Security Measures

Overview

This section contains tips on how to secure the INUBIT environment, notes about possible security risks, and checklists for effective security measures.

User Administration

Overview

Users must authenticate themselves by entering a username and password to log in to the INUBIT Process Engine via the INUBIT Workbench.

To access user administration, you must have the right for the User Manager component. By default, this right is assigned to users with the System Administrator or Project Lead role.

Further options

Additionally, the INUBIT software offers the following options:

  • Logging login attempts

    All successful and failed login attempts may be traced in the Audit Log in the INUBIT Workbench.

  • Locking user accounts after several failed logins

    Prevents brute-force attacks (UserFailedLoginLimit property). This lock affects all users except users with the System Administrator role, to ensure that the administrative user is always able to log in. Locked accounts can only be unlocked by a system administrator.

  • Deleting and disabling user accounts

    All user accounts can be deleted or disabled by system or group administrators. Users can also be disabled automatically after a specified period of inactivity.

    Refer to:

  • Passwords with minimum lengths and permitted symbols

    Configure patterns for new passwords.

  • Maximum validity period for passwords

    A user with the System Administrator role can specify a maximum validity period for passwords for all users. After this period has expired, the account is locked and the user is prompted to enter a new password at the next login. This mechanism does not apply to the root user.
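The lockout, audit-log and password-expiry behaviour described in this list can be modelled in a few lines. The following Python is an added illustration, not INUBIT code: it assumes that the properties UserFailedLoginLimit, UserPasswordTimeout and UserPasswordTimeoutValue correspond to the constants at the top, uses constructed users and dates, and models the expired-password case as a forced password change at the next login.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Illustrative values modelled after the properties named on this page
# (the checklist further down recommends 5 attempts and 90 days).
USER_FAILED_LOGIN_LIMIT = 5          # UserFailedLoginLimit
USER_PASSWORD_TIMEOUT = True         # UserPasswordTimeout
USER_PASSWORD_TIMEOUT_VALUE = 90     # UserPasswordTimeoutValue, in days

SYSTEM_ADMINISTRATOR = "System Administrator"


@dataclass
class User:
    name: str
    password: str               # plaintext only for this toy model
    role: str
    password_set_on: date
    failed_logins: int = 0
    locked: bool = False
    must_change_password: bool = False


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, user: str, outcome: str) -> None:
        # Every successful and failed attempt is recorded, as the Audit Log does.
        self.entries.append((user, outcome))


def login(user: User, password: str, today: date, audit: AuditLog) -> str:
    """Return the login outcome and update lock, expiry and audit state."""
    if user.locked:
        audit.record(user.name, "rejected: account locked")
        return "locked"

    if password != user.password:
        user.failed_logins += 1
        # System Administrators are never locked out, so an admin can always log in.
        if user.failed_logins >= USER_FAILED_LOGIN_LIMIT and user.role != SYSTEM_ADMINISTRATOR:
            user.locked = True
            audit.record(user.name, "failed login; account locked")
            return "locked"
        audit.record(user.name, "failed login")
        return "failed"

    user.failed_logins = 0
    # Maximum password validity applies to everyone except the root user.
    if USER_PASSWORD_TIMEOUT and user.name != "root":
        if today - user.password_set_on > timedelta(days=USER_PASSWORD_TIMEOUT_VALUE):
            user.must_change_password = True
            audit.record(user.name, "successful login; password expired, change required")
            return "password_change_required"
    audit.record(user.name, "successful login")
    return "ok"


def unlock(admin: User, user: User, audit: AuditLog) -> bool:
    """Only a System Administrator may unlock a locked account."""
    if admin.role != SYSTEM_ADMINISTRATOR:
        audit.record(admin.name, f"unlock of {user.name} refused: insufficient role")
        return False
    user.locked = False
    user.failed_logins = 0
    audit.record(admin.name, f"unlocked {user.name}")
    return True


def demo_logins() -> dict:
    """Run constructed scenarios and return the observed outcomes."""
    audit = AuditLog()
    today = date(2024, 6, 1)
    alice = User("alice", "Correct-Horse-1", "Advanced User", today - timedelta(days=10))
    root = User("root", "Root-Pass-1", SYSTEM_ADMINISTRATOR, today - timedelta(days=400))
    bob = User("bob", "Old-Pass-1", "Advanced User", today - timedelta(days=120))

    out = {}
    for _ in range(USER_FAILED_LOGIN_LIMIT):
        last = login(alice, "wrong", today, audit)
    out["alice_after_limit"] = last                                   # "locked"
    out["alice_while_locked"] = login(alice, "Correct-Horse-1", today, audit)
    for _ in range(USER_FAILED_LOGIN_LIMIT + 2):
        last = login(root, "wrong", today, audit)
    out["root_after_many_failures"] = last                            # never locked
    out["root_old_password"] = login(root, "Root-Pass-1", today, audit)  # no expiry for root
    out["bob_expired"] = login(bob, "Old-Pass-1", today, audit)
    out["unlock_by_bob"] = unlock(bob, alice, audit)
    out["unlock_by_root"] = unlock(root, alice, audit)
    out["alice_after_unlock"] = login(alice, "Correct-Horse-1", today, audit)
    out["audit_entries"] = len(audit.entries)
    return out


if __name__ == "__main__":
    for key, value in demo_logins().items():
        print(f"{key}: {value}")
```

The point to take from the model is the asymmetry the page describes: the failed-login counter still advances for the administrator, but the lock is never applied, so the audit log is the only place where a brute-force attempt against that account becomes visible. Reviewing it for repeated "failed login" entries on the System Administrator account is therefore part of the checklist, not an optional extra.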

Defining Patterns for Passwords - Minimum Length, Permissible Characters

Usage

You can define patterns for user passwords and specify, for example, that passwords must consist of more than eight characters and contain exactly one capital letter and one number.

Prerequisites

You have not yet started the INUBIT Process Engine for the first time. After the first start, the password patterns can only be configured using the Workbench; refer to Configuring INUBIT User Accounts.

Proceed as follows

  1. Open the file <inubit-installdir>/server/ibis_root/conf/ibis_config.xml.

    Note the details in section Configuring via ibis_config.xml File.

  2. Use the following properties to define the patterns:

    • UserPasswordLimit

      Activates/deactivates the verification of a new password, or of one that must be changed, against the property UserPasswordLimitPattern.

      The property UserPasswordLimitNegative defines whether the password must match the pattern.

    • UserPasswordLimitPattern

      Used to define patterns for new passwords, for example their minimum length or allowed characters. Criteria for allowed passwords are specified using a regular expression. The regular expression must comply with the syntax of the Java class Pattern (of the JDK). Refer to

    • UserPasswordLimitNegative

      Inverts the meaning of the property UserPasswordLimitPattern.

      • If false, a password must comply with the criteria of the property UserPasswordLimitPattern. All passwords that match the pattern are accepted; all others are rejected.

      • If true, a password must not comply with the criteria of the property UserPasswordLimitPattern. All passwords that do not match the pattern are accepted; all others are rejected.
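The three properties combine into one accept/reject decision. The following Python is an added example, not INUBIT code: it assumes the property values are read into the constants shown, and it uses a pattern that encodes the checklist requirement on this page (at least 10 characters with one number, one capital letter, one lower-case letter and one special symbol). The pattern uses only lookaheads and character classes, which Java's Pattern class and Python's re module interpret the same way, so it can be pasted into UserPasswordLimitPattern unchanged; the blocklist pattern shown for the negative case is likewise an assumption for illustration.

```python
import re

# Modelled after the ibis_config.xml properties described above (constructed values).
USER_PASSWORD_LIMIT = True
USER_PASSWORD_LIMIT_PATTERN = r"^(?=.*\d)(?=.*[A-Z])(?=.*[a-z])(?=.*[^A-Za-z0-9]).{10,}$"
USER_PASSWORD_LIMIT_NEGATIVE = False

# Example for the negative mode: reject anything containing one of these words
# (case-insensitive). Hypothetical pattern, not a product default.
BLOCKLIST_PATTERN = r"(?i).*(password|inubit|qwerty).*"


def password_accepted(password: str,
                      limit: bool = USER_PASSWORD_LIMIT,
                      pattern: str = USER_PASSWORD_LIMIT_PATTERN,
                      negative: bool = USER_PASSWORD_LIMIT_NEGATIVE) -> bool:
    """Apply the UserPasswordLimit / UserPasswordLimitPattern / UserPasswordLimitNegative semantics."""
    if not limit:
        return True                      # verification switched off: everything passes
    # re.fullmatch corresponds to Java's Matcher.matches(): the whole password must match.
    matches = re.fullmatch(pattern, password) is not None
    # negative=False: accept only matching passwords.
    # negative=True:  accept only passwords that do NOT match.
    return matches != negative


def check_examples() -> dict:
    """Constructed candidates run through both modes."""
    return {
        "too_short": password_accepted("Ab1!short"),                     # 9 characters
        "no_special": password_accepted("Abcdefghij1"),                  # no special symbol
        "ok": password_accepted("Tr0ub4dor&3xyz"),
        "limit_off": password_accepted("x", limit=False),
        "blocklist_hit": password_accepted("MyPassword!2024",
                                           pattern=BLOCKLIST_PATTERN, negative=True),
        "blocklist_ok": password_accepted("Tr0ub4dor&3xyz",
                                          pattern=BLOCKLIST_PATTERN, negative=True),
    }


if __name__ == "__main__":
    for name, accepted in check_examples().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Note that a single pattern is evaluated, so a positive complexity rule and a negative blocklist cannot both be active at once; if both are wanted, the blocklist has to be folded into the positive pattern as a negative lookahead at its start.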

Roles and Rights

The role concept ensures that process engine users are only able to use the functions and rights they have been authorized to use.

A role is a collection of rights that control the access to all functions and objects. This allows you to specify in detail, for instance, what rights each role has.

The INUBIT software is delivered with pre-configured roles. These pre-configured roles may be modified but not deleted. Any number of additional roles may also be defined and configured to meet actual requirements. Exactly one role may be allocated to each user.

Users involved in creating workflows in the system should have the Advanced User role and should also be allocated the Monitoring right. This ensures that the users have all the necessary rights for creating workflows, but prevents them from creating their own users, for example.

Data Visibility

Data visibility is controlled by allocating users to groups:

  • Every user can display his/her own data (modules, workflows) in the INUBIT Workbench and is able to edit them.

  • Every user can also display his/her own group's data and that of the group immediately superordinate to it. Every user is a member of exactly one group.

  • Groups may be structured hierarchically. In other words, a group may be a sub-group of exactly one other group. The nesting depth is unlimited.

For information about filing user data, refer to Changing the User-Specific Working Directory of the INUBIT Workbench.

Communication and System Connections

INUBIT Process Engine

The INUBIT Process Engine and the application server Tomcat form an integrated application. As a result, there is no communication via network components.

INUBIT Process Engine/Remote Connector

The Remote Connector is based on the same source code as the INUBIT Process Engine. The INUBIT Process Engine communicates with the Remote Connector via SOAP. This protocol may be secured using HTTPS.

INUBIT Process Engine/INUBIT Workbench

The client/server architecture of the INUBIT software requires communication between the INUBIT Process Engine and the INUBIT Workbench. This communication is also based on the SOAP protocol and may be secured using SSL to protect the transferred data. Encrypting the communication between the INUBIT Workbench and the server with HTTPS prevents passwords from being stolen in transit.

Partner and IT systems

There is always a potential security risk when linking business partners with other IT systems.

Which protective measures are possible and necessary must be determined individually, because the measures greatly depend on the communication path used.

All the settings for message processing and communication may be configured specifically for each partner (e.g. IP addresses, public keys).

Ports

The SSL port used for HTTPS communication with the INUBIT Workbench can be separated from the SSL ports used by the SSL-based protocols for communication with business partners. This prevents a business partner from connecting to the INUBIT Process Engine with an INUBIT Workbench. Every SSL port may be supplied with its own certificate.

HTTP-based protocols may be protected by utilizing SSL-secured HTTP connections (HTTPS). For this purpose, it is necessary to configure the SSL port and the private key to be used.

Centralized SSL key management

In order to communicate with other systems/business partners, the system needs the other system's public keys. These are provided specific to each partner in the System Connectors (modules for connecting a system using an SSL-based protocol, e.g. HTTPS). The business partners' SSL keys are stored in the module properties of the system connector. The module properties are available through cache database tables.

The INUBIT software has a central SSL key monitoring component along with the SSL Key Manager. The keystores of the enabled system connectors are managed here; disabled system connectors cannot establish a connection.

Before an SSL key expires, a notification e-mail is sent automatically to the address specified in the Configuration tab (usually the owners of the connectors).

The SSL Key Manager also allows new certificates to be stored, including those which are valid before the old certificate expires. The INUBIT software automatically uses the new certificate once it becomes valid.
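The two behaviours described here, expiry notification and automatic switch-over to a successor certificate once it becomes valid, come down to a small amount of date logic. The following Python is an added illustration, not the SSL Key Manager's code: it assumes that each enabled system connector's keystore is a list of certificates with validity dates, that a notification lead time of 30 days is configured, and that a certificate needs no warning when a stored successor already covers its expiry. The connectors, aliases and addresses are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Certificate:
    alias: str
    not_before: date
    not_after: date


@dataclass
class SystemConnector:
    name: str
    enabled: bool
    owner_email: str
    certificates: list  # keystore entries for this connector


def active_certificate(connector: SystemConnector, today: date):
    """Certificate to use today: None if the connector is disabled or nothing is
    valid; if several are valid, the one valid for longest (the stored successor)."""
    if not connector.enabled:
        return None  # disabled connectors cannot establish a connection
    valid = [c for c in connector.certificates if c.not_before <= today <= c.not_after]
    return max(valid, key=lambda c: c.not_after) if valid else None


def has_successor(connector: SystemConnector, cert: Certificate) -> bool:
    """True if another stored certificate is already valid when this one expires."""
    return any(c is not cert and c.not_before <= cert.not_after < c.not_after
               for c in connector.certificates)


def expiry_notifications(connectors, today: date, lead_days: int = 30) -> list:
    """(owner e-mail, connector, alias, days left) for every certificate of an
    enabled connector that expires within lead_days and has no successor stored."""
    notices = []
    for conn in connectors:
        if not conn.enabled:
            continue  # only keystores of enabled connectors are managed
        for cert in conn.certificates:
            days_left = (cert.not_after - today).days
            if 0 <= days_left <= lead_days and not has_successor(conn, cert):
                notices.append((conn.owner_email, conn.name, cert.alias, days_left))
    return notices


# Constructed sample keystores, not taken from any real installation.
CONNECTORS = [
    SystemConnector("partner-a-https", True, "owner-a@example.invalid", [
        Certificate("partner-a-2023", date(2023, 7, 1), date(2024, 6, 30)),
        Certificate("partner-a-2024", date(2024, 6, 15), date(2025, 6, 30)),  # stored early
    ]),
    SystemConnector("partner-b-https", True, "owner-b@example.invalid", [
        Certificate("partner-b-2023", date(2023, 7, 1), date(2024, 6, 25)),   # no successor yet
    ]),
    SystemConnector("partner-c-https", False, "owner-c@example.invalid", [
        Certificate("partner-c-2024", date(2024, 1, 1), date(2025, 1, 1)),
    ]),
]


def demo_keys() -> dict:
    """Evaluate the sample keystores before and after the successor becomes valid."""
    before_switch = date(2024, 6, 10)
    after_switch = date(2024, 6, 20)
    a, b, c = CONNECTORS
    return {
        "a_before": active_certificate(a, before_switch).alias,   # old certificate still in use
        "a_after": active_certificate(a, after_switch).alias,     # successor taken over
        "c_disabled": active_certificate(c, before_switch),       # None
        "notices": expiry_notifications(CONNECTORS, before_switch),
    }


if __name__ == "__main__":
    for key, value in demo_keys().items():
        print(f"{key}: {value}")
```

The successor check is what keeps the notification useful: once a replacement certificate has been stored, the owner of partner-a no longer receives a warning, while partner-b, whose keystore still holds only the expiring certificate, does.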

Executing External Programs and Shell Commands

The Execution Connector allows the execution of all external programs and shell commands for which the operating system user under which the INUBIT Process Engine is running has authorization. The Execution Connector can thus present a security risk. If the Execution Connector is not needed in processes, the root user should rescind other users' right to use this module.

All the files mentioned in this chapter are further protected by restricting the reading rights of all configuration files.

Code Injection

Certain areas of the INUBIT software have default protection against command sequences that are transmitted as input. In the login screen, for example, input is filtered so as only to process valid entries (e.g. user names).

Data entering via the Web Service Connector is not checked automatically. This check must be performed by the relevant workflow.

Passwords for System Connectors

Passwords for system connectors are encrypted with AES and saved in the MODULE_PROPERTIES cache of the respective module.

Third-party Components

Tomcat is installed as part of the standard installation of the INUBIT software; known weaknesses and unused components are then removed. The following sections describe the rules to be applied.

A list of all the third party components used may be obtained on request from Virtimo AG.

Tomcat

Tomcat only executes the code originating from the INUBIT software.

The following Tomcat components were removed because they are not necessary to the functioning of the INUBIT software:

  • Tomcat Management Console

  • Sample applications

  • Load balancer Web application

Patches for Tomcat

New versions of Tomcat are only integrated into new releases of the INUBIT software after they have been tested extensively.

The decision of which versions to integrate is incumbent upon Virtimo AG. For security reasons, Virtimo AG follows the philosophy of not switching to a more current version unless urgently required, in order to benefit from the practical experience gained in testing the components.

User Administration Checklist

Each item lists the point to review and where or how it is configured.

  • Review: Max. 5 failed login attempts to INUBIT Workbench

    Info: INUBIT Workbench > Administration > General Settings > Administration > User

  • Review: Failed logins to INUBIT Workbench are recorded in the audit log

    Info: INUBIT Workbench > Monitoring > Audit Log

  • Review: Lock/delete accounts that are not needed

    Info: Only accounts in use should exist

  • Review: Maximum validity of passwords = 90 days (except root user)

    Info: <inubit-install>/server/ibis_root/conf/ibis_config.xml (refer to Configuring via ibis_config.xml File for details)

    UserPasswordTimeout: true

    UserPasswordTimeoutValue: timeout in days

  • Review: 10-character passwords with at least one number, one capital letter, one lower-case letter and one special symbol

    Info: <inubit-install>/server/ibis_root/conf/ibis_config.xml (refer to Configuring via ibis_config.xml File for details)

    UserPasswordLimit: true

    UserPasswordLimitPattern: [Regular Expression]

  • Review: Users who create workflows have no Admin rights

    Info: User configuration: Advanced User with the Monitoring right

  • Review: Process Engine user passwords are not stored in plain text in the file system

    Info: <inubit-install>/<server>/<parent group>/<group>/<User>/user.xml

  • Review: Execution Connector required?

    Info: Should only be released for workflow users on request

Checklist for Hardening Tomcat

Apache Tomcat is the application server on which the INUBIT software runs. Virtimo AG delivers a preconfigured Tomcat instance together with the software installation. This Tomcat is fundamentally hardened: only necessary components are provided, and the passwords required to access the components are randomly generated during the installation.

Further recommendations

  • Use the Tomcat delivered with INUBIT to run INUBIT only.

  • Limit the operating system access rights of the users/user groups that execute Tomcat and the INUBIT software it hosts to the bare necessities.

  • Change the Tomcat passwords, refer to Configuring Tomcat.