Security Measures
Overview
This section contains tips on how to secure the INUBIT environment, notes on possible security risks, and checklists for effective security measures.
User Administration
Overview
Users must authenticate themselves by entering a username and password to log in to the INUBIT Process Engine via the INUBIT Workbench.
To access user administration, you must have the right for the User Manager component. By default, this right is assigned to users with the System Administrator or Project Lead role.
Further options
Additionally, the INUBIT software offers the following options:
- Logging login attempts: All successful and failed login attempts can be traced in the Audit Log in the INUBIT Workbench.
- Locking user accounts after several failed logins: Prevents brute-force attacks (`UserFailedLoginLimit` property). This lock affects all users except users with the System Administrator role, so that the administrative user is always able to log in. Locked accounts can only be unlocked by a system administrator. Refer to Max. number of password failures.
- Deleting and disabling user accounts: All user accounts can be deleted or disabled by system or group administrators. Users can also be disabled automatically after a specified period of inactivity. Refer to:
- Passwords with minimum length and permitted symbols: Configure patterns for new passwords.
- Maximum validity period for passwords: A user with the System Administrator role can specify a maximum validity period for passwords for all users. After this period has expired, the account is locked and the user is prompted to enter a new password at the next login. This mechanism does not apply to the root user. Refer to Restrict password validity.
Defining Patterns for Passwords - Minimum Length, Permissible Characters
Usage
You can define patterns for user passwords and specify, for example, that passwords must consist of more than eight characters and contain exactly one capital letter and one number.
Prerequisites
You have not yet started the INUBIT Process Engine for the first time. After the first start, the password patterns can only be configured using the INUBIT Workbench; refer to Configuring INUBIT User Accounts.
Proceed as follows
- Open the file `<inubit-installdir>/inubit/server/ibis_root/conf/ibis_config.xml`. Note the details in section Configuring BPC via ibis_config.xml File.
- Use the following properties to define the patterns:
  - `UserPasswordLimit`: Activates/deactivates the verification of a new password, or of one that must be changed, against the property `UserPasswordLimitPattern`. The property `UserPasswordLimitNegative` defines whether the password must match the pattern.
  - `UserPasswordLimitPattern`: Used to define patterns for new passwords, for example their minimum length or allowed characters. Criteria for allowed passwords are specified using a regular expression. The regular expression must comply with the syntax of the Java class `Pattern` (of the JDK). Refer to
    The example in the file specifies that a password must consist of at least eight characters, exactly one capital letter and one number.
  - `UserPasswordLimitNegative`: Inverts the meaning of the property value `UserPasswordLimitPattern`.
    - If `false`, a password must comply with the criteria of the property `UserPasswordLimitPattern`. All passwords that match the pattern are accepted; all others are rejected.
    - If `true`, the password must not comply with the criteria of the property `UserPasswordLimitPattern`. All passwords that do not match the pattern are accepted; all others are rejected.
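Added example, not from the INUBIT documentation: a small Python re-implementation of the `UserPasswordLimit` / `UserPasswordLimitNegative` decision, so the effect of the two properties can be tried out before editing `ibis_config.xml`. Python's `re` accepts the same lookahead syntax as Java's `Pattern` for these expressions; the regular expressions themselves are assumptions, since the page describes the file's example policy (eight characters, exactly one capital letter, one number) and the checklist policy (ten characters, one number, one capital, one lower-case letter, one special symbol) but does not print them, and the denylist pattern is constructed to show what the negative mode is for.

```python
import re

# Reconstruction of the example policy the page describes for ibis_config.xml:
# at least eight characters, exactly one capital letter, exactly one digit.
# (Assumed expression; the page does not print the file's actual pattern.)
EXAMPLE_PATTERN = r"(?=[^A-Z]*[A-Z][^A-Z]*$)(?=\D*\d\D*$).{8,}"

# Policy from the User Administration Checklist: at least 10 characters with at
# least one digit, one capital, one lower-case letter and one special symbol.
# "Special symbol" is assumed to mean any character that is not a letter or digit.
CHECKLIST_PATTERN = r"(?=.*\d)(?=.*[A-Z])(?=.*[a-z])(?=.*[^A-Za-z0-9]).{10,}"

# Constructed denylist for use with UserPasswordLimitNegative=true: passwords
# containing one of these words are rejected, everything else is accepted.
DENYLIST_PATTERN = r"(?i).*(?:password|inubit|virtimo).*"


def password_allowed(password: str, pattern: str, negative: bool = False) -> bool:
    """Mirror the UserPasswordLimit decision.

    negative=False: only passwords matching the pattern are accepted.
    negative=True:  only passwords NOT matching the pattern are accepted.
    re.fullmatch is used so the whole password must satisfy the expression,
    like java.util.regex.Matcher.matches() on the Java side.
    """
    matches = re.fullmatch(pattern, password) is not None
    return matches != negative


def check_policy(password: str) -> dict:
    """Evaluate one password against the three constructed policies."""
    return {
        "example_8_exactly_one_upper_one_digit":
            password_allowed(password, EXAMPLE_PATTERN),
        "checklist_10_mixed":
            password_allowed(password, CHECKLIST_PATTERN),
        "not_on_denylist":
            password_allowed(password, DENYLIST_PATTERN, negative=True),
    }


if __name__ == "__main__":
    for candidate in ("Passw0rdxyz", "Str0ng!Pass", "Inubit#2024ab"):
        print(candidate, check_policy(candidate))
```

Note that the checklist policy and the file's example policy are not compatible (the example requires exactly one digit, the checklist only at least one), so pick one pattern per installation.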
Roles and Rights
The role concept ensures that process engine users are only able to use the functions and rights they have been authorized to use.
A role is a collection of rights that control the access to all functions and objects. This allows you to specify in detail, for instance, what rights each role has.
The INUBIT software is delivered with pre-configured roles. These pre-configured roles may be modified but not deleted. Any number of additional roles may also be defined and configured to match actual requirements. Exactly one role may be allocated to each user.
Users involved in creating workflows in the system should have the Advanced User role and should also be allocated the Monitoring right.
This ensures that the users have all the rights necessary for creating workflows, but prevents them from, for example, creating their own users.
Data Visibility
Data visibility is controlled by allocating users to groups:
- Every user can display his/her own data (modules, workflows) in the INUBIT Workbench and is able to edit them.
- Every user can also display his/her own group's data and that of the group immediately above it. Every user is a member of exactly one group.
- Groups may be structured hierarchically. In other words, a group may be a sub-group of exactly one other group. The nesting depth is unlimited.
For information about where user data is stored, refer to Changing the User-Specific Working Directory of the INUBIT Workbench.
Communication and System Connections
INUBIT Process Engine
The INUBIT Process Engine and the application server Tomcat form an integrated application. As a result, there is no communication via network components.
INUBIT Process Engine/Remote Connector
The Remote Connector is based on the same source code as the INUBIT Process Engine. The INUBIT Process Engine communicates with the Remote Connector via SOAP. This protocol may be secured using HTTPS.
INUBIT Process Engine/INUBIT Workbench
The client/server architecture of the INUBIT software requires communication between the INUBIT Process Engine and the INUBIT Workbench. This communication is also based on the SOAP protocol and may be secured using SSL to protect the transferred data. Encrypting this communication with HTTPS prevents passwords from being intercepted in transit between the INUBIT Workbench and the server.
Partner and IT systems
There is always a potential security risk when linking business partners with other IT systems.
Which protective measures are possible and necessary must be determined individually, because the measures greatly depend on the communication path used.
All the settings for message processing and communication may be configured specifically for each partner (e.g. IP addresses, public keys).
Ports
The SSL ports used for HTTPS communication with the INUBIT Workbench and those used for SSL-based protocols for communication with business partners can be separated. This prevents a business partner from connecting to the INUBIT Process Engine with an INUBIT Workbench. Every SSL port may be supplied with its own certificate.
HTTP-based protocols may be protected by utilizing SSL-secured HTTP connections (HTTPS). For this purpose, it is necessary to configure the SSL port and the private key to be used.
Centralized SSL key management
In order to communicate with other systems/business partners, the system needs the other system's public keys. These are provided per partner in the System Connectors (modules for connecting a system using an SSL-based protocol, e.g. HTTPS). The business partners' SSL keys are stored in the module properties of the system connector. The module properties are available through cache database tables.
The INUBIT software has a central SSL key monitoring component along with the SSL Key Manager. The keystores of the enabled system connectors are managed here; disabled system connectors cannot establish a connection.
Before a key's validity expires, a notification e-mail is sent automatically to the address specified in the Configuration tab (usually the owners of the connectors).
The SSL Key Manager also allows new certificates to be stored, including those which are valid before the old certificate expires. The INUBIT software automatically uses the new certificate once it becomes valid.
Executing External Programs and Shell Commands
The Execution Connector allows the execution of any external program or shell command that the operating-system user under which the INUBIT Process Engine is running is authorized to execute. The Execution Connector can therefore present a security risk. If the Execution Connector is not needed in processes, the root user should revoke other users' right to use this module.
All the files mentioned in this chapter are further protected by restricting the reading rights of all configuration files.
Code Injection
Certain areas of the INUBIT software have default protection against command sequences transmitted as input. In the login screen, for example, input is filtered so that only valid entries (e.g. user names) are processed.
Data entering via the Web Service Connector is not checked automatically. This check must be implemented by the workflow concerned.
Passwords for System Connectors
Passwords for system connectors are encrypted with AES and saved in the `MODULE_PROPERTIES` cache of the respective module.
Third-party Components
Tomcat is installed as part of the standard installation of the INUBIT software; known weaknesses and unused components are then removed. The following sections describe the rules to be applied.
A list of all the third party components used may be obtained on request from Virtimo AG.
Tomcat
Tomcat only executes the code originating from the INUBIT software.
The following Tomcat components were removed because they are not necessary to the functioning of the INUBIT software:
- Tomcat Management Console
- Sample applications
- Load balancer Web application
Patches for Tomcat
New versions of Tomcat are only integrated into new releases of the INUBIT software after they have been tested extensively.
The decision of which versions to integrate rests with Virtimo AG. For security reasons, Virtimo AG follows the philosophy of not switching to a more current version unless urgently required, in order to benefit from the practical experience gained with already tested components.
User Administration Checklist
Review | Info
---|---
Max. 5 failed login attempts to INUBIT Workbench | INUBIT Workbench > Administration > General Settings > Administration > User. Refer to Max. number of password failures
Failed logins to INUBIT Workbench are recorded in the audit log | INUBIT Workbench > Monitoring > Audit Log
Lock/delete accounts that are not needed | Only accounts in use should exist
Maximum validity of passwords = 90 days (except root user) |
10-character passwords, at least one number, one capital letter, one lower-case letter, one special symbol |
Users who create workflows have no Admin rights | User configuration: Advanced User with Monitoring right
Process engine user passwords not in plain text in the file system |
Execution Connector required? | Should only be released for workflow users if requested
Checklist for Hardening Tomcat
Apache Tomcat is the application server on which the INUBIT software runs. Virtimo AG delivers a preconfigured Tomcat instance together with the software installation. This Tomcat instance is hardened by default: only necessary components are provided, and the passwords required to access the components are randomly generated during the installation.
Further recommendations
- Use the Tomcat delivered with INUBIT to run INUBIT only.
- Limit the operating-system access rights of the users/user groups executing Tomcat and the INUBIT software it contains to the bare necessities.
- Change the Tomcat passwords; refer to Configuring Tomcat.