Secure Your BI Platform Part 2 – Web Tier
In my previous blog, I covered securing of the communication of your authentication providers.
In this posting, we will cover the configuration of the web tier. It is your war file deployment, and probably the most exposed part of your deployment, especially if you’re facing the public web.
Reduce the attack surface.
The less you have deployed, the less that can be attacked. Although the default BI install will deploy a number of components, you likely don’t need them all.
You may see a list like this of war files deployed:
AdminTools – designed for running advanced direct queries against the BI repository. If you don’t use this, remove it. You could also consider running it on a separate, local access only deployment.
BOE – This is the core of the BI deployment, includes CMC, BI Launchapd and OpenDocument functionality. Note that using wdeploy, you can split the CMC and BI Launchpad deployment, and put the CMC functionality on another, more locked down application server.
dswsbobje – web service used by Crystal Reports for Enterprise, Dashboard designer, and your custom applications. Again something you can remove if none of the above apply to you.
BusinessProcessBI – this is an SDK which is not needed for core functionality. If you’re not deploying custom applications that make use of this, this is something you can remove from your deployment.
clientAPI – contains Crystal Reports ActiveX controls for custom application deployment. You can almost certainly remove this.
MobiServer & MobileBIService – if you are not deploying mobile, you should have no need for these.
docs – This is the default tomcat documentation. They are also available online, so there should not be any need for these to be deployed. They contain information about the version of tomcat which is not necessary.
Tomcat Security
Refer to your tomcat guide. The following is an excerpt from the tomcat guide on default web applications:
Tomcat ships with a number of web applications that are enabled by default. Vulnerabilities have been discovered in these applications in the past. Applications that are not required should be removed so the system will not be at risk if another vulnerability is discovered.
http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html#Default_web_applications
Apache regularly publishes its list of fixed vulnerabilities here:
http://tomcat.apache.org/security-7.html
BI SP’s regularly bundle updates of Tomcat. SAP continually monitors the bundled applications and works to deliver any updates as part of the regular maintenance cycle. We regularly monitor the security listings of tomcat, and use that to drive our updates.
If you are unable to stay on the latest support packages, you may want to consider reviewing the list of vulnerabilities and using your own update of Tomcat at least until such time when you can deploy the latest BI4.x support pack.
Tomcat User Account
The user account only needs to read files under tomcat. Create a user for the tomcat service account, give the service account “Logon as a User” rights, and read only rights on the tomcat folder.
Hide CMS Information
The single biggest benefit is usability, because users will not accidentally lose the information or put in a typo and try to connect to the wrong place.
There is no reason why someone should try to communicate anywhere other than the CMS. so set the CMS.visbile=false setting in the BIlaunchpad.properties file and the CmcApp.properties files.
Do this instead:
1. Create a keytab with the ktpass command
The details for this are contained in the whitepaper attached to sap note http://service.sap.com/sap/support/notes/1631734
The whitepaper is a must for anyone setting up AD for the first time.
2. Copy the.keytab file to the c:\windows\ directory of the application server
3. Add the following line to C:\Program Files (x86)\SAP BusinessObjects\Tomcat\webapps\BOE\WEB-INF\config\custom\global.properties idm.keytab=C:/WINDOWS/<your keytab file name>
If you’re using Trusted Authentication, make sure you secure the shared secret file, so that only the process that your web application server is running as can access it. Consider using OS file level encryption to further lock this file down.
Web Application Container Server
If you are using the WACS, to host your restful web services, or possibly the CMC, the configuration for secure communication is done through server properties in the CMC.
What about Cross Site Scripting, SQL Injection, OWASP TOP 10?! IS IT SAFE!!??
SAP has a very strict release criteria, and a secure development cycle implemented. Testing includes, and is not limited to, static code scanning, dynamic analysis tools, manual penetration testing and security architecture reviews. You can find out more about our security processes here:
Conclusion
The secure approach is to treat your internal network that all your end users access as compromised. Just think of the latest Sony attack as an example, to see the value of encrypting the communication channels.
Additionally, leveraging firewalls to block off parts of the network to would be attackers is also valuable. Firewalls and server communication are covered in part 3.
Feel free to add you comments/questions on other areas, the blog will get updated with any additional bits that may have been missed here.
Analysis for Microsoft Office also makes use of the dswsbobje web application (at least when going through the BI platform vs. directly connecting to SAP BW).
Hi Greg,
Thanks for this nice blog series on BI4 security!
But I can't agree with you regarding the Tomcat user account.
What about log files?
For this the Tomcat user account needs write access to ../tomcat/logs/..
What about "auto deployments" of webapps?
For this the Tomcat user account needs write access to ../tomcat/work/..
Just two things which came suddenly into my mind, when reading this.
There could be other relevant directories, too. (temp?)
Krgds
Moritz
Greg,
Where can I find instructions for splitting the CMC out so that it's not deployed on the web server?
Thanks!
-Dell
It would be in the web application deployment guide.
http://service.sap.com/~sapidp/012002523100008805412015E/sbo41sp6_bip_wapd_unix_en.pdf
Thanks Greg. I figured that out after I had posted, but it's good to know that I went to the right place!
-Dell
Greg Wcislo is it possible to configure WACS to force TLS 1.2 only?
In 4.2 Sp04, WACS supports TLS 1.2 and TLS 1.1 only.
By default it communicates with TLS 1.2
Regards,
Ashutosh