If you are seriously thinking about running a GlassFish in a production
environment your are looking for some kind of information about securing
it. Most basically you would do, what sounds right for your and start
with a secure installation, think about firewalls and secure
applications. And this basically is right. But have you ever thought
about the why? I did. And further on I checked back with GlassFish and
here is the ultimate hardening guide for your GlassFish installation. I
don't have any special version in mind, so most of it should work
beginning with v3.
|Picture CC BY-NC 2.0, annamagal|
The net and the fish
First important part to notice is that you have to take some time to consider your security needs. There are many screws to tighten and you should make sure to use the right ones. A picture came to my mind if I thought about this: The fishing net could be a symbol for your infrastructure. It keeps your GlassFishes in place and prevents them from shark attacks. And your GlassFish takes care of your Java application, running within it. So first and obvious thing to check is the infrastructure. A typical GlassFish does not swim in the wild. He's hidden behind a reverse proxy which itself sits inside a DMZ. If I am talking about "system hardening" here, it's the most basic security process you should apply to your GlassFishes living in similar situations. Depending on your security needs, you should extend the list to your needs.
Hardening a single GlassFish instance is useless, if you are running it somewhere. The weakest point of your infrastructure defines your overall security level. So the first thing to check is, if your Hardware is up to date (yes, I'm talking about BIOS and stuff here) and if the operating system you are using is hardened at all. Don't forget about the network (Firewalls, Switches, and so on). If not. Stop reading and check back with the guys that are responsible for that.
Thoughts about password strength
Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly. The strength of a password is a function of length, complexity, and unpredictability. (Source: wikipedia.org) Whenever I talk about changing a password, think about unsing a strong password!
Hardening basics with GlassFish
Before you start doing anything you should think about a security concept. Yes. The documentation stuff. You need to write down, what you are going to do and why. "Which resources am I protecting?" and "From whom am I protecting the resources?". Done? Fine. Let's start.
Install an up-to-date and completely patched version of Java
There are many ways to do this. Get the latest bits, compare the checksums and apply all patches.
Setting up the environment
Very important from security point of view is not to run your Glassfish server as root. This means you need to create a user with restricted rights which you can use for running Glassfish. A good idea is to have a "gfish" user belonging to a "gfishadm" group. This group is the only one allowed to administrate the complete GlassFish installation including files. Note, that you are not going to run GlassFish on port 80 as a non-root user. But this is not too bad at all. As a principle for system hardening you could assume, that all "defaults" are bad. So you don't want to run it there anyway :)
Install an up-to-date and completely patched version of GlassFish
Don't start over with one of the old archives downloaded weeks ago. Visit glassfish.org or oracle.com/goto/glassfish to grep the lates bits. Check the md5 hashes and make sure you really get the right ones. Check back with the critical patch updates website and make sure you have the latest security patches in place.
Configure your ports
As I said before: Try to avoid default settings. Whatever ports are assigned with your basic installation; change them. Even if you find a lot of tools around to query system ports it's still considered good practice to shuffle the ports around.
Restrict access to the http/https ports
Check back with your network guys, to restrict access to your GlassFish server to the http/https port only. All other ports (admin-listener) should be blocked and accessible from the localhost or the cluster nodes only. You can rely on the external firewall product or configure your systems firewall (e.g. iptables) accordingly.
Securing the admin console
If you decide not to protect the admin-listener on network level you need to enable the secure administration feature. The secure administration feature allows an administrator to secure all administrative communication between the domain administration server (DAS), any remote instances, and administration clients such as the asadmin utility, the administration console, and REST clients. In addition, secure administration helps to prevent DAS-to-DAS and instance-to-instance traffic, and carefully restricts administration-client-to-instance traffic.
Change the master password
Glassfish uses the master password to protect the domain-encrypted files from unauthorized access, i.e. the certificate store which contains the certificates for https communication. Every asadmin action needs it to execute successfully. You have to decide if you put your installation in interactive or non-interactive way for the master password challenge. Running it as an autostart demon probably needs a saved master password.
Change the administration password
Same with the administration password. You also have the chance to put this into a password file for an "automatic login". Depending on your network configuration, your thread analysis (from whom do I protect the system) this could be ok. But I advise you to not use any automatic login features available.
A word about certificates
Normally you do not configure SSL certificates with your GlassFish instance. This is done by a reverse proxy and has several advantages. You have some lower load on your instance, you don't have to deal with configuring ssl and certificates. If you are directly terminating your ssl connections with the GlassFish, you have to change the keystore entries accordingly. And certainly you should change the keystore password.
Hiding your identity
As many servers, GlassFish is a bit chatty. The response headers contain some information which should not be disclosed to the public to prevent targeted attacks.
X-Powered-By: Servlet/3.0, JSF/2.0 Server: GlassFish Server Open Source Edition 3.0.1You can disable this by turning off the "XPowered By:" header with your http-listener and by adding a JVM-Option -Dproduct.name="".
If you have accomplished the most basic parts of the hardening, you could also start over and take care for the following points.
Remove unused components/services
Minimize the GlassFish Server installation by removing components that you are not using and do not intend to use. Every component you uninstall reduces the risk for somebody to break into. This needs a whole lot of knowledge about the stuff you are running with your GlassFish.
Define working with update and pkg tools
Think about a small process for working with the update and pkg tools. You should disable the update checks for the admin console ( -Dcom.sun.enterprise.tools.admingui.NO_NETWORK=true) or probably completely remove it from your distribution.
Admin server and instances
Beginning with 3.1 you can have instances beside your admin server. It's considered best practice not to run any application on your admin server at all. So you should have a concept about running your applications on instances and clusters. You could also think about completely shutting down the admin server except for the duration you need it.
Enable authentication and authorization auditing.
Auditing is the process of recording key security events in your GlassFish Server environment. You use audit modules to develop an audit trail of all authentication and authorization decisions. You should track all relevant events via the Audit Logging features.
Check file integrity
There are some tools out there to check the integrity of your installation. Starting with simple rootkit hunters you also find some commercial solutions out there (e.g. tripwire). Think about using such a tool to protect the integrity of your installation.
This is a very unintuitive topic. You have to have very detailed knowledge about the product you are trying to secure and the complete infrastructure. If you are called to harden GlassFish make sure to understand the security needs and make an assessment about the risks you have to take care of. And it's a team play. A single hardened GlassFish is by far not enough.
Links and Literature
IT Security Guidelines (PDF)
Oracle GlassFish Server 3.1 Security Guide
Installing Glassfish 3.0.1 on Ubuntu
Installing Glassfish 3.1 on Ubuntu 10.04 LTS