august, 2012 © tridium 2012 niagara 3.7 and new security features bill smith
TRANSCRIPT
August, 2012© Tridium 2012
NIAGARA 3.7 AND NEW SECURITY FEATURES
Bill Smith
3.5 and 3.6 Security Patch Highlights
• Blacklisting of critical files• Default Category
Configuration for new stations
• No blank passwords• Strong passwords enabled
by default• Program objects now
require super user privileges to install
SSL with 3.6 and Earlier
• The following data regarding SSL for 3.6 and earlier is available on Niagara Central by perform a search for “Installing a Signed Cert”
Installing the TKS Provider
• Download the Tks Provider jar: TridiumProvider.jar• Install the jar into the lib/ext directory of your chosen
JRE. DO NOT INSTALL INTO THE NIAGARA JRE!• If you have previously installed
StandaloneTksProvider.jar, delete it from the lib/ext directory!!
• Add the following line to the list in lib/security/java.security file in your JRE.
• Make sure the number after "security.provider." is sequential
security.provider.11=com.tridium.crypto.TksProvider
Generate Key Pair for Certificate Request• Open a command prompt and make sure that jre/bin is in your
PATH.• Go to the security directory for your Niagara installation.• Rename the existing ssl.tks file to ssl.tks.orig as a backup.• Run keytool with the following command:
• It may be necessary to adjust the -keyalg and -keysize arguments for the Certificate Authority you intend to use.
• The alias• IMPORTANT: When prompted for your first and last name, enter
the base domain name for the dns entry for your server: ex. tridium.com
• Answer the remaining questions as accurately as possible.• When prompted to enter a password for the key pair, just hit enter
to use the keystore password.• Make a copy of the new ssl.tks to ssl.tks.new as a backup.
keytool -genkey -alias tridium -keystore ssl.tks -storepass tridium -storetype TKS -keyalg RSA -keysize 2048
Generate the Certificate Request
• Now that a key pair has been generated, create the cert request with the following command:
• A new file called certreq.cer has been created. This file should be submitted to your Certificate Authority along with any other information that they require.
keytool -genkey -alias tridium -keystore ssl.tks -storepass tridium -storetype TKS -keyalg RSA -keysize 2048
Install Signed Certificate
• When the CA has completed the signing process, you will receive an email or file that contains something like :
-----BEGIN CERTIFICATE----- MIIFUTCCBDmgAwIBAgIQdYL06pVxhgnBQNHptRI6NzANBgkqhkiG9w0BAQUFADCB yzELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTAwLgYDVQQL EydGb3IgVGVzdCBQdXJwb3NlcyBPbmx5LiAgTm8gYXNzdXJhbmNlcy4xQjBABgNV BAsTOVRlcm1zIG9mIHVzZSBhdCBodHRwczovL3d3dy52ZXJpc2lnbi5jb20vY3Bz L3Rlc3RjYSAoYykwOTEtMCsGA1UEAxMkVmVyaVNpZ24gVHJpYWwgU2VjdXJlIFNl cnZlciBDQSAtIEcyMB4XDTExMDUxMzAwMDAwMFoXDTExMDYxMjIzNTk1OVowgakx CzAJBgNVBAYTAlVTMREwDwYDVQQIEwhWaXJnaW5pYTERMA8GA1UEBxQIUmljaG1v bmQxEjAQBgNVBAoUCUhvbmV5d2VsbDEQMA4GA1UECxQHVHJpZGl1bTE6MDgGA1UE CxQxVGVybXMgb2YgdXNlIGF0IHd3dy52ZXJpc2lnbi5jb20vY3BzL3Rlc3RjYSAo YykwNTESMBAGA1UEAxQJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB iQKBgQDcGyBUtgqRiNNQ4bdeDSGZ3oH4AiclGw5TYW5aPEkHZqvXmHwdLHSKqMme X2FnqPbw2XCwwwcFMCKD9LT6glAIvGpnDSsoDEdWAG5W7YujM1Bp53uuziUpBWV6 g8ko81K6IoRQ/PnljGUWkOXqCJuP2SxPsUxiS2Hn966m6nruswIDAQABo4IB0zCC Ac8wCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwQwYDVR0fBDwwOjA4oDagNIYyaHR0 cDovL1NWUlRyaWFsLUcyLWNybC52ZXJpc2lnbi5jb20vU1ZSVHJpYWxHMi5jcmww SgYDVR0gBEMwQTA/BgpghkgBhvhFAQcVMDEwLwYIKwYBBQUHAgEWI2h0dHBzOi8v d3d3LnZlcmlzaWduLmNvbS9jcHMvdGVzdGNhMB0GA1UdJQQWMBQGCCsGAQUFBwMB BggrBgEFBQcDAjAfBgNVHSMEGDAWgBQoFxOKvdaitdwGLLe2jtoQZmBu5TB0Bggr BgEFBQcBAQRoMGYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLnZlcmlzaWduLmNv bTA+BggrBgEFBQcwAoYyaHR0cDovL1NWUlRyaWFsLUcyLWFpYS52ZXJpc2lnbi5j b20vU1ZSVHJpYWxHMi5jZXIwbgYIKwYBBQUHAQwEYjBgoV6gXDBaMFgwVhYJaW1h Z2UvZ2lmMCEwHzAHBgUrDgMCGgQUS2u5KJYGDLvQUjibKaxLB4shBRgwJhYkaHR0 cDovL2xvZ28udmVyaXNpZ24uY29tL3ZzbG9nbzEuZ2lmMA0GCSqGSIb3DQEBBQUA A4IBAQCLmDayf1WCyO3bRBfy5EqF314Swj0RbX6sEWq+413R72KpUwMucK5ugo56 o7QlMl5vSMZdm70vjt6jiSnBPWUUYxggwP1ri565DuuRNYcjhdA/Lz7Aj+x2FLOx k9nwKt9oehPproEuMIJM/4NbijKOWNDndLOquuokITeL5Rp2s8p7lF0mfBYB4FTY cO+q0sbXZxN4swHSvf4RcfbC4xMHsenA86m5E6NuLlJshz3h5Yr4oASR2btm7htK myEslcmph/HcpdBAaTguhGvvqkCytc4Bry5IGedPgYgZStIudA1PdkeUtC5/mvy0 ctI785MRsEhTCsmryqIVrYrscYb8 -----END CERTIFICATE-----
Install Signed Certificate (continued)
• Save that section to a file, ex. signedcert.cer and put it in the same directory as your ssl.tks.
• If intermediate certs have also been provided, save them to files as well.
• Documentation with your signed cert should provide you with a reference to the root certificate used to sign the chain. Download this root cert and save it to a file.
• With a text editor, create a new file and copy and paste the contents of each cert file into the new one with the signed cert first, then the intermediate cert(s), and last the root (CA) cert .
• Save this to a file called something like certchain.cer.• Run the following command: (This MUST be done on the same
keystore that was used to generate the initial CSR.)
• You may be promped with something like "... is not trusted. Install reply anyway?". Answer "yes".
keytool -importcert -trustcacerts -file certchain.cer -keystore ssl.tks -storepass tridium -storetype TKS -alias tridium
Check the Keystore• Dump the contents of the keystore with the following command:
• The first few lines should contain something like:
• Verify that this is PrivateKeyEntry.• The next thing to look at is the first cert. Look for the following
lines:
• Verify that the owner is the end certificate that you had signed.• Look through each subsequent certificate to make sure the owner
is the same as the issuer on the previous certificate.
keytool -list -alias tridium -keystore ssl.tks -storepass tridium -storetype TKS -v
Alias name: tridium Creation date: Jul 31, 2012 Entry type: PrivateKeyEntry
Certificate[1]: Owner: CN=foo.com, OU=engineering, O=tridium, L=richmond, ST=virginia, C=us Issuer: C=us, ST=virginia, L=richmond, O=tridium, OU=engineering, CN=intermediateca
Some Notes• The signed cert that you installed will only validate
correctly for the domain that it was created.
• Your Certificate Authority may have other requirements and instructions and should be able to assist you with any trouble.
• The certificate chain must be installed into the keystore that contains the matching private key entry.
3.7 SSL Features
• Certificate Generation• Trust Store and Key Store
Management• Certificate Signing Request• Certificate Signing Tool• Importing/Export keys and
certificates• Allowed Host Management• Improved SSL Support for Web,
Fox and Niagarad• Improved SSL Api Support
Key Store Table
Trust Store Table
Allowed Hosts Table
Certificate Generation
Certificate Request Generation
Certificate Signing Tool
Approved Cipher List• TLS_RSA_WITH_AES_256_CBC_SHA• TLS_DHE_RSA_WITH_AES_256_CBC_SHA• TLS_DHE_DSS_WITH_AES_256_CBC_SHA• SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA• SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA• SSL_RSA_WITH_3DES_EDE_CBC_SHA• TLS_DHE_DSS_WITH_AES_128_CBC_SHA• TLS_DHE_RSA_WITH_AES_128_CBC_SHA• TLS_RSA_WITH_AES_128_CBC_SHA• SSL_RSA_WITH_RC4_128_MD5• SSL_RSA_WITH_RC4_128_SHA• TLS_EMPTY_RENEGOTIATION_INFO_SCSV
Certificate Verification
Session Information
SSLSocket Sample Code
ICryptoManager mgr = CertManagerFactory.getInstance(); SSLSocketFactory factory = (SSLSocketFactory) mgr.getClientSocketFactory(BSslTlsEnum.sslv3andtlsv1); SSLSocket socket = (SSLSocket) factory.createSocket(addr, port); socket.close();
HttpsConnection Sample Code
ICryptoManager mgr = CertManagerFactory.getInstance(); IClientSocketFactory factory = mgr.getClientSocketFactory(BSslTlsEnum.sslv3andtlsv1); HttpsConnection connection = new HttpsConnection(new BIpHost("www.amazon.com"), 443, "/", factory); connection.connect(); connection.close();
Server Configuration
• State: enabled, disabled or ssl only• if ssl only, will redirect from non-ssl port• Port: default for niagarad ssl is 5011• Certificate: server certificate selected from the
key store• Protocol: SSLv3, TLSv1, or both
Server Configuration
• https enabled: true or false• https only: true or false, will redirect from http if
http is enabled• Port: default for the web service is 443• Certificate: server certificate selected from the key
store• Protocol: SSLv3, TLSv1, or both
Server Configuration
• foxs enabled: true or false• foxs only: true or false, will redirect from http if
http is enabled• Port: default for the foxs service is 4911• Certificate: server certificate selected from the key
store• Protocol: SSLv3, TLSv1, or both
SSLServerSocket Sample Code
ICryptoManager mgr = CertManagerFactory.getInstance(); SSLServerSocketFactory factory = (SSLServerSocketFactory) mgr.getServerSocketFactory(BSslTlsEnum.sslv3andtlsv1, false, "tridium"); SSLServerSocket serverSocket = (SSLServerSocket) factory.createServerSocket(); SSLSocket socket = (SSLSocket) serverSocket.accept(); socket.close();
Small Network Example
CA Certificate Installedon Client Machinesin Their Trust Store
CA Private Key Used toSign Server Certificates
Large Network Example
Root CA Certificate Installed on Client
Machines in Their Trust Store
Root CA Private Key Used to Intermediate CA
Certificates
Intermediate CA Certificate
Intermediate CA Private Key Used to Sign Server
Certificates
Questions?