Posted to users@tomee.apache.org by Rowan Burgess <ro...@gmail.com> on 2017/07/25 23:29:59 UTC

Secure Configuration Guide

Hello,

Is there a guide/reference available that outlines "best practices" on how
to configure TomEE securely?

I have used Tomcat in the past, and am familiar with steps such as those
described in https://tomcat.apache.org/tomcat-8.0-doc/security-howto.html ,
but I have not worked with TomEE before.

I need to ensure that no ports/services have been exposed unnecessarily.

I also need to ensure that there are no servlets / JSPs mapped and
accessible by default.

Appreciate any help/guidance you might have,

Thanks!

Re: Secure Configuration Guide

Posted by HWinMT <ho...@gmail.com>.
Hello,

Contribution to this discussion. The attached pdf has 4 links. The first two
are dated, but worth reading. The second two have already been mentioned.
The rest of the document is notes from setting up Tomcat 8.5.16 on Windows
Server 2012.

notesFromSettingUpTomcat_8.pdf
<http://tomee-openejb.979440.n4.nabble.com/file/n4682337/notesFromSettingUpTomcat_8.pdf>  

Howard




Re: Secure Configuration Guide

Posted by Rowan Burgess <ro...@gmail.com>.
Hi Jon,

Thanks for the feedback. We are using TomEE plus 7.0.3 and have followed
the "Tomcat Security How To" guide as an opening step. The server will be
deployed behind a load balancer and firewall.

I have found the documentation related to remote EJB calls (
http://tomee.apache.org/ejbd-transport.html ) and confirmed this is not
present.

Are there any other considerations we should be aware of?

Apologies for such a broad question - I have not worked with an EJB
container previously (usually just simple Spring applications!). TomEE is
being used to migrate an inherited legacy application away from WebLogic
and we are trying to verify that we have taken appropriate steps to secure
the server.

Thanks again for your help!

Rowan

On Wed, Jul 26, 2017 at 7:05 PM, Jonathan Gallimore <
jonathan.gallimore@gmail.com> wrote:


Re: Secure Configuration Guide

Posted by Jonathan Gallimore <jo...@gmail.com>.
Hi Rowan

Thanks for your email! This would make a great page on the site, so please
do follow up with your experiences as you get to grips with TomEE. It would
be useful to know which version of TomEE you are running, as there are a
couple of things that are slightly different between TomEE 7.x and TomEE
1.7.x, specifically in terms of the tomee/ejb servlet being available for
remote EJB calls (it is off in TomEE 7.x by default).

As a start, I'd suggest you remove any applications you do not want from
the webapps directory, and ensure that server.xml has only the ports that
you wish to use. The config in server.xml is the same config you're used to
with Tomcat; please do let us know if you encounter anything that doesn't
work in that regard (the information on the page you reference should be
good). Lock down any users and permissions in tomcat-users.xml, and check
your realm config in server.xml - out of the box we ship with the
UserDatabaseRealm (tomcat-users.xml) wrapped with the LockOutRealm.

If you're putting HTTPD or NGinx in front of TomEE or you have a complex LAN
setup there may be other things you want to do to allow access to
administrative applications from a management VLAN but not the outside
world, for example - the above doesn't cover anything like that, but is
hopefully useful as a start.

Please do let us know if you have any questions or feedback!

Jon

On Wed, Jul 26, 2017 at 6:23 AM, Romain Manni-Bucau <rm...@gmail.com>
wrote:

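One way to check the points Jon lists (which connector ports server.xml opens, whether the LockOutRealm wraps the UserDatabaseRealm, which active accounts in tomcat-users.xml hold manager roles, and which webapps are left in the webapps directory), together with Rowan's original concern about unnecessarily exposed ports: a small Python audit script, added here as an example and not part of this thread or of TomEE itself. The two sample XML documents, the webapp allow-list and the wording of the findings are constructed assumptions; the role names are Tomcat's manager/host-manager roles, and the shutdown-port check follows the Tomcat security how-to linked earlier in the thread (port="-1" on the Server element disables it).

```python
"""Audit a Tomcat/TomEE configuration for the exposure points discussed above.

Added example: parses server.xml and tomcat-users.xml with the standard library
and reports what an administrator should confirm. Sample inputs are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed sample server.xml: HTTP and AJP connectors, shutdown port on 8005,
# and the default LockOutRealm -> UserDatabaseRealm chain Jon describes.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"/>
    </Engine>
  </Service>
</Server>
"""

# Constructed sample tomcat-users.xml with one active manager account.
SAMPLE_TOMCAT_USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <user username="tomcat" password="tomcat" roles="manager-gui"/>
  <user username="app" password="s3cret" roles="app-user"/>
</tomcat-users>
"""

# Tomcat roles that grant access to the manager / host-manager applications.
PRIVILEGED_ROLES = frozenset({
    "manager-gui", "manager-script", "manager-jmx", "manager-status",
    "admin-gui", "admin-script",
})


def _local(tag):
    """Strip a namespace prefix such as {http://tomcat.apache.org/xml}."""
    return tag.rsplit("}", 1)[-1]


def listening_ports(server_xml):
    """Return (port, protocol) for every <Connector> so each can be confirmed."""
    root = ET.fromstring(server_xml)
    return [(int(c.get("port")), c.get("protocol", "HTTP/1.1"))
            for c in root.iter("Connector")]


def shutdown_port_enabled(server_xml):
    """True unless the <Server> shutdown port has been disabled with -1."""
    return ET.fromstring(server_xml).get("port", "8005") != "-1"


def realm_chain(server_xml):
    """Realm class short names, outermost first, following nested <Realm> elements."""
    engine = ET.fromstring(server_xml).find(".//Engine")
    chain, realm = [], (engine.find("Realm") if engine is not None else None)
    while realm is not None:
        chain.append(realm.get("className", "").rsplit(".", 1)[-1])
        realm = realm.find("Realm")
    return chain


def lockout_wraps_user_database(server_xml):
    """The out-of-the-box layout Jon mentions: LockOutRealm wrapping UserDatabaseRealm."""
    return realm_chain(server_xml)[:2] == ["LockOutRealm", "UserDatabaseRealm"]


def privileged_users(tomcat_users_xml, privileged=PRIVILEGED_ROLES):
    """Usernames holding any privileged role; XML comments are skipped by the
    parser, so commented-out default accounts are not reported."""
    found = []
    for el in ET.fromstring(tomcat_users_xml).iter():
        if _local(el.tag) != "user":
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        if roles & privileged:
            found.append(el.get("username"))
    return found


def unexpected_webapps(present, allowed):
    """Webapp directory names present on disk that are not on the allow-list."""
    return sorted(set(present) - set(allowed))


def audit(server_xml, tomcat_users_xml, present_webapps, allowed_webapps):
    """Collect human-readable findings; an empty list means nothing to confirm."""
    findings = [f"connector {proto} on port {port}: confirm it is intended"
                for port, proto in listening_ports(server_xml)]
    if shutdown_port_enabled(server_xml):
        findings.append('shutdown port enabled: set <Server port="-1"> if unused')
    if not lockout_wraps_user_database(server_xml):
        findings.append(f"realm chain {realm_chain(server_xml)}: "
                        "LockOutRealm does not wrap UserDatabaseRealm")
    findings += [f"active privileged user: {u}" for u in privileged_users(tomcat_users_xml)]
    findings += [f"unexpected webapp directory: {a}"
                 for a in unexpected_webapps(present_webapps, allowed_webapps)]
    return findings


if __name__ == "__main__":
    # Constructed webapps listing: the stock directories plus the one real application.
    on_disk = ["ROOT", "docs", "examples", "manager", "host-manager", "myapp"]
    for line in audit(SAMPLE_SERVER_XML, SAMPLE_TOMCAT_USERS_XML, on_disk, ["myapp"]):
        print(line)
```

To run it against a real installation, read `conf/server.xml` and `conf/tomcat-users.xml` into the two string arguments and pass `os.listdir("webapps")` as the on-disk list; the allow-list is whatever the deployment is meant to serve.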

Re: Secure Configuration Guide

Posted by Romain Manni-Bucau <rm...@gmail.com>.
Hi Rowan,

listing what didn't work can help to be more accurate but don't think we
duplicated this page on tomee site directly.


Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<https://blog-rmannibucau.rhcloud.com> | Old Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory
<https://javaeefactory-rmannibucau.rhcloud.com>

2017-07-26 1:29 GMT+02:00 Rowan Burgess <ro...@gmail.com>:
