From 9f677ce311dc95f62c4da1568bc71d2be15b92ec Mon Sep 17 00:00:00 2001 From: senthuran16 Date: Tue, 28 Nov 2023 16:49:46 +0530 Subject: [PATCH 1/3] Add security deployment guidelines for SI --- ...ty-guidelines-for-production-deployment.md | 226 ++++++++++++++++++ 1 file changed, 226 insertions(+) diff --git a/en/docs/install-and-setup/setup/deployment-best-practices/security-guidelines-for-production-deployment.md b/en/docs/install-and-setup/setup/deployment-best-practices/security-guidelines-for-production-deployment.md index bf5dd3013f..8222d4e1e5 100644 --- a/en/docs/install-and-setup/setup/deployment-best-practices/security-guidelines-for-production-deployment.md +++ b/en/docs/install-and-setup/setup/deployment-best-practices/security-guidelines-for-production-deployment.md @@ -496,6 +496,232 @@ Given below are the security guidelines for the Micro Integrator runtime. +### Streaming Integrator runtime security + +Given below are the security guidelines for the Streaming Integrator runtime. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
GuidelineDetails

Apply security updates

Apply all the security patches relevant to your product version. Use WSO2 Updates to get the latest security patches.

+ +

Note the following:

+
    +
  • WSO2 releases security patch notifications monthly via the Support Portal. However, WSO2 issues patches immediately to customers if there are highly + critical issues.
  • +
  • WSO2 does not issue patches publicly for older product versions. Community users are encouraged to use the + latest product version to receive all the security issues resolved until that particular product release.
  • +
  • WSO2 Docker repository releases docker images with security fixes. Users with a subscription can fetch these docker images.
  • +
+
+

Change default keystores

+
+

Change the default key stores and create new keys for all the cryptographic operations. WSO2 products, by default, come with a self-signed SSL key. Since these keys are public, it is recommended to configure your own keys for security purposes. Consider the following guidelines when creating the keystores:

+
    +
  • +

    Select a key size of at least 2048 bits.

    +
  • +
  • +

    Use an SHA256 certificate.

    +
  • +
  • +

    Make sure that WSO2 default certificates do not exist in any of the keystores in your production environment. For example, be sure to delete the default public certificate in the default trust store that is shipped with the product.

    +
  • +
+ See Creating New Keystores for information on how to create and configure your own keys. +

+
Encrypt passwords in configuration files +

WSO2 products use a tool called Secure Vault to encrypt the plain-text passwords in configuration files.

+

See Securing Passwords in Configuration Files for instructions.

+
+

Change default ports

+


+
+

For information on all the default ports used by WSO2 API Manager, see Default Product Ports.

+

For information on changing a default port, see Changing the Default Ports with Offset.

+
+

Always communicate over TLS

+
+

All connections from your server to external databases, or other services, should be over TLS, to ensure adequate network-level protection. Therefore, be sure to use external systems (user stores, databases) that are TLS-enabled.

+
+

Connect to data stores using a less privileged user

+
+

When connecting the server to external databases, be sure to go through a user who does not have permission to change the data store's schema. Be sure not to use the root user of the data store because all permissions are generally granted to the root user.

+
+

Configure strong HTTP(S) security

TODO CHECK ------------------------------------------------------------------------------- +
+

To have strong transport-level security, use TLS 1.2 and disable SSL, TLS 1.0 and 1.1. The TLS protocol and strong ciphers are configured for the passthrough transport in the deployment.toml file. See the following links for instructions:

+

Configuring Transport-Level Security

+

Note the following:

+
    +
  • When deciding on the TLS protocol and the ciphers, consider the compatibility with existing client applications. Imposing maximum security might cause functional problems with client applications.
  • +
  • Apply ciphers with 256 bit key length if you have applied unlimited strength policy. Note that unlimited strength policy is recommended.
  • +
  • + Also, consider the following factors when deciding on the ciphers: +
      +
    • DES/3DES are deprecated and should not be used.
    • +
    • MD5 should not be used due to known collision attacks.
    • +
    • RC4 should not be used due to crypto-analytical attacks.
    • +
    • DSS is limited to a small 1024 bit key size.
    • +
    • Cipher-suites that do not provide Perfect Forward Secrecy/ Forward Secrecy (PFS/FS).
    • +
    • GCM based ciphers are recommended over CBC ciphers.
    • +
    +
  • +
+
+

Remove weak ciphers for PassThrough transport

TODO: CHECK ------------------------------------------------------------- +
+

Remove any weak ciphers from the PassThrough transport and ensure that the server does not accept connections using those weak ciphers. The PassThrough transport is configured using the deployement.toml file. +

See Disabling Weak Ciphers for instructions.

+
+

Increase Ephemeral Diffie-Hellman Key size

+
+

Before starting the server, open the product startup script ( server.sh in Linux and server.bat in Windows) and enter the following with the other Java properties:

+
+
+
+
-Djdk.tls.ephemeralDHKeySize=2048 \
+
+
+
+
+

Disable client-initiated renegotiation

+


+
+

Before starting the server, open the product startup script ( server.sh in Linux and server.bat in Windows) and enter the following with the other Java properties:

+
+
+
+
-Djdk.tls.rejectClientInitiatedRenegotiation=true \
+
+
+
+
+

Enable HostName Verification

+


+
+

Make sure that hostname verification is enabled in the product startup script ( server.sh in Linux and server.bat in Windows) with the Strict mode. That is, you need to enable the following parameter:

+
+
+
+
-Dhttpclient.hostnameVerifier=Strict \
+
+
+
+
+

Verify super admin credentials

+


+
+

The username and the password of administrator is configured as follows in the deployment.yaml file. When you go into production, be sure to manually check and ensure that unwanted admin records are removed.

+
+
+
+
+                            auth.configs:
+                              type: 'local'        # Type of the IdP client used
+                              userManager:
+                                adminRole: admin   # Admin role which is granted all permissions
+                                userStore:         # User store
+                                  users:
+                                   -
+                                     user:
+                                       username: admin
+                                       password: YWRtaW4=
+                                       roles: 1
+                                  roles:
+                                   -
+                                     role:
+                                       id: 1
+                                       displayName: admin
+                        
+
+
+
+
+

Enable log rotation and monitoring

+


+
+

Ensure that you have a relevant log rotation scheme to manage logs. Log4J properties for Streaming Integrator can be configured in the <SI_HOME>/conf/server/log4j2.xml file. To roll the wso2carbon.log based on size, this guide can be used.

+
+

Prevent Log Forging

+
+

Log forging can be prevented by appending a UUID to the log message.

+
+

Set appropriate JVM parameters

+


+
+

The recommended JDK version is JDK 8 or 11. See the installation pre-requisites for more information.

+

Tip: To run the JVM with 2 GB (-Xmx2048m), you should ideally have about 4GB of memory on the physical machine.

+
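Review bot: the sample `auth.configs` block under "Verify super admin credentials" ships the default admin user with `password: YWRtaW4=`, which is only a base64-encoded default password, not an encrypted one, yet the row text only asks operators to remove unwanted admin records; add a sentence telling them to change the default admin password before going to production and to protect it with Secure Vault, which the "Encrypt passwords in configuration files" row in this same hunk already introduces. Three smaller items in the hunk: the "Change default ports" row reads "default ports used by WSO2 API Manager" in a Streaming Integrator section; the "Configure strong HTTP(S) security" and "Remove weak ciphers for PassThrough transport" rows still carry "TODO CHECK ----" markers and refer to deployment.toml and the PassThrough transport, while the SI snippet later in the hunk uses deployment.yaml, so the product context should be verified before merge; and "Prevent Log Forging" states only that appending a UUID prevents it without saying where that is configured, just as "this guide can be used" in the log-rotation row has no target.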
+ ## OS-level security This section provides the list of OS-level security guidelines for your production environment. From cc4334ab9184c5fe3c4642ff70f5d29ea1a9fefc Mon Sep 17 00:00:00 2001 From: senthuran16 Date: Tue, 28 Nov 2023 16:53:40 +0530 Subject: [PATCH 2/3] Remove incomplete sections from the security deployment guidelines of SI --- ...ty-guidelines-for-production-deployment.md | 34 ------------------- 1 file changed, 34 deletions(-) diff --git a/en/docs/install-and-setup/setup/deployment-best-practices/security-guidelines-for-production-deployment.md b/en/docs/install-and-setup/setup/deployment-best-practices/security-guidelines-for-production-deployment.md index 8222d4e1e5..2ca03e5430 100644 --- a/en/docs/install-and-setup/setup/deployment-best-practices/security-guidelines-for-production-deployment.md +++ b/en/docs/install-and-setup/setup/deployment-best-practices/security-guidelines-for-production-deployment.md @@ -578,40 +578,6 @@ Given below are the security guidelines for the Streaming Integrator runtime.

When connecting the server to external databases, be sure to go through a user who does not have permission to change the data store's schema. Be sure not to use the root user of the data store because all permissions are generally granted to the root user.

- - -

Configure strong HTTP(S) security

TODO CHECK ------------------------------------------------------------------------------- - - -

To have strong transport-level security, use TLS 1.2 and disable SSL, TLS 1.0 and 1.1. The TLS protocol and strong ciphers are configured for the passthrough transport in the deployment.toml file. See the following links for instructions:

-

Configuring Transport-Level Security

-

Note the following:

- - - - - -

Remove weak ciphers for PassThrough transport

TODO: CHECK ------------------------------------------------------------- - - -

Remove any weak ciphers from the PassThrough transport and ensure that the server does not accept connections using those weak ciphers. The PassThrough transport is configured using the deployement.toml file. -

See Disabling Weak Ciphers for instructions.

- -

Increase Ephemeral Diffie-Hellman Key size

From 596f7ec245d782b8889d016c7d68cb19a6e06864 Mon Sep 17 00:00:00 2001 From: senthuran16 Date: Tue, 28 Nov 2023 17:04:07 +0530 Subject: [PATCH 3/3] Update JDK version --- .../security-guidelines-for-production-deployment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/en/docs/install-and-setup/setup/deployment-best-practices/security-guidelines-for-production-deployment.md b/en/docs/install-and-setup/setup/deployment-best-practices/security-guidelines-for-production-deployment.md index 2ca03e5430..3a8f27f7ca 100644 --- a/en/docs/install-and-setup/setup/deployment-best-practices/security-guidelines-for-production-deployment.md +++ b/en/docs/install-and-setup/setup/deployment-best-practices/security-guidelines-for-production-deployment.md @@ -681,7 +681,7 @@ Given below are the security guidelines for the Streaming Integrator runtime.


-

The recommended JDK version is JDK 8 or 11. See the installation pre-requisites for more information.

+

The recommended JDK version is JDK 11. See the installation pre-requisites for more information.

Tip: To run the JVM with 2 GB (-Xmx2048m), you should ideally have about 4GB of memory on the physical machine.
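Review bot: the change from "JDK 8 or 11" to "JDK 11" in the "Set appropriate JVM parameters" row should be cross-checked against the installation pre-requisites page that the same sentence links to, so both pages state the same supported version and readers on JDK 8 are not left with contradictory guidance; the row still carries no actual JVM parameters beyond the JDK version and the unchanged -Xmx2048m sizing tip, so consider either renaming it or adding the heap and GC settings its title promises.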