...
- Open the file `D:\Program Files\Tomcat 8.x.x\conf\server.xml`. Remove all content from `server.xml` and replace it with:

```xml
<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
  <GlobalNamingResources>
    <!-- Userdatabase is used to secure admin pages! Make sure path is ok otherwise the admin jsps will not work -->
    <Resource name="WMUserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="XperienCentral user database"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="D:/Program Files/Tomcat 8.5/conf/admin-users.xml" />
  </GlobalNamingResources>
  <Service name="WebManager">
    <!-- AJP connector for the Apache front end. With secretRequired="false" Apache does not
         present a shared secret, so port 8009 must not be reachable from outside the host -->
    <Connector port="8009" enableLookups="false" redirectPort="8443" debug="1"
               protocol="AJP/1.3" URIEncoding="UTF-8" secretRequired="false"
               connectionTimeout="600000" />
    <Engine name="WebManager" defaultHost="localhost">
      <!-- LockOutRealm throttles repeated failed logins against the user database -->
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="WMUserDatabase"/>
      </Realm>
      <Host name="localhost" unpackWARs="true" autoDeploy="false" deployOnStartup="false"
            appBase="D:/XperienCentral/deploy">
        <Valve className="org.apache.catalina.authenticator.SingleSignOn"/>
        <Context path="/web" docBase="webmanager-backend-webapp-1.0-SNAPSHOT.war">
          <Valve className="org.apache.catalina.authenticator.DigestAuthenticator" cache="true" />
          <!-- JDBC connection pool for the XperienCentral database. The credentials are stored
               in plaintext here, so restrict read access to conf/server.xml -->
          <Resource name="jdbc/WebManagerDb" auth="Container" type="javax.sql.DataSource"
                    username="sa" password="admin"
                    driverClassName="net.sourceforge.jtds.jdbc.Driver"
                    url="jdbc:jtds:sqlserver://localhost:1433/webmanagerdb;useLOBs=false"
                    maxTotal="100" maxIdle="10" maxWaitMillis="10000"
                    testWhileIdle="true" timeBetweenEvictionRunsMillis="900000"
                    removeAbandonedOnBorrow="false" removeAbandonedOnMaintenance="false"
                    removeAbandonedTimeout="30" logAbandoned="true"
                    validationQuery="select 1" />
        </Context>
      </Host>
    </Engine>
  </Service>
</Server>
```
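As an added example (not part of the XperienCentral documentation), the following Python script parses a `server.xml` in the shape of the template above and reports the settings a reviewer should check before the file goes live: an AJP connector without a shared secret or an explicit loopback binding, the default shutdown command, automatic deployment, and database credentials kept in plaintext. The embedded XML is a constructed, shortened copy of the template and the checks are this example's own, not GX Software's.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment modelled on the template above (not the real file).
SAMPLE_SERVER_XML = """<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="WebManager">
    <Connector port="8009" protocol="AJP/1.3" secretRequired="false"
               redirectPort="8443" connectionTimeout="600000"/>
    <Engine name="WebManager" defaultHost="localhost">
      <Host name="localhost" unpackWARs="true" autoDeploy="false"
            deployOnStartup="false" appBase="D:/XperienCentral/deploy">
        <Context path="/web" docBase="webmanager-backend-webapp.war">
          <Resource name="jdbc/WebManagerDb" type="javax.sql.DataSource"
                    username="sa" password="admin"/>
        </Context>
      </Host>
    </Engine>
  </Service>
</Server>"""

LOOPBACK = ("127.0.0.1", "::1", "localhost")

def audit_server_xml(xml_text):
    """Return a list of findings for a Tomcat server.xml document."""
    root = ET.fromstring(xml_text)
    findings = []
    # The shutdown port accepts a plain-text command; the default string is well known.
    if root.get("shutdown") == "SHUTDOWN":
        findings.append("Server: default shutdown command 'SHUTDOWN' in use")
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "").startswith("AJP"):
            continue
        port = conn.get("port")
        # AJP trusts the front end for request attributes, so either a shared
        # secret or an explicit loopback-only binding is expected.
        if conn.get("secretRequired", "true").lower() == "false" and not conn.get("secret"):
            findings.append(f"Connector {port}: AJP without shared secret")
        if conn.get("address") not in LOOPBACK:
            findings.append(f"Connector {port}: AJP has no explicit loopback binding")
    for host in root.iter("Host"):
        if host.get("autoDeploy", "true").lower() == "true":
            findings.append(f"Host {host.get('name')}: autoDeploy enabled")
    for res in root.iter("Resource"):
        if res.get("type") == "javax.sql.DataSource" and res.get("password"):
            findings.append(f"Resource {res.get('name')}: plaintext DB password in server.xml")
    return findings

if __name__ == "__main__":
    for finding in audit_server_xml(SAMPLE_SERVER_XML):
        print("-", finding)
```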
...
- You should install an active virus scanner in the environment where XperienCentral is running. Because files (images, downloads, etc.) can be uploaded to XperienCentral, it is unwise to rely on the client's virus scanner to detect viruses. The installation of the virus scanner is out of scope for the XperienCentral documentation, therefore only this general recommendation is given.
- To enhance security at the DNS level, DNSSEC (Domain Name System Security Extensions) and a CAA (Certification Authority Authorization) record should be configured on the domain of each client's website. This must be configured by the hosting company with whom the domain is registered. Verify that this is activated for the corresponding website domain.
- The XperienCentral environment (including Tomcat/Apache) should be isolated, from both a security and a performance perspective, from any other software installed on the same server. This prevents unauthorized access between applications. When a dedicated (virtual) server is used for the XperienCentral installation, this requirement is automatically fulfilled: no access is possible to other applications on the same server as XperienCentral, and if the website goes down because of performance issues, the other application(s) are not affected.
- When HTTPS is used in an XperienCentral environment, make sure that the cipher suites the server offers to the browser for the SSL/TLS protocol include no weak suites. Weak suites are a security risk and should not be offered by the server. You can test your environment for cipher suite weaknesses at ssllabs.com. Examples of an Apache configuration for SSL cipher suites are available at https://ssl-config.mozilla.org/. One such example is:

```apache
# intermediate configuration - tweak to your own needs
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
```
- When HTTPS is used, the `Expect-CT` header should be added to the response headers in order to optimize the security of the SSL connection. This header forces the browser to check the SSL certificate for Certificate Transparency. If the SSL certificate is not transparent, the browser refuses the connection (the `enforce` option). Add the following header to your Apache configuration in order to enable `Expect-CT` headers:

```http
Expect-CT: max-age=86400, enforce
```
- To prevent the malicious use of browser API functions, add the `Feature-Policy` response header to your Apache configuration. This header restricts which browser API functions a page may use. For example, when the browser on a mobile device receives a header with the option `camera 'none'`, the camera can't be used by the page on that device. The recommended setting below disables all listed API functions but can of course be customized. GX Software recommends that you add the following header to your default configuration:

```http
Feature-Policy: vibrate 'none'; geolocation 'none'; accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; encrypted-media 'none'; fullscreen 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; usb 'none'; vr 'none';
```

The full list of options can be found at OWASP Feature Policy.
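To check an Apache configuration against the three recommendations above (no legacy SSL/TLS versions or weak cipher suites, an enforcing `Expect-CT` header, and a `Feature-Policy` header without duplicate directives), here is an added Python example that is not from the XperienCentral documentation. The configuration text is constructed for the example and deliberately mixes weak settings with the recommended headers; `Header always set` is the Apache mod_headers directive that emits the headers shown above.

```python
import re

# Constructed Apache fragment: a weak protocol list and one weak suite mixed with the
# headers recommended on this page (not a real configuration).
SAMPLE_APACHE_CONF = """
SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:ECDHE-ECDSA-CHACHA20-POLY1305
Header always set Expect-CT "max-age=86400, enforce"
Header always set Feature-Policy "camera 'none'; microphone 'none'; camera 'none'"
"""

LEGACY_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1")

def directive(conf, name):
    """Argument string of the first matching directive, or '' if absent."""
    m = re.search(rf"^\s*{name}\s+(.*)$", conf, re.MULTILINE)
    return m.group(1).strip() if m else ""

def header_value(conf, header):
    """Value set by a mod_headers 'Header [always] set <header> "..."' line."""
    pattern = rf'^\s*Header\s+(?:always\s+)?set\s+{header}\s+"([^"]*)"'
    m = re.search(pattern, conf, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else ""

def audit_apache_tls(conf):
    findings = []
    proto = directive(conf, "SSLProtocol").split()
    if "all" in proto:  # 'all' enables every version that is not explicitly removed
        findings += [f"SSLProtocol: {p} still enabled" for p in LEGACY_PROTOCOLS if f"-{p}" not in proto]
    for suite in directive(conf, "SSLCipherSuite").split(":"):
        # Require forward secrecy (ECDHE/DHE) and an AEAD cipher (GCM or ChaCha20-Poly1305).
        if suite and (not suite.startswith(("ECDHE-", "DHE-")) or not re.search(r"GCM|CHACHA20-POLY1305", suite)):
            findings.append(f"SSLCipherSuite: weak suite {suite}")
    ect = [d.strip() for d in header_value(conf, "Expect-CT").split(",")]
    if "enforce" not in ect or not any(re.fullmatch(r"max-age=\d+", d) for d in ect):
        findings.append("Expect-CT: header missing or not enforcing")
    fp = header_value(conf, "Feature-Policy")
    if not fp:
        findings.append("Feature-Policy: header missing")
    seen = set()
    for item in (s.strip() for s in fp.split(";") if s.strip()):
        feature = item.split()[0]
        if feature in seen:
            findings.append(f"Feature-Policy: duplicate directive {feature}")
        seen.add(feature)
    return findings

if __name__ == "__main__":
    for finding in audit_apache_tls(SAMPLE_APACHE_CONF):
        print("-", finding)
```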
...