In the Secure Anonymous Events tab, you enter an SBM user name and password to use with anonymous events that are sent to the Event Manager.
About Using Anonymous Events
By default, SBM Orchestration Engine rejects anonymous events unless you select Allow Anonymous Events and provide an SBM user and password that the Event Manager will use for anonymous events that it receives.
For integrations that support it, configure Single Sign-On (SSO) to ensure that any events from the integrated system are accompanied by a credential that represents the originating user. If SSO is not used, the event source must add an SBM credential to the event or it will be rejected. This ensures that the remote entity that sends the event can identify itself and that SBM only processes events from approved entities.
However, if you must use anonymous events, you can designate an anonymous event user in SBM Configurator, which allows SBM to process anonymous events if credentials are not provided. While this configuration is not recommended because the caller's identity is unknown, it does provide control over anonymous use by enabling you to change or de-authorize the anonymous user account if necessary.
Integrations
In the Secure Integrations tab, you manage security for integrations with other products that use SSO such as Dimensions CM, Dimensions RM, and PVCS VM. SBM has a trusted relationship that is established with these different servers for them to work with SSO. This relationship is established using certificates that are generated by or for these other products. SBM is installed with sample certificates; however, you should replace the default SSO certificate for these integrations to improve security.
SSO Trusted Certificates
To secure your integrations:
- In the SSO Trusted Certificates section, select the product from the integrations drop-down list. Details for the current trusted certificate (if enabled) appear.
- Select the Enable trusted certificate for SSO check box.
- In the Trusted Certificate section, you can view, import, or export the trusted certificate.
Response Headers
In the Secure Response Headers tab, you can enable secure response headers for responses sent by IIS and SBM Tomcat. Adding secure response headers tightens security and helps prevent common browser-based attacks against your SBM system.
You can view these headers in IIS under HTTP Response Headers. For SBM Tomcat, configuring these options adds a specific httpHeaderSecurity filter to the web application files.
- Enable HTTP security response headers
Select this option to add security headers to Web server responses from IIS and SBM Tomcat.
- Enable HTTP strict transport security (HSTS)
(STRICT-TRANSPORT-SECURITY)
Select this option to have the SBM response header instruct the browser to only use HTTPS. If HSTS is enabled, the browser will not allow users to access SBM over HTTP. This also prevents users from being able to click through warnings about invalid certificates. You must also specify a max age that defines how long the SBM domain is cached in the browser's HSTS list. By default, the max age is 31536000 (seconds). This means the HSTS header response from SBM will be cached in the HSTS list for one year. Select Include subdomains to increase security further by securing the domain-level cookie.
- Enable anti-clickjacking (X-FRAME-OPTIONS)
Select this option to use clickjacking prevention options. Specify whether to allow or deny pages to load in a frame.
- Allow from specified URI – Pages from this server can only be framed by pages/frames from the specified URI. For instance, an SBM report page with the X-Frame-Options: ALLOW-FROM http://anotherserver.somedomain.com directive can be framed by pages loaded from http://anotherserver.somedomain.com. Note that current browsers no longer honor the ALLOW-FROM directive; only SAMEORIGIN and DENY are reliably enforced, so treat this option as a compatibility setting rather than a protection.
- Allow from the same origin – This allows the page to render in a frame where the parent page is from the same server. For instance, if http://myserver.company.com/mypage.htm contains the X-Frame-Options: SAMEORIGIN directive, it can be framed only by pages from http://myserver.company.com.
Note: The Deny option sends an X-Frame-Options HTTP response header that instructs the browser to not allow framing from the current domain or any other domain. This option is not available with SBM because SBM relies extensively on the use of frames.
- Block content sniffing (X-CONTENT-TYPE-OPTIONS)
This option prevents MIME type confusion by telling the browser not to guess (sniff) the MIME type and to use only the type declared in the Content-Type header. This prevents browsers from treating non-executable responses as executable content types.
- Enable XSS (cross-site scripting) filtering (X-XSS-PROTECTION)
Select this option to enable a filter against cross-site scripting attacks. For example, instead of sanitizing a script, this instructs the browser to block the response in the event malicious JavaScript code has been inserted. Note that current versions of Chrome and Edge have removed support for this header and Firefox never implemented it, so it only affects older browsers.
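A way to verify what these options actually produce on the wire, as an added example that is not SBM's own code: the checker below inspects a set of response headers (constructed samples here; a real run would take the headers from an HTTPS response to the SBM server) and reports which of the options described above are missing or weak. The minimum HSTS max-age is the page's one-year default; the exact header values it expects (for example 1; mode=block for X-XSS-Protection) are standard header syntax, not values taken from SBM's configuration.

```python
"""Check HTTP response headers against the options on the Secure Response Headers tab.

Added example, not SBM's code. Works on a plain dict of header name -> value, so
it runs offline on the constructed samples at the bottom.
"""
from __future__ import annotations

ONE_YEAR = 31536000  # SBM's default HSTS max-age, in seconds


def _get(headers: dict[str, str], name: str) -> str | None:
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_hsts(value: str) -> dict:
    """Parse a Strict-Transport-Security value into {max_age, include_subdomains}."""
    result = {"max_age": None, "include_subdomains": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                result["max_age"] = int(arg.strip().strip('"'))
            except ValueError:
                result["max_age"] = None  # malformed max-age is reported as missing
        elif name == "includesubdomains":
            result["include_subdomains"] = True
    return result


def check_headers(headers: dict[str, str], min_hsts_age: int = ONE_YEAR) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: list[str] = []

    hsts = _get(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("HSTS header missing")
    else:
        parsed = parse_hsts(hsts)
        if parsed["max_age"] is None:
            findings.append("HSTS max-age missing or not an integer")
        elif parsed["max_age"] < min_hsts_age:
            findings.append(f"HSTS max-age {parsed['max_age']} is below {min_hsts_age}")
        if not parsed["include_subdomains"]:
            findings.append("HSTS includeSubDomains not set")

    xfo = _get(headers, "X-Frame-Options")
    if xfo is None:
        findings.append("X-Frame-Options header missing")
    else:
        token = xfo.strip().upper()
        if token.startswith("ALLOW-FROM"):
            findings.append("X-Frame-Options uses ALLOW-FROM, which current browsers ignore")
        elif token not in ("SAMEORIGIN", "DENY"):
            findings.append(f"X-Frame-Options value not recognized: {xfo!r}")

    xcto = _get(headers, "X-Content-Type-Options")
    if xcto is None or xcto.strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")

    xxp = _get(headers, "X-XSS-Protection")
    if xxp is None:
        findings.append("X-XSS-Protection header missing")
    elif not xxp.replace(" ", "").lower().startswith("1;mode=block"):
        findings.append(f"X-XSS-Protection not in blocking mode: {xxp!r}")

    return findings


# Constructed sample: a response with all options enabled (values are illustrative).
HARDENED = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
}

# Constructed sample: a weakly configured response.
WEAK = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOW-FROM http://anotherserver.somedomain.com",
}

if __name__ == "__main__":
    for label, sample in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, check_headers(sample) or "OK")
```

For IIS the same headers can be confirmed under HTTP Response Headers as the page notes; the script is useful for the Tomcat side, and for checking that a load balancer or reverse proxy in front of SBM has not stripped them.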